
On 2021-04-25 4:41 p.m., D. Hugh Redelmeier via talk wrote:
| From: Alvin Starr via talk <talk@gtalug.org>
| If the zdnet report is to be believed then there was at least one attempt to
| insert code after being found out and asked to stop.
|
| https://www.zdnet.com/article/greg-kroah-hartman-bans-university-of-minnesot...

See: <https://lore.kernel.org/linux-nfs/20210407001658.2208535-1-pakki001@umn.edu/>
I don't think that Steven J. Vaughan-Nichols' interpretation is correct (it seems to be GKH's). If you look at the email exchange in question, the "attempt to insert code" was an attempt to submit a real bug-fix, not an attempt to add a bug. But:
- the fix was to a bug that didn't exist. Careful reading of the surrounding code shows that the problem addressed could not happen.
- it is hard to understand leaks and non-leaks, so this submission only shows that Pakki is not yet a good kernel programmer.
- it does not introduce a vulnerability

This is kind of getting into the weeds.

The offending paper that looks to describe what was done can be found at https://github.com/QiushiWu/qiushiwu.github.io/blob/main/papers/OpenSourceIn...

The paper appears to have been posted 3 months ago along with all the other content in the site. This would appear to predate the email thread where this all blew up. On the other hand I am not sure how much to trust the github posting dates.

I think https://davisjam.medium.com/ethical-conduct-in-cybersecurity-research-86d13b... provides an eloquent description of the events and actions of most of the actors involved.

--
Alvin Starr || land: (647)478-6285
Netvel Inc. || Cell: (416)806-0133
alvin@netvel.net ||