The Linux community doesn’t like being played for a fool, no matter how much funding your university can throw behind your research.
Last week, the Linux Foundation took the unprecedented step of banning an entire university from contributing to the Linux kernel as a result of some controversial research that graduate students at the University of Minnesota were doing. The research essentially involved trying to see if they could get intentionally bad patches into the Linux code base as a “test” to see what would happen.
Now, they have their answer. Greg Kroah-Hartman, a primary Linux kernel developer who is usually quite a kind fellow, ripped on a Ph.D. student who had accused him of slander after he pointed out the effort to intentionally place bad code in the Linux kernel.
“Our community does not appreciate being experimented on, and being ‘tested’ by submitting known patches that are either do nothing on purpose, or introduce bugs on purpose,” Kroah-Hartman wrote on a Linux kernel mailing list. “If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.”
(By comparison, this is how Kroah-Hartman usually responds to people on the internet.)
Even Linus Torvalds was speechless, admitting to IT Wire that he didn’t even know what to say about the whole endeavor.
“I don't think it has been a huge deal technically, but people are pissed off, and it's obviously a breach of trust,” he said.
The Golden Gopher researchers took the step of writing a lengthy apology to the Linux community, but Kroah-Hartman was quick to shut that line of discussion down.
In many ways, what the university’s researchers did reflects questionable decision-making just as much as it does unnecessary risk-taking. Sure, I get it—they were penetration testing. But when the basic tenets of the open-source contract are undermined, the result is that it damages the relationship with everyone who uses that software.
I found myself thinking about this issue this morning after I got a note from a platform called Winter CMS, a fork of a content management system called October CMS. I had looked closely at October CMS and nearly went with it for my site, but chose in the end against it because I did not feel the community was strong enough to reach out to in case something broke.
It turns out that was a great idea, because October CMS’ primary developers left earlier this year after the organization decided to commercialize the CMS. As the existence of Winter CMS shows, changing the contract or not following the set rules is a breach of trust. (For disclosure’s sake: Craft CMS, the platform for Tedium I eventually went for, is free to download but proprietary, but I knew that going in.)
As communities go, it’s important to keep in mind the fact that lots of people rely on projects like Linux to do their jobs. If the contract breaks or something changes, it can deeply affect their work. And other examples of this exist, too—the whole to-do over Red Hat reframing CentOS last year is a great example.
I’m sure the researchers at the University of Minnesota thought they were doing the community a service, just as the researchers at Objective-See did when they reported a significant macOS bug to Apple recently.
But the breach of trust is not a minor thing in the world of open-source communities. For one thing, it could have affected a lot of people had the exploit gotten through.
And plus, it made Greg Kroah-Hartman mad. And why would anyone want that?
Time limit given ⏲: 30 minutes
Time left on clock ⏲: 3 minutes, 26 seconds