Comment by eatbitseveryday
4 years ago
> The foundation should sue the responsible profs personally and seek criminal prosecution.
This is overkill and uncalled for.
Organizing an effort, with a written mandate, to knowingly introduce kernel vulnerabilities, through deception, that will spread downstream into other Linux distributions, likely including firmware images, which may not be patched or reverted for months or years - does not warrant a criminal investigation?
The foundation should use recourse to the law to signal they are handling it, if only to prevent these profs from being mobbed.
I think you are misunderstanding what happened. They emailed the patches to the maintainers, and when the maintainers responded "this looks good", then told them there was a bug in the patch. They never committed a bad patch to the source tree. The problem is they were deceptive in their initial email, not that they actually introduced kernel vulnerabilities. No bad code was ever committed, and they had a written mandate to verify that.
No, the parent is correct: malicious commits made it into stable.
https://lore.kernel.org/lkml/78ac6ee8-8e7c-bd4c-a3a7-5a90c7c...
https://lore.kernel.org/linux-nfs/CADVatmNgU7t-Co84tSS6VW=3N...
Except Greg K-H disagrees with the students, stating it did make it to stable.
I trust Greg over the students.
How exactly is a lawsuit overkill? If the researchers are in the right, the court will find in their favor.
And if they aren't and it doesn't, will the maintainers be happier? No, just older and poorer.