
Reflections on the UMN Linux incident (5): They apologized, but is an apology enough?

Author: oneweek, posted 2021-5-1 21:09 on 貝殼村 (Backchina)

Category: Hot topics | 2 comments

———————— Check ——————
https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/T/#u
【Professor Lu must have racked his brains: on Saturday (4/24) at 5:30 pm -0500 (22:30 UTC) he wrote an open letter to the Linux community, feeling that he had apologized. Online comments were all over the place; some said the apology would do, others said it read less like an apology and more like an explanation.】
An open letter to the Linux community

Dear Community Members:

We sincerely apologize for any harm our research group did to the Linux kernel community. Our goal was to identify issues with the patching process and ways to address them, and we are very sorry that the method used in the "hypocrite commits" paper was inappropriate. As many observers have pointed out to us, we made a mistake by not finding a way to consult with the community and obtain permission before running this study; we did that because we knew we could not ask the maintainers of Linux for permission, or they would be on the lookout for the hypocrite patches. While our goal was to improve the security of Linux, we now understand that it was hurtful to the community to make it a subject of our research, and to waste its effort reviewing these patches without its knowledge or permission.

We just want you to know that we would never intentionally hurt the Linux kernel community and never introduce security vulnerabilities. Our work was conducted with the best of intentions and is all about finding and fixing security vulnerabilities.

The "hypocrite commits" work was carried out in August 2020; it aimed to improve the security of the patching process in Linux. As part of the project, we studied potential issues with the patching process of Linux, including causes of the issues and suggestions for addressing them.
* This work did not introduce vulnerabilities into the Linux code. The three incorrect patches were discussed and stopped during exchanges in a Linux message board, and never committed to the code. We reported the findings and our conclusions (excluding the incorrect patches) of the work to the Linux community before paper submission, collected their feedback, and included them in the paper.
* All the other 190 patches being reverted and re-evaluated were submitted as part of other projects and as a service to the community; they are not related to the "hypocrite commits" paper.
* These 190 patches were in response to real bugs in the code and all correct--as far as we can discern--when we submitted them.
* We understand the desire of the community to gain access to and examine the three incorrect patches. Doing so would reveal the identity of members of the community who responded to these patches on the message board. Therefore, we are working to obtain their consent before revealing these patches.
* Our recent patches in April 2021 are not part of the "hypocrite commits" paper either. We had been conducting a new project that aims to automatically identify bugs introduced by other patches (not from us). Our patches were prepared and submitted to fix the identified bugs to follow the rules of Responsible Disclosure, and we are happy to share details of this newer project with the Linux community.

We are a research group whose members devote their careers to improving the Linux kernel. We have been working on finding and patching vulnerabilities in Linux for the past five years. The past observations with the patching process had motivated us to also study and address issues with the patching process itself. This current incident has caused a great deal of anger in the Linux community toward us, the research group, and the University of Minnesota. We apologize unconditionally for what we now recognize was a breach of the shared trust in the open source community and seek forgiveness for our missteps.

We seek to rebuild the relationship with the Linux Foundation and the Linux community from a place of humility to create a foundation from which, we hope, we can once again contribute to our shared goal of improving the quality and security of Linux software. We will work with our department as they develop new training and support for faculty and students seeking to conduct research on open source projects, peer-production sites, and other online communities. We are committed to following best practices for collaborative research by consulting with community leaders and members about the nature of our research projects, and ensuring that our work meets not only the requirements of the IRB but also the expectations that the community has articulated to us in the wake of this incident.

While this issue has been painful for us as well, and we are genuinely sorry for the extra work that the Linux kernel community has undertaken, we have learned some important lessons about research with the open source community from this incident. We can and will do better, and we believe we have much to contribute in the future, and will work hard to regain your trust.


Sincerely,


Kangjie Lu, Qiushi Wu, and Aditya Pakki
University of Minnesota


——————————【The big name on the other side said: whether the apology is accepted or not is not up for discussion yet; we have already sent a letter listing our requirements, meet those first and then we can talk about anything else.】
Thank you for your response.

As you know, the Linux Foundation and the Linux Foundation's Technical Advisory Board submitted a letter on Friday to your University outlining the specific actions which need to happen in order for your group, and your University, to be able to work to regain the trust of the Linux kernel community.

Until those actions are taken, we do not have anything further to discuss about this issue.

thanks,

greg k-h
---——————【Only then did everyone learn that there was a whole list of demands. What were they? Reparations and ceding territory, certainly not. Were they harsh?】
https://www.zdnet.com/article/the-linux-foundations-demands-to-the-university-of-minnesota-for-its-bad-linux-patches/

The letter, from Mike Dolan, the Linux Foundation's senior VP and general manager of projects, begins:

It has come to our attention that some University of Minnesota (U of MN) researchers appear to have been experimenting on people, specifically the Linux kernel developers, without those developers' prior knowledge or consent. This was done by proposing known-vulnerable code into the widely-used Linux kernel as part of the work "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits"; other papers and projects may be involved as well. It appears these experiments were performed without prior review or approval by an Institutional Review Board (IRB), which is not acceptable, and an after-the-fact IRB review approved this experimentation on those who did not consent.

This is correct. Wu and Lu opened their note to the UMN IRB by stating: "We recently finished a work that studies the patching process of OSS." They only asked the IRB's permission after they'd shared the paper's abstract on Twitter.  Then after they admitted the abstract's publication had caused "heated discussion and pushback," they removed the abstract and apologized to the IRB for causing "many confusions and misunderstandings." 

While the IRB appears to have approved this research after the fact, the Linux kernel community was not kept in the loop. The researchers claim that they spoke to people in the Linux community, but they are never identified. Hence, Kroah-Hartman's reaction when, once more, he was presented with "nonsense patches" and yet another attempt to waste the Linux kernel maintainers' time by "continuing to experiment on the kernel community developers."

Dolan continued:

We encourage and welcome research to improve security and security review processes. The Linux kernel development process takes steps to review code to prevent defects. However, we believe experiments on people without their consent is unethical, and likely involves many legal issues. People are an integral part of the software review and development process. The Linux kernel developers are not test subjects, and must not be treated as such.

This is a major point. The researchers first claim in their IRB FAQ that: "This is not considered human research. This project studies some issues with the patching process instead of individual behaviors, and we did not collect any personal information." 

In the next paragraph, though, the UMN researchers back off from this claim.

"Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns. This is an important lesson we learned -- Do not trust ourselves on determining human research; always refer to IRB whenever a study might be involving any human subjects in any form."

Dolan went on: 

This also wasted their valuable time and put at risk the billions of people around the world who depend on their results. While the U of MN researchers claimed to take steps to prevent inclusion of vulnerabilities in the final software, their failure to gain consent suggests a lack of care. There are also amplified consequences because Linux kernel changes are picked up by many other downstream projects that build off of the kernel codebase.

Then we get the heart of the matter. While Dolan said the UMN researchers' apology was promising, the Linux community needs more.  

These "requests" are:

Please provide to the public, in an expedited manner, all information necessary to identify all proposals of known-vulnerable code from any U of MN experiment. The information should include the name of each targeted software, the commit information, purported name of the proposer, email address, date/time, subject, and/or code, so that all software developers can quickly identify such proposals and potentially take remedial action for such experiments.

Finding all this code is a real problem. Senior Linux kernel developer, Al Viro, who spotted the first April bogus patch, noted: "The lack of data is a part of what's blowing the whole thing out of proportion -- if they bothered to attach the list (or link to such) of SHA1 of commits that had come out of their experiment, or, better yet, maintained and provided the list of message-ids of all submissions, successful and not, this mess with blanket revert requests, etc. would've been far smaller (if happened at all)."

As it is, the Linux developers and committers are now burning time reviewing several hundred UMN Linux kernel patches. They are not amused.
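The request above (commit information, proposer address, date, subject) and Al Viro's point about a list of commit SHA1s and message-ids both come down to the same maintainer task: enumerate every commit from a given set of submitters so it can be re-reviewed. The following is an added example of that enumeration; it is not code from the blog post, the ZDNet article, the Linux Foundation letter or the kernel project. It parses the output of the real command `git log --format='%H%x1f%ae%x1f%aI%x1f%s%x1f%b%x1e'` (the `%x1f`/`%x1e` placeholders emit the ASCII unit and record separators, so multi-line bodies survive), filters by author address or domain, and pulls lore message-ids out of the kernel's `Link:` trailers. The log text, hashes, addresses and message-ids in the block are constructed placeholders.

```python
"""Enumerate commits from a watched set of submitters for re-review.

Added example, not code from the page or the kernel project. Input is the
output of:

    git log --format='%H%x1f%ae%x1f%aI%x1f%s%x1f%b%x1e'

The sample log below is constructed; its hashes, addresses and message-ids
are placeholders, not real kernel commits.
"""
import re
from dataclasses import dataclass

RECORD_SEP = "\x1e"   # %x1e: one record per commit
FIELD_SEP = "\x1f"    # %x1f: between the five fields of a record
LINK_RE = re.compile(r"^Link:\s*(https?://\S+)\s*$", re.MULTILINE)
LORE_ID_RE = re.compile(r"/r/([^/\s]+?)/?$")


@dataclass(frozen=True)
class Commit:
    sha: str
    email: str
    date: str
    subject: str
    body: str


def parse_git_log(text):
    """Split the separator-delimited log into Commit records."""
    commits = []
    for rec in text.split(RECORD_SEP):
        rec = rec.strip("\n")        # git prints a newline after each record
        if not rec:
            continue
        parts = rec.split(FIELD_SEP)
        if len(parts) != 5:
            raise ValueError(f"malformed record: {rec[:40]!r}")
        sha, email, date, subject, body = parts
        commits.append(Commit(sha, email.strip().lower(), date, subject, body.strip()))
    return commits


def select_for_review(commits, watch_domains=(), watch_addresses=()):
    """Commits whose author is on the watch list; a domain also covers its subdomains."""
    domains = {d.lower().lstrip("@") for d in watch_domains}
    addresses = {a.lower() for a in watch_addresses}
    hits = []
    for c in commits:
        domain = c.email.rsplit("@", 1)[-1]
        in_domain = any(domain == d or domain.endswith("." + d) for d in domains)
        if c.email in addresses or in_domain:
            hits.append(c)
    return hits


def lore_message_ids(commit):
    """Message-ids from 'Link: https://lore.kernel.org/r/<id>' trailers."""
    ids = []
    for url in LINK_RE.findall(commit.body):
        m = LORE_ID_RE.search(url)
        if m and "lore.kernel.org" in url:
            ids.append(m.group(1))
    return ids


def review_report(hits):
    """One row per commit with what a maintainer needs to locate and re-review it."""
    return [{"sha": c.sha[:12], "author": c.email, "date": c.date,
             "subject": c.subject, "message_ids": lore_message_ids(c)} for c in hits]


# Constructed sample log: placeholder hashes, addresses and message-ids.
SAMPLE_LOG = (
    "a" * 40 + FIELD_SEP + "student1@example.edu" + FIELD_SEP + "2021-04-06T20:01:00-05:00"
    + FIELD_SEP + "net: fix refcount leak in error path" + FIELD_SEP
    + "Link: https://lore.kernel.org/r/20210406-placeholder-1@example.edu\n"
    + "Signed-off-by: Placeholder One <student1@example.edu>\n" + RECORD_SEP + "\n"
    + "b" * 40 + FIELD_SEP + "maintainer@kernel.org" + FIELD_SEP + "2021-04-07T09:12:00+02:00"
    + FIELD_SEP + "Revert \"net: fix refcount leak in error path\"" + FIELD_SEP
    + "This reverts commit " + "a" * 40 + ".\n" + RECORD_SEP + "\n"
    + "c" * 40 + FIELD_SEP + "Contractor@Mail.Example" + FIELD_SEP + "2021-04-08T11:00:00+00:00"
    + FIELD_SEP + "scsi: add missing error check" + FIELD_SEP
    + "Link: https://lore.kernel.org/r/20210408-placeholder-2@mail.example\n" + RECORD_SEP + "\n"
    + "d" * 40 + FIELD_SEP + "student2@cs.example.edu" + FIELD_SEP + "2021-04-09T15:30:00-05:00"
    + FIELD_SEP + "drm: fix NULL check ordering" + FIELD_SEP + "\n" + RECORD_SEP + "\n"
)

WATCH_DOMAINS = ["example.edu"]                # placeholder institution domain
WATCH_ADDRESSES = ["contractor@mail.example"]  # placeholder individual address


def build_review_list(log_text=SAMPLE_LOG):
    commits = parse_git_log(log_text)
    return review_report(select_for_review(commits, WATCH_DOMAINS, WATCH_ADDRESSES))


if __name__ == "__main__":
    for row in build_review_list():
        print(f"{row['sha']}  {row['date']}  {row['author']}  {row['subject']}")
        for mid in row["message_ids"]:
            print(f"    message-id: {mid}")
```

Matching on author address is only a first cut: a submitter can use any address, so in practice the list is cross-checked against the message-ids the submitters themselves provide, which is exactly why the letter asks for them. Feeding real history in is a matter of piping the `git log` command from the docstring into `parse_git_log`.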

Dolan moved on to ask that the paper be withdrawn "from formal publication and formal presentation all research work based on this or similar research where people appear to have been experimented on without their prior consent. Leaving archival information posted on the Internet is fine, as they are mostly already public, but there should be no research credit for such works."

Thanks to the paper's FAQ, we already know that it has been accepted for publication by the IEEE Symposium on Security and Privacy (IEEE S&P) 2021. This is a top forum for computer security researchers. The 2021 virtual meeting will be happening shortly between May 23 to May 27. The UMN has not said yet whether it will be withdrawn.

Dolan pressed to ensure further UMN experiments on people have IRB review prior to the experiment commencing. 

"Ensure that all future IRB reviews of proposed experiments on people will normally ensure the consent of those being experimented on, per usual research norms and laws," he said.

At this time, the UMN has not responded to our request for information on what the school plans to do.

The point of all this, Dolan said, is "to eliminate all potential and perception of damage from these activities, eliminate any perceived benefit from such activities, and prevent their recurrence. We would hope to see productive, appropriate open-source contributions in the future from your students and faculty as we have seen in prior years from your institution."

The Linux Foundation wants the school to respond to these requests as soon as possible. The Linux maintainers also want to know what's what with the UMN patches, so they can find them and move on. They would much rather be working on improving Linux than chasing down possible deliberately seeded errors.  


Comments (2)

Reply fanlaifuqu 2021-5-1 21:49
I'm out of the loop! Don't know much about this! Long time no see, greetings 一周 (oneweek)!
Reply oneweek 2021-5-1 21:55
fanlaifuqu: I'm out of the loop! Don't know much about this! Long time no see, greetings 一周 (oneweek)!
Greetings, 翻老 (fanlaifuqu). This is a small matter in the tech world, but there are some things worth reflecting on.
