Unpopular opinion: The UMN security researchers that executed a successful supply chain attack on the kernel did a public service.

Can state actors get away with this too? Did they already?

We need serious reform in open source code review.


I am a Linux kernel contributor and a security researcher.

Will the Linux Kernel team ban me if I too attempt to test the ability of the code review process to catch malicious commits?

Good luck figuring out which pseudonyms are mine.

I have no intention of actually doing this, but the point stands.

Domains of a number of past kernel contributors have expired.

Someone could just take one of those over and submit a patch from the same email.

Email domain bans are not a solution.

If a state actor threatens a popular and trusted kernel contributor to slip in a subtle exploit, I now have strong reason to believe they would be successful.

The UMN researchers pointed out a very serious problem.


@lrvick The issue is real but they completely fucked up the execution of the test. The number one thing to do is get approval for testing which they didn't. They could've worked with the maintainers but chose not to. They totally deserved what they got.

@nob0dy get approval from who? The actual people that sign off on the commits?

Meanwhile anyone can still submit code anonymously and do this again, only this time for a state actor.

The university exposed a massive process flaw that banning emails from a particular EDU won't fix.

@nob0dy I committed anonymously to the kernel. If someone coerced me I could do it again, only this time I could be asked to slip in something extra.

How will they catch me? Clearly the review process is not sufficient.

The security researchers proved a point very successfully.

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.