Comment by jovial_cavalier

15 hours ago

See another comment I made in this thread about GKH's response - the UMN group submitted a handful of small patches as part of this study, and "wasted" probably a handful of man-hours or at worst a few man-days of maintainer time. I don't really consider it a waste because evidence that critical open source infrastructure doesn't bother to run static analysis before merging code from randos is actually useful information that the public deserves to have.

GKH's response was to waste man-weeks or man-months of maintainer time persecuting every last commit that happened to come from umn.edu, despite having zero reason to believe these commits were more suspect than any other institution's commits.

> evidence that critical open source infrastructure doesn't bother to run static analysis before merging code from randos is actually useful information that the public deserves to have.

It's totally possible to obtain evidence of that without being an asshole to kernel maintainers. Which is the kind of thing that an ethics review conducted before the experiment could have pointed out. If the goal of the experiment was merely to demonstrate the lack of routine static analysis capable of catching such vulnerabilities, then the experiment's design was not justified and the experiment was needlessly harmful to non-consenting participants.