
Experimentation on humans without their consent is unacceptable

Posted Apr 22, 2021 15:31 UTC (Thu) by david.a.wheeler (subscriber, #72896)
In reply to: Intentionally buggy commits for fame—and papers by anonymous_commenter
Parent article: Intentionally buggy commits for fame—and papers

I agree, any experiment on humans must go through an IRB, and in almost *all* cases you have to have consent from the humans being experimented on.

In this case, the researchers didn't send their proposal to their IRB before doing the experiment - which is *already* a huge problem. IRBs are supposed to protect humans from experiments, how can that possibly work if the experiments happen first??? Their IRB then approved doing these experiments on humans without their consent, which is beyond the pale. GregKH specifically called the researchers out on this: "Our community does not appreciate being experimented on". Saying the word "process" does not suddenly change the rules or eliminate the humans; humans were fundamentally involved in the Linux kernel review process. If using the word "process" eliminated IRBs, then every medical experiment would suddenly investigate "metabolic processes" instead :-). I had to go through detailed IRBs just for surveys and interviews; this failure of oversight is a black mark on the whole university.

I think these researchers clearly acted unethically, and since they didn't ask for prior consent, they may have attacked other systems no matter what they say. I used the following shell command to search for potentially-concerning commits in git in one of my projects, other projects may want to do the same:

git shortlog --summary --numbered --email | grep -E '(wu000273|kjlu|@umn.edu)'

*All* OSS projects should review proposed changes for potential security issues, and harden their software & supply chain against attacks. I also welcome research to make that better!

But we don’t need researchers who perform attacks on production systems without authorization, or researchers who perform attacks on developers without their consent. Research is great, but you need to get permission from those you're attacking first.


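The shortlog command in the comment above groups commits by author only, so it cannot see a suspect address that appears as the committer or in a Signed-off-by trailer. The script below is an added example, not the commenter's code: it drives git log with a tab-separated format (the LOG_FORMAT string and the scan_repo helper are my assumptions), applies the same patterns quoted above to all three fields, and runs offline against a constructed sample log.

```python
import re
import subprocess
from dataclasses import dataclass

# Patterns quoted in the comment above; extend the alternation for your own audit.
SUSPECT = re.compile(r'(wu000273|kjlu|@umn\.edu)', re.IGNORECASE)
# One tab-separated line per commit: hash, author, committer, Signed-off-by trailers.
LOG_FORMAT = ('%H%x09%an <%ae>%x09%cn <%ce>%x09'
              '%(trailers:key=Signed-off-by,valueonly,separator=;)')

@dataclass
class Hit:
    commit: str
    field: str  # 'author', 'committer' or 'signed-off-by'
    value: str

def scan_log(lines):
    """Return a Hit for every author, committer or sign-off matching SUSPECT."""
    hits = []
    for line in lines:
        parts = line.rstrip('\n').split('\t')
        if len(parts) < 4:
            continue  # not a line produced by LOG_FORMAT
        commit, author, committer, trailers = parts[:4]
        fields = [('author', author), ('committer', committer)]
        fields += [('signed-off-by', t.strip()) for t in trailers.split(';') if t.strip()]
        for field, value in fields:
            if SUSPECT.search(value):
                hits.append(Hit(commit, field, value))
    return hits

def scan_repo(path='.'):
    """Run git log over the full history of `path` and scan every commit."""
    out = subprocess.run(['git', '-C', path, 'log', '--all', '--format=' + LOG_FORMAT],
                         capture_output=True, text=True, check=True).stdout
    return scan_log(out.splitlines())

# Constructed sample log output (.invalid addresses; not from any real repository).
SAMPLE_LOG = [
    '1111111111111111111111111111111111111111\tJane Dev <jane@example.invalid>'
    '\tJane Dev <jane@example.invalid>\tJane Dev <jane@example.invalid>',
    '2222222222222222222222222222222222222222\tSample Author <test-account@umn.edu>'
    '\tMaintainer <maint@example.invalid>\tSample Author <test-account@umn.edu>',
    '3333333333333333333333333333333333333333\tJane Dev <jane@example.invalid>'
    '\tMaintainer <maint@example.invalid>'
    '\tJane Dev <jane@example.invalid>;Reviewer <kjlu@example.invalid>',
]
```

scan_repo('.') runs the same check on a real checkout; in the constructed sample, commit 3333... is the case the shortlog approach misses, because the matching address appears only in a Signed-off-by line.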


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds