University of Minnesota was Banned from Contributing to the Linux Kernel due to the deliberate introduction of vulnerabilities
Greg Kroah-Hartman, the Linux developer who maintains the stable release branch, decided to prohibit the University of Minnesota (UMN) from contributing to the open source Linux project. The reason is that researchers at the University of Minnesota were found to have submitted, as part of their research, a series of patches to the official Linux code base that deliberately introduced security vulnerabilities.
What happened at UMN
Researchers at the University of Minnesota submitted patches to the Linux kernel that deliberately introduced vulnerabilities, and on that basis published a paper on "open source insecurity" in February 2021. The focus of the research was to test whether known security vulnerabilities could be introduced into the Linux kernel by submitting malicious or insecure code patches that looked like legitimate fixes.
However, even after the paper was published, researchers at UMN submitted a new round of patches which they claimed were the output of "a new static analyzer", but which in fact had no real value: they did not fix anything. At best, this wasted the time of upstream developers, and it ultimately led to Greg's decision to ban any future contributions from them to the Linux kernel.
Greg wrote on the kernel mailing list that these new patches obviously do not fix anything at all. Given that you and your team continue to send such nonsense patches to developers in the kernel community, what else can I think other than that the experiment is continuing? Anyone with some knowledge of the C language can see that the patch you submitted has no effect at all. Because of this, I now have to ban all future contributions from your university and delete your previous contributions, because they were clearly submitted in a malicious way to cause problems. Therefore, people from the University of Minnesota are no longer welcome to contribute to upstream Linux kernel development.
Response from UMN
After the entire UMN was banned from participating in Linux kernel development over the deliberately introduced vulnerabilities, the researchers involved at the University of Minnesota, Assistant Professor Kangjie Lu and doctoral students Qiushi Wu and Aditya Pakki, published an open letter of apology to the Linux kernel community.
The letter stated that the research team sincerely apologized for any harm it had caused to the Linux kernel community.
We sincerely apologize for any harm our research group did to the Linux kernel community. Our goal was to identify issues with the patching process and ways to address them, and we are very sorry that the method used in the “hypocrite commits” paper was inappropriate.
They also acknowledged that it had been a mistake not to consult the Linux community and obtain permission before conducting the research. The letter explained, however, that they had not asked the Linux maintainers for permission in advance because doing so would have drawn the maintainers' attention to the patches, which would have affected the results of the research.
The letter also emphasized that the other patches from UMN.edu were submitted in good faith.
* All the other 190 patches being reverted and re-evaluated were submitted as part of other projects and as a service to the community; they are not related to the "hypocrite commits" paper.
* These 190 patches were in response to real bugs in the code and all correct--as far as we can discern--when we submitted them.
The letter finally stated that the members of the research team are sincerely sorry for the extra work the Linux kernel community has had to undertake, and that, beyond the regret, they have learned important lessons from this incident about conducting research with the open source community.
We can and will do better, and we believe we have much to contribute in the future, and will work hard to regain your trust.
I believe that the Open Source movement has resulted in a large amount of useful software as well as increased public knowledge of topics such as open access and open content.
Open Source software is becoming more common in developing countries, where the cost of proprietary software is prohibitively high, as well as among governments around the world that want to avoid relying on a single vendor.