All of the patches submitted to the Linux Kernel by researchers from the University of Minnesota have been reverted and all future contributions from @umn.edu email addresses will be flatly ignored. What follows is a cautionary tale of how not to conduct research using human subjects.

In short, the Linux kernel developers noticed that researchers from the University of Minnesota were submitting patches to the kernel that were introducing vulnerabilities. The researchers claimed that these patches contained bug-fixes generated by their static analysis tool. Upon digging deeper, kernel developers realised that previous patches submitted by this group were intentionally malicious as part of "research" on using hypocrite commits to inject vulnerabilities into OSS projects (using Linux as an example). To make matters worse, it was discovered that some of these patches had already propagated to "stable" trees meaning they could potentially affect devices in the wild.

When accused of submitting bad-faith patches, the researchers doubled down on their arguments. At this point famed kernel developer and overall badass Greg Koah-Hartman (@gregkh on twitter) banned their institution from future submissions and began ripping out all of their patches. In his email to the researchers, he signed off the message with a dreaded *plonk*: the sound of someone or something dumped into the email oubliette.

Greg holding down the kernel fort.

Greg holding down the kernel fort.

While the researchers claim that they were trying to test the OSS contribution vetting/security system, they did so without informing any of the kernel developers. Since the kernel patch review process is largely a human one, by attacking the process the researchers were effectively experimenting on the kernel developers and maintainers themselves. The researchers failed to see that ultimately they were studying the trust levels of the developers and not the "system". Furthermore, by submitting purposefully malicious patches they were using up human time and effort (in a project that depends on volunteers) for their own benefit with little to no contribution to the kernel efforts itself. This type of one-sided behaviour found in nature can be described as parasitic.

During the damage control, it came to light that the University's own ethics board had greenlit the research despite initially trying to distance themselves from their own CS department. Overall, the entire situation was a clusterbomb of mistakes, and arrogance.

Performing research on unaware humans is — it turns out — not the way to go. That is the type of malicious behaviour reserved for authoritarian governments, and mindless corporations. As potential supervillains, we understand that human experimentation is sometimes necessary, but that unsanctioned experimentation on humans is not just bad, it is stupid.

The kernel developers themselves suggested a way to have gone about it. Work with a select group of higher-ups (such as Greg) to target specific parts of the kernel with known patches. When these patches arrive in Greg's email, he notifies the researcher that the patches have gone through, and they work together to notify and educate the developers that the patches fooled. In this scenario, everybody wins and you graduate to a symbiotic relationship. If you are tempted to perform experiments on humans, do it in the open with clearance and you can get away with it. Try to do so surreptitiously, and you will be publicly ousted — or worse get plonked.


Some links: