University Of Minnesota Apologizes To Unwavering Linux Community Over Kernel Kerfuffle
Last week, we reported on a Linux Kernel developer banned The University of Minnesota for some ethically questionable research. Since then, UMN issued an apology and started an investigation into how this all happened, but some people are having none of it. This week in the Linux Kernel security saga, Greg Kroah-Hartman announced that the Linux Foundation and its Technical Advisory Board sent a letter to UMN outlining what must be done to regain the trust of the Linux community, and no further discussion will be had.
Earlier this year, three researchers from UMN published a paper that proved that vulnerabilities could be slipped past Linux Kernel maintainers. The team used three easily fixed bugs in the Linux kernel, which all had the trappings of becoming a vulnerability, and submitted them to see if the maintainers detected a problem. Once the maintainers replied to the patch, the UMN researchers explained the bug and gave an actual patch instead of the one originally submitted.
This methodology and the lack of telling anyone about the plan struck a chord among the Linux community, and especially with Greg Kroah-Hartman. "Greg K-H," as he is known online, is a senior Linux kernel developer that decided to stick up for the other developers who were subjected to research. He first called out UMN and then reverted 68 patches from anyone with a @umn.edu address. Following that, he instantiated a "block by default" rule for the school, with no clear way forward.
Then, UMN issued a public apology while the researchers more recently did so on the Linux Kernel Mailing List, but the latter was not taken as well as the researchers likely hoped. Greg K-H replied with the following to the 800-word apology letter:
Thank you for your response.At present, we do not know what the contents of that letter Greg mentioned are; however it likely entails some sort of apology and requirement to cease research like this in the future. In any case, it seems that a small divide is forming in the Linux community in which some believe that UMN did nothing wrong. One person in the apology letter thread compared UMN to "kids laughing loud that 'the emperor has no clothes.' More precisely, that the emperor STILL has no clothes. Ten year later."
As you know, the Linux Foundation and the Linux Foundation's Technical
Advisory Board submitted a letter on Friday to your University outlining
the specific actions which need to happen in order for your group, and
your University, to be able to work to regain the trust of the Linux
Until those actions are taken, we do not have anything further to
discuss about this issue.
This person further claims that the outcry from Greg and others is merely a distraction from the Linux community's pitfalls. On the other hand, someone else explains that UMN's methodology lacked tact and kindness and was more a point and laugh sort of project. They specifically state, "Demonstrating a well-known weakness is easy. Pointing the finger is easy. Helping however, requires another level."
Whatever your view is, it is certainly a complex and continually evolving situation with many outcomes to consider. Perhaps more people will come to support each side in a healthy discussion about cybersecurity and how research should be executed in the future. Either way, let us know what you think of all of this in the comments down below.