The Linux Foundation Technical Advisory Board (TAB) has released a report describing the remediation measures taken after researchers from the University of Minnesota (UMN) submitted intentionally flawed patches to the Linux kernel.
UMN had previously submitted many bug fixes that were merged into kernel releases, but the breach of trust between the community and UMN began in August last year, when UMN researchers ran an experimental research project on "Hypocrite Commits" that involved deliberately submitting patches that introduced bugs into the kernel.
As a result, Greg Kroah-Hartman, a Linux kernel maintainer, asked the community to stop accepting patches from UMN and began a re-review of every submission previously accepted from the university, on the grounds that UMN had knowingly sent flawed code.
The university has since retracted the “Hypocrite Commits” paper and Kroah-Hartman posted a final set of reverts this week.
The university allowed the researchers to use fake identities when agreeing to the Developer Certificate of Origin, the legal statement every contributor must make about the provenance of the work being submitted.
The researchers then sent five problematic patches to the public Linux kernel mailing list.
Patch 1 was submitted under a false name and rejected. Patch 2 tried to gain acceptance by claiming the bug had been found by the syzbot fuzzing tool, but it too was quickly rejected. Patches 3 and 4 were judged incorrect by reviewers, who suggested possible corrections that the submitter never made. Patch 5 was rejected after a reviewer noticed that it came under a fake name similar to the one used for Patch 2.
The Linux Technical Advisory Board hopes that, with the flawed submissions now re-reviewed and reverted, the kernel community's willingness to accept patches from researchers can be restored.
“The developer community should be able to trust that researchers are sending quality patches meant to improve the kernel, and researchers should trust the developer community will not undermine the researchers’ reputations when mistakes are made,” the Linux Technical Advisory Board stated in the report. “The recommendations in this report aim to move beyond this conflict, providing a way to help both communities to work together better.”