Re: Report on University of Minnesota Breach-of-Trust Incident

From: Pavel Machek
Date: Thu May 06 2021 - 17:40:15 EST

Next message: Jesse Brandeburg: "[PATCH net] igb: fix netpoll exit with traffic"
Previous message: Daniel Borkmann: "Re: [PATCH bpf] bpf: Don't WARN_ON_ONCE in bpf_bprintf_prepare"
In reply to: Metztli Information Technology: "Re: Report on University of Minnesota Breach-of-Trust Incident"
Next in thread: Kangjie Lu: "Re: Report on University of Minnesota Breach-of-Trust Incident"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi!

> > # Commits from @umn.edu addresses have been found to be submitted in "bad
> > # faith" to try to test the kernel community's ability to review "known
> > # malicious" changes.
>
> I would agree that the phrasing here is sub-optimal in that it could
> more clearly separate a few related things (e.g. "malicious change" vs
> "valid fix"). If I were writing this, I would have said something along
> the lines of:
>
> Commits from UMN authors have been found to be submitted with intentional
> flaws to try to test the kernel community's ability to review "known
> malicious" changes. ...
> During review of all submissions, some patches were found to be
> unintentionally flawed. ...
> Out of an abundance of caution all submissions from this group must be
> reverted from the tree and will need to be re-review again. ...

Thank you.

> > UMN apologized. Our reaction to their apology was:
> >
> > https://lore.kernel.org/lkml/YIV+pLR0nt94q0xQ@xxxxxxxxx/#t
> >
> > Do we owe them apology, too?
>
> I will defer to Greg on what he thinks his duties are there, but in
> trying to figure out who "we" is, I'll just point out that I attempted
> to clarify the incorrect assumptions about the intent of historical UMN
> patches, and spoke for the entire TAB (Greg included) here:
> https://lore.kernel.org/lkml/202104221451.292A6ED4@keescook/
> The report repeated this in several places, and we explained our need
> for due diligence.

Well, in https://lore.kernel.org/lkml/YIV+pLR0nt94q0xQ@xxxxxxxxx/#t
Greg says:

"Until those actions are taken, we do not have anything further to
discuss about this issue."

I'm not sure on behalf of whom he is speaking in the email (and I
believe he is unneccessarily harsh with them).

I could reply to that saying "hey, Greg is probably speaking only for
himself there, he certainly can't speak for whole linux community",
but I believe it would be better if TAB did that.

Best regards,
Pavel
--
http://www.livejournal.com/~pavelmachek

Attachment: signature.asc
Description: Digital signature

Next message: Jesse Brandeburg: "[PATCH net] igb: fix netpoll exit with traffic"
Previous message: Daniel Borkmann: "Re: [PATCH bpf] bpf: Don't WARN_ON_ONCE in bpf_bprintf_prepare"
In reply to: Metztli Information Technology: "Re: Report on University of Minnesota Breach-of-Trust Incident"
Next in thread: Kangjie Lu: "Re: Report on University of Minnesota Breach-of-Trust Incident"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]