Linux Kernel dev bans University of Minnesota for sending malicious patches

Last updated: 22 Apr 2021 at 8:44 am UTC

Here is your daily dose of WTF. Linux Kernel developer Greg Kroah-Hartman has called out "researchers" from the University of Minnesota and banned them from submitting code to the Linux Kernel.

This story is pretty wild and completely ridiculous. In the name of some apparent research and a written paper titled, "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits", the people involved have now been called out on "sending known-buggy patches to see how the kernel community would react to them".

It goes further, too: patches have continued to roll in after the paper was published, so they are "continuing to experiment on the kernel community developers by sending such nonsense patches", with the patches not actually doing anything at all. Kroah-Hartman certainly wasn't holding back:

Our community does not appreciate being experimented on, and being "tested" by submitting known patches that are either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.

Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems.

In a further post, Kroah-Hartman sent in a patch to revert a bunch of changes made by the group, so they can go over them fully to ensure they're safe and actually do something.

From a certain point of view, it's nice to know that the Kernel team are good at picking up malicious code and attempts to introduce bugs - but doing this to such a huge, important project, live and in the open in the name of research? That's just not right.

Update: so the plot thickens it seems! Sarah Jamie Lewis, the Executive Director of Open Privacy, pointed out on Twitter (be sure to read the thread) that they and others expressed concerns about it in 2020 in a co-signed letter to the IEEE S&P (IEEE Symposium on Security and Privacy). It really doesn't look good.

Update 2: Leadership in the University of Minnesota Department of Computer Science & Engineering released a statement on Twitter, noting that it has suspended the research and will be looking into how it got approved in the first place.

Article taken from GamingOnLinux.com.
Tags: Kernel, Misc

Lofty 21 Apr 2021
Every day we step closer to the brink of idiocracy.
Alm888 21 Apr 2021
I have a research proposition: let's get ourselves a pharmaceutical company and force this company to introduce poison in some of its medications and distribute those poisoned drugs through common distribution network. In the name of research, of course! I think we must determine the pharmaceutical industry's ability to identify and block malicious drugs!

HINT: That was sarcasm.


Last edited by Alm888 on 21 Apr 2021 at 5:16 pm UTC
Photon 21 Apr 2021
I have a research proposition: let's get ourselves a pharmaceutical company and force this company to introduce poison in some of its medications and distribute those poisoned drugs through common distribution network. In the name of research, of course! I think we must determine the pharmaceutical industry's ability to identify and block malicious drugs!

Have you seen the list of side effects on drugs? I think pharma's do that on their own.
Mohandevir 21 Apr 2021
So, following that logic, we are better served with closed source proprietary code that got well known unpatched and exploited flaws for years... Yeah right!

Edit: Wondering who paid for this nonsense "research"? Could we follow the money, please?


Last edited by Mohandevir on 21 Apr 2021 at 5:33 pm UTC
Lachu 21 Apr 2021
Sorry, but my English knowledge is poor.
Are these patches introduced to mainline/merged?
Lachu 21 Apr 2021
I will subscribe.
ElectricPrism 21 Apr 2021
Good. Introducing intentionally defective code into the kernel is criminal. Don't fuck with my FOSS. GTFO.
Alm888 21 Apr 2021
I have a research proposition: let's get ourselves a pharmaceutical company and force this company to introduce poison in some of its medications and distribute those poisoned drugs through common distribution network. In the name of research, of course! I think we must determine the pharmaceutical industry's ability to identify and block malicious drugs!

Have you seen the list of side effects on drugs? I think pharma's do that on their own.
1) Those are documented side effects;
2) Sadly, no drug is flawless (no panacea was invented yet).
What those "researchers" have done was experimenting on unwitting victims with possible lethal "side-effects".
So, following that logic, we are better served with closed source proprietary code that got well known unpatched and exploited flaws for years... Yeah right!

Edit: Wondering who paid for this nonsense "research"? Could we follow the money, please?
What mind-bending yoga has made you come to this conclusion? Since when does prohibiting "scientific" rm -rf /* patches lead to "closed source proprietary code" propaganda?
There are other means of code audition/inspection/scrutiny than willful injection of malicious code into working industry-level software possibly managing critical infrastructure objects like hospitals, nuclear power plants, stock exchange servers or ship navigation systems.
It is all joy and games only until someone gets killed due to this kind of "research".


Last edited by Alm888 on 21 Apr 2021 at 5:45 pm UTC
Mohandevir 21 Apr 2021
Good. Introducing intentionally defective code into the kernel is criminal. Don't fuck with my FOSS. GTFO.

Oh! I would like to see the Linux Foundation suing the Minnesota University... Getting my Pop Corn ready!


Last edited by Mohandevir on 21 Apr 2021 at 5:52 pm UTC
ElectricPrism 21 Apr 2021
Good. Introducing intentionally defective code into the kernel is criminal. Don't fuck with my FOSS. GTFO.

Oh! I would like to see the Linux Foundation suing the Minnesota University... Getting my Pop Corn ready!

Find penalty laws of "fucking with nuclear facilities" and "hospitals" and I'm sure there could be a pretty long list of felonies drawn up.

Honestly, I wouldn't mind seeing the EFF sue the shit out of them.

(Oops I didn't mean to Poison the water of the Children's Hospital and Old Folks Homes, "It was just a paper bro")


Last edited by ElectricPrism on 21 Apr 2021 at 5:54 pm UTC
Mohandevir 21 Apr 2021
So, following that logic, we are better served with closed source proprietary code that got well known unpatched and exploited flaws for years... Yeah right!

Edit: Wondering who paid for this nonsense "research"? Could we follow the money, please?
What mind-bending yoga has made you come to this conclusion? Since when does prohibiting "scientific" rm -rf /* patches lead to "closed source proprietary code" propaganda?
There are other means of code audition/inspection/scrutiny than willful injection of malicious code into working industry-level software possibly managing critical infrastructure objects like hospitals, nuclear power plants, stock exchange servers or ship navigation systems.
It is all joy and games only until someone gets killed due to this kind of "research".

You are probably right it's probably just this:

Every day we step closer to the brink of idiocracy.

I tend to give too much credit to some people...

Edit: Still... What I don't understand is that the Minnesota University gave it a "Go!"? How come?!


Last edited by Mohandevir on 21 Apr 2021 at 6:11 pm UTC
TheSHEEEP 21 Apr 2021
Daily WTF worthy, indeed.
redneckdrow 21 Apr 2021
Good grief, now the script-kiddies are coming from actual accredited universities with ~49,000 students! Is this really what the world has come to? Lord, I hope not.

This should be added to UMN's Wikipedia page, it's egregious enough!
jens 21 Apr 2021
I hope those kids and especially their mentors at that university will never get again a foot down in IT. I have really no understanding for this "supposed to be innocent" behavior.
Cyril 21 Apr 2021
Just WTF. It's not funny, I can't see this as a serious work of research, it's just plain stupid.
What did they think? That the Kernel is widely open to everyone who can write anything without verification?
#Facepalm
seanbutnotheard 21 Apr 2021
This is a pretty ridiculous way to test the Linux community, but also shows that the kernel devs need to stay on top of their game... just imagine what could happen when (not if) malicious code does slip through the review process. (Reminds me a bit of the so-called "Grievance studies affair").
Liam Dawe 21 Apr 2021
The plot thickens and it's not good on the side of the researchers: https://twitter.com/SarahJamieLewis/status/1384871385537908736

It was condemned ethically back in 2020, seems they didn't care enough.
Another 'experiment' was conducted on PyPi earlier this year: https://www.theregister.com/2021/03/02/python_pypi_purges/ — not as spectacularly stupid & irresponsible as the one on kernel devs, though.
The plot thickens and it's not good on the side of the researchers: https://twitter.com/SarahJamieLewis/status/1384871385537908736

It was condemned ethically back in 2020, seems they didn't care enough.

I don't understand all the details in that thread, but as someone in academia (in a field unrelated to CS), my heart sinks once again to see the lengths that people will go to, to churn out a few more papers, & inflate their CVs by a couple more lines.

Inventing clever ways to waste other people's time to advance one's career is a vital skill in today's academia.
Liam Dawe 21 Apr 2021
Update 2: Leadership in the University of Minnesota Department of Computer Science & Engineering released a statement on Twitter, noting that it has suspended the research and will be looking into how it got approved in the first place.