April 26, 2021 12:22 pm GMT

LINUX KERNEL: Researchers from University of Minnesota had no bad intentions - lift ban

The University of Minnesota has been banned from contributing to the Linux kernel by one of its maintainers after researchers from the school apparently knowingly submitted code with security flaws.

This is my personal view after reading their open letter to the Linux kernel community. I believe the Linux kernel community can look into this matter with a warning.

Matter:
Earlier this year, two researchers from the university released a paper detailing how they had submitted known security vulnerabilities to the Linux kernel in order to show how potentially malicious code could get through the approval process.
Link of paper: https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf

Now, after another student from the university submitted code that reportedly does nothing, kernel maintainer and Linux Foundation fellow Greg Kroah-Hartman has released a statement calling for all kernel maintainers to reject any code submissions from anyone using a umn.edu email address.

I have been meaning to do this for a while, but recent events have finally forced me to do so.

Commits from @umn.edu addresses have been found to be submitted in "bad faith" to try to test the kernel community's ability to review "known malicious" changes. The result of these submissions can be found in a paper published at the 42nd IEEE Symposium on Security and Privacy entitled, "Open Source Insecurity: Stealthily Introducing Vulnerabilities via Hypocrite Commits" written by Qiushi Wu (University of Minnesota) and Kangjie Lu (University of Minnesota).

[....]

but they should be aware that future submissions from anyone with a umn.edu address should be by default-rejected unless otherwise determined to actually be a valid fix (i.e. they provide proof and you can verify it, but really, why waste your time doing that extra work?)

thanks,

greg k-h

You can read the full mail here:
https://lore.kernel.org/lkml/[email protected]/

In a statement meant to clarify the study, the researchers said they intended to bring attention to issues with the submission process: mainly, the fact that bugs, including ones that were potentially maliciously crafted, could slip through. Kernel developer Laura Abbott countered this in a blog post, saying that the possibility of bugs slipping through is well known in the open-source software community. In what appears to be a private message, the person who submitted the reportedly nonfunctional code called Kroah-Hartman's accusations that the code was known to be invalid "wild" and "bordering on slander".

It's unclear whether the submission that kicked off the current controversy was actually part of a research project. The person who submitted it did so with their umn.edu email address, while the patches submitted in the study were sent through random Gmail addresses, and the submitter claimed that the faulty code was created by a tool. Kroah-Hartman's response basically said that he found it unlikely that a tool had created the code, and, given the research, he couldn't trust that the patch was made in good faith either way.

The university's open letter to the community:

April 24, 2021

An open letter to the Linux community

Dear Community Members:

We sincerely apologize for any harm our research group did to the Linux kernel community. Our goal was to identify issues with the patching process and ways to address them, and we are very sorry that the method used in the hypocrite commits paper was inappropriate. As many observers have pointed out to us, we made a mistake by not finding a way to consult with the community and obtain permission before running this study; we did that because we knew we could not ask the maintainers of Linux for permission, or they would be on the lookout for the hypocrite patches. While our goal was to improve the security of Linux, we now understand that it was hurtful to the community to make it a subject of our research, and to waste its effort reviewing these patches without its knowledge or permission.

We just want you to know that we would never intentionally hurt the Linux kernel community and never introduce security vulnerabilities. Our work was conducted with the best of intentions and is all about finding and fixing security vulnerabilities.

The hypocrite commits work was carried out in August 2020; it aimed to improve the security of the patching process in Linux. As part of the project, we studied potential issues with the patching process of Linux, including causes of the issues and suggestions for addressing them.

* This work did not introduce vulnerabilities into the Linux code. The three incorrect patches were discussed and stopped during exchanges in a Linux message board, and never committed to the code. We reported the findings and our conclusions (excluding the incorrect patches) of the work to the Linux community before paper submission, collected their feedback, and included them in the paper.

* All the other 190 patches being reverted and re-evaluated were submitted as part of other projects and as a service to the community; they are not related to the hypocrite commits paper.

* These 190 patches were in response to real bugs in the code and all correct--as far as we can discern--when we submitted them.

* We understand the desire of the community to gain access to and examine the three incorrect patches. Doing so would reveal the identity of members of the community who responded to these patches on the message board. Therefore, we are working to obtain their consent before revealing these patches.

* Our recent patches in April 2021 are not part of the hypocrite commits paper either. We had been conducting a new project that aims to automatically identify bugs introduced by other patches (not from us). Our patches were prepared and submitted to fix the identified bugs to follow the rules of Responsible Disclosure, and we are happy to share details of this newer project with the Linux community.

We are a research group whose members devote their careers to improving the Linux kernel. We have been working on finding and patching vulnerabilities in Linux for the past five years. The past observations with the patching process had motivated us to also study and address issues with the patching process itself. This current incident has caused a great deal of anger in the Linux community toward us, the research group, and the University of Minnesota. We apologize unconditionally for what we now recognize was a breach of the shared trust in the open source community and seek forgiveness for our missteps.

We seek to rebuild the relationship with the Linux Foundation and the Linux community from a place of humility to create a foundation from which, we hope, we can once again contribute to our shared goal of improving the quality and security of Linux software. We will work with our department as they develop new training and support for faculty and students seeking to conduct research on open source projects, peer-production sites, and other online communities. We are committed to following best practices for collaborative research by consulting with community leaders and members about the nature of our research projects, and ensuring that our work meets not only the requirements of the IRB but also the expectations that the community has articulated to us in the wake of this incident.

While this issue has been painful for us as well, and we are genuinely sorry for the extra work that the Linux kernel community has undertaken, we have learned some important lessons about research with the open source community from this incident. We can and will do better, and we believe we have much to contribute in the future, and will work hard to regain your trust.

Sincerely,
Kangjie Lu, Qiushi Wu, and Aditya Pakki
University of Minnesota

Link:
https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/

Further reading:

https://www.google.com/amp/s/www.theverge.com/platform/amp/2021/4/22/22398156/university-minnesota-linux-kernal-ban-research


Original Link: https://dev.to/manishfoodtechs/linux-kernel-researchers-from-university-of-minnesota-had-no-bad-intentions-uplift-ban-433e
