Comment by devit

4 years ago

The project is interesting, but how can they be so dumb as to post these patches under an @umn.edu address instead of using a new pseudonymous identity for each patch?!?

I mean, sneakily introducing vulnerabilities obviously only works if you don't start your messages by announcing you are one of the guys known to be trying to do so...

That's kind of the rub. They used a university email to exploit the trust afforded to them as academics and then violated that trust. As a result that trust was revoked. If they want to submit future patches they'll need to do it with random email addresses and will be subject to the scrutiny afforded random email addresses.

  • I doubt a university e-mail gives you significantly increased trust in the kernel community, since those are given to all students in all majors (most of which are of course much less competent at kernel development than the average kernel developer).

    • There are two different kinds of trust: trust that you're a legitimate person with good intentions, and trust that you're competent.

      A university or corporate e-mail address helps with the former: even if the individual doesn't put their real name into their email address, the institution still maintains that mapping. The possibility of professional, legal, or social consequences attaching to your real-world identity (as is likely to happen here) is a generally-effective deterrent.

    • University students could be naive and could be rapped by the community if they unintentionally commit harmful patches, but if they send intentionally harmful patches, maintainers can report them to the university and they risk getting expelled. In this particular case the research was approved and encouraged by the university, and in the process they broke the trust placed in the university.

  • Why should an academic institution be afforded any extra trust in the first place?

    • One guess would be that an edu address would be tied to your real identity, whereas a throwaway email could be pseudonymous.

    • Because there are quite a few academics working on the kernel in the first place (not in a similar order of magnitude compared to industry, of course). Even GKH gets invited by academics to work together regularly.