[weagle05]

I'm giving you an upvote. Look around your house and count the number of linux kernels running. My count is 6 that I know about. I haven't seen the actual vulnerable code submitted to know how critical the vulnerabilities are but I believe these grad students are liable both civilly and criminally. Not advocating for mob justice but there needs to be more than a slap on the wrist. For those of us who live and breath software security everyday this is kind of a big deal.

[zekrioca]

I don't agree this is the way to fix the bigger problem, which is the acceptance that every commit to the kernel is done in good faith. As mentioned in another comment, I believe having these grad students to take a look at the ethical impacts of their research is a way forward. Another would be to somehow cast some blame into their supervisor, which should know more.

I understand that what they did was, and is bad and shouldn't be done. However how many other people do not also purposely submit buggy patches? In the end of the day, this happening just show vulnerabilities of the merging system itself.

[weagle05]

I think we disagree on the bigger problem. In my view the bigger problem is the erosion of trust for open source. Over the last 10-ish years there has been a flood of research and marketing around open source software security. I wrote a white paper about it back in 2011. We know there are risks in open source and we know vulnerabilities are created both intentionally and accidentally. We also know open source maintainers are overworked and human. There will be mistakes and we must prepare for them. This is the reason why the fine folks at Sonatype, Snyk, and WhiteSource have jobs.

These grad students wanted to make a splash and went after one of the most important code bases on the planet. It stopped being an ethical problem when the kernel maintainers had to manually search for vulnerabilities. They are using hours that could be used elsewhere. The Linux Foundation is paying Greg Kroah-Hartman to solve this problem, so they have a financial loss due to the actions of these grad students. There's your civil liability. They "knowingly cause(d) the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer" so there's your criminal liability from the Computer Fraud and Abuse Act. There's probably criminal liability in the state where they live as well.

[threatofrain]

The issue isn’t that every commit and committer is treated in good faith. They aren’t.

The issue is that U of Minnesota, and universities in general, had a good standing reputation with the Linux kernel group. Students at the University can still submit patches, but not currently with the strength of institutional credibility standing behind them.

Knowing who to trust and updating your trust when you’re wrong is part of healthy security.