linux-kernel.vger.kernel.org archive mirror
From: Kees Cook <keescook@chromium.org>
To: Kangjie Lu <kjlu@umn.edu>
Cc: open list <linux-kernel@vger.kernel.org>,
	tech-board@lists.linux-foundation.org
Subject: Re: Report on University of Minnesota Breach-of-Trust Incident
Date: Sun, 9 May 2021 10:56:43 -0700
Message-ID: <202105090945.2B5129E9@keescook>
In-Reply-To: <CAK8Kejr8bggXruciJT=JW3mk2z=WxYrtN+HBouPq4E2FU=6GrQ@mail.gmail.com>

On Fri, May 07, 2021 at 08:30:21PM -0500, Kangjie Lu wrote:
> We again extend our apologies to the Linux Kernel Community for the
> concerns and extra work caused by our inappropriately designed
> "hypocrite commits" project. We also want to express our appreciation
> for the thoughtful report released by the Linux Technical Advisory
> Board (TAB) on May 5, 2021
> (https://lore.kernel.org/lkml/202105051005.49BFABCE@keescook/), and
> the willingness of the Linux Foundation to meet with us on May 6,
> 2021.

Awesome; thank you for the apology, and thanks for working with us on
sorting this all out.

> The University of Minnesota team has reviewed the TAB findings and
> wants to confirm that the findings are comprehensive with an exception
> discussed below.
> 
> One email address missing is a visiting student in the team who used
> the account “Wenjia Zhao <driverfuzzing@gmail.com>” to send four
> patches for bugs found by a tool:
> https://lore.kernel.org/patchwork/project/lkml/list/?series=&submitter=29945&state=*&q=&archive=both&delegate=.
> None of those patches were accepted or merged.

Ah-ha; thanks for pointing this out!

For my own reference, here's the public-inbox search:
https://lore.kernel.org/lkml/?q=f%3A%22Wenjia+Zhao%22

> All Minnesota patches submitted before August 9, 2020 were part of
> previous bug-finding research projects and submitted in good faith and
> intended to address bugs in the Linux Kernel. The four patches

Yes, and speaking for myself and the larger community: thank you for
this work! There are a lot of bugs, and while exploring new ways to
find bugs is certainly useful, it's the _fixing_ of them that is the
most important thing for Linux. (Best, of course, is discovering and
removing entire bug _classes_, of course.)

There is a lot of research done on the Linux code base, but only a
small set of researchers actually take the extra time and effort to
send patches. So, thank you (and them) for doing that.

It sounds like we're now all on the same page about creating spaces
to further support mentoring (both internally within your group and
externally in public for all interested researchers) to help with both
patch submission process and technical improvements. This will be an
ongoing process, and as plans solidify on our side in the coming weeks
we'll keep you in the loop.

> Furthermore, we want to state unequivocally that no other Linux
> components or any other open software systems were affected by the
> 'hypocrite commits' case study or by any of our other research
> projects. Our “hypocrite commit” work was limited to the Linux Kernel
> only and consisted of only the four patches (one is valid) submitted
> between August 9, 2020 and August 21, 2020.

Thanks for this clarification, too. We had fielded several questions
about this, and I'm sure they weren't the only folks wondering. :)

> We reiterate our apology, and we rededicate ourselves to educating our
> faculty and students in conducting research that is not only of the
> highest technical quality, but also follows the highest ethical
> standards.

Thank you again. I think we all have a good opportunity here to make
the best of the situation and come out the other side for the better.

-Kees

-- 
Kees Cook
