Reflections on the University of Minnesota Linux incident (5): They apologized, but is an apology enough?

Author: oneweek, posted 2021-5-1 21:09 on 贝壳村 (Backchina), the liveliest Chinese-language social network


【Professor Lu presumably racked his brains and, on Saturday (4/24) at 5:30 pm -0500 (22:30 UTC), wrote an open letter to the Linux community, believing he had apologized. Online comments are all over the place: some say the apology is good enough, others say it looks less like an apology and more like an explanation.】
An open letter to the Linux community

Dear Community Members:
We sincerely apologize for any harm our research group did to the Linux kernel community. Our goal was to identify issues with the patching process and ways to address them, and we are very sorry that the method used in the “hypocrite commits” paper was inappropriate. As many observers have pointed out to us, we made a mistake by not finding a way to consult with the community and obtain permission before running this study; we did that because we knew we could not ask the maintainers of Linux for permission, or they would be on the lookout for the hypocrite patches. While our goal was to improve the security of Linux, we now understand that it was hurtful to the community to make it a subject of our research, and to waste its effort reviewing these patches without its knowledge or permission.

We just want you to know that we would never intentionally hurt the Linux kernel community and never introduce security vulnerabilities. Our work was conducted with the best of intentions and is all about finding and fixing security vulnerabilities.

The “hypocrite commits” work was carried out in August 2020; it aimed to improve the security of the patching process in Linux. As part of the project, we studied potential issues with the patching process of Linux, including causes of the issues and suggestions for addressing them.
* This work did not introduce vulnerabilities into the Linux code. The three incorrect patches were discussed and stopped during exchanges in a Linux message board, and never committed to the code. We reported the findings and our conclusions (excluding the incorrect patches) of the work to the Linux community before paper submission, collected their feedback, and included them in the paper.
* All the other 190 patches being reverted and re-evaluated were submitted as part of other projects and as a service to the community; they are not related to the “hypocrite commits” paper.
* These 190 patches were in response to real bugs in the code and all correct--as far as we can discern--when we submitted them.
* We understand the desire of the community to gain access to and examine the three incorrect patches. Doing so would reveal the identity of members of the community who responded to these patches on the message board. Therefore, we are working to obtain their consent before revealing these patches.
* Our recent patches in April 2021 are not part of the “hypocrite commits” paper either. We had been conducting a new project that aims to automatically identify bugs introduced by other patches (not from us). Our patches were prepared and submitted to fix the identified bugs to follow the rules of Responsible Disclosure, and we are happy to share details of this newer project with the Linux community.

We are a research group whose members devote their careers to improving the Linux kernel. We have been working on finding and patching vulnerabilities in Linux for the past five years. The past observations with the patching process had motivated us to also study and address issues with the patching process itself. This current incident has caused a great deal of anger in the Linux community toward us, the research group, and the University of Minnesota. We apologize unconditionally for what we now recognize was a breach of the shared trust in the open source community and seek forgiveness for our missteps.

We seek to rebuild the relationship with the Linux Foundation and the Linux community from a place of humility to create a foundation from which, we hope, we can once again contribute to our shared goal of improving the quality and security of Linux software. We will work with our department as they develop new training and support for faculty and students seeking to conduct research on open source projects, peer-production sites, and other online communities. We are committed to following best practices for collaborative research by consulting with community leaders and members about the nature of our research projects, and ensuring that our work meets not only the requirements of the IRB but also the expectations that the community has articulated to us in the wake of this incident.

While this issue has been painful for us as well, and we are genuinely sorry for the extra work that the Linux kernel community has undertaken, we have learned some important lessons about research with the open source community from this incident. We can and will do better, and we believe we have much to contribute in the future, and will work hard to regain your trust.


Kangjie Lu, Qiushi Wu, and Aditya Pakki
University of Minnesota

——————————【The heavyweight on the other side said: whether the apology is accepted or not, we won't discuss for now; we have already sent a letter listing our demands. Meet those first, then we can talk about anything else.】
Thank you for your response.

As you know, the Linux Foundation and the Linux Foundation's Technical Advisory Board submitted a letter on Friday to your University outlining the specific actions which need to happen in order for your group, and your University, to be able to work to regain the trust of the Linux kernel community.

Until those actions are taken, we do not have anything further to discuss about this issue.


greg k-h


---——————【Only now did everyone learn that there were many demands. What were they? Reparations and ceding territory, certainly not. But were they harsh?】

The letter, from Mike Dolan, the Linux Foundation's senior VP and general manager of projects, begins:

--- It has come to our attention that some University of Minnesota (U of MN) researchers appear to have been experimenting on people, specifically the Linux kernel developers, without those developers' prior knowledge or consent. This was done by proposing known-vulnerable code into the widely-used Linux kernel as part of the work "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits"; other papers and projects may be involved as well. It appears these experiments were performed without prior review or approval by an Institutional Review Board (IRB), which is not acceptable, and an after-the-fact IRB review approved this experimentation on those who did not consent.

This is correct. Wu and Lu opened their note to the UMN IRB by stating: "We recently finished a work that studies the patching process of OSS." They only asked the IRB's permission after they'd shared the paper's abstract on Twitter.  Then after they admitted the abstract's publication had caused "heated discussion and pushback," they removed the abstract and apologized to the IRB for causing "many confusions and misunderstandings." 

While the IRB appears to have approved this research after the fact, the Linux kernel community was not kept in the loop. The researchers claim that they spoke to people in the Linux community, but they are never identified. Hence, Kroah-Hartman's reaction when, once more, he was presented with "nonsense patches" and yet another attempt to waste the Linux kernel maintainers' time by "continuing to experiment on the kernel community developers."

Dolan continued:

We encourage and welcome research to improve security and security review processes. The Linux kernel development process takes steps to review code to prevent defects. However, we believe experiments on people without their consent is unethical, and likely involves many legal issues. People are an integral part of the software review and development process. The Linux kernel developers are not test subjects, and must not be treated as such.

This is a major point. The researchers first claim in their IRB FAQ that: "This is not considered human research. This project studies some issues with the patching process instead of individual behaviors, and we did not collect any personal information." 

In the next paragraph, though, the UMN researchers back off from this claim.

"Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns. This is an important lesson we learned -- Do not trust ourselves on determining human research; always refer to IRB whenever a study might be involving any human subjects in any form."

Dolan went on: 

This also wasted their valuable time and put at risk the billions of people around the world who depend on their results. While the U of MN researchers claimed to take steps to prevent inclusion of vulnerabilities in the final software, their failure to gain consent suggests a lack of care. There are also amplified consequences because Linux kernel changes are picked up by many other downstream projects that build off of the kernel codebase.

Then we get the heart of the matter. While Dolan said the UMN researchers' apology was promising, the Linux community needs more.  

These "requests" are:

Please provide to the public, in an expedited manner, all information necessary to identify all proposals of known-vulnerable code from any U of MN experiment. The information should include the name of each targeted software, the commit information, purported name of the proposer, email address, date/time, subject, and/or code, so that all software developers can quickly identify such proposals and potentially take remedial action for such experiments.

Finding all this code is a real problem. Senior Linux kernel developer, Al Viro, who spotted the first April bogus patch, noted: "The lack of data is a part of what's blowing the whole thing out of proportion -- if they bothered to attach the list (or link to such) of SHA1 of commits that had come out of their experiment, or, better yet, maintained and provided the list of message-ids of all submissions, successful and not, this mess with blanket revert requests, etc. would've been far smaller (if happened at all)."
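The remedy Al Viro describes, a maintained list of commit SHA1s and message-ids of every submission so that maintainers can revert only what the experiment touched, can be turned into a small triage script. The following is an added example written for this page; it is not code from the article, the Linux Foundation or the UMN group. It parses a constructed `git log` dump (the NUL field separator and record separator are an assumed output format), reads message-ids from `Link:` trailers in the form the kernel uses for lore.kernel.org references, and sorts commits into three buckets: revert (listed by SHA1 or message-id), review (from a disclosed sender address but not on the list) and clear. All SHA1s, addresses and message-ids below are constructed placeholders.

```python
"""Triage kernel commits against a disclosed list of experiment submissions.

Added example, not from the article. All sample data below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed dump format: `git log --format='%H%x00%ae%x00%s%x00%b%x1e'`
# (NUL between fields, a record separator after each commit).
FIELD_SEP = "\x00"
RECORD_SEP = "\x1e"

# Kernel commits record the submission's message-id in a `Link:` trailer
# pointing at lore.kernel.org; the id is the last path component.
LINK_RE = re.compile(r"^Link:\s*https?://lore\.kernel\.org/r/([^\s/]+)\s*$", re.MULTILINE)


@dataclass
class Commit:
    sha: str
    author_email: str
    subject: str
    body: str
    message_ids: list[str] = field(default_factory=list)


def parse_git_log(text: str) -> list[Commit]:
    """Split a dump in the assumed format into Commit records."""
    commits: list[Commit] = []
    for rec in text.split(RECORD_SEP):
        rec = rec.strip()
        if not rec:
            continue
        sha, email, subject, body = rec.split(FIELD_SEP, 3)
        commits.append(Commit(sha, email, subject, body, LINK_RE.findall(body)))
    return commits


@dataclass
class Triage:
    revert: dict[str, str] = field(default_factory=dict)  # sha -> why it matched
    review: list[str] = field(default_factory=list)       # disclosed sender, not listed
    clear: list[str] = field(default_factory=list)        # no link to the disclosure


def triage(commits, disclosed_shas, disclosed_msgids, disclosed_emails) -> Triage:
    """Match commits against the disclosed list; abbreviated SHA1s match as prefixes."""
    result = Triage()
    senders = {e.lower() for e in disclosed_emails}
    for c in commits:
        if any(c.sha.startswith(s.lower()) for s in disclosed_shas):
            result.revert[c.sha] = "sha1 listed"
        elif any(m in disclosed_msgids for m in c.message_ids):
            result.revert[c.sha] = "message-id listed"
        elif c.author_email.lower() in senders:
            # Same sender as the disclosure but not on the list: needs a human look,
            # which is exactly the "blanket revert" work a complete list avoids.
            result.review.append(c.sha)
        else:
            result.clear.append(c.sha)
    return result


def _record(sha: str, email: str, subject: str, body: str) -> str:
    return FIELD_SEP.join([sha, email, subject, body]) + RECORD_SEP + "\n"


# Constructed sample log: placeholder SHA1s, addresses and message-ids.
SAMPLE_LOG = "".join([
    _record("aaaa1111", "alice@example.com", "net: add missing NULL check",
            "Check the pointer before use.\n\nLink: https://lore.kernel.org/r/20200801.1@example.com"),
    _record("bbbb2222", "alice@example.com", "fs: release lock on error path",
            "Unlock before returning.\n\nLink: https://lore.kernel.org/r/20200802.1@example.com"),
    _record("cccc3333", "alice@example.com", "drivers: fix leak", "Free the buffer on failure."),
    _record("dddd4444", "bob@example.com", "mm: tidy comment", "No functional change."),
])

# Constructed disclosure in the shape Al Viro asks for: SHA1s, message-ids, sender addresses.
DISCLOSED_SHAS = {"bbbb2222"}
DISCLOSED_MSGIDS = {"20200801.1@example.com"}
DISCLOSED_EMAILS = {"alice@example.com"}


def run_sample() -> Triage:
    return triage(parse_git_log(SAMPLE_LOG), DISCLOSED_SHAS, DISCLOSED_MSGIDS, DISCLOSED_EMAILS)


if __name__ == "__main__":
    t = run_sample()
    for sha, why in t.revert.items():
        print(f"revert {sha}: {why}")
    print("review:", t.review)
    print("clear:", t.clear)
```

With the sample data, two commits land in the revert bucket with the reason recorded, one commit from the same sender but absent from the list is flagged for review, and the unrelated commit is left alone. The review bucket is the point of the exercise: the more complete the disclosed list, the smaller it gets.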

As it is, the Linux developers and committers are now burning time reviewing several hundred UMN Linux kernel patches. They are not amused.

Dolan moved on to ask that the paper be withdrawn "from formal publication and formal presentation all research work based on this or similar research where people appear to have been experimented on without their prior consent. Leaving archival information posted on the Internet is fine, as they are mostly already public, but there should be no research credit for such works."

Thanks to the paper's FAQ, we already know that it has been accepted for publication by the IEEE Symposium on Security and Privacy (IEEE S&P) 2021. This is a top forum for computer security researchers. The 2021 virtual meeting will be happening shortly, from May 23 to May 27. The UMN has not said yet whether it will be withdrawn.

Dolan pressed to ensure further UMN experiments on people have IRB review prior to the experiment commencing. 

"Ensure that all future IRB reviews of proposed experiments on people will normally ensure the consent of those being experimented on, per usual research norms and laws," he said.

At this time, the UMN has not responded to our request for information on what the school plans to do.

The point of all this, Dolan said, is "to eliminate all potential and perception of damage from these activities, eliminate any perceived benefit from such activities, and prevent their recurrence. We would hope to see productive, appropriate open-source contributions in the future from your students and faculty as we have seen in prior years from your institution."

The Linux Foundation wants the school to respond to these requests as soon as possible. The Linux maintainers also want to know what's what with the UMN patches, so they can find them and move on. They would much rather be working on improving Linux than chasing down possible deliberately seeded errors.  


Comments (2)

fanlaifuqu 2021-5-1 21:49
I'm out of the loop and don't know much about this. Long time no see; hello, oneweek!

oneweek 2021-5-1 21:55 (reply to fanlaifuqu)
Greetings, Fanlao. This is a small matter in the tech world, but it has some points worth reflecting on.
