Hacker News new | ask | show | jobs
by zekrioca 1882 days ago
I don't agree this is the way to fix the bigger problem, which is the acceptance that every commit to the kernel is done in good faith. As mentioned in another comment, I believe having these grad students to take a look at the ethical impacts of their research is a way forward. Another would be to somehow cast some blame into their supervisor, which should know more.

I understand that what they did was, and is bad and shouldn't be done. However how many other people do not also purposely submit buggy patches? In the end of the day, this happening just show vulnerabilities of the merging system itself.
2 comments
weagle05 1881 days ago
I think we disagree on the bigger problem. In my view the bigger problem is the erosion of trust for open source. Over the last 10-ish years there has been a flood of research and marketing around open source software security. I wrote a white paper about it back in 2011. We know there are risks in open source and we know vulnerabilities are created both intentionally and accidentally. We also know open source maintainers are overworked and human. There will be mistakes and we must prepare for them. This is the reason why the fine folks at Sonatype, Snyk, and WhiteSource have jobs.

These grad students wanted to make a splash and went after one of the most important code bases on the planet. It stopped being an ethical problem when the kernel maintainers had to manually search for vulnerabilities. They are using hours that could be used elsewhere. The Linux Foundation is paying Greg Kroah-Hartman to solve this problem, so they have a financial loss due to the actions of these grad students. There's your civil liability. They "knowingly cause(d) the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer" so there's your criminal liability from the Computer Fraud and Abuse Act. There's probably criminal liability in the state where they live as well.

link
threatofrain 1882 days ago
The issue isn’t that every commit and committer is treated in good faith. They aren’t.

The issue is that U of Minnesota, and universities in general, had a good standing reputation with the Linux kernel group. Students at the University can still submit patches, but not currently with the strength of institutional credibility standing behind them.

Knowing who to trust and updating your trust when you’re wrong is part of healthy security.

link