
Reflections on the University of Minnesota Linux Incident (3): A Slight Improvement

Author: oneweek, posted 2021-5-1 00:41 on 貝殼村, the liveliest Chinese social network

General category: Hot Topics


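Greg's tweet drew a heated response online. Retweets and replies quickly passed a hundred, and most people felt that Professor Lu's research had an ethical problem. A few hours later the tech news was buzzing with the story, all of it parroting what others had already said.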

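Professor Lu probably woke up in the morning, read the first message, and felt his head buzz. Reading further down, he probably let out a long sigh of relief.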

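Two hours after issuing the ban, Greg may have felt that it was excessive. Strip out everything from the past? He himself felt that went too far. So it was changed to a re-review: whatever proves valid after the re-review can simply go on being used. https://lore.kernel.org/lkml/20210421130105.1226686-1-gregkh@linuxfoundation.org/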

 Wed, 21 Apr 2021 14:57:55 +0200 (at that moment it was 8 a.m. at the University of Minnesota, -0500)
 I have been meaning to do this for a while, but recent events have finally forced me to do so.

Commits from @umn.edu addresses have been found to be submitted in "bad faith" to try to test the kernel community's ability to review "known malicious" changes.  The result of these submissions can be found in a paper published at the 42nd IEEE Symposium on Security and Privacy entitled, "Open Source Insecurity: Stealthily Introducing Vulnerabilities via Hypocrite Commits" written by Qiushi Wu (University of Minnesota) and Kangjie Lu (University of Minnesota).

Because of this, all submissions from this group must be reverted from the kernel tree and will need to be re-reviewed again to determine if they actually are a valid fix.  Until that work is complete, remove this change to ensure that no problems are being introduced into the codebase.

This patchset has the "easy" reverts, there are 68 remaining ones that need to be manually reviewed.  Some of them are not able to be reverted as they already have been reverted, or fixed up with follow-on patches as they were determined to be invalid.  Proof that these submissions were almost universally wrong.

I will be working with some other kernel developers to determine if any of these reverts were actually valid changes, were actually valid, and if so, will resubmit them properly later.  For now, it's better to be safe.

I'll take this through my tree, so no need for any maintainer to worry about this, but they should be aware that future submissions from anyone with a umn.edu address should be by default-rejected unless otherwise determined to actually be a valid fix (i.e. they provide proof and you can verify it, but really, why waste your time doing that extra work?)

thanks,

greg k-h
