The University of Minnesota has been banned from contributing to the Linux kernel by one of the kernel's maintainers after researchers at the school apparently knowingly submitted code with security flaws.
Earlier this year, two researchers from the university released a paper detailing how they submitted known security vulnerabilities to the Linux kernel to show how potentially malicious code could pass the approval process. Now, after another student submitted code that allegedly does nothing, kernel maintainer and Linux Foundation fellow Greg Kroah-Hartman has issued a statement calling on all kernel maintainers to refuse code submissions from anyone using a umn.edu email address.
In addition to new code from the university no longer being accepted, all code it submitted in the past will be removed and reassessed. That looks like a lot of work, but Kroah-Hartman made it clear that the developer community doesn’t appreciate being “experimented on” and that the research has called all of the university’s code into question.
The university has issued a statement, saying it has been made aware of the research and the subsequent ban on contributing. It says it has suspended that line of research and will investigate how the research was approved and conducted.
In a statement intended to clarify the study, the researchers said they wanted to draw attention to issues with the submission process – mainly the fact that bugs, including bugs that may have been maliciously crafted, could slip through. Kernel developer Laura Abbott countered this in a blog post, saying that the possibility of bugs slipping through is well known in the open-source software community. In what looks like a private message, the person who submitted the allegedly non-functional code called Kroah-Hartman’s allegations that the code was known to be invalid “wild” and “bordering on slander”.
It is unclear whether that submission – which started the current controversy – was actually part of a research project. The person who submitted it did so with their umn.edu email address, while the patches submitted in the study were sent from random Gmail addresses, and the submitter claimed that the faulty code was created by a tool. In his response, Kroah-Hartman said he felt it was unlikely that a tool had created the code and that, given the research, he could not trust that the patch was made in good faith anyway.
There has been criticism from some in the open-source community, who say that Kroah-Hartman’s decision to remove patches submitted by U of M contributors is an overreaction that could lead to bugs fixed by legitimate patches being reintroduced. However, it is worth noting that the plan is to reassess the patches and resubmit them if they are found to be valid.