[asciident]

I think you are misunderstanding what happened. They emailed the patches to the maintainers, and when the maintainers responded "this looks good", then told them there was a bug in the patch. They never committed a bad patch to the source tree. The problem is they were deceptive in their initial email, not that they actually introduced kernel vulnerabilities. No bad code was ever committed, and they had a written mandate to verify that.

[noptd]

No the parent is correct- malicious commits made it into stable.

https://lore.kernel.org/lkml/78ac6ee8-8e7c-bd4c-a3a7-5a90c7c...

https://lore.kernel.org/linux-nfs/CADVatmNgU7t-Co84tSS6VW=3N...

[asciident]

Both of those reverts suggest those were just non-malicious contributions that the maintainers reverted just in case (and reapplied after review). If that's the proof, then I think you are mistaken. Maybe put another way, if someone says "noptd has bad intentions, so I'm reverting all of noptd's contributions that were committed to stable" the reverts themselves are not proof that malicious commits made it to stable, and that noptd has bad intentions.

[smbullet]

It doesn't sound like either of those reverts are necessarily for malicious patches. They are reverting all commits from umn.edu addresses regardless of their involvement with this professor.

[luckystarr]

It doesn't matter whether the patches made it in our not. Even the attempt is illegal in some jurisdictions.

[slenk]

Except Greg K-H disagrees with the students, stating it did make it to stable.

I trust Greg over the students.

[asciident]

Can you cite a source of Greg saying this? I read this article which is the closest I could find that reports this, https://www.zdnet.com/article/greg-kroah-hartman-bans-univer... which says,

"""Romanovsky reported that he had looked at four accepted patches from Pakki "and 3 of them added various severity security 'holes.'" Sudip Mukherjee, Linux kernel driver and Debian developer, followed up and said "a lot of these have already reached the stable trees." These patches are now being removed."""

However, if you click the links, you'll see that "have already reached stable trees" is about non-buggy patches, and "3 of them added various [holes]" are not one of those. So the articles seem to be intentionally deceiving the reader to think those are connected, when they're separate events. I actually feel like the media has been doing this (putting together non-related facts together in a way that readers reasonably infer a connection between the two).

[slenk]

I guess it was Romanovsky who said it: https://lore.kernel.org/linux-nfs/YH+zwQgBBGUJdiVK@unreal/

Wait so do you disagree with ZDnet too?

[asciident]

Again, there's nothing that says the patches with vulnerabilities made it to stable.

Did you read the ZDnet article and look at the links that in that article in the relevant paragraph? I'm not "disagreeing", I'm saying that they are misleading the reader (and it looks like many were fooled).

The two sentences they put together are not related, but put next to each other, they make it seem like they're related. We have to be careful when reading these articles. So the researchers have made commits to stable, and the researchers have introduced vulnerabilities, but they are not referring to the same patches. So no vulnerabilities have been committed to stable.