Reflections on the UMN Linux Incident (3): A Slight Improvement

Author: oneweek, posted 2021-5-1 00:41 on 贝壳村 (Beike Village), "the liveliest Chinese social network"

General category: Hot Topics


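Greg's tweet drew a heated response online. Retweets and replies quickly passed a hundred, and most people felt that Professor Lu's research had an ethics problem. A few hours later the tech news was full of the story, all of it parroting what others had said.

I guess that when Professor Lu woke up in the morning and read the first message, his head must have buzzed. Reading further down, he probably let out a long sigh of relief.

Two hours after issuing the ban, Greg may have felt it was excessive: strip out everything from the past? He probably thought that went too far himself, so he changed it to a re-review. Whatever proves valid after the re-review can simply go on being used. https://lore.kernel.org/lkml/20210421130105.1226686-1-gregkh@linuxfoundation.org/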

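Wed, 21 Apr 2021 14:57:55 +0200 (at this point it was 8 a.m. at UMN, -0500)
I have been meaning to do this for a while, but recent events have finally forced me to do so.
That is: I have wanted to do this for some time, and only the recent events made me finally decide to.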

Commits from @umn.edu addresses have been found to be submitted in "bad faith" to try to test the kernel community's ability to review "known malicious" changes.  The result of these submissions can be found in a paper published at the 42nd IEEE Symposium on Security and Privacy entitled, "Open Source Insecurity: Stealthily Introducing Vulnerabilities via Hypocrite Commits" written by Qiushi Wu (University of Minnesota) and Kangjie Lu (University of Minnesota).
That is: patches submitted through @umn.edu were recently found to be malicious submissions, meant to test whether the kernel community can identify known malicious changes. These submissions are written up in a paper at the 42nd IEEE Symposium on Security and Privacy, titled "Open Source Insecurity: Stealthily Introducing Vulnerabilities via Hypocrite Commits", by Xiao Wu and Professor Lu.

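Because of this, all submissions from this group must be reverted from the kernel tree and will need to be re-reviewed again to determine if they actually are a valid fix.  Until that work is complete, remove this change to ensure that no problems are being introduced into the codebase.
That is: in view of this, all patches submitted by this group are to be removed from the kernel tree and re-reviewed to determine whether they are genuinely valid fixes. Until the re-review is complete, removal is necessary; we do not want them introducing problems.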

This patchset has the "easy" reverts, there are 68 remaining ones that need to be manually reviewed.  Some of them are not able to be reverted as they  already have been reverted, or fixed up with follow-on patches as they were determined to be invalid.  Proof that these submissions were almost universally wrong.
That is: what follows is the easy part, and 68 more need manual review. Some had already been removed earlier, or had introduced weaknesses and were fixed up by later patches. This also shows that their submissions were almost all wrong.

I will be working with some other kernel developers to determine if any of these reverts were actually valid changes, were actually valid, and if so, will resubmit them properly later.  For now, it's better to be safe.
That is: I will work with some other kernel developers to determine whether any of these removals were in fact valid changes. If so, they will be resubmitted later. For now, safety comes first.

I'll take this through my tree, so no need for any maintainer to worry about this, but they should be aware that future submissions from anyone with a umn.edu address should be by default-rejected unless otherwise determined to actually be a valid fix (i.e. they provide proof and you can verify it, but really, why waste your time doing that extra work?)
That is: I will go through my tree, so other kernel maintainers need not worry, but note that all future submissions from umn.edu addresses should be rejected by default, unless the submission can be shown to be a valid fix (for example: they provide proof and you can then verify it; otherwise why waste time on the extra work?).

thanks,

greg k-h
