Open Source Market Segment LS
Open Source Market Segment RS
Thursday, 22 April 2021 08:46

Uni group slammed over submitting known buggy patches to Linux kernel Featured

Uni group slammed over submitting known buggy patches to Linux kernel Image by OpenClipart-Vectors from Pixabay

A group from the University of Minnesota has come in for a tongue-lashing from the normally mild-mannered Linux developer Greg Kroah-Hartman, the maintainer of the stable kernel.

Kroah-Hartman blew up after the group submitted patches to the kernel which were known to be buggy.

He said in a post addressed to Aditya Pakki at the university that he, and his group, had sent the buggy patches to see how the kernel community would react, and put out a paper based on that. 

The university has now reacted by saying that it has suspended this line of research.

The university's Qiushi Wu and Kangjie Lu published the paper in question, which is titled "On the feasibility of stealthily introducing vulnerabilities in open-source software via hypocrite commits".

It claimed to explore the possibility of stealthily introducing vulnerabilities in open-source software, in this case the Linux kernel.

In one email addressed to Pakki, who had made several claims about a patch he had sent, Kroah-Hartman responded: "Please stop submitting known-invalid patches. Your professor is playing around with the review process in order to achieve a paper in some strange and bizarre way.

"This is not ok, it is wasting our time, and we will have to report this, AGAIN, to your university..."

Another kernel developer, Leon Romanovsky, pointed out that the commits sent by Pakki were part of some research.

"They introduce kernel bugs on purpose. Yesterday [20 April], I took a look on 4 accepted patches from Aditya and 3 of them added various severity security 'holes'," he added.

Pakki attempted to whitewash his attempts to send patches with known vulnerabilities, writing to Kroah-Hartman: "These patches were sent as part of a new static analyser that I wrote and it's sensitivity is obviously not great. I sent patches on the hopes to get feedback. We are not experts in the Linux kernel and repeatedly making these statements is disgusting to hear.

"Obviously, it is a wrong step but your preconceived biases are so strong that you make allegations without merit nor give us any benefit of doubt.

"I will not be sending any more patches due to the attitude that is not only unwelcome but also intimidating to newbies and non experts."

But Kroah-Hartman was not buying this and did not mince his words when he responded. "When submitting patches created by a tool, everyone who does so submits them with wording like 'found by tool XXX, we are not sure if this is correct or not, please advise." which is NOT what you did here at all," he wrote.

"You were not asking for help, you were claiming that these were legitimate fixes, which you KNEW to be incorrect.

"A few minutes with anyone with the semblance of knowledge of C can see that your submissions do NOT do anything at all, so to think that a tool created them, and then that you thought they were a valid 'fix' is totally negligent on your part, not ours. You are the one at fault, it is not our job to be the test subjects of a tool you create."

And he added, in conclusion: "Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems."

Read 1997 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


The past year has seen a meteoric rise in ransomware incidents worldwide.

Over the past 12 months, SonicWall Capture Labs threat researchers have diligently tracked the meteoric rise in cyberattacks, as well as trends and activity across all threat vectors, including:

Encrypted threats
IoT malware
Zero-day attacks and more

These exclusive findings are now available via the 2022 SonicWall Cyber Threat Report, which ensures SMBs, government agencies, enterprises and other organizations have the actionable threat intelligence needed to combat the rising tide of cybercrime.

Click the button below to get the report.



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News