top | item 26957084

weagle05 | 4 years ago

I'm giving you an upvote. Look around your house and count the number of Linux kernels running. My count is 6 that I know about. I haven't seen the actual vulnerable code submitted to know how critical the vulnerabilities are, but I believe these grad students are liable both civilly and criminally. Not advocating for mob justice, but there needs to be more than a slap on the wrist. For those of us who live and breathe software security every day, this is kind of a big deal.


zekrioca | 4 years ago

I don't agree that this is the way to fix the bigger problem, which is the acceptance that every commit to the kernel is done in good faith. As mentioned in another comment, I believe having these grad students take a look at the ethical impacts of their research is a way forward. Another would be to somehow cast some blame on their supervisor, who should know more.

I understand that what they did was, and is, bad and shouldn't be done. However, how many other people also purposely submit buggy patches? At the end of the day, this incident just shows vulnerabilities in the merging system itself.

weagle05 | 4 years ago

I think we disagree on the bigger problem. In my view the bigger problem is the erosion of trust in open source. Over the last 10-ish years there has been a flood of research and marketing around open source software security. I wrote a white paper about it back in 2011. We know there are risks in open source, and we know vulnerabilities are created both intentionally and accidentally. We also know open source maintainers are overworked and human. There will be mistakes, and we must prepare for them. This is the reason why the fine folks at Sonatype, Snyk, and WhiteSource have jobs.

These grad students wanted to make a splash and went after one of the most important code bases on the planet. It stopped being an ethical problem when the kernel maintainers had to manually search for vulnerabilities. They are using hours that could be used elsewhere. The Linux Foundation is paying Greg Kroah-Hartman to solve this problem, so they have a financial loss due to the actions of these grad students. There's your civil liability. They "knowingly cause(d) the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer" so there's your criminal liability from the Computer Fraud and Abuse Act. There's probably criminal liability in the state where they live as well.

threatofrain | 4 years ago

The issue isn’t that every commit and committer is treated in good faith. They aren’t.

The issue is that U of Minnesota, and universities in general, had a reputation in good standing with the Linux kernel group. Students at the university can still submit patches, but not currently with the strength of institutional credibility standing behind them.

Knowing who to trust and updating your trust when you’re wrong is part of healthy security.