Thanks to the SolarWinds security breach[1], software supply chain attacks[2] have become an important issue. Naturally enough, there's a lot of research being done into these attacks. Two graduate students at the University of Minnesota, working on a paper entitled "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits[3]," tried to put a Use-After-Free (UAF)[4] vulnerability into the Linux kernel. This kind of Red Team security testing[5] is commonplace… when the project includes people who know what's going on beforehand. That wasn't the case here. When they tried it again, Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, had had enough.
Kroah-Hartman, one of the most respected of all the Linux kernel developers, tweeted, "Linux kernel developers do not like being experimented on[6], we have enough real work to do."
In the Linux Kernel Mailing List (LKML), Kroah-Hartman made this even clearer when they tried again to introduce a bogus patch. "If you look at the code, this is impossible to have happen[ed]. Please stop submitting known-invalid patches.[7] Your professor is playing around with the review process in order to achieve a paper in some strange and bizarre way. This is not ok, it is wasting our time, and we will have to report this, AGAIN, to your university…"
Leon Romanovsky, a senior Linux kernel developer, explained to those who came in late that, "They introduce kernel bugs on purpose[8]." That's a huge no-no in any open-source community, but especially in the Linux kernel community, where trust between programmers is a vital part of the development process. As Kroah-Hartman continued, "All contributions by this group of people