On April 25, 2021, researchers from the University of Minnesota issued an open letter of apology for carrying out unauthorized research via buggy Linux patches.
The whole affair started with Qiushi Wu and Kangjie Lu, computer scientists at U of M, who published a paper on the possibility of sneaking vulnerabilities into open-source software.
The experimenters carried out their testing through the so-called “hypocrite commits”—patches that fix a minor issue but expose a much more significant vulnerability. Three of these patches were committed to the Linux kernel repository.
Though the paper played a significant part, the instigating event came weeks later. It happened when Aditya Pakki, another student of Kangjie Lu, committed what was described as “nonsense patches.” The only reasonable assumption was that the University of Minnesota was carrying on with its experiments on Linux code.
The response came from Greg Kroah-Hartman, the maintainer of the Linux kernel stable branch and one of its most significant developers. He condemned the University’s breach of trust, unauthorized penetration testing, and human experimentation.
Even though the researchers claimed to have safeguards in place to prevent malicious commits from being accepted, the majority of the Linux community criticized the unsafe practices. If a vulnerability were to be pushed to the stable branch, it could endanger millions of personal devices, as well as the majority of hosting servers.
Kroah-Hartman went on to ban U of M from making any future commits and reverted 68 existing patches until further review.
The Linux Foundation’s Advisory Board, headed by senior VP Mike Dolan, issued demands to be met before any scientists from the university can participate in the project again.
The list includes publishing all info needed to identify vulnerabilities introduced by the researchers, formally retracting the aforementioned paper, and ensuring all future experiments are carried out with the consent of those involved.
The University of Minnesota has since issued a public apology to the Linux community. However, many have observed that the researchers appear to be justifying their actions rather than showing genuine remorse for what amounted to borderline hacking.
Kroah-Hartman issued a curt reply, stating there is nothing to discuss until the aforementioned demands are met.
Though you might not condone the actions of the U of M researchers, the paper certainly shows the importance of digital safety. Identity protection tools, antiviruses, and regular backups will, by all accounts, play an even more central role in our safety in the years to come.