University of Minnesota Linux code security issues; banned and to be removed
bd139:
Yep :(
magic:
Has anyone seen links to the bad patches and how the review process went for them? :popcorn: A quick glance at the responses to Greg's mass revert shows that most stuff from that university was legit fixes.
DrG:
I'm probably thinking about this more than I should, but I was reading this thread: https://github.com/QiushiWu/qiushiwu.github.io/issues/1 (That is the PhD candidate, right?) First off, let this be a lesson to the kids out there: don't piss off the people above you unless you are really, really good (ok, I am saying that with a :) ). One big issue that comes to mind, and I don't know enough to even speculate, is whether this constitutes penetration testing without authorization. If so, that would have some consequences, I would think. Anybody have a more educated opinion than mine? The other issue concerns the IRB: when did they get approval and the waiver, and is that going to be 'changed', the process or otherwise, in the near future? I already weighed in on that and I am sticking with that opinion. From that thread, this fellow is gearing up to make an apology (not a clarification) and, as could be anticipated, is getting a lot of heat. Some justifiable, some maybe not so much. I wonder how the presentation goes (if it is not retracted); a lengthy apology to begin? Concentration on this idea of "immature vulnerability", which does not seem all that original, but I don't know. Right now, I think there is a lot of scrambling going on: what do we have to change and how do we do that? I once had to take a mandatory Jeep Safety Training and Motorcycle Safety Training. As far as I know, I have never been in a Jeep, and except for a brief period of time in my youth (EZ-Rider period :) ) I don't own or use a motorcycle. It took me a while to understand how those mandates came to be, and it was quite a lesson in bureaucratic processes.
bd139:
There's no contributor contract as such, so there's no legal agreement in place. Usually your only agreement would be to surrender copyright to the project in some way. Thus you could roll up a steaming turd and drop the patch, and if they accept it then it's the maintainer's funeral, which in this case it should be. There is a lot of distraction here by the community from the fact that there is a massive vulnerability in the process. Imagine how many times that has potentially been exploited. There are a hell of a lot of contributors. Both sides of this process are to blame. The whole OpenBSD IPSEC and DARPA thing is another example of the plausible scenarios.
DrG:
--- Quote from: bd139 on April 23, 2021, 10:50:59 pm ---
There's no contributor contract as such, so there's no legal agreement in place. Usually your only agreement would be to surrender copyright to the project in some way. Thus you could roll up a steaming turd and drop the patch, and if they accept it then it's the maintainer's funeral, which in this case it should be. There is a lot of distraction here by the community from the fact that there is a massive vulnerability in the process. Imagine how many times that has potentially been exploited. There are a hell of a lot of contributors. Both sides of this process are to blame. The whole OpenBSD IPSEC and DARPA thing is another example of the plausible scenarios.
--- End quote ---
Do you think that there will be some substantial process changes as a result of this, or a lot of saber rattling until the smoke clears and then business as usual... or something in between?