Earlier this week Greg Kroah-Hartman of the Linux kernel development
team banned the University of Minnesota from contributing after
researchers there submitted what he called "obviously-incorrect
patches" believed to be part of a research project into whether buggy
code would be accepted.
Today the professor in charge of that project, as well as two of its
researchers, sent an email to the Linux kernel mailing list saying
they "sincerely apologize for any harm our research group did to the
Linux kernel community."
Our goal was to identify issues with the patching process and ways to
address them, and we are very sorry that the method used in the
"hypocrite commits" paper was inappropriate. As many observers have
pointed out to us, we made a mistake by not finding a way to consult
with the community and obtain permission before running this study; we
did that because we knew we could not ask the maintainers of Linux for
permission, or they would be on the lookout for the hypocrite patches.
While our goal was to improve the security of Linux, we now understand
that it was hurtful to the community to make it a subject of our
research, and to waste its effort reviewing these patches without its
knowledge or permission.
We just want you to know that we would never intentionally hurt the
Linux kernel community and never introduce security vulnerabilities.
Our work was conducted with the best of intentions and is all about
finding and fixing security vulnerabilities... We are a research group
whose members devote their careers to improving the Linux kernel. We
have been working on finding and patching vulnerabilities in Linux for
the past five years...
This current incident has caused a great deal of anger in the Linux
community toward us, the research group, and the University of
Minnesota. We apologize unconditionally for what we now recognize was
a breach of the shared trust in the open source community and seek
forgiveness for our missteps. We seek to rebuild the relationship with
the Linux Foundation and the Linux community from a place of humility
to create a foundation from which, we hope, we can once again
contribute to our shared goal of improving the quality and security of
Linux software... We are committed to following best practices for
collaborative research by consulting with community leaders and
members about the nature of our research projects, and ensuring that
our work meets not only the requirements of the Institutional Review
Board but also the expectations that the community has articulated to
us in the wake of this incident.
While this issue has been painful for us as well, and we are genuinely
sorry for the extra work that the Linux kernel community has
undertaken, we have learned some important lessons about research with
the open source community from this incident. We can and will do
better, and we believe we have much to contribute in the future, and
will work hard to regain your trust.
Their email also says their work did not introduce vulnerabilities
into the Linux code. ("The three incorrect patches were discussed and
stopped during exchanges in a Linux message board, and never committed
to the code.")
And the email also clarifies that their research was only done in
August of 2020, and "All the other 190 patches being reverted and
re-evaluated were submitted as part of other projects and as a service
to the community; they are not related to the 'hypocrite commits'
paper. These 190 patches were in response to real bugs in the code and
all correct — as far as we can discern — when we submitted them... Our
recent patches in April 2021 are not part of the 'hypocrite commits'
-- source: https://linux.slashdot.org/story/21/04/25/0243259