WTF?! It’s probably not unusual for individual users to get banned from contributing to Linux for making poor decisions. However, for the first time to my knowledge, the Linux Foundation has soft-banned an entire domain. Any user submitting commits from a umn.edu (University of Minnesota) address will be “default-rejected” until further notice.
The Linux Foundation has banned the entire University of Minnesota from contributing to the Linux kernel. The expulsion comes after researchers from the school published a paper titled “Open Source Insecurity: Stealthily Introducing Vulnerabilities via Hypocrite Commits.” The paper details how Qiushi Wu and Kangjie Lu, both students at U of M, intentionally submitted code with security flaws to “test the kernel community’s ability to review ‘known malicious’ changes.”
Linux Foundation fellow Greg Kroah-Hartman did not appreciate the “bad faith” experiment. He mentions in an email to other kernel maintainers, including Linus Torvalds himself, that from now on, they should reject all submissions from users with a umn.edu email address.
Follow up removing almost all of these changes: https://t.co/wLnQxwKfyk
— Greg K-H (@gregkh) April 21, 2021
“I’ll take this through my tree, so no need for any maintainer to worry about this, but they should be aware that future submissions from anyone with a umn.edu address should be by default-rejected unless otherwise determined to actually be a valid fix,” Kroah-Hartman wrote. He said that maintainers are still free to approve submissions, but only if “they provide proof and can verify it.” So it is essentially a soft ban.
“But really, why waste your time doing that extra work?” Kroah-Hartman added as an afterthought.
The two researchers’ actions were not the only factor in the decision to ban the entire school. A third U of M user had submitted several patches of junk code that did nothing. Kroah-Hartman ordered that all past commits from the university be reverted and re-reviewed. He started the work himself and listed scores of commits that he had already reverted.
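The policy described above amounts to a triage rule: patches whose author or Signed-off-by address belongs to a blocked domain are routed to a "default-reject, verify before applying" queue instead of normal review. The script below is an added illustration of that rule and is not code from the kernel maintainers or the article; it parses the headers of mailed patches (sample patch texts are constructed here, and the addresses in them are made up) and sorts each patch into the queue the policy implies. The `umn.edu` domain comes from the article; the blocklist structure and function names are assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Matches a bare address or one wrapped in angle brackets ("Name <user@host>").
EMAIL_RE = re.compile(r"<?([\w.+-]+@[\w.-]+\.\w+)>?")


@dataclass
class Patch:
    subject: str
    author: str                      # address from the From: header
    signoffs: list = field(default_factory=list)  # Signed-off-by: addresses


def parse_patch(text: str) -> Patch:
    """Extract subject, author and sign-off addresses from a mailed patch."""
    subject, author, signoffs = "", "", []
    for line in text.splitlines():
        if line.startswith("Subject:"):
            subject = line[len("Subject:"):].strip()
        elif line.startswith("From:"):
            m = EMAIL_RE.search(line)
            author = m.group(1).lower() if m else ""
        elif line.startswith("Signed-off-by:"):
            m = EMAIL_RE.search(line)
            if m:
                signoffs.append(m.group(1).lower())
    return Patch(subject, author, signoffs)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


def is_blocked(addr: str, blocked: set) -> bool:
    """True if the address domain is blocked, including subdomains (cs.umn.edu)."""
    d = domain_of(addr)
    return any(d == b or d.endswith("." + b) for b in blocked)


def triage(patch_texts: list, blocked: set) -> dict:
    """Map each subject to 'default-reject' (needs explicit verification by a
    maintainer before it can be applied) or 'normal-review'."""
    result = {}
    for text in patch_texts:
        p = parse_patch(text)
        addrs = [p.author] + p.signoffs
        flagged = any(a and is_blocked(a, blocked) for a in addrs)
        result[p.subject] = "default-reject" if flagged else "normal-review"
    return result


# Constructed sample patches; addresses are invented for the example.
SAMPLE_PATCHES = [
    "From: A Researcher <someone@umn.edu>\n"
    "Subject: [PATCH] foo: add missing check\n"
    "Signed-off-by: someone@umn.edu\n",
    "From: Other Person <dev@example.org>\n"
    "Subject: [PATCH] bar: fix typo\n"
    "Signed-off-by: Another Student <student@cs.umn.edu>\n",
    "From: Regular Contributor <dev@example.org>\n"
    "Subject: [PATCH] baz: refactor helper\n"
    "Signed-off-by: dev@example.org\n",
]

BLOCKED_DOMAINS = {"umn.edu"}

if __name__ == "__main__":
    for subject, queue in triage(SAMPLE_PATCHES, BLOCKED_DOMAINS).items():
        print(f"{queue:15} {subject}")
```

Checking Signed-off-by lines as well as From: matters because a patch can be relayed by a third party while still carrying the original author's sign-off; a maintainer who wants to clear a flagged patch still has to do the extra verification the article describes.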
In response to the ban, UMN leadership issued a statement promising “remedial action.”
“Leadership in the University of Minnesota Department of Computer Science & Engineering learned today about the details of research being conducted by one of its faculty members and graduate students into the security of the Linux Kernel.
“We take this situation extremely seriously. We have immediately suspended this line of research. We will investigate the research method and the process by which this research method was approved, determine appropriate remedial action, and safeguard against future issues, if needed. We will report our findings back to the community as soon as practical.”
This is worse than just being experimented upon; this is like saying you’re a “safety researcher” by going to a grocery store and cutting the brake lines on all the cars to see how many people crash when they leave. Enormously unethical; I hope @UMNews has an IRB that takes note!
— Jered Floyd (@jeredfloyd) April 21, 2021
The researchers also issued a statement denying that they ever intentionally introduced bugs into the kernel. They said the flawed patches were sent to maintainers by email for feedback. Once they got a reply amounting to “looks good,” they informed the maintainers of the intentional bug and told them not to commit it. However, the whole controversy started after someone found that at least four vulnerable patches submitted from a UMN email address had made it through review.
While not apologizing for their work, the students did express regret for the extra effort it caused maintainers.
“We would like to sincerely apologize to the maintainers involved in the corresponding patch review process; this work indeed wasted their precious time,” Wu and Lu explained. “We had carefully considered this issue, but could not figure out a better solution in this study.”
The issue has understandably provoked heated exchanges within the Linux community. Kernel developer Laura Abbott condemned the frivolous nature and conclusions of the study, pointing out that the possibility of malicious code being intentionally introduced is already well known in the community.
Image credit: Stanislaw Mikulski