
| From: Aruna Hewapathirane via talk <talk@gtalug.org>

Thanks for pointing this out. (I used to subscribe to the LKML but it just got too voluminous.)

| I am still trying to understand the reason 'why' would anyone even want to
| do this ?

The first question is "what, exactly, is 'this'?".

I've ONLY read media reports and their recent apology. So I'm not the most informed.

<https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/T/#u>

Some reactions.

The apology starts with:

"We sincerely apologize for any harm our research group did to the Linux kernel community."

This common formulation rubs me the wrong way. The word "any" means that they are not actually admitting to there being harm. If they had used "the" or "all", I would interpret it as a genuine apology.

Later they seem more contrite. But it is buried at the end of a paragraph, near the end of the message:

"We apologize unconditionally for what we now recognize was a breach of the shared trust in the open source community and seek forgiveness for our missteps."

I think that they may have done the communities a service. This kind of weakness injection has always been available to bad actors. In this case, it was an actor intending to do good.

- they don't think that they actually added a vulnerability
- they demonstrated how adding a vulnerability could be done

GKH appears to have over-reacted. (I may be wrong: he's always seemed like a rock-steady guy.) He's reverting 190 commits that were not declared to be part of this experiment. It is claimed, in the apology, that those ones were done in good faith.

I do find it odd that the "research" was done last August but that the hoax was only revealed recently.

Looking more closely at a claim in the apology message:

* This work did not introduce vulnerabilities into the Linux code. The three incorrect patches were discussed and stopped during exchanges in a Linux message board, and never committed to the code. We reported the findings and our conclusions (excluding the incorrect patches) of the work to the Linux community before paper submission, collected their feedback, and included them in the paper.

What "message board"? Do they mean the Linux Kernel Mailing List (not a message board)?

What does "stopped" actually mean? My understanding was that these changes were actually committed. Perhaps I'm wrong.

This is intriguing:

* We understand the desire of the community to gain access to and examine the three incorrect patches. Doing so would reveal the identity of members of the community who responded to these patches on the message board. Therefore, we are working to obtain their consent before revealing these patches.

So there *must* be more disclosure. Until then, we cannot be satisfied.