Advertisement
GStreamer Conference 2013, 22-23 Oct, Edinburgh
GStreamer, Embedded Linux, Android, VoD, Smooth Streaming, DRM, RTSP, HEVC, PulseAudio, OpenGL. Register now to attend.
Weekly Edition
Return to the Kernel page
| |||||||||||||
Code of uncertain origin
Recently, a set of patches
was posted for inclusion in the mainline kernel. These patches make use of
the (undocumented) "SMAPI" BIOS found in Thinkpad laptops to provide
support for a number of useful Thinkpad features. It looks like it could
be the sort of code that would be welcomed; improving hardware support is
generally considered to be a good thing to do.
There is just one little problem. The code was signed off as:
Signed-off-by: Shem Multinymous <multinymous@gmail.com>
Various developers quickly pointed out that there was little useful information here, and that code signed off by an obvious pseudonym would be difficult to trust enough to merge into the kernel. "Mr. Multinymous" argued the case for inclusion with statements like:
I hereby declare that this patch was developed solely based on
public specifications, observation of hardware behavior by
trial&e[r]ror, and specifications made available to me in clean-room
settings and with no attached obligations. So this patch is as pure
as the mainline hdaps driver it fixes (and probably purer than many
other drivers), and not a single line of it is a derivative work of
$OTHER_OS code.
The author of the code remains unwilling to reveal him or herself, however, with the result that others have refused to consider the code for inclusion. The standoff might have been broken by Pavel Machek, who has offered to sign off the code. Whether that is good enough will be decided by Linus, presumably, sometime after he returns from his travels. In the post-SCO world, it does not take a great deal of paranoia or imagination to suppose that somebody could attempt to sabotage the kernel project through the deliberate injection of illicit code. If the true nature of the code were revealed after it had been widely shipped, the result could be a great deal of trouble for kernel developers, Linux distributors, and possibly even users. So it is a good thing for the kernel developers to hold the line and not accept code from anonymous posters. The SCO episode has shown the world just how clean the kernel code base is; we would like to keep it that way. That said, it is hard to avoid the disquieting feeling that, had this code been posted under a more normal-sounding name, it would not have been subjected to such scrutiny. Code does show up from unknown names from all parts of the world, and nobody has the resources or the desire to verify that those names belong to real people who have a legitimate right to contribute that code. For this reason, people contributing code which demonstrates deep knowledge of undocumented hardware will often be asked just how they came by that knowledge. Verifying the answer can be difficult, however. Our defenses are thin, but it is hard to see how they could be improved without killing the process entirely. (Log in to post comments)
Code of uncertain origin Posted Aug 10, 2006 2:57 UTC (Thu) by jsarets (guest, #39560) [Link] I'm not an expert kernel hacker, but from briefly scanning the patches, I see plenty of evidence that the firmware interfaces was reverse engineered, and no evidence that the code was based on proprietary code. The coding style is distinctively that of a long-time Linux kernel hacker. The pseudonym might cloud the issue, but the code certainly looks pure to me.
If the RIAA can go after an name-less IP address, can the kernel community hold a name-less email address accountable? We can archive the email wherein the contributor swore that the code was legit, and if we ever need to track him down, perhaps Google could help us resolve that GMail account?
Better yet, Lenovo wants to put Linux on Thinkpads these days, so why don't we take this issue to them? If we can get their permission to merge the code, I can't imagine we have anything to worry about. They might even offer to help maintain it!
The problem with these issues is that the kernel developers aren't lawyers. They shouldn't be the ones making these decisions. This is where the OSDL should be more involved in the process, so that the kernel developers can focus on the technical merit of the patches.
Code of uncertain origin Posted Aug 10, 2006 5:11 UTC (Thu) by sitaram (subscriber, #5959) [Link] > perhaps Google could help us resolve that GMail account?
I'm sorry, but I honestly doubt if that is possible. Absolutely no personal information of any kind required to obtain an account. The invitation scheme also does not require me to know you to invite you -- this isn't like the "web of trust" model :-) Apart from the IP address used to post, Google can't really tell you anything more.
Code of uncertain origin Posted Aug 10, 2006 6:19 UTC (Thu) by ekj (subscriber, #1524) [Link] True. But Google can easily map a gmail-account to a set of ip-adresses and timestamps. It is then possible to figure out the names behind those ip-adresses as per the usual routes. Some of the time anyway.People who want to avoid this are free to use Tor offcourse.
Code of uncertain origin Posted Aug 10, 2006 16:41 UTC (Thu) by emkey (guest, #144) [Link] There is also potentially a lot of information contained in messages received by a particular mail account. How long google keeps "deleted" messages around is anyones guess of course.
Code of uncertain origin Posted Aug 12, 2006 9:47 UTC (Sat) by hingo (guest, #14792) [Link] Oh my. I'm really shocked to see 4 LWN readers (I would have understood one, but anything more than two is shocking) sincerely debating this with the assumption that Google employees would obviously have no problems whatsoever to go and look in this persons mailbox and then reveal his identity on lkml. Surely, this must be some kind of joke I'm not getting?
Code of Uncertain Origin - Google's morals Posted Aug 12, 2006 18:00 UTC (Sat) by giraffedata (subscriber, #1954) [Link] Yeah, morality aside, I would expect Google to have serious enough fears of bad publicity from privacy advocates, not to mention legal liability, that pigs would fly before Google would do that. So I figured we were probably talking about a subpoena situation. While I doubt Google maintains enough information to comply with such a subpoena, I'm not at all surprised that lots of LWN readers think it secretly does. People suspicious of big organizations seem to be very well represented here.
Code of Uncertain Origin - Google's morals Posted Aug 12, 2006 19:37 UTC (Sat) by hingo (guest, #14792) [Link] Paranoid people yes, but I got the impression these people were thinking it would actually be a good idea. I was kind of reacting to it in a "are you even worthy of being here" kind of way. On the other hand, LWN is certainly a good place for such people to be. And in any case, I probably misunderstood something from the very beginning.
Code of Uncertain Origin - Google's morals Posted Aug 21, 2006 2:07 UTC (Mon) by Baylink (subscriber, #755) [Link] I believe Pascal's Wager suggests that's the position to take.
Code of Uncertain Origin - Google's morals Posted Aug 21, 2006 3:02 UTC (Mon) by giraffedata (subscriber, #1954) [Link] Actually, Pascal's Wager suggests that it's something that should be believed, which is something different from just taking the position (i.e. assuming it's true). Pascal's Wager is bunk because of its assumption that belief is a matter of will.But the expected value analysis at the heart of Pascal's Wager definitely applies, and probably makes it wise to assume the worst of Google, even while not actually believing it.
Code of uncertain origin Posted Aug 16, 2006 22:21 UTC (Wed) by fergal (subscriber, #602) [Link] Lets say that somehow, Google is forced by a court to reveal the IPs and this guy is tracked down. He turns out to have written this in some way that was totally illegal. Then what? That still leaves the entire Linux community in receipt of stolen goods. Best case scenario everyone distributing the code has to stop. That's an enormous mess even without taking into account boxed CDs of Linux distributions.
That's just the best case.
Code of uncertain origin Posted Aug 17, 2006 2:35 UTC (Thu) by Mithrandir (subscriber, #3031) [Link] Except that code isn't "property", any more than Intellectual Property is "property".
Just a nit pick! :)
Code of uncertain origin Posted Aug 17, 2006 17:28 UTC (Thu) by fergal (subscriber, #602) [Link] Nit: I didn't use the word "property".
But even if I had, the basic point is the same. If you don't have permission to use it, you shouldn't depend on it. Good faith will only get you so far and will not get you very far if you knowingly put your faith in the modern day euivalent of some bloke in the darkest, smokiest corner of a dogy pub.
There is no SMAPI anywhere in this patch set... Posted Aug 10, 2006 4:00 UTC (Thu) by hmh (subscriber, #3838) [Link] SMAPI is used in an extremely useful (for ThinkPad owners anyway) out-of-tree driver by the same author, so that's probably the reason for the confusion...
FYI, SMAPI is a way to call SMBIOS routines that run in SMM, by requesting the ThinkPad hardware to perform a SMI. It is disgusting like all heck, and you can see the code for it in the mwave driver that has been in the kernel tree for a while, now.
Code of uncertain origin Posted Aug 10, 2006 9:37 UTC (Thu) by cate (subscriber, #1359) [Link] IANAL, but use of pseudonym is allowed by copyright law, so I don't see big problems. (Or maybe the editor (Linus in this case?) should know the real name, I don't remember).
Code of uncertain origin Posted Aug 12, 2006 18:06 UTC (Sat) by giraffedata (subscriber, #1954) [Link] It's apples and oranges. Nobody's concerned with Mr Multinymous' copyright. They're concerned with the credibility of the information he supplied as to whether the code was stolen or not. An anonymous statement like this doesn't have much credibility; a statement that could be traced back to someone who could be made to pay if it turns out to be a lie has more credibility.
Pseudonyms and reputation Posted Aug 10, 2006 12:56 UTC (Thu) by shapr (guest, #9077) [Link] It actually has nothing to do with the pseudonym itself. It's more about the lack of reputation.
If someone legally changed their name to that pseudonym and then sent the patch, it would be okay, if a bit weird.
I've had a similar experience on various academic websites. I've gone by the pseudonym 'shapr' since 1992. My use of that pseudonym has excluded me from some places, but most places accept it because I already have a years old established reputation under that pseudonym.
If there had been an anonymous kernel hacker from the very beginning of the Linux kernel process who had proved themself totally trustworthy, no one would question it. In summary, it's just reputation, not name.
Pseudonyms and reputation Posted Aug 13, 2006 18:41 UTC (Sun) by alspnost (guest, #2763) [Link] Possibly true - anyone remember "Thunder from the Hill" from the early 2.6 days? Not sure if we ever discovered who he really was, but he had quite a high profile on LKML if I remember.
Pseudonyms and reputation Posted Aug 14, 2006 17:53 UTC (Mon) by shemminger (subscriber, #5739) [Link] That was before the "Developer's Certificate of Origin" which was a lawyer response to the SCO suit.
|
|||||||||||||