Anyone sporting a University of Minnesota email has been banned from posting on the open-source Linux Kernel Archives after a group of researchers from the institution knowingly submitted buggy patches in order to gauge community reactions for their research.
Brought to our attention via a LinusTechTips forum post, it seems it all began with some researchers from the university utilising the Linux Kernel site to gauge its level of security. The way they went about this research, however, has been considered somewhat unethical by the site's standards, resulting in the blanket ban of future contributions from the university at large.
The researchers had been posting what the maintainer of the site, Greg Kroah-Hartman, identified as 'known-buggy' patches, after which, and without owning up to their machinations, they went on to publish a paper on the topic.
When the site maintainer confronted them, their response was gold:
"I respectfully ask you to cease and desist from making wild accusations that are bordering on slander."
They go on to claim the patches were sent in the hopes of getting feedback, and end with: "Obviously, it is a wrong step but your preconceived biases are so strong that you make allegations without merit nor give us any benefit of doubt. I will not be sending any more patches due to the attitude that is not only unwelcome but also intimidating to newbies and non experts."
Rather than admitting to their somewhat questionable methods, they managed to spin it back around. But Kroah-Hartman's response takes them down a notch, calling them out on a public admission to "sending known-buggy patches to see how the kernel community would react."
Kroah-Hartman criticizes their "continuing to experiment on the kernel community developers" after the group submitted "a new series of obviously-incorrect patches." He notes that, rather than asking for help as most users would in the instance of being unsure about a patch, the group claimed these were legitimate fixes which they "KNEW to be incorrect."
Kroah-Hartman then announces a ban on "all future contributions" from the University, as well as a pull of the researchers' prior posts, due to their being "obviously submitted in bad-faith with the intent to cause problems."
After all this went off on the site, the University of Minnesota submitted a statement of concern over the research, in which it explains the research was being "conducted by one of its faculty members and graduate students," and that the methods undertaken "raised serious concerns." Following this, the Linux Foundation sent a request to the University, outlining the steps that should be taken in order to rectify the misstep.
The University of Minnesota has since issued an open apology letter to the Linux community, in which it notes that the patches submitted "did not introduce vulnerabilities into the Linux code."
That's good to know, but the main issue was the non-consensual nature of the experimentation. To which the university nods: "While our goal was to improve the security of Linux, we now understand that it was hurtful to the community to make it a subject of our research."
Finally, after all the back and forth, the University's department of Computer Science and Engineering issued a response that goes through all the ways it has been making amends.
So it looks like the ruckus has died down a bit, and although there's no word on whether the ban will be lifted from the Linux Foundation as yet, it seems the institutions have come to an accord.
Let's hope this serves as a warning to anyone planning to experiment on unknowing developers—they won't take it lying down.