Message-ID: <20210506214009.GA6494@amd>
Date:   Thu, 6 May 2021 23:40:09 +0200
From:   Pavel Machek <pavel@....cz>
To:     Kees Cook <keescook@...omium.org>
Cc:     linux-kernel@...r.kernel.org, Kangjie Lu <kjlu@....edu>,
        tech-board@...ts.linux-foundation.org
Subject: Re: Report on University of Minnesota Breach-of-Trust Incident

Hi!

> > # Commits from @umn.edu addresses have been found to be submitted in "bad
> > # faith" to try to test the kernel community's ability to review "known
> > # malicious" changes.
> 
> I would agree that the phrasing here is sub-optimal in that it could
> more clearly separate a few related things (e.g. "malicious change" vs
> "valid fix"). If I were writing this, I would have said something along
> the lines of:
> 
>   Commits from UMN authors have been found to be submitted with intentional
>   flaws to try to test the kernel community's ability to review "known
>   malicious" changes. ...
>   During review of all submissions, some patches were found to be
>   unintentionally flawed. ...
>   Out of an abundance of caution all submissions from this group must be
>   reverted from the tree and will need to be re-reviewed again. ...

Thank you.

> > UMN apologized. Our reaction to their apology was:
> > 
> > https://lore.kernel.org/lkml/YIV+pLR0nt94q0xQ@kroah.com/#t
> > 
> > Do we owe them apology, too?
> 
> I will defer to Greg on what he thinks his duties are there, but in
> trying to figure out who "we" is, I'll just point out that I attempted
> to clarify the incorrect assumptions about the intent of historical UMN
> patches, and spoke for the entire TAB (Greg included) here:
> https://lore.kernel.org/lkml/202104221451.292A6ED4@keescook/
> The report repeated this in several places, and we explained our need
> for due diligence.

Well, in https://lore.kernel.org/lkml/YIV+pLR0nt94q0xQ@kroah.com/#t
Greg says:

"Until those actions are taken, we do not have anything further to
discuss about this issue."

I'm not sure on behalf of whom he is speaking in the email (and I
believe he is unnecessarily harsh with them).

I could reply to that saying "hey, Greg is probably speaking only for
himself there, he certainly can't speak for the whole Linux community",
but I believe it would be better if the TAB did that.

Best regards,
								Pavel
-- 
http://www.livejournal.com/~pavelmachek