the kernel research group at Minnesota has released a big wet fart of a statement https://cse.umn.edu/cs/open-letter-linux-community-april-24-2021
# ? Apr 26, 2021 16:10

revealing the patches would... reveal the identity of the reviewers? what?
# ? Apr 26, 2021 16:17

Solus M.D. posted: the kernel research group at Minnesota has released a big wet fart of a statement

quote: Thank you for your response.
# ? Apr 26, 2021 16:17

I wish Linus would weigh in on this one
# ? Apr 26, 2021 16:24

when you find yourself in a hole you're supposed to keep digging right
# ? Apr 26, 2021 16:29

RFC2324 posted: I wish Linus would weigh in on this one
# ? Apr 26, 2021 16:29

greg has already done a pretty good rant imo
# ? Apr 26, 2021 16:31

I'd like to see whatever the Linux Foundation sent though.
# ? Apr 26, 2021 16:34

Solus M.D. posted: the kernel research group at Minnesota has released a big wet fart of a statement

hobbesmaster posted: when you find yourself in a hole you're supposed to keep digging right

quote: As many observers have pointed out to us, we made a mistake by not finding a way to consult with the community and obtain permission before running this study; we did that because we knew we could not ask the maintainers of Linux for permission, or they would be on the lookout for the hypocrite patches.
# ? Apr 26, 2021 16:42

If telling the maintainers "hey we're planning on submitting patches with deliberate security vulnerabilities but we're not going to tell you when we're going to submit them or where we'll submit them from" is enough to stop insecure patches from being accepted then maybe you should just tell them that and then the problem is solved and you don't even need to do the research?
# ? Apr 26, 2021 16:45

well yes, they're not just digging they're going full project plowshare
# ? Apr 26, 2021 16:45

mystes posted: If telling the maintainers "hey we're planning on submitting patches with deliberate security vulnerabilities but we're not going to tell you when we're going to submit them or where we'll submit them from" is enough to stop insecure patches from being accepted then maybe you should just tell them that and then the problem is solved and you don't even need to do the research?

reminds me of the two part experiment with psych hospitals

edit: actually misremembered the details but this is the gist of it https://en.wikipedia.org/wiki/Rosenhan_experiment

quote: Rosenhan's study was done in two parts. The first part involved the use of healthy associates or "pseudopatients" (three women and five men, including Rosenhan himself) who briefly feigned auditory hallucinations in an attempt to gain admission to 12 psychiatric hospitals in five states in the United States. All were admitted and diagnosed with psychiatric disorders. After admission, the pseudopatients acted normally and told staff that they no longer experienced any additional hallucinations. As a condition of their release, all the patients were forced to admit to having a mental illness and had to agree to take antipsychotic medication. The average time that the patients spent in the hospital was 19 days. All but one were diagnosed with schizophrenia "in remission" before their release.

ymgve fucked around with this message at 16:55 on Apr 26, 2021

# ? Apr 26, 2021 16:52

I gotta be honest while the Universities peeps are truly terrible communicators, the fact that the Linux community is so offended people would experiment on them is pretty funny. Setting aside the whole review board thing, we do controlled experiments on parts of society all the time. What makes you so special that you should be exempted from it? I’m not a part of the OSS community, so maybe I’m missing something here, but I’m far more sympathetic to the university than I am to Greg the maintainer with his ridiculous overreactions.
# ? Apr 26, 2021 16:58

ymgve posted: reminds me of the two part experiment with psych hospitals

Mental health treatment is on the order of blood demons and poo poo from the dark ages.
# ? Apr 26, 2021 17:00

The Iron Rose posted: I gotta be honest while the Universities peeps are truly terrible communicators, the fact that the Linux community is so offended people would experiment on them is pretty funny.

Informed consent, it's considered unethical to experiment on people without them at least knowing that SOMETHING will happen, even if it's not what they're told is what's being looked for. Otherwise, you're at the "IT'S JUST A PRANK BRO" level of consent.
# ? Apr 26, 2021 17:06

The Iron Rose posted: I gotta be honest while the Universities peeps are truly terrible communicators, the fact that the Linux community is so offended people would experiment on them is pretty funny.

they're extremely self-important, op

unfortunately this research group is so sloppy that people are going to overlook how badly the linux maintainers are acting, because the world is divided into heroes and villains
# ? Apr 26, 2021 17:07

mystes posted: I wish Linus would post an extremely angry rant too but I think he's trying to improve his anger management and I suspect whatever the Linux Foundation has asked is reasonable.

I'm sure that it's for the best that Linus is staying out of things, I do remember his apologies when he announced stepping back because of his anger issues. I still loved them for sheer train wreck value
# ? Apr 26, 2021 17:08

The Iron Rose posted: I gotta be honest while the Universities peeps are truly terrible communicators, the fact that the Linux community is so offended people would experiment on them is pretty funny.

idk about the individual maintainers, but the whole experiment is just mind-bogglingly dumb. of course trust can be abused. that's all this shows: that if people make mistakes in manual processes, mistakes will be made. everyone already knows this, it is not surprising. "bad actors can do bad things in code review" is not exactly ground-breaking work. so the reward for running this experiment is rather small.

their remediation recommendations were literally "add a line to the code of conduct" or whatever, which may be the dumbest thing i've ever seen in a research paper (and i have read a lot of bad papers)

people aren't upset (i dont think, and im not) that the community was experimented on, really. like maybe rubbed the wrong way a bit but not really mad. what sucks is that the researchers were running a risk that bad code would get into the kernel. iiuc, that didn't actually happen, but the risk was there. the linux kernel isn't fuckin' kodi or whatever where a mistake means somebody's weirdo home theatre setup dies, it's an incredibly widely-used product where DoS vulnerabilities can make people die, and security vulnerabilities are very meaningful. it does not appear that the risks incurred by this project were adequately thought through.

the potential risk of this experiment is very high (or, at least, it seems to be and it's not at all clear that the researchers considered this in any meaningful way). when a failure mode of your experiment is the compromise of a very widely-used software project, you need to be really really careful. the researchers were not appropriately careful.
# ? Apr 26, 2021 17:20

y'all are missing the far more interesting recommendation beyond the code of conduct thing, "run a tool that looks for bugs maybe? but not just any one, the one that we're going to make some time in the future maybe"
# ? Apr 26, 2021 17:24

The Iron Rose posted: controlled experiments

what would you say is the control in this experiment?
# ? Apr 26, 2021 17:28

Achmed Jones posted: what sucks is that the researchers were running a risk that bad code would get into the kernel. iiuc, that didn't actually happen, but the risk was there.

i agree with a lot of what you're saying, but this is overblown. you're criticizing them for the possible outcomes of an alternate history that by all appearances they made reasonable efforts to prevent. the kernel development process is not just "apply patch immediately to stable tree and release"; there are plenty of opportunities to stop a patch from propagating by e.g. sending follow-up comments and patches, and if the patches are what we think then the researchers did those things
# ? Apr 26, 2021 17:41

Subjunctive posted: what would you say is the control in this experiment?

this is a more fair point than all the rest

i do agree that the quality of academic work here is not particularly great. The great academic discovery here is "malicious actors exist" which is not particularly groundbreaking. But what I see in the community and in that letter is outrage that they were the subject of an experiment. And that's the part I have a hard time feeling much sympathy towards.

tl;dr: the OSS kernel community comes off like a petty fiefdom run by fragile egos, and good god someone needs to make tech nerds take more writing and communication classes.
# ? Apr 26, 2021 17:48

this may just be because i read a hell of a lot of aircraft incident reports but imagine if they did the same thing with counterfeit/defective plane parts to see how easy it was to get them into the supply chain. i mean sure, there's a bunch of checks and double-redundancy to make sure it hopefully can't bring a plane down by itself, and they said "no just kidding that's a bad part" immediately, but the whole "bypassed the ethics review board" and "didn't bother figuring out a way to get informed consent from the maintenance company ahead of time" bits seem like much bigger deals
# ? Apr 26, 2021 17:54

The Iron Rose posted: tl;dr: the OSS kernel community comes off like a petty fiefdom run by fragile egos.

It is and they report to nobody. "researchers" kicked the hornets nest, hosed around and found out.

Shame Boy posted: this may just be because i read a hell of a lot of aircraft incident reports but imagine if they did the same thing with counterfeit/defective plane parts to see how easy it was to get them into the supply chain. i mean sure, there's a bunch of checks and double-redundancy to make sure it hopefully can't bring a plane down by itself, and they said "no just kidding that's a bad part" immediately, but the whole "bypassed the ethics review board" and "didn't bother figuring out a way to get informed consent from the maintenance company ahead of time" bits seem like much bigger deals

I was going to make this sort of analogy but with like a nasa rocket.
# ? Apr 26, 2021 18:11

Shame Boy posted: this may just be because i read a hell of a lot of aircraft incident reports but imagine if they did the same thing with counterfeit/defective plane parts to see how easy it was to get them into the supply chain. i mean sure, there's a bunch of checks and double-redundancy to make sure it hopefully can't bring a plane down by itself, and they said "no just kidding that's a bad part" immediately, but the whole "bypassed the ethics review board" and "didn't bother figuring out a way to get informed consent from the maintenance company ahead of time" bits seem like much bigger deals

i'm not sure if the us actually mandates the use of third-party audits of an airplane manufacturer's quality assurance processes, including the inspection of received materials. however, such audits are specifically mentioned in the sample-company qa manual the faa publishes as a guideline for how companies can be in compliance with faa regulations, so take that as you will

chapter 10,000 of "real engineering companies don't treat qa like a total joke"
# ? Apr 26, 2021 18:27

imagine being a real engineer who just... trusts that their suppliers always send good materials
# ? Apr 26, 2021 18:34

rjmccall posted: i agree with a lot of what you're saying, but this is overblown. you're criticizing them for the possible outcomes of an alternate history that by all appearances they made reasonable efforts to prevent. the kernel development process is not just "apply patch immediately to stable tree and release"; there are plenty of opportunities to stop a patch from propagating by e.g. sending follow-up comments and patches, and if the patches are what we think then the researchers did those things

it's still a massive process failure, and the fact we can't even be confident what they did is certainly part of the problem. in this one instance the researchers probably did what they needed to do to prevent additional direct harms besides wasting people's time without their consent (which is a harm). the opportunity for improvement here would be to actually create the processes and policies that researchers can use to get informed consent from the individuals and communities involved while still conducting the research they want to do.
# ? Apr 26, 2021 18:35

rjmccall posted: imagine being a real engineer who just... trusts that their suppliers always send good materials

sounds like a process that's going to cause problems far down the line
# ? Apr 26, 2021 18:41

rjmccall posted: i'm not sure if the us actually mandates the use of third-party audits of an airplane manufacturer's quality assurance processes, including the inspection of received materials. however, such audits are specifically mentioned in the sample-company qa manual the faa publishes as a guideline for how companies can be in compliance with faa regulations, so take that as you will

i mean that's kinda what i meant by "checks" in "checks and double-redundancy"
# ? Apr 26, 2021 18:45

Trabisnikof posted: it's still a massive process failure, and the fact we can't even be confident what they did is certainly part of the problem.

is there any reason at all to think that the researchers are lying about only sending three patches

Trabisnikof posted: in this one instance the researchers probably did what they needed to do to prevent additional direct harms besides wasting people's time without their consent (which is a harm).

as an open-source maintainer, having my time be regularly wasted by well-meaning people with bad patches is part of the job. sending three tiny broken patches is almost considerate compared to, say, needing a whole extended conversation in order to understand that you can't just round the result of malloc up to get aligned memory because then you won't be able to free it later
# ? Apr 26, 2021 18:47

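rjmccall's aside above about rounding the result of malloc up is the one concrete code point in this thread, so here is an added C example (not code from the thread, from the kernel, or from the research group) showing why the rounded-up pointer cannot be handed to free() and the usual fix: over-allocate, align inside the block, and stash the original malloc() pointer in the word just before the aligned region so a matching release routine can recover it. The names aligned_malloc_broken, aligned_malloc, aligned_free, is_aligned and aligned_roundtrip are this example's own, not any library API.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The mistake described in the post: round malloc()'s result up to `align`.
 * The returned pointer is aligned, but it is not the pointer malloc() handed
 * out, so passing it to free() is undefined behaviour, and the original
 * pointer is lost (a leak at best). Kept only for contrast; never free()
 * its result. */
void *aligned_malloc_broken(size_t align, size_t size) {
    void *raw = malloc(size + align);
    if (!raw) return NULL;
    uintptr_t p = ((uintptr_t)raw + align - 1) & ~(uintptr_t)(align - 1);
    return (void *)p;   /* `raw` is gone; the caller cannot free() this */
}

/* Correct pattern (example code, not kernel or project code): over-allocate,
 * align inside the block, and store the original malloc() pointer in the
 * pointer-sized slot immediately before the aligned region. `align` must be
 * a power of two no smaller than a pointer so that slot is itself aligned. */
void *aligned_malloc(size_t align, size_t size) {
    if (align < sizeof(void *) || (align & (align - 1)) != 0) return NULL;
    void *raw = malloc(size + align + sizeof(void *));
    if (!raw) return NULL;
    uintptr_t start = (uintptr_t)raw + sizeof(void *);   /* leave room for the slot */
    uintptr_t aligned = (start + align - 1) & ~(uintptr_t)(align - 1);
    ((void **)aligned)[-1] = raw;                        /* remember what to free */
    return (void *)aligned;
}

/* The matching release: recover the stashed pointer and free that, never `p`. */
void aligned_free(void *p) {
    if (p) free(((void **)p)[-1]);
}

int is_aligned(const void *p, size_t align) {
    return ((uintptr_t)p & (uintptr_t)(align - 1)) == 0;
}

/* Allocate, check alignment, touch every byte of the requested size, release.
 * Returns 1 on success, 0 if allocation failed or the alignment is off. */
int aligned_roundtrip(size_t align, size_t size) {
    unsigned char *p = aligned_malloc(align, size);
    if (!p) return 0;
    int ok = is_aligned(p, align);
    memset(p, 0xA5, size);                 /* an undersized block would trip ASan here */
    ok = ok && p[0] == 0xA5 && p[size - 1] == 0xA5;
    aligned_free(p);
    return ok;
}

int main(void) {
    /* Exit status 0 when a 64-byte-aligned round trip succeeds. */
    return aligned_roundtrip(64, 1000) ? 0 : 1;
}
```

Building with `-fsanitize=address` and freeing the result of aligned_malloc_broken is the quickest way to see the failure the post describes; the sanitizer reports a free() on a pointer that was not returned by malloc. On platforms that have it, posix_memalign() or C11 aligned_alloc() does the same job as aligned_malloc without the header trick, and their results are freed with plain free().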
rjmccall posted: is there any reason at all to think that the researchers are lying about only sending three patches

no but the point is the process should be designed so that we don't have to assume.

quote: as an open-source maintainer, having my time be regularly wasted by well-meaning people with bad patches is part of the job. sending three tiny broken patches is almost considerate compared to, say, needing a whole extended conversation in order to understand that you can't just round the result of malloc up to get aligned memory because then you won't be able to free it later

the ethical burden of academic researchers is higher than "do no worse than what they already have to deal with" such that it wouldn't be ethical for researchers to go scream at cashiers about the mask mandate without informed consent even if their tantrums were shorter than the cashiers usually had to deal with. clearly the people experimented on were upset about the lack of informed consent, and we must take that into consideration when discussing the harms this research both did and had the potential to do. likewise when determining if research is ethical it is critical to weigh the harms and potential harms against the value of the research. and this is where the meaninglessness of this research makes it ethically worse.

(i also don't find the argument that because businesses do unethical research all the time that academic researchers should be allowed to do it too)
# ? Apr 26, 2021 18:59

The Iron Rose posted:
Pretty universally true, including some threads in this forum
# ? Apr 26, 2021 19:06

Trabisnikof posted: the ethical burden of academic researchers is higher than "do no worse than what they already have to deal with"

granted

Trabisnikof posted: clearly the people experimented on were upset about the lack of informed consent, and we must take that into consideration when discussing the harms this research both did and had the potential to do.

ethics can't be retroactively determined by outcomes. handing out surveys at the beach doesn't become unethical just because some rear end in a top hat decides to take offense at nothing and beats the poo poo out of you. the reasonably-anticipatable harms here are that reviewers either spend a few minutes rejecting some patches, or they don't catch the problem and are somewhat embarrassed. that potential for embarrassment shouldn't be dismissed. but the reasonably-anticipated harms do not include the maintainers freaking out, reverting two years of security patches, and banning the entire university from further contributions

i agree that the weakness of their suggested ameliorations makes the research a lot less valuable. maybe it's worthless enough that there's basically no level of harm that it could justify. that's a hard standard for an irb to enforce, i think, since the research by definition hasn't been done yet

Trabisnikof posted: (i also don't find the argument that because businesses do unethical research all the time that academic researchers should be allowed to do it too)

i have not made this argument, unless you're sweeping in manufacturer quality control, which is different in a number of ways
# ? Apr 26, 2021 19:38

rjmccall posted: granted

Experimenting on people without their consent or without the proper safeguards is always unethical, there's nothing retrospective here. The paper itself got ethical complaints from the research community before this Linux blow up. They could have done it ethically, it's not like this is a new problem, and chose not to do so.

I know I'm biased because I know many of these people personally but the idea that they banned someone for writing a paper that made them look bad is a joke. There are constantly security papers about flaws in Linux and they are consistently well received if they help improve the security of Linux. Besides, this paper was obvious and the recommendations useless enough that no one who matters is going to think any less about Linux for the "vulnerabilities" in the paper.

I don't view well meaning folks submitting bad code to my projects as a waste of time, it's an opportunity to teach folks and get more people involved. Educating well meaning folks so they become constructive contributors is part of the gig, I don't want to waste time I could be spending on an actual well meaning person dealing with malicious contributors, and if there's easy ways to identify and ban malicious contributors of course I'd do it.
# ? Apr 26, 2021 20:18

Amazing.

The Iron Rose posted: But what I see in the community and in that letter is outrage that they were the subject of an experiment. And that's the part I have a hard time feeling much sympathy towards.

evil_bunnY fucked around with this message at 20:26 on Apr 26, 2021

# ? Apr 26, 2021 20:23

apseudonym posted: I know I'm biased because I know many of these people personally but the idea that they banned someone for writing a paper that made them look bad is a joke. There are constantly security papers about flaws in Linux and they are consistently well received if they help improve the security of Linux. Besides, this paper was obvious and the recommendations useless enough that no one who matters is going to think any less about Linux for the "vulnerabilities" in the paper.

yeah, look, i've said this entire time that this specific paper is shoddy as all hell and that these specific researchers really messed up. what i'm saying is that the linux maintainers are intentionally overreacting with the clear purpose of setting a precedent that makes any similar line of research politically untenable. i do not think that is in the broader community's interest, and i think it should be criticized

apseudonym posted: I don't view well meaning folks submitting bad code to my projects as a waste of time, it's an opportunity to teach folks and get more people involved. Educating well meaning folks so they become constructive contributors is part of the gig, I don't want to waste time I could be spending on an actual well meaning person dealing with malicious contributors, and if there's easy ways to identify and ban malicious contributors of course I'd do it.

i have been educating contributors for over a decade, you don't need to tell me it's a valuable service to the community. i brought it up because i know exactly how small of a burden this kind of review actually is. their intentional overreaction has become a far larger timesink
# ? Apr 26, 2021 20:51

there's been more posts in this thread on the subject than the mailing lists combined, even the direct apology was sent to lkml and not linked elsewhere when most discussion was on linux-nfs
# ? Apr 26, 2021 20:56

The Iron Rose posted: I gotta be honest while the Universities peeps are truly terrible communicators, the fact that the Linux community is so offended people would experiment on them is pretty funny.

hey. check your discord when you get a chance
# ? Apr 26, 2021 21:43

I maintain OSS projects and if I learn that some rando is running an adversarial experiment where all the effort is spent on clowning on me and wasting my free time for them to get papers published about how much I suck at what I do, I'd probably lose all trust in them and consider not reviewing any further contribution from them anymore. Like the researchers are clever enough to know that trust is integral to maintain for their experiment to work (otherwise the bad commits would be caught!), they should also be clever enough to know that running the experiment without a heads-up would deplete said trust after the fact and not act all surprised when people don't want to lose their time with them anymore. They've run their experiment, it was moderately successful, now they've blown up their lab and can keep looking for other experiments to run elsewhere.
# ? Apr 26, 2021 23:54

this all makes sense if this is a first-year experiment with no oversight, that there's faculty involvement raises more serious questions imo
# ? Apr 26, 2021 23:56