Code of uncertain origin
There is just one little problem. The code was signed off as:
Signed-off-by: Shem Multinymous <multinymous@gmail.com>
Various developers quickly pointed out that there was little useful information here, and that code signed off by an obvious pseudonym would be difficult to trust enough to merge into the kernel. "Mr. Multinymous" argued the case for inclusion with statements like:
The author of the code remains unwilling to reveal him or herself, however, with the result that others have refused to consider the code for inclusion. The standoff might have been broken by Pavel Machek, who has offered to sign off the code. Whether that is good enough will be decided by Linus, presumably, sometime after he returns from his travels.
In the post-SCO world, it does not take a great deal of paranoia or imagination to suppose that somebody could attempt to sabotage the kernel project through the deliberate injection of illicit code. If the true nature of the code were revealed after it had been widely shipped, the result could be a great deal of trouble for kernel developers, Linux distributors, and possibly even users. So it is a good thing for the kernel developers to hold the line and not accept code from anonymous posters. The SCO episode has shown the world just how clean the kernel code base is; we would like to keep it that way.
That said, it is hard to avoid the disquieting feeling that, had this code
been posted under a more normal-sounding name, it would not have been
subjected to such scrutiny. Code does show up from unknown names from all
parts of the world, and nobody has the resources or the desire to verify
that those names belong to real people who have a legitimate right to
contribute that code. For this reason, people contributing code which
demonstrates deep knowledge of undocumented hardware will often be asked
just how they came by that knowledge. Verifying the answer can be
difficult, however. Our defenses are thin, but it is
hard to see how they could be improved without killing the process
entirely.
| Index entries for this article | |
|---|---|
| Kernel | Copyright issues |
Posted Aug 10, 2006 2:57 UTC (Thu)
by jsarets (guest, #39560)
If the RIAA can go after a name-less IP address, can the kernel community hold a name-less email address accountable? We can archive the email wherein the contributor swore that the code was legit, and if we ever need to track him down, perhaps Google could help us resolve that GMail account?
Better yet, Lenovo wants to put Linux on Thinkpads these days, so why don't we take this issue to them? If we can get their permission to merge the code, I can't imagine we have anything to worry about. They might even offer to help maintain it!
The problem with these issues is that the kernel developers aren't lawyers. They shouldn't be the ones making these decisions. This is where the OSDL should be more involved in the process, so that the kernel developers can focus on the technical merit of the patches.
Posted Aug 10, 2006 5:11 UTC (Thu)
by sitaram (guest, #5959)
I'm sorry, but I honestly doubt if that is possible. Absolutely no personal information of any kind required to obtain an account. The invitation scheme also does not require me to know you to invite you -- this isn't like the "web of trust" model :-) Apart from the IP address used to post, Google can't really tell you anything more.
Posted Aug 10, 2006 6:19 UTC (Thu)
by ekj (guest, #1524)
People who want to avoid this are free to use Tor of course.
Posted Aug 10, 2006 16:41 UTC (Thu)
by emkey (guest, #144)
Posted Aug 12, 2006 9:47 UTC (Sat)
by hingo (guest, #14792)
Posted Aug 12, 2006 18:00 UTC (Sat)
by giraffedata (guest, #1954)
Yeah, morality aside, I would expect Google to have serious enough fears of bad publicity from privacy advocates, not to mention
legal liability, that pigs would fly before Google would do that.
So I figured we were probably talking about a subpoena situation.
While I doubt Google maintains enough information to comply with such a subpoena, I'm not at all surprised that lots of LWN readers think it secretly does. People suspicious of big organizations seem to be very well represented here.
Posted Aug 12, 2006 19:37 UTC (Sat)
by hingo (guest, #14792)
Posted Aug 21, 2006 2:07 UTC (Mon)
by Baylink (guest, #755)
Posted Aug 21, 2006 3:02 UTC (Mon)
by giraffedata (guest, #1954)
But the expected value analysis at the heart of Pascal's Wager definitely applies, and probably makes it wise to assume the worst of Google, even while not actually believing it.
Posted Aug 16, 2006 22:21 UTC (Wed)
by fergal (guest, #602)
That's just the best case.
Posted Aug 17, 2006 2:35 UTC (Thu)
by Mithrandir (guest, #3031)
Just a nit pick! :)
Posted Aug 17, 2006 17:28 UTC (Thu)
by fergal (guest, #602)
But even if I had, the basic point is the same. If you don't have permission to use it, you shouldn't depend on it. Good faith will only get you so far and will not get you very far if you knowingly put your faith in the modern day equivalent of some bloke in the darkest, smokiest corner of a dodgy pub.
Posted Aug 10, 2006 4:00 UTC (Thu)
by hmh (subscriber, #3838)
FYI, SMAPI is a way to call SMBIOS routines that run in SMM, by requesting the ThinkPad hardware to perform a SMI. It is disgusting like all heck, and you can see the code for it in the mwave driver that has been in the kernel tree for a while, now.
Posted Aug 10, 2006 9:37 UTC (Thu)
by cate (subscriber, #1359)
Posted Aug 12, 2006 18:06 UTC (Sat)
by giraffedata (guest, #1954)
Posted Aug 10, 2006 12:56 UTC (Thu)
by shapr (subscriber, #9077)
If someone legally changed their name to that pseudonym and then sent the patch, it would be okay, if a bit weird.
I've had a similar experience on various academic websites. I've gone by the pseudonym 'shapr' since 1992. My use of that pseudonym has excluded me from some places, but most places accept it because I already have a years-old established reputation under that pseudonym.
If there had been an anonymous kernel hacker from the very beginning of the Linux kernel process who had proved themself totally trustworthy, no one would question it. In summary, it's just reputation, not name.
Posted Aug 13, 2006 18:41 UTC (Sun)
by alspnost (guest, #2763)
Posted Aug 14, 2006 17:53 UTC (Mon)
by shemminger (subscriber, #5739)
I'm not an expert kernel hacker, but from briefly scanning the patches, I see plenty of evidence that the firmware interfaces were reverse engineered, and no evidence that the code was based on proprietary code. The coding style is distinctively that of a long-time Linux kernel hacker. The pseudonym might cloud the issue, but the code certainly looks pure to me.
> perhaps Google could help us resolve that GMail account?
True. But Google can easily map a gmail-account to a set of IP addresses and timestamps. It is then possible to figure out the names behind those IP addresses as per the usual routes. Some of the time anyway.
There is also potentially a lot of information contained in messages received by a particular mail account. How long Google keeps "deleted" messages around is anyone's guess of course.
Oh my. I'm really shocked to see 4 LWN readers (I would have understood one, but anything more than two is shocking) sincerely debating this with the assumption that Google employees would obviously have no problems whatsoever to go and look in this person's mailbox and then reveal his identity on lkml. Surely, this must be some kind of joke I'm not getting?
Code of Uncertain Origin - Google's morals
Paranoid people yes, but I got the impression these people were thinking it would actually be a good idea. I was kind of reacting to it in a "are you even worthy of being here" kind of way. On the other hand, LWN is certainly a good place for such people to be. And in any case, I probably misunderstood something from the very beginning.
I believe Pascal's Wager suggests that's the position to take.
Actually, Pascal's Wager suggests that it's something that should be believed, which is something different from just taking the position (i.e. assuming it's true). Pascal's Wager is bunk because of its assumption that belief is a matter of will.
Let's say that somehow, Google is forced by a court to reveal the IPs and this guy is tracked down. He turns out to have written this in some way that was totally illegal. Then what? That still leaves the entire Linux community in receipt of stolen goods. Best case scenario everyone distributing the code has to stop. That's an enormous mess even without taking into account boxed CDs of Linux distributions.
Except that code isn't "property", any more than Intellectual Property is "property".
Nit: I didn't use the word "property".
SMAPI is used in an extremely useful (for ThinkPad owners anyway) out-of-tree driver by the same author, so that's probably the reason for the confusion... There is no SMAPI anywhere in this patch set...
IANAL, but use of pseudonym is allowed by copyright law, so I don't see big problems. (Or maybe the editor (Linus in this case?) should know the real name, I don't remember).
It's apples and oranges. Nobody's concerned with Mr Multinymous' copyright. They're concerned with the credibility of the information he supplied as to whether the code was stolen or not. An anonymous statement like this doesn't have much credibility; a statement that could be traced back to someone who could be made to pay if it turns out to be a lie has more credibility.
It actually has nothing to do with the pseudonym itself. It's more about the lack of reputation.
Possibly true - anyone remember "Thunder from the Hill" from the early 2.6 days? Not sure if we ever discovered who he really was, but he had quite a high profile on LKML if I remember.
Pseudonyms and reputation
That was before the "Developer's Certificate of Origin" which was a lawyer response to the SCO suit.
