Comment by DetroitThrow
4 years ago
It's deleted so I was going off of the quoted text in Greg's response that their patches were being submitted without any pretext of "don't let this reach stable".
I trust Greg to have not edited or misconstrued their response.
https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah...
Yeah, I saw that. But the whole thing is a bit too unclear to me to know what happened.
I'm not saying this is innocent, but it's not at all clear to me that vulnerabilities were deliberately introduced with the goal of allowing them to reach a release.
Anyway, like I said, too unclear for me to have an opinion.
I'm a little confused what's unclear if you happened to see that comment - as mentioned elsewhere in this thread, the bad actors state in a clarification paper that no faulty commits reached a stable branch, in the original paper state that the no patches were being applied at all and that essentially state the research was all email communication AND worded it such that they 'discovered' bad commits rather than introduced them (seemingly just obtuse enough for a review board exemption on human subject research), despite submitting patches, acknowledging they submitted commits, and Leon and Greg finding several vulnerable commits that reached stable branches and releases. For example: https://github.com/torvalds/linux/commit/8e949363f017
While I'm sure a room of people might find it useful to psychoanalyze their 'unclear' but probably malicious intent, their actions are clearly harmful to researchers, Linux contributors, direct Linux users, and indirect Linux users (such as the billions of people who trust Linux systems to store or process their PII data).