Banned UMN Researchers Apologize to Linux Community

By Nathaniel Mott
published

Pull requesting forgiveness.

University of Minnesota
(Image credit: Shutterstock)

University of Minnesota (UMN) assistant professor Kangjie Lu, along with graduate students Qiushi Wu and Aditya Pakki, apologized to the Linux community on Saturday for the controversial research into "hypocrite commits" that got the entire university system banned from contributing to the Linux kernel.

In an email to the Linux kernel mailing list, the trio said that the research in question, which sought to highlight one of the ways open source projects such as Linux can be undermined, was carried out in August 2020. The findings were published to GitHub on February 10; they didn't appear to attract much attention for several months.

Then last week, Greg Kroah-Hartman, the Linux developer who oversees the stable release channel, banned UMN from contributing to the Linux kernel. He also said in an email to Pakki that he'd have to "rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems."

This quickly became a hot-button issue among the Linux developer community, and the UMN Department of Computer Science and Engineering (CSE) apologized for the incident a day later. But the need to double-check all of the university's contributions to the Linux kernel still raised the ire of many already-quite-busy Linux developers.

Lu, Wu, and Pakki remained silent—it seems Linux creator Linus Torvalds publicly responded to the controversy before the UMN trio did. That changed with the email to the Linux kernel mailing list on Saturday, in which the researchers attempted to explain the situation while simultaneously apologizing for the trouble it's caused.

"This current incident has caused a great deal of anger in the Linux community toward us, the research group, and the University of Minnesota," they said. "We apologize unconditionally for what we now recognize was a breach of the shared trust in the open source community and seek forgiveness for our missteps."

The UMN researchers also clarified that the "hypocrite commits" research didn't introduce vulnerabilities to the Linux kernel, said "all the other 190 patches being reverted and re-evaluated were submitted as part of other projects and as a service to the community," and offered more details about the commits made in early April.

"We had been conducting a new project that aims to automatically identify bugs introduced by other patches (not from us)," they said. "Our patches were prepared and submitted to fix the identified bugs to follow the rules of Responsible Disclosure, and we are happy to share details of this newer project with the Linux community."

The researchers ended their message with another apology and a promise that they've learned from the incident. "We can and will do better," they said, "and we believe we have much to contribute in the future, and will work hard to regain your trust." Whether or not they'll be afforded the chance to do so will likely depend on both the Linux community and the results of the UMN CSE's investigation.

Nathaniel Mott
Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

14 Comments Comment from the forums
  • ginthegit
    I am going to post again what I put on the other Forum as I find this article is downplaying the Universities role in trying to insert Code to the Kernel that could damage the security.

    this is just another downplay of the truth

    The following was written about the issue

    The Linux Foundation has banned the entire University of Minnesota from contributing to the Linux kernel. The expulsion comes after researchers from the school published a paper titled "Open Source Insecurity: Stealthily Introducing Vulnerabilities via Hypocrite Commits."

    This implies that they were banned for bad reason, but I more likely believe this one.

    Greg Kroah-Hartman bans University of Minnesota from Linux development for deliberately buggy patches
    Which is happening alot in this Bi partisan world, where Leftist technocrats want to control or have a backdoor to everything. The CIA and FBI have always tried, but LINUX is free and for the people. And if Greg did this, I am sure that it was for good reason, and the Woke! University has been caught red handed. Greg has shown that he takes his job seriously and has checked every line of code and found that the University's programmers have been nafarious.
    Reply
  • CerianK
    The activity of UMN would have been perfectly acceptable if had been done with full knowledge of (perhaps only a few) leaders in the Linux community as part of a broader security audit, with specifically defined goals and controls.

    Failing that, I take the stance that Linux, and other open-source projects, should treat the code as if it personally belonged to each individual, therefore would never intentionally introduce code that is contrary to the code integrity.

    How the above logic would not be obvious to legitimate researchers escapes me. That lapse might be the topic for a whole other discussion.
    Reply
  • Kamen Rider Blade
    I think the entire Open Source Community should just Black List those specific Contributors and the entire University of Minnesota as well just to be safe.

    Spread the word, have them Black Listed for life.
    Reply
  • ginthegit
    CerianK said:
    The activity of UMN would have been perfectly acceptable if had been done with full knowledge of (perhaps only a few) leaders in the Linux community as part of a broader security audit, with specifically defined goals and controls.

    Failing that, I take the stance that Linux, and other open-source projects, should treat the code as if it personally belonged to each individual, therefore would never intentionally introduce code that is contrary to the code integrity.

    How the above logic would not be obvious to legitimate researchers escapes me. That lapse might be the topic for a whole other discussion.

    I don't want to be Racist here, its more the political Ideology I wish to get at. Look at the names and nationalities of the Contributors from the UMN. Chinese, and China have been causght with thier fingers in the cookie jars fairly often recently. Windows is so buggy even script Kiddies can hoax people into running malicious code and spying with the result.

    Greg, the guy in charge who got them banned, said it was nothing to do with their written article, it was purly on him checking their code, line by line, and finding code that was redundant. When checking the code more closely, he could see that is was not only weakening the Kernel, it was intentionally adding security Flaws.

    This cover story is down playing the truth... GO TO THE SOURCE, GO TO GREG'S MESSAGE AS HE WAS THE ONE THAT BANNED THEM...

    There is conjecture of Bull crap narrative, and there is the truth... and Greg said the truth!
    Reply
  • CerianK
    ginthegit said:
    ... When checking the code more closely, he could see that is was not only weakening the Kernel, it was intentionally adding security Flaws.
    I wasn't aware of that. If that is the case, then the time needs to be taken to write and publish an exploit against the commit(s). Then the argument takes on a new life and UMN needs an additional slap with it.

    Failing that, and regarding racism/political ideology you mentioned... that computer science researchers are Chinese is not surprising at a university (unless the university uses racist quotas for admission)... a significant fraction of the researchers in my area of computer science expertise are Chinese (and some of my Chinese friends in this country are the most passionate anti-socialists, which is why they came to this country in the first place) .
    Reply
  • cryoburner
    CerianK said:
    The activity of UMN would have been perfectly acceptable if had been done with full knowledge of (perhaps only a few) leaders in the Linux community as part of a broader security audit, with specifically defined goals and controls.
    It's possible that those leaders wouldn't want there to be a paper highlighting how vulnerable open source software is to malicious contributions though, and would go out of their way to make sure that the code gets caught, even if it wouldn't have been otherwise. It's in their best interest to have people believe that their software is secure, after all, so they can't necessarily be trusted to not manipulate the results in their favor.

    Realistically, there's probably malicious code inside widely-used open-source software that manages to get past audits and go undiscovered. When there are organizations spending billions to actively seek out ways to compromise devices, you can be almost sure that the operating system used on the vast majority of the world's servers has been compromised to at least some degree.
    Reply
  • ginthegit
    CerianK said:
    I wasn't aware of that. If that is the case, then the time needs to be taken to write and publish an exploit against the commit(s). Then the argument takes on a new life and UMN needs an additional slap with it.

    Failing that, and regarding racism/political ideology you mentioned... that computer science researchers are Chinese is not surprising at a university (unless the university uses racist quotas for admission)... a significant fraction of the researchers in my area of computer science expertise are Chinese (and some of my Chinese friends in this country are the most passionate anti-socialists, which is why they came to this country in the first place) .

    Not all Ethic Chinese are communists, But the rich ones that get money seemingly from nowhere, these are the ones to take note of.
    China sends many of its young learners here and expect them to return to the communist revolution of the world.. But like some of my Chinese pals from my Uni days, they had no intention of returning after they completed their degree.
    Reply
  • ginthegit
    Greg Kroah-Hartman bans University of Minnesota from Linux development for deliberately buggy patches. Some researchers tried to slip bad patches into the Linux kernel as a "test." When they kept trying, Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, put an end to their efforts.5 days ago

    The fact that the press completely changed the narrative tells you alot. Then this excuse was made that was completely different...

    We were just testing you Greg.... OVER AND OVER AND OVER AGAIN... Never thinking to tell you if one managed to get though. Greg the Hero Kicks Azz.

    Greg Kroah-Hartman bans University of Minnesota from Linux ...
    https://www.zdnet.com/article/greg-kroah-hartman-bans-university-of-minnesota-from-linux-development-for-deliberately-buggy-patches/
    Reply
  • ottonis
    The involved researchers have broken all rules of good scientific practices by not telling anyone what they intend to do and without asking anyone for permission to do so. Actually, such unscrupulous people should be banned from doing scientific research at all.
    It would have been extremely easy to talk to Linus Torvalds or some other person and discuss with them the proposed research project: "Look, we want to test the hypothesis that a malevolent person could introduce some patches with a backdoor or other bugs and thus compromise the Liux kernel. Let us test this hypothesis by submitting anonymously such faulty patches and let's have look if the Linux kernel team will be able to detect the malicious code parts or not."

    This would have been the only right way to do that kind of research. Does the university of Minnesota even have some sort of research ethics committee? Is there an instance that checks the ethical implications of the research conducted at this university? Doesn't seem so, or there is no good use of it, it seems.

    I mean, Linux is used in all kind of computers and machines and introducing a bug that would lead to a malfunction could harm goods or even put people's lives in danger.

    Inexcusable!
    Reply
  • ottonis
    Kamen Rider Blade said:
    I think the entire Open Source Community should just Black List those specific Contributors and the entire University of Minnesota as well just to be safe.

    Spread the word, have them Black Listed for life.

    I fully agree, and on top of that these guys should be banned from doing any scientific work at all. They have disregarded all good scientific practices and potentially may have put human lives at risk (for example if a Linux based machine that is involved in some medical processes gets compromised and turns out wrong numbers)
    Reply