linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: Pavel Machek <pavel@ucw.cz>
Cc: linux-kernel@vger.kernel.org, Kangjie Lu <kjlu@umn.edu>,
	tech-board@lists.linux-foundation.org
Subject: Re: Report on University of Minnesota Breach-of-Trust Incident
Date: Thu, 6 May 2021 11:40:41 -0700	[thread overview]
Message-ID: <202105061042.E99B414F0A@keescook> (raw)
In-Reply-To: <20210506082616.GA20224@duo.ucw.cz>

On Thu, May 06, 2021 at 10:26:16AM +0200, Pavel Machek wrote:
> Hi!
> 
> > Report on University of Minnesota Breach-of-Trust Incident
> > 
> > 	or
> > 
> > "An emergency re-review of kernel commits authored by members of the
> >  University of Minnesota, due to the Hypocrite Commits research paper."
> > 
> > May 5, 2021
> 
> Thanks for doing this. I believe short summary is that there was some
> deception from UMN researches in 2020:
> 
> > 2020 August:
> >   - "Hypocrite Commits" patches from UMN researchers sent to kernel developers
> >     under false identities:
> >     - Aug 4 13:36-0500
> > 	https://lore.kernel.org/lkml/20200804183650.4024-1-jameslouisebond@gmail.com
> >     - Aug 9 17:14-0500
> > 	https://lore.kernel.org/lkml/20200809221453.10235-1-jameslouisebond@gmail.com
> >     - Aug 20 22:12-0500
> > 	https://lore.kernel.org/lkml/20200821031209.21279-1-acostag.ubuntu@gmail.com
> >     - Aug 20 22:44-0500
> > 	https://lore.kernel.org/lkml/20200821034458.22472-1-acostag.ubuntu@gmail.com
> >     - Aug 21 02:05-0500
> > 	https://lore.kernel.org/lkml/20200821070537.30317-1-jameslouisebond@gmail.com
> 
> But there was no deception from UMN in 2021. Yet, we were
> spreading... let's say inaccurate information as late as this:
> 
> > 2021 April 29:
> >   - Greg posts an update on the re-review along with some more reverts.
> > 	https://lore.kernel.org/lkml/20210429130811.3353369-1-gregkh@linuxfoundation.org
> 
> # Commits from @umn.edu addresses have been found to be submitted in "bad
> # faith" to try to test the kernel community's ability to review "known
> # malicious" changes.

I would agree that the phrasing here is sub-optimal in that it could
more clearly separate a few related things (e.g. "malicious change" vs
"valid fix"). If I were writing this, I would have said something along
the lines of:

  Commits from UMN authors have been found to be submitted with intentional
  flaws to try to test the kernel community's ability to review "known
  malicious" changes. ...
  During review of all submissions, some patches were found to be
  unintentionally flawed. ...
  Out of an abundance of caution all submissions from this group must be
  reverted from the tree and will need to be re-review again. ...

I would also note that in that thread Greg reviewed all the mentioned
patches, clearing all but two of them (which were duplicates to earlier
review).

> UMN apologized. Our reaction to their apology was:
> 
> https://lore.kernel.org/lkml/YIV+pLR0nt94q0xQ@kroah.com/#t
> 
> Do we owe them apology, too?

I will defer to Greg on what he thinks his duties are there, but in
trying to figure out who "we" is, I'll just point out that I attempted
to clarify the incorrect assumptions about the intent of historical UMN
patches, and spoke for the entire TAB (Greg included) here:
https://lore.kernel.org/lkml/202104221451.292A6ED4@keescook/
The report repeated this in several places, and we explained our need
for due diligence.

-Kees

-- 
Kees Cook

  reply	other threads:[~2021-05-06 18:40 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-05 17:07 Report on University of Minnesota Breach-of-Trust Incident Kees Cook
2021-05-06  8:26 ` Pavel Machek
2021-05-06 18:40   ` Kees Cook [this message]
2021-05-06 21:02     ` Metztli Information Technology
2021-05-11 15:39       ` Richard Guy Briggs
2021-05-06 21:40     ` Pavel Machek
2021-05-08  1:30 ` Kangjie Lu
2021-05-09 17:56   ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202105061042.E99B414F0A@keescook \
    --to=keescook@chromium.org \
    --cc=kjlu@umn.edu \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pavel@ucw.cz \
    --cc=tech-board@lists.linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).