104 comments

[ 2.9 ms ] story [ 216 ms ] thread
what are the specific actions that the university has to take that were mentioned here?
i don’t believe those have been made public.
I do think that is a mistake. They should have sent an open letter for transparency.
¯\_(ツ)_/¯ it's not really anyone's business. If it's super unfair the uni would disclose it. I was just kind of curious.
I agree with someguy101010. I don't think it's anyone's business outside the university since this is between them and the kernel team.

I would imagine the kernel folks wouldn't be apt to make it public since it would draw even more attention to this than really needs to be brought, at least from the university's perspective. It would start to smell a bit of airing dirty laundry.

The damage has already been done. There's no need to make it worse.

Perhaps we'll find out more details when the research group and university start to perform those actions.
It seems to me like it’s in the best interest of the community to have an understanding of what steps were asked to be taken in the event contributions are made by those parties in the future. I feel it is important for regaining trust, overall project transparency and for setting a certain degree of precedent.
(comment deleted)
That is strange given that the linux side of this dispute has always been more transparent (or straightforward). I would have to assume the terms are more punitive and personal to not be releasable at this time.
Well, not really an apology rejection.. just a comment that the demands they have need to be met.
Leaving aside the fact that I don't think he rejected their apology, accepting an apology doesn't mean everything goes back to normal. It's reasonable for there to be consequences even if the other party is legitimately sorry.
Yeah this title is editorialized badly.

This is not a rejection - it’s just stating their terms for reengagement were already provided.

The rest is just fluff if they don’t meet those terms, it doesn’t matter.

I wonder what the terms are - they're not public, are they?
It's worth noting that:

a) The vulnerabilities being introduced to the kernel for previous research were not done from university accounts (so banning the university would not have helped)

b) The static analysis research was completely unrelated, it had nothing to do with the work to insert vulns into the kernel.

I'm not sure how relatable this is, but I have been hesitant to accept apologies that are not backed by action. Call it trauma, but I have been burned too many times in the past to accept the words "I am sorry" at face value. Someone who has wronged you is often someone who will make an apology that is insincere.
Besides, love means never having to say you're sorry. Like you said, if you let them go, and they say sorry but don't follow it up with action, maybe they were not yours to begin with.
It’s a gift either way (love or truth).
"Now go and sin no more."
It's curious the specific actions haven't been made public given how public the denouncements and reactions have been.
I think it's asking a lot for them to generate the specific actions in under a week, particularly as these actions will presumably not be needed until the start of the Summer semester at the earliest.
I really liked Greg's response to the non-apology from the UMN researchers. Based on their communication, this research group does not have any idea of what have they done wrong.

At the very least they should have said: we're sorry, we won't do this again, and here is what we will do different next time.

But frankly, this research group should have been mostly apologizing for the way they communicated with the kernel group. Slimy, underhanded attempts to play the victim and use social pressure to silence the valid criticism from the kernel group. No excuse for that in my book. I suspect it's their internal culture that was coming through. They should be nowhere near the kernel or any other important software projects.

It's really hard to just say "I fucked up"

I've seen it multiple time and had strong urges to do it myself. The way I see it, when such become normal is when the organization starts its painful decline.

> But frankly, this research group should have been mostly apologizing for the way they communicated with the kernel group.

???

They submitted patches to the kernel based on a static analysis tool they were building, and then Greg started accusing them of malice, and banned the entire univirsity - how is it the research group that communicated poorly?

Why would they not "do this again" ? They were trying to contribute to the kernel, whether their patches were low quality or not, there was no malice from this group.

They haven't used any social pressure - on the contrary, it's Greg who began this inflammatory, overblown reaction to ban an entire university based on previous research done under non university affiliated email addresses.

Greg made numerous false accusations against Aditya.

edit: Oh and to everyone who I'm sure will just downvote,

https://lwn.net/Articles/854319/

Here's kernel maintainers explaining this mess that Greg made. People are conflating multiple unrelated events because Greg did.

There's two separate research groups involved in this, and while the one that most recently submitted patches did nothing wrong the one behind the "hypocrite commits" did.
"separate" if you ignore that they have the same faculty advisor.
So what? Who cares if they do? Static analysis fixes, whether they're good or bad, are harmless and not malicious. Greg attributed malice to them.

I'm sure many advisors have tons of students contributing to the Kernel or other projects, every single year.

> So what?

For research groups, the faculty advisor is the responsible party; once that party has been shown to act maliciously, extra scrutiny is warranted, unless there is some evidence that durable reform has occurred. (The same might be said less strongly of the institutional source, as well.)

> I'm sure many advisors have tons of students contributing to the Kernel or other projects, every single year.

And virtually all of them have not been—either advisor or institution—responsible for malicious kernel patches.

Actions have consequences.

> once that party has been shown to act maliciously, extra scrutiny is warranted

It's nonsense that they acted maliciously. The original research was handled terribly, but it was not malicious. They intended to help, not hurt, even if they did so very poorly.

Further, that is one advisor, whose name is not being dragged. Aditya's name, however, is, thanks to Greg's slanderous comments.

https://twitter.com/trishalynn/status/1385410960278491137 "I am disgusted by the actions of Aditya Pakki"

https://twitter.com/hedleyroos/status/1386290204298735617 "Aditya Pakki is going to have a hard time finding employment." (this one directly retweeted Greg's post)

https://twitter.com/_mackal/status/1384910754151866370 "The simple fact that Aditya Pakki is so butt hurt proves this wasn't in good faith and their only reason for doing it is to shit out another hit piece. That email you quoted is fucking insane."

https://twitter.com/BeardyNotes/status/1384900450059788288 "Sleazeballs like Aditya Pakki should be fired and disbarred from doing any "research" anywhere in the world!"

https://twitter.com/seakoz/status/1384895697414148096 "Aditya Pakki will forever be googleable as the guy who deliberately tried to make Linux insecure."

Does that seem right to you? Are these the "consequences" you think are justified, because Aditya was trying to add legitimate patches for a tool he was working on to contribute to the kernel?

Greg should publicly apologize to Aditya.

all of those examples are randos with single digit likes/retweets
That faculty advisor has presumably done nothing wrong as part of this group either.
> and while the one that most recently submitted patches did nothing wrong the one behind the "hypocrite commits" did.

The commit that spurred this whole mess was for static analysis research, totally unrelated to the previous commits from quite some time ago related to bugdoors in the kernel.

Greg's reaction was to the static analysis commits, and he alleged (in an incredibly insulting and hostile way) that they were made with malice.

His reaction was that after the previous incident, from a year ago, he couldn't blindly trust something coming from the same source. That group has done no wrong, but they are barely a part of this overall discussion.
> he couldn't blindly trust something coming from the same source.

This is not the same source! It's the same UNIVERSITY, which has thousands of students every year. And the source of the bugs wasn't even from university addresses, it was from random gmail addresses.

Aditya submitted LEGITIMATE patches based on his static analysis tool.

He is being slandered because people won't take 5 seconds to learn the facts.

From what I've been told, UMN aren't active kernel contributors, not making a submission between 2014 and the relevant paper in 2020.

>And the source of the bugs wasn't even from university addresses, it was from random gmail addresses.

I don't know why this really matters. They could be running a similar experiment this time pretending UMN was compromised.

I'm not sure who Pakki is, if he's not part of the first research group at all it is truly unfortunate he is receiving the blame for it. If he was, the internet's reaction is still unwarranted but frankly typical. I don't see how Kroah-Hartman is at fault though.

> I don't know why this really matters.

Because Greg's response doesn't actually address any problem, it's purely grandstanding. The researchers explicitly performed their work not using university addresses, so banning the university does nothing. As Kees Cook has already noted, the vast majority of patches from the university are legitimate.

> I'm not sure who Pakki is

The researcher who submitted output from his legitimate research to try to fix bugs. Greg responded by insulting him, saying he is incompetent, stating that he is malicious, and then that he would ban the university over this.

How could Greg not be at fault? His post made false allegations against Aditya, claiming that he was acting maliciously, and because no one fucking reads anymore, people think Aditya was trying to insert vulnerabilities into the kernel.

I agree that it's terrible that people did not read before tweeting.

I believe Greg was not saying Aditya was both incompetent and malicious. Greg was saying incompetent or malicious. The incompetence stemmed from how Aditya handled his static analysis patches: seemingly no manual review and no explicit statement that the patches were from a tool (which is apparently standard procedure).

I don't know why you're trying to defend Greg so vehemently when all of the facts show that he slandered Aditya - Greg's own words, factual accounts of reality.

Most of Aditya's patches were legitimate. Multiple upstream developers have confirmed this:

> https://lore.kernel.org/lkml/CACRpkdbw_sF2FO0jjq47KStUjvhKvW...

Other kernel maintainers have already picked up on this.

> You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them, and published a paper based on that work.

Here is a direct quote from Greg where he falsely alleges that Aditya is responsible for the previous work.

> Now you submit a new series of obviously-incorrect patches again,

Many of the patches are correct - see the above link where one maintainer points this out.

> So what am I supposed to think here, other than that you and your group are continuing to experiment on the kernel community developers by sending such nonsense patches?

Another false allegation that Aditya is experimenting on the kernel, attributing malice.

> You were not asking for help, you were claiming that these were legitimate fixes, which you KNEW to be incorrect.

Many were legitimate. Again, a false accusation from Greg.

Then Greg goes on to attack him some more, instead of just explaining things to him, like "Hey, in the future can you add 'found by tool xyz'". In other mailing lists kernel maintainers point out that that would have been the sane response, not going to bother to link that.

> Our community welcomes developers who wish to help and enhance Linux. That is NOT what you are attempting to do here, so please do not try to frame it that way.

In fact, that is exactly what Aditya was trying to do.

> Our community does not appreciate being experimented on, and being "tested" by submitting known patches that are either do nothing on purpose, or introduce bugs on purpose.

Aditya did no such thing.

Greg's response is indefensible. It's just littered with insults and attacks, and factually incorrect allegations against a legitimate security researcher.

(comment deleted)
Kroah-Hartman saw a number of patches containing possibly critical bugs, and given past events he assumed they were malicious rather than merely low quality. He soon seemed to realize the mistake, and instigated a second review.

99% of his reaction was related to the previous paper's actions, it's unfortunate that Pakki is getting the blame but from the first post Kroah-Hartman tried to deflect blame away from him.

> but from the first post Kroah-Hartman tried to deflect blame away from him.

Where are people getting this from? Greg literally, explicitly, accuses Aditya of malice. I have repeatedly quoted him doing so.

>Your professor is playing around with the review process...
OK? Greg explicitly accuses Aditya.
He accuses him of doing what his professor told him to do, a deflection of blame. Even the "explicit" accusations you mention reference that he was not acting alone.
Aditya has nothing to do with the research where vulnerabilities were submitted to the kernel.

Again, quoting for the millionth time,

"> You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them, and published a paper based on that work."

YOU. The first word. In a response to Aditya. It's a false allegation, it's literally incorrect.

Aditya was NOT one of the researchers involved in that previous work.

>The first word

Followed by "and your group," which is exactly what my last post said. And even if he was not part of the group that carried out the previous work, he would still be part of the UMN CS research program that "publicly admitted to sending known-buggy patches..."

I've said multiple times it seems that Pakki is receiving far more blame than he deserves. He merely submitted bad patches and got defensive about the manner in which they were rejected.

His supervisor published the hypocrite paper with the introduced vulnerabilities so they are far more linked than just both being at UMN.
I agree with this post.

Greg has conflated Aditya Pakki with the hypocrite commits. Aditya wrote a static analysis tool that generated some bad commits and many acceptable commits.

Greg accused him of intentionally submitting bad patches. That accusation appears to be false. Greg should apologize to Aditya.

It's a testament to how damaging Greg's comments are that this factual account of the situation is not what people are talking about. Greg's comments were outright slanderous and incorect - he wrongfully alleged that Aditya was knowingly contributing bugs to the kernel, when he was only reporting results from a static analysis research tool.

And then Linux mob mentality took over, and Aditya has been dragged through the mud over it.

Again, based on false accusations. Aditya did NOTHING that Greg alleged. Again, NOTHING.

But facts will be downvoted because the Linux mob loves grandstanding on mailing lists.

Aditya should’ve talked to his advisor before suggesting the gatekeepers were, gasp, gatekeeping
The hell are you talking about?

Aditya submitted patches, and Greg alleged that they were malicious and insulted him repeatedly, completely crossing the line from any reasonable technical review over to a direct attack.

Aditya's reputation has suffered massively as a result of doing research to try to help the Linux kernel.

These are the facts of the situation.

No, Aditya's reputation has suffered because he is associated with the University of Minnesota. This is what happens when someone screws up, then all their associates get tarred with the same broad brush, no matter how much they were involved.

I'm familiar with a case where a faculty member engaged in a case of autoplagiarism and submitted the same paper to two high-profile journals. His graduate students had trouble publishing in reputable journals for years after, and he also earned himself a ban from the national funding agency.

For that kind of breach of trust retribution is savage, and that's why you don't engage in it to begin with.

I don't want to write out a thought out response to such a joke of a post, so I'll just jot down some notes:

1. Aditya being affiliated with UMN should not damn him to being falsely accused of malice. Greg and others have repeatedly falsely accused Aditya of making malicious contributions, and your answer is "well he goes to UMN"?

2. Plagiarism is irrelevant, as is your entire reference to some unrelated event.

3. Aditya didn't engage in it, though 'savage' is a fine word for how Greg behaved.

"Joke of a post" is inappropiate.

You are saying what perhaps ought to happen (and that's a matter of debate), and I am saying what has happened, I was talking of a past event that happened as described. A professor committed an act of misconduct, and his students suffered for it. Well, it's happening again.

That's what happens in a reputation-based environment and it's happening again here. We hope the University of Minnesota offers support to the affected students.

Yeah it's utter nonsense. This isn't comparable to plagiarism, and even if it were your story is about a stupid situation just like this one, where innocent, unrelated parties were associated with something they had nothing to do with. That you're somehow saying that this is justified or normal is absurd - we should accuse all students of the university of malice? Everyone tangentially related is guilty? Ridiculous, not even worth arguing against.

The university already apologized. Where is Greg's apology? Where is Greg's retraction for falsely accusing Adity?

Dr. Lu’s research is asking dangerous, thoughtful questions. The answers are sort of unsurprising. It’s not ethical.

As I read the discussion archive carefully: 1) A submits patch 2) G suggests a particular patch was “wasting his time”, and that he’s suspicious of this kind of submission from Dr. Lu and UofM. 3) Nearly a day later, A accuses G of ‘wild accusations, bordering on slander’.

In fact, no one denies that what G claimed is in fact true - that Dr. Lu and his students had a history of submitting “hypocrite” patches. They published about it!

But according to A, it’s G that is being ‘unwelcoming’ and ‘intimidating’, due to ‘preconceived biases’. To me, this is where it starts feeling dramatically personal in nature.

4) I don’t see the language in G’s response to (3) as nearly so personal as (3) itself. It does question A’s professionalism. I’m sympathetic. What was A thinking?

> In fact, no one denies that what G claimed is in fact true

What Greg claims w.r.t. Aditya seems to be false and highly damaging.

Greg wrote: “You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them”

It now appears that Aditya’s patch was submitted in good faith. Greg accused him of intentionally submitting bad patches. That accusation was false.

Aditya’s is upset because a powerful figure in the Linux community had made false and damaging accusations against him. Aditya’s reputation has been damaged by Greg’s false accusations. Greg should apologize.

> It now appears that Aditya’s patch was submitted in good faith.

Citation needed.

> Greg accused him of intentionally submitting bad patches.

From GKH's response to Pakki's claims:

They obviously were _NOT_ created by a static analysis tool that is of any intelligence, as they all are the result of totally different patterns, and all of which are obviously not even fixing anything at all. So what am I supposed to think here, other than that you and your group are continuing to experiment on the kernel community developers by sending such nonsense patches?

When submitting patches created by a tool, everyone who does so submits them with wording like "found by tool XXX, we are not sure if this is correct or not, please advise." which is NOT what you did here at all. You were not asking for help, you were claiming that these were legitimate fixes, which you KNEW to be incorrect.

A few minutes with anyone with the semblance of knowledge of C can see that your submissions do NOT do anything at all, so to think that a tool created them, and then that you thought they were a valid "fix" is totally negligent on your part, not ours. You are the one at fault, it is not our job to be the test subjects of a tool you create.

> That accusation was false.

The accusation is that either Aditya "KNEW" the fixes he claimed to be legitimate were incorrect, or he has not a "semblance of knowledge of C" to see that his submission do NOT do anything at all, or that he was "negligent" on his part.

I've seen no evidence of this accusation being false.

> Citation needed.

Scroll Up. Find https://lwn.net/Articles/854319/ point 2

Consider:

Aditya is not an author on the hypocrite commits paper.

Aditya admitted his “garbage” commit when made aware it was not correct.

Aditya is author of other papers on static analysis. Aditya’s other commits have generally survived this bulk review.

Aditya maintains his claims even as other members of UMN have explained their role in the hypocrite commits.

Aditya’s commits come from a UMN address where as hypocrite commits came from gmail.

It seems likely Aditya is a bad static analyst not a malicious committer.

Greg’s accusations:

> You, and your group, have publicly admitted to sending known-buggy patches [1]

The “you” there is false. Aditya consistently denied being part of the research they has Greg so worked up.

Greg also wrote: > Please stop submitting known-invalid patches. [2]

The evidence above strongly suggests Aditya never did that.

Greg KH has accused Aditya of submitting known buggy patches. Aditya did not do that. Greg should apologize to Aditya for the false accusation.

[1] https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah...

[2] https://lore.kernel.org/linux-nfs/YH5%2Fi7OvsjSmqADv@kroah.c...

They're idiot cultists, they won't listen to facts.
Such radical generalisation isn't helping anyone. It contributes nothing but discouragement at best, and spite and bile at worst, to the conversation. Twitter is nearly a lost cause; let's not turn this place into that too.

I have plainly put forth evidence and openly asked for evidence. Emotional outrage is not a fair return.

The evidence is all out there in the open, I've linked and quoted repeatedly throughout here, and there's a link in the header to UMN's response.

The bias is so blatant, as always - the Linux community continues to refuse to hold maintainers accountable. If people can't be bothered to read the evidence I'm not going to continue to discuss this in good faith.

> The evidence is all out there in the open

But, clearly, not everyone is reading the same things. How could they? Humans aren't a hivemind. I understand that other people can have read different things than I have, that they can have a different view of things than I do, so I present my side of the argument with the evidence that I can find.

Even given the same evidence, I understand that other people can have different interpretations of them, so I present my interpretations while asking for theirs, in the hope that they're sensible people.

> I've linked and quoted repeatedly throughout here

Your discourse with me here has consisted solely of you calling me names (specifically, "idiot cultist") and complaining about other people. Other people that you passive-aggressively lump me into.

> there's a link in the header to UMN's response.

Plenty have seen and read it. I don't know what point you're trying to make by alluding to a curt announcement that can be reduced to "we've paused the research group's activities and are looking into the matter".

Or perhaps you meant to point to the professor's response instead of UMN's. You and I clearly aren't reading it the same way, but I did not bring it up in our discussion and I do not want to now because I do not believe you are being sensible here.

> The bias is so blatant, as always - the Linux community continues to refuse to hold maintainers accountable.

Whatever their crimes are, your behaviour here has been unmitigably worse, and you refuse to hold yourself accountable.

> If people can't be bothered to read the evidence I'm not going to continue to discuss this in good faith.

You haven't been. But, what's worse, you've been trying to prevent others (like me and the person you replied to when you called me an "idiot cultist") from doing so as well.

I posted the evidence above but you didn’t really engage with it much.

Do you think Aditya was acting in bad faith?

> https://lwn.net/Articles/854319/ point 2

That is the opinion of Al Viro, who's one Linux contributor. It does not prove that Pakki was unaware his "patches were utter crap", but does accuse him of being academically dishonest and negligent.

No of course it doesn’t prove anything about Aditya’s state of mind. That’s not something we can really expect to *prove* per se, but it’s supporting evidence. As I said it *appears* he was acting in good faith.

It’s one person reaching the conclusion Aditya’s work was clumsy not malicious.

I listed a bunch of reasons why I also believe that to be so.

Do you disagree? What evidence do you see that Aditya’s commits were malicious? Do you agree with the evidence I listed above?

> No of course it doesn’t prove anything about Aditya’s state of mind. That’s not something we can really expect to prove per se

But you make plenty of statements claiming it's been proven.

> but it’s supporting evidence. As I said it appears he was acting in good faith.

To one (1) person in the group of Linux core contributors. There are multiple others that do not agree with him, from among the same group of people, and just as qualified, as your person.

> I listed a bunch of reasons why I also believe that to be so. > Do you disagree? What evidence do you see that Aditya’s commits were malicious?

I do disagree. The evidence that I see (and find myself agreeing with):

1. The work itself. It is so badly broken that I have to suspect foul play. And Greg's right when claiming that, if Pakki did not know the code he was submitting was broken, he had to have been horribly negligent or incompetent.

2. When presenting the patches, he tried to pass them off as his own. When the flaws were pointed out, then he reveals that the work wasn't his but that of a poorly written automated program. This sounds awfully like an excuse, and a poor one at that.

3. His first response to being called out was to play the "innocent victim" card, with barely an attempt to explain why he submitted code so badly broken. I also disagree with his passive-aggressive, subtly-hidden, claim that it was because he was just "a newbie and a non-expert".

4. I do agree that GKH was quite aggressive in labelling Pakki's work, and that he had no direct evidence for it, but he also explained his reasoning and supplied supporting evidence (I have quoted both in my GP comment), and I find it reasonable for a person in his position (i.e., an unwitting subject of an unethical human experiment) to feel that way.

For these reasons, and for the close association of Pakki and Prof. Lu (who I believe still does not see or accept any wrongdoing on his part), I cannot yet rule out the possibility, nor do I think it is low, that Pakki was also participating in a new, similar experiment.

I am not excusing GKH's rush to conclusion either, though I understand what led him to it. But the matter is still ongoing, though sadly not in public anymore, so I am waiting to see how everyone acts moving forward.

> Do you agree with the evidence I listed above?

I agree partially with some of them. Not enough to reach a conclusion like you.

Some of the rest of it, I think, actually points the other way. For example, the claim that "Aditya’s other commits have generally survived this bulk review" begs the question: If Pakki has demonstrated competence enough for some of his commits to survive subsequent close inspections by experts, then how could he have allowed patches as poor as the ones that sparked this whole brouhaha?

As for the rest of the "evidence" you listed: I simply cannot accept them as evidence, rather as just unsubstantiated claims and expert opinions. The latter has value, though not enough yet to settle the question.

> But you make plenty of statements claiming it's been proven.

Citation needed.

I wrote

> That accusation appears to be false

> What Greg claims w.r.t. Aditya seems to be false

> It now appears that Aditya’s patch was submitted in good faith.

Those aren’t claims of proof. appears, seems, appears.

They are weighing evidence and making a conclusion.

> I cannot yet rule out the possibility, nor do I think it is low, that Pakki was also participating in a new, similar experiment.

Cool we’re close to on the same page, do you think it’s more likely he was participating in a new, similar hypocrite commit experiment or more likely he was submitting buggy patches inadvertently?

(comment deleted)
Fair enough that Greg can’t know whether Aditya is playing a game. But when Greg says “You, and your group” - it’s surely not Greg’s responsibility to untangle the knot at this point. This comes after Aditya had the opportunity to recognize that Dr. Lu and UofM were on Greg’s radar. There was a window of opportunity for working out the details, having some situational awareness, detangling things. Instead, Aditya just hit back, in a personal and to my mind fairly repugnant way. I maintain he should have talked to Dr. Lu at this point because Dr. Lu could have sought a better resolution at this point. Everyone would be better off.

Yeah, Greg seemed angry in response - I think that’s understandable. Should Greg apologize? Sure, why not. But from the skid marks on the road, I’m pretty convinced about who was driving unsafely here.

> surely not Greg’s responsibility to untangle the knot at this point.

This is where we differ. Before you make a false permanent career damaging accusation you should do some basic checking if it’s true?

Greg lost his temper and now can’t back down.

He should have asked himself is it logical that a guy who has dozens of good commits over a period of a year is suddenly submitting known bad commits as part of a research paper that he is not an author of that was published months ago.

> This comes after Aditya had the opportunity to recognize that Dr. Lu and UofM were on Greg’s radar.

It’s not Aditya’s responsibility to read Greg’s mind.

> Instead, Aditya just hit back, in a personal and to my mind fairly repugnant way.

Those are strong accusations can you cite the text Aditya wrote that you believe is “repugnant” ?

Aditya wrote : “ respectfully ask you to cease and desist from making wild accusations that are bordering on slander.”

That’s extremely polite given Greg K H was spreading the phony and damaging story that Aditya was intentionally damaging the Linux kernel.

> he wrongfully alleged that Aditya was knowingly contributing bugs to the kernel, when he was only reporting results from a static analysis research tool.

From GKH's response to Pakki's claims:

They obviously were _NOT_ created by a static analysis tool that is of any intelligence, as they all are the result of totally different patterns, and all of which are obviously not even fixing anything at all. So what am I supposed to think here, other than that you and your group are continuing to experiment on the kernel community developers by sending such nonsense patches?

When submitting patches created by a tool, everyone who does so submits them with wording like "found by tool XXX, we are not sure if this is correct or not, please advise." which is NOT what you did here at all. You were not asking for help, you were claiming that these were legitimate fixes, which you KNEW to be incorrect.

A few minutes with anyone with the semblance of knowledge of C can see that your submissions do NOT do anything at all, so to think that a tool created them, and then that you thought they were a valid "fix" is totally negligent on your part, not ours. You are the one at fault, it is not our job to be the test subjects of a tool you create.

(comment deleted)
Rejects? Responds would be far more accurate. All he said was "we have said what you need to do, other than that nothing needs to be said". He didn't say "you failed to do so, therefore banished forever".
"you failed to do so, therefore banished forever"- Personally I hope that's the next article on this topic. The level of trust that these people have violated is simply beyond the pale.
Agree. Some major changes need to be made to their ethics review process.
The submission title should be changed to something accurate like "Response from Greg Kroah-Hartman to University of Minnesota Researchers".
It is pretty clearly a rejection to me, though a polite one. He's stating that their message is irrelevant and he doesn't care for it.
> It is pretty clearly a rejection to me, though a polite one. He's stating that their message is irrelevant and he doesn't care for it.

Considering he thanks them for their response, this is not a rejection. It's a tacit acceptance while simultaneously stating what's necessary because an email apology is simply inadequate.

Like I said, it's polite, but does not seem like acceptance to me. It's a little hard to capture the sentiment but:

"It’s not an apology if it comes with an excuse."

cool. so can someone unflag it now
only after you have completed [REDACTED] actions!
Best to email the mods about that.
(comment deleted)
If they can just ban an entire university for a few students actions then someone remind me again why a "code of conduct" is needed at all, and what rule in that document was broken? It's clearly not needed, and will only be abused IMO.
Did University of Minnesota have any type of IRB? I sorta hope this can be the "come to Jesus moment" for academic CS to implement safeguards (such as IRBs) to prevent harm.
They did approve because the research is not a human study, which in my opinion is a correct decision. But, this decision does not endorse the study to be totally ethical, which is a totally different issue.
How can you categorize this as "not a human study"? They were experimenting on "the patching process" which is not some abstract concept, it's a system that humans designed and execute by individual action.

If it was not a human study, then why couldn't they just stimulate it on a computer where the maintainers are completely uninvolved? Obviously that's not possible. Why? Because they were studying the humans themselves. This is so clear even from the apology email that is the topic of this thread, I don't understand how people are still confused here.

This is not a US patent grant where simply adding "yeah that but on a computer" gives you an instant rubber stamp.

I'm just going to quote part of the UMN response, which should clear up the constant misconceptions I see from people who are doing real harm to legitimate researchers.

The “hypocrite commits” work was carried out in August 2020; it aimed to improve the security of the patching process in Linux. As part of the project, we studied potential issues with the patching process of Linux, including causes of the issues and suggestions for addressing them.

This work did not introduce vulnerabilities into the Linux code. The three incorrect patches were discussed and stopped during exchanges in a Linux message board, and never committed to the code. We reported the findings and our conclusions (excluding the incorrect patches) of the work to the Linux community before paper submission, collected their feedback, and included them in the paper.

All the other 190 patches being reverted and re-evaluated were submitted as part of other projects and as a service to the community; they are not related to the “hypocrite commits” paper.

These 190 patches were in response to real bugs in the code and all correct--as far as we can discern--when we submitted them.

We understand the desire of the community to gain access to and examine the three incorrect patches. Doing so would reveal the identity of members of the community who responded to these patches on the message board. Therefore, we are working to obtain their consent before revealing these patches.

Our recent patches in April 2021 are not part of the “hypocrite commits” paper either. We had been conducting a new project that aims to automatically identify bugs introduced by other patches (not from us). Our patches were prepared and submitted to fix the identified bugs to follow the rules of Responsible Disclosure, and we are happy to share details of this newer project with the Linux community.

tl;dr Greg attacked a researcher, alleging malice where there was none. This was someone trying to legitimately help the kernel.

p.s. here's Linus's response

> Linus Torvalds: "most of the patches are valid (and the ones that aren't are generally 'useless' rather than 'actively malicious'), so it's basically a huge waste of people's time to now go over those things again just because one source has shown itself to not be above board."

Submitting patches you know contain vulnerabilities to a project as part of a social engineering experiment shows a fundamental lack of ethics -- it doesn't matter if the patches themselves were merged, the intent itself matters. Since the research was sanctioned by the University, the University has shown they do not have strong ethical controls for their research and thus any work they conduct should be considered suspect until those issues are resolved.

Saying "the three incorrect[sic] patches were discussed and stopped during exchanges in a Linux message board, and never committed to the code" is a non-sequitur. Nobody claimed the malicious patches were merged, everyone is saying that the simple act of submitting in bad faith them is the issue.

(I also find it funny they use the word "incorrect" when the correct word is "malicious".)

If someone sent patches to your project that you later discovered were malicious and sent in bad faith, would you seriously allow them to continue being part of your community? I sure as hell wouldn't.

Malice implies that the intent was to cause harm, which there was not. The execution was negligent, at worst, but not malicious.

And you've ignored the rest of the post, which is that the patches that Greg was blowing up about had nothing to do with that research. Please actually read the whole post and try to understand the situation.

This entire thing started with Greg alleging that legitimate patches from a security researcher were malicious. They were not. Previous patches, from another group, a year ago, are what you're referring to.

> Please actually read the whole post and try to understand the situation.

I'm aware of what has happened, I personally think they should've banned the University last year. And the quote in your post only tells one side of the story. This latest incident was just the trigger for the response and as usual the internet ends up confusing the trigger and the original issue (in Greg's original email he simply said to not accept patches because of the previous research which was being run by the same supervisor -- only later did he get into the argument with the researcher where he said they were either incompetent or malicious.)

I agree that a lot of people have assumed that the current patches were malicious when they are not, though they were submitted in a way that isn't in line with how automated tool patches are usually submitted. But that's the internet for you, they manage to misinterpret even the most basic situations.

> Malice implies that the intent was to cause harm, which there was not.

How is submitting patches which you know have bugs to a review process where they may end up being merged not count as "intending to cause harm"? If the patches had not been blocked by the review process, what would have the end result have been?

More importantly, as a reviewer there is no difference to me whether the person really is a an attacker or a researcher cosplaying as an attacker -- the end result is that I'm being asked to review patches that are known by the author to contain security bugs and were submitted under false pretenses.

> I agree that a lot of people have assumed that the current patches were malicious when they are not

Who can blame them when Greg says things like

"> You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them, and published a paper based on that work."

Greg is explicitly alleging, "You", that Aditya is being malicious. So of course the idiot readers will think so. He repeatedly alleges that Aditya is malicious.

This isn't just "the internet", it's Greg's false accusations, which he has yet to retract.

Look at the damage. I'm linking LKML, links from other maintainers, a quote from Linus, and facts and all of my posts are downvoted. Greg's bungling has caused a massive false perception.

> How is submitting patches which you know have bugs to a review process where they may end up being merged not count as "intending to cause harm"?

Because they did not intend to cause harm. They intended the opposite - to improve Linux security by demonstrating flaws in the process. Obviously they did a bad job of it, no one is defending that research, UMN apologized for it explicitly.

But they did not intend harm. They were not hoping to exploit those vulnerabilities. It was not malicious. It was negligent. I think it's very important to recognize the difference, critical really.

As they say, the road to hell is paved with good intentions.

And their apology basically stated "I'm sorry that you don't understand we are trying to help you". Nowhere did they claim their research caused harm.

Their apology was excellent...

> > We sincerely apologize for any harm our research group did to the > Linux kernel community. Our goal was to identify issues with the > patching process and ways to address them, and we are very sorry that > the method used in the “hypocrite commits” paper was inappropriate. As > many observers have pointed out to us, we made a mistake by not > finding a way to consult with the community and obtain permission > before running this study; we did that because we knew we could not > ask the maintainers of Linux for permission, or they would be on the > lookout for the hypocrite patches. While our goal was to improve the > security of Linux, we now understand that it was hurtful to the > community to make it a subject of our research, and to waste its > effort reviewing these patches without its knowledge or permission. >

They explicitly admit fault and address what they did wrong and what they should have done better.

You said that they didn't admit harm but the very first sentence is an acknowledgement and apology for the harm.

In fact, they repeatedly address that they caused harm, and apologize:

> we now understand that it was hurtful to the > community

> apologize for any harm

They didn't state they caused harm, they stated they apologize for "any" harm.

> it was hurtful to the community

Basically state "sorry to hurt your feelings", which I clearly pointed out in my comment. It's definitely not a "we are wrong" apology.

This has a vibe of "we couldn't have done it any other way, and we still feel it was better. Sorry that you don't agree"

Their letter of "apology" was already torn apart in the other thread at https://news.ycombinator.com/item?id=26930056

What nonsense, they explicitly state they caused harm.

"we now understand that it was hurtful to the > community to make it a subject of our research, and to waste its > effort reviewing these patches without its knowledge or permission."

They EXPLICITLY state that they wasted community effort and explicitly, repeatedly acknowledge that they did things the wrong way.

Remember the Sokal Hoax [1] and the New Sokal Hoax [2]? And other publishing stings [3]?

How are they different? Honest question.

At least those journals did not ban researchers from the whole university...

1. https://en.wikipedia.org/wiki/Sokal_affair

2. https://www.theatlantic.com/ideas/archive/2018/10/new-sokal-...

3. https://en.wikipedia.org/wiki/List_of_scholarly_publishing_s...

If those hoaxes were along the lines of 'vaccines cause autism', they might be cause for concern too.
> How are they different? Honest question.

The security of the Linux kernel affects millions of people.

Submitting fake papers to omphaloskeptic social science journals affects thousands at most.

Really? How many computers were hacked because of their fake patches?
If really only three fake patches were involved, then I don't understand gkh's response.

He hasn't been able to show further intent, and the tendency to dismiss even a grovelling apology as not sincere enough is plain stupid.

What should they do? Immolate themselves and burn down the university.

A group piling on individuals seems to be the new sport of the 21st century.

> If really only three fake patches were involved, then I don't understand gkh's response.

No, not only three fake patches. Those three fake patches were in 2020. This year's affair was precipitated by another known-invalid patch [1] and furthered by the research group playing victim [2].

1: https://lore.kernel.org/linux-nfs/YH5%2Fi7OvsjSmqADv@kroah.c...

2. https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah...

> He hasn't been able to show further intent

From [2] above: "So what am I supposed to think here, other than that you and your group are continuing to experiment on the kernel community developers by sending such nonsense patches?"

> ... to dismiss even a grovelling apology as not sincere enough

1. From TFA, it hasn't been dismissed. Nor has it been labelled anything, let alone "not sincere enough".

2. The apology was hardly "grovelling"; more like, "we're sorry we got caught, we're sorry you felt bad about it, but we see no other way to do what we did."

> What should they do?

As the TFA says, the steps for reconciliation have been sent to them through the appropriate legal channels.

> Immolate themselves and burn down the university. > A group piling on individuals seems to be the new sport of the 21st century.

You seem to be reading a lot of things that aren't there. It'd help if you take off the outrage hat.