Comment by rubyn00bie

4 years ago

This is supremely fucked up and I’d say is borderline criminal. It’s really lucky asshole researchers like this haven’t caused a bug that cost billions of dollars, or killed someone, because eventually shit like this will... and holy shit will “it was just research” do nothing to save them.

How come there's no ethical review for research that interacts with people? (I mean it's there in medicine and psychology, and probably for many economics experiments too.)

edit: oh, it seems they got an exemption, because it's software research - https://news.ycombinator.com/item?id=26890084 :|

  • I can’t imagine it will stay that way forever. As more and more critical tools and infrastructure go digital, allowing people to just whack away at them or introduce malicious/bad code in the name of research is just going to be way too big of a liability.

This is actually just the elitist version of "it's just a prank, bro!"

And you're right, bugs in the linux kernel could have serious consequences.

Any organization that would deploy software that could kill someone without carefully and personally reviewing it for fitness of purpose, especially when the candidate software states that it waives all liability and waives any guarantee that it is fit for purpose (as stated in sections 11 and 12 of the GPLv2 [1]), is criminally irresponsible. Though it is scummy to deliberately introduce defects into an OSS project, any defects that result in a failure to perform are both ethically and legally completely on whoever is using Linux in a capacity that can cost billions of dollars or kill someone.

[1] https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html

I agree, I think a more broad ban might be in order. I don't know that I'd want anyone from this "group" contributing to anything.

So aren’t there tests and code reviews before pushing them to the Stable code base?

  • Yes, there are. Will they find everything? No. Would I be pissed if this caused silent corruption of my filesystem, or some such crap that's hard to test, due to this uni trying to push memory misuse vulnerabilities into the kernel through some obscure driver that is not normally tested that much, but which I use on my SBC farm? Yes.

    Maybe they had some plan for immediate revert when the bogus patch got into stable, but some people update stable quickly, for a good reason, and it's just not good to do this research this way.

I agree that it's bad behavior, but if you have billions of dollars resting on open-source infrastructure, you better know the liabilities involved.

It’s just a shame there is no mechanism in the license to withdraw permission for this so-called university to use Linux at all.

  • It is by design; not having such mechanisms is one of the goals of free software: free for everyone, no exceptions.

    See the JSON.org license, which says the software "shall be used for Good, not Evil" and is not considered free software.

    • "Free" is the confusing word here, because it has two meanings, and it is often used without context in open source software.

      Typically, OSS is both definitions at the same time - free monetarily, and "free" as in "freedom" to use. JSON is an interesting case of "free" monetarily but not totally "free for use".

  • That is expressly the opposite goal of open source. If you arbitrarily say foo user cannot use your software, then it is NOT open source. That's more like source-available.

    Nobody would continue to use Linux if they randomly banned people from using it, regardless of the reason.

    [side note] This is why I despise the term "open source". It obscures the important part of user freedom. The term "Free/libre software" is not perfect, but it doesn't obscure this.