An update on the UMN affair
The writing of a paper on this research [PDF] was not the immediate cause of the recent events; instead, it was the posting of a buggy patch originating from an experimental static-analysis tool run by another developer at UMN. That led developers in the kernel community to suspect that the effort to submit intentionally malicious patches was still ongoing. Since then, it has become apparent that this is not the case, but by the time the full story became clear, the discussion was already running at full speed.
The old saying still holds true: one should not attribute to malice that which can be adequately explained by incompetence.
On April 22, a brief statement was issued by the Linux Foundation technical advisory board (or TAB, of which your editor is a member) stating that, among other things, the recent patches appeared to have been submitted in good faith. Meanwhile, the Linux Foundation and the TAB sent a letter to the UMN researchers outlining how the situation should be addressed; that letter has not been publicly posted, but ZDNet apparently got a copy from somewhere. Among other things, the letter asked for a complete disclosure of the buggy patches sent as part of the UMN project and the withdrawal of the paper resulting from this work.
In response, the UMN researchers posted an open letter apologizing to the community, followed a few days later by a summary of the work they did [PDF] as part of the "hypocrite commits" project. Five patches were submitted overall from two sock-puppet accounts, but one of those was an ordinary bug fix that was sent from the wrong account by mistake. Of the remaining four, one of them was an attempt to insert a bug that was, itself, buggy, so the patch was actually valid; the other three (1, 2, 3) contained real bugs. None of those three were accepted by maintainers, though the reasons for rejection were not always the bugs in question.
The paper itself has been withdrawn and will not be presented in May as was planned. One can, hopefully, assume that UMN will not be pursuing similar lines of research anytime soon.
Patch re-review
One immediate result of the attention drawn to UMN's activities was a loss of trust in its developers, combined with a desire in some quarters to take some sort of punitive action. Thus, one of the first things that happened when this whole affair exploded was the posting by Greg Kroah-Hartman of a 190-part patch series reverting as many patches from UMN as he could find. Actually, it wasn't all of them; he mentioned a list of 68 others requiring manual review because they do not revert easily.
As it happens, these "easy reverts
" also needed manual review;
once the initial anger passed there was little desire to revert patches
that were not actually buggy. That review process
has been ongoing over the course of the last week and has involved the
efforts of a number of developers. Most of the suspect patches have turned
out to be acceptable, if not great, and have been removed from the revert
list; if your editor's count is correct, 42 patches are still set to
be pulled out of the kernel.
For those 42 patches, the reasoning behind the revert varies from one to the next. In some cases, the patches apply to old and presumably unused drivers and nobody can be bothered to properly review them. In others, the intended change was done poorly and will be reimplemented in a better way. And some of the patches contained serious errors; these definitely needed to be reverted (and should not have been accepted in the first place).
A look at the full set of UMN patches reinforces some early impressions, though. First is that almost all of them do address some sort of real (if obscure and hard to hit) problem; there was a justification for writing a patch. While many of these fixes showed a low level of understanding of what the code was doing and thus contained errors, it seems unlikely that any of them were malicious in their intent.
That said, there are multiple definitions of "malice". To some of the developers involved, posting unverified patches from an experimental static-analysis tool without disclosing their nature is a malicious act. It is another form of experiment involving non-consenting humans. At a minimum, it is a violation of the trust that is required for the kernel's development community to work effectively.
The 42 bad patches out of 190 is a 22% bad-patch rate. Chances are, a detailed review of 190 patches from almost any kernel developer would turn up a few that, in retrospect, were not a good idea. Hopefully that rate would not approach 22%, though. But it must be said that all of those patches were accepted by subsystem maintainers throughout the kernel, which is not a great result. Perhaps that is a more interesting outcome than the one that the original "hypocrite commit" researchers were looking for. They failed in their effort to deliberately insert bugs, but were able to inadvertently add dozens of them.
Meanwhile, there is still the list of patches that did not revert cleanly. That list has not been posted publicly, but Kroah-Hartman did start with a subset of seven of them. He also noted that the TAB will be publishing a full report of the audit of all these patches once it is complete. Thus far, none of these patches have actually been reverted in the mainline; that seems likely to happen toward the end of the 5.13 merge window.
Lessons learned
One of the key lessons from this series of events would clearly be: do not use a free-software development community as a sort of free validation service for your experimental tool. Kernel developers are happy to see new tools created and — if the tools give good results — use them. They will also help with the testing of those tools, but they are less pleased to be recipients of tool-inspired patches that lack proper review and an explanation of what is going on.
Another lesson is something we already knew: kernel maintainers (and maintainers of many other free-software projects) are overworked and do not have the time to properly review every patch that passes through their hands. They are, as a result, forced to rely on the trustworthiness of the developers who submit patches to them. The kernel development process is, arguably, barely sustainable when that trust is well placed; it will not hold together if incoming patches cannot, in general, be trusted.
The corollary — also something we already knew — is that code going into the kernel is often not as well reviewed as we like to think. It is comforting to believe that every line of code merged has been carefully vetted by top-quality kernel developers. Some code does indeed receive that kind of review, but not all of it. Consider, for example, the 5.12 development cycle (a relatively small one), which added over 500,000 lines of code to the kernel over a period of ten weeks. The resources required to carefully review 500,000 lines of code would be immense, so many of those lines, unfortunately, received little more than a cursory looking-over before being merged.
One final lesson that one might be tempted to take is that the kernel is running a terrible risk of malicious patches inserted by actors with rather more skill and resources than the UMN researchers have shown. That could be, but the simple truth of the matter is that regular kernel developers continue to insert bugs at such a rate that there should be little need for malicious actors to add more. The 5.11 kernel, released in February, has accumulated 2,281 fixes in stable updates through 5.11.17. If one makes the (overly simplistic) assumption that each fix corrects one original 5.11 patch, then 16% of the patches that went into 5.11 have turned out (so far) to be buggy. That is not much better than the rate for the UMN patches.
So perhaps that's the real lesson to take from this whole experience: the
speed of the kernel process is one of its best attributes, and we all depend
on it to get
features as quickly as possible. But that pace may be incompatible with
serious patch review and low numbers of bugs overall. For a while, we
might see things slow down a little bit as maintainers feel the need to
more closely scrutinize changes, especially those coming from new
developers. But if we cannot institutionalize a more careful process, we
will continue to see a lot of bugs and it will not really matter whether
they were inserted intentionally or not.
Index entries for this article | |
---|---|
Kernel | Security/Patch verification |
Posted Apr 29, 2021 15:06 UTC (Thu)
by willy (subscriber, #9762)
[Link] (10 responses)
Posted Apr 29, 2021 15:55 UTC (Thu)
by yann-gael.gueheneuc (guest, #151961)
[Link] (6 responses)
Hopefully, they will continue their research but in a different, collaborative manner.
Posted Apr 29, 2021 20:37 UTC (Thu)
by mpg (subscriber, #70797)
[Link] (5 responses)
Posted Apr 30, 2021 8:43 UTC (Fri)
by patrick_g (subscriber, #44470)
[Link] (4 responses)
Could you please explain what is interesting in this research? We already know it's possible to introduce vulnerabilities by sending buggy patches to kernel maintainers. And the concept of "hypocrite commits" (minor commit introducing an exploitable issue elsewhere in the code) is not original. Only the name is new.
Posted Apr 30, 2021 10:32 UTC (Fri)
by dsommers (subscriber, #55274)
[Link] (1 responses)
Open source communities need to better understand how to defend themselves and how to detect such attempts. Which will an enormous challenge, but with more research it might be possible to find approaches to make such efforts harder to achieve.
Posted Apr 30, 2021 19:14 UTC (Fri)
by viro (subscriber, #7872)
[Link]
You seem to imply that being a part of malicious plan to introduce a security hole imparts some recognizable features to the patches, making them easier to catch than "innocent" buggy ones. Mind elaborating on that and showing some kind of evidence?
Research into the features that correlate with looser review would be very valuable, exactly because it would allow to improve the rejection rate for crap. But that would take real experiment design - valid statistics, decently-sized datasets, etc.
Posted Apr 30, 2021 12:30 UTC (Fri)
by mpg (subscriber, #70797)
[Link] (1 responses)
You know the old saying: if you want to improve something, start by measuring it. I think measuring how easily it can be done (rather than just "it can be done"), or what percentage of bad commits get caught, how that percentage can be correlated to various parameters (type of patch, its size, which area of the kernel, probably parameters I can't think of), etc. could perhaps provide insights into how to improve. And obviously it would have to be done in close collaboration with the community and aimed at producing value to the community, not taking advantage of it.
So perhaps we interpreted "similar lines of research" differently here.
Posted May 6, 2021 1:24 UTC (Thu)
by yann-gael.gueheneuc (guest, #151961)
[Link]
Posted Apr 29, 2021 16:58 UTC (Thu)
by blackwood (guest, #44174)
[Link]
I think what applies here is that generally it's best to trust people first and assume benevolent intent. But then ensure that good intent is socially enforced by playing tit-for-tat.
Which is also what happened, even if patches from UMN will land again in the future, they will definitely be subjected to a lot more scrutiny and need to clear a higher bar of usefulnees than fairly "trivial" changes to mostly unused code in very old drivers.
Posted Apr 29, 2021 22:58 UTC (Thu)
by Paf (subscriber, #91811)
[Link] (1 responses)
Posted May 1, 2021 9:37 UTC (Sat)
by dvdeug (guest, #10998)
[Link]
Posted Apr 29, 2021 15:37 UTC (Thu)
by jkingweb (subscriber, #113039)
[Link]
Posted Apr 29, 2021 17:26 UTC (Thu)
by intgr (subscriber, #39733)
[Link] (9 responses)
> The 42 bad patches out of 190 is a 22% bad-patch rate.
I don't think it's fair to call all of these patches "bad" if in some cases they will be reverted only for the reason that nobody can be bothered to review them.
In other cases, the patches touched some piece of code that was indeed found to be buggy, but did not entirely address the brokenness. I found many examples of this, e.g. https://lore.kernel.org/lkml/b43fc2b0-b3cf-15ab-7d3c-25c1... :
A far more interesting metric would be, how many of these patches were actually found to introduce a bug that wasn't present before? Looking at a random sample of the patch reviews suggests it would be quite low.
Even the one patch that triggered this whole reaction (https://lore.kernel.org/linux-nfs/20210407001658.2208535-...) was actually harmless, but added some redundant code.
I'd like to nominate this whole drama for the "overreaction of the year" title. :)
Also: shouldn't LWN issue some sort of retraction or update to the previous article? It implied that these pathces were intentionally buggy or malicious a few times, which this article admits was unfounded.
Posted Apr 29, 2021 18:29 UTC (Thu)
by deater (subscriber, #11746)
[Link]
this particular issue is complex as it affects three areas. The Linux-kernel reaction is pretty well summarized in this article.
There's the IEEESSP (Oakland) issue where a paper like this never should have made it into a "top" conference, especially as it turns out the authors were doing questionable things like modifying the abstract after the paper was already submitted, and apparently their conclusions in the paper were extremely misleading when actually compared to the actual methodology that was released later. How did this pass peer review? Sadly modern academic publications with double-blind reviews are well-known to be easily vulnerable to peer-review attacks (see the ISCA'19 incident).
The final issue is the academic side of things at UMN. Typically the university would not care at all about this (though since the people involved do not have tenure they're on thinner ice than normal). Possibly UMN is even happy as their CS department is getting a lot of publicity out of this. Universities will put up with all kinds of academic dishonesty, abuse of students, etc, as long as the researchers bring in grant money (again, see ISCA'19, also Ullman winning the Turing award). However the wildcard here is the UMN researchers listed $800k of National Science Foundation grants on the withdrawn paper. NSF has been on a *huge* ethics kick recently. I'm assuming this is why UMN is responding so strongly, there's a chance this funding will be removed, or worse, their whole school will get audited. Sadly money talks these days :(
Posted Apr 29, 2021 19:45 UTC (Thu)
by corbet (editor, #1)
[Link] (6 responses)
Posted Apr 29, 2021 20:21 UTC (Thu)
by Homer512 (subscriber, #85295)
[Link] (2 responses)
Posted Apr 29, 2021 20:29 UTC (Thu)
by corbet (editor, #1)
[Link] (1 responses)
Posted Apr 29, 2021 20:46 UTC (Thu)
by bronson (subscriber, #4806)
[Link]
Posted Apr 29, 2021 21:43 UTC (Thu)
by mpg (subscriber, #70797)
[Link]
Take this sentence from the first paragraph for example: "The patch [...] was duly questioned [...], but it is not an honest mistake; according to Kroah-Hartman, there has been an attack of sorts underway [...]". The way the semi-colon is placed makes it look (at least to my eyes, not a native speaker) like "it is not an honest mistake" is a statement of fact rather than Greg's opinion. Perhaps a more accurate wording would have been: "but, according to KH, it is not an honest mistake and there has been [...]".
Also, I think the order in which different points of views / hypotheses are presented matters. For example it's only until the end of the article (after a few paragraphs about the reversal process) that we learn the researchers claim that none of the hypocrite commits made it to the kernel. The original paper is linked early in the article and described as detailing "the process of introducing use-after-free bugs into the kernel [...]". After re-reading the paper's "Ensuring the safety of the experiment" paragraph, I think a more accurate description would have been "details the process of _nearly_introducing UAF bugs into the kernel [...]".
Of course the link to the paper is right there at the beginning of the article, so I can click and go read the paper right away. But more likely, I'll finish reading the LWN article first, and by the time I get to the end, I'll probably subjectively give more weight to the idea / hypothesis that intentional bugs made it to the kernel, perhaps in large numbers, and things might still be going on, than to the idea that no intentional bug was introduced in the kernel, and that there only were 3 hypocrite commits.
I'm afraid the previous paragraphs read like I'm picking at details in the article. I'd like to clarify that my intention is not to attack this article, but rather to try and explain why I found it less balanced than the average LWN article in a more specific (and hopefully constructive) way than "that's just how it felt to me". Also, I want to emphasize that in general I really appreciate the way LWN reports in a balanced and distanced (as in "looking at the big picture" and "cool-headed") way on all sort of topics, including those that generate heated discussion. It's only because the average quality of LWN articles is so high that I can feel perhaps this one was slightly below the usual standards on that front.
Posted Apr 29, 2021 21:48 UTC (Thu)
by intgr (subscriber, #39733)
[Link] (1 responses)
For the record, I did not mean that the article as a whole needs to be "retracted", but I guess "acknowledgement" that the assumptions reported in the article turned out to be false. I'm sorry, "retraction" was too strong a word
There is one statement that appears to be made in the voice of LWN:
> In fact, a thorough review of patches emanating from UMN over the last year or two is probably in order for other projects, particularly high-profile ones.
As published in the "hypocrite commits" paper, the known malicious patches had actually come from Gmail addresses, and we know now that suspected patches from UMN were not intentionally buggy.
Posted Apr 30, 2021 5:41 UTC (Fri)
by gfernandes (subscriber, #119910)
[Link]
Incompetent, but intentionally malicious patches they were indeed.
And we're lucky they were rejected for whatever reasons.
The fact that it happened, is reason enough for the reaction.
Posted Apr 30, 2021 17:12 UTC (Fri)
by calumapplepie (guest, #143655)
[Link]
It's also not counting the 79 patches which couldn't be auto-reverted. One of the major reasons for an inability to auto-revert is a later bugfix: which seems to be the case for many of those 79. Greg describes this in his second patchset. In short, 22% is probably on the low end.
Posted Apr 29, 2021 19:27 UTC (Thu)
by agrawal-d (guest, #141386)
[Link] (13 responses)
Posted Apr 29, 2021 23:02 UTC (Thu)
by Paf (subscriber, #91811)
[Link]
Posted Apr 29, 2021 23:03 UTC (Thu)
by Paf (subscriber, #91811)
[Link] (11 responses)
John, I would say it’s generally standard journalistic practice to disclose when reporting on actions of bodies one is involved with. (I’m not saying anything untoward happened here, not at all, just noting this.)
Posted Apr 30, 2021 0:36 UTC (Fri)
by himi (subscriber, #340)
[Link] (10 responses)
A formal disclosure would probably have been appropriate as soon as the actions of the TAB became part of the discussion, though.
Posted Apr 30, 2021 1:50 UTC (Fri)
by lutchann (subscriber, #8872)
[Link] (9 responses)
Posted Apr 30, 2021 11:25 UTC (Fri)
by sumanah (guest, #59891)
[Link] (8 responses)
Posted Apr 30, 2021 12:50 UTC (Fri)
by mathstuf (subscriber, #69389)
[Link]
For example, I know I see Ars Technica mention their Charter ownership bits whenever they cover Charter/Time Warner or affiliation with Wired when they republish an article at least.
Posted Apr 30, 2021 13:07 UTC (Fri)
by corbet (editor, #1)
[Link] (6 responses)
It honestly just didn't occur to me to add something to the article. I guess it seemed sort of like disclosing that I'm a kernel maintainer every time I write about the kernel — something a certain journalist out there has faulted me for not doing. I also had not really been involved in the TAB response up to the time the article was written.
That said, I certainly wasn't trying to hide anything, and apologize to anybody who felt otherwise. I have added a note to the article disclosing that membership.
Posted Apr 30, 2021 13:31 UTC (Fri)
by sumanah (guest, #59891)
[Link] (4 responses)
Posted Apr 30, 2021 22:28 UTC (Fri)
by Wol (subscriber, #4433)
[Link] (3 responses)
I'd be much happier with a page, linked to from the home page, that listed all staff memberships, sponsorship deals, etc etc, but then people will moan that it's not in their face and they didn't know where to look! ...
You can't win, whatever you do.
Cheers.
Posted Apr 30, 2021 22:44 UTC (Fri)
by mathstuf (subscriber, #69389)
[Link] (2 responses)
A sentence at the end of the article isn't "in your face" IMO, but experiences may vary…
Posted May 1, 2021 11:13 UTC (Sat)
by Wol (subscriber, #4433)
[Link] (1 responses)
Cheers,
Posted May 6, 2021 11:20 UTC (Thu)
by kpfleming (subscriber, #23250)
[Link]
Posted Apr 30, 2021 22:47 UTC (Fri)
by Paf (subscriber, #91811)
[Link]
I agree it would be patently absurd to mention your involvement in the kernel all the time, particularly given that it is *a public project*. I also know that you tend to mention your work as documentation maintainer when you write anything of length on that topic, which I think is nice if only because it helps the reader understand your perspective on the subject.
So, thank you. This case feels slightly different for what are probably obvious reasons.
Posted Apr 29, 2021 21:46 UTC (Thu)
by chfisher (subscriber, #106449)
[Link] (2 responses)
Posted Apr 30, 2021 7:05 UTC (Fri)
by taladar (subscriber, #68407)
[Link]
As a potential employer I certainly wouldn't want to employ either kind of person so their degrees are worth less than before whether it was stupidity or malice.
Posted May 5, 2021 10:48 UTC (Wed)
by ceplm (subscriber, #41334)
[Link]
Posted Apr 29, 2021 23:45 UTC (Thu)
by flussence (guest, #85566)
[Link] (1 responses)
(from the instability of some of that stuff, sometimes it feels like it *was* used as a trojan horse...)
Posted May 6, 2021 18:15 UTC (Thu)
by a0485302@ti.com (guest, #143318)
[Link]
Posted Apr 30, 2021 3:45 UTC (Fri)
by PengZheng (subscriber, #108006)
[Link]
However, intentionally malicious patches could introduce vulnerabilities much more difficult to find out.
Posted Apr 30, 2021 9:03 UTC (Fri)
by hejianet (subscriber, #106177)
[Link] (1 responses)
[1] https://lwn.net/ml/linux-kernel/20200821034458.22472-1-ac...
Posted May 3, 2021 10:53 UTC (Mon)
by error27 (subscriber, #8346)
[Link]
So their patch is actually fine, but I rejected it because that error path is going to crash unless they fix the use after free which I mentioned in my email. Normally "first patch" developers do go back and redo their patches. I try to not waste their time, but I do always want them to think of the bigger picture and the surrounding code.
Their patch #4 is also interesting. Part of their bugfix was correct. The patch reviewer spotted the potential for the bug that they introduced and sort of asked them about it, before asking them to re-write the patch. But that reviewer was too vague and the UMN devs misunderstood the review comments. That's why I try to write in short sentences with simple words. But people don't understand my review comments either. :P
Posted Apr 30, 2021 18:38 UTC (Fri)
by mcon147 (subscriber, #56569)
[Link] (6 responses)
Posted May 3, 2021 18:40 UTC (Mon)
by error27 (subscriber, #8346)
[Link] (5 responses)
Posted May 3, 2021 19:37 UTC (Mon)
by ttuttle (subscriber, #51118)
[Link] (4 responses)
Posted May 4, 2021 3:32 UTC (Tue)
by error27 (subscriber, #8346)
[Link] (3 responses)
Posted May 4, 2021 3:38 UTC (Tue)
by ttuttle (subscriber, #51118)
[Link] (2 responses)
Posted May 4, 2021 4:46 UTC (Tue)
by error27 (subscriber, #8346)
[Link]
But in this case it seems like they were using a fake name in order to deceive. I'm not a lawyer but I think you could be sued for that.
The other thing is we have told everyone that they are supposed to use their real name as they would for signing a legal document. In the past I have had to search for every contributed to the Sparse static checker so we could relicense it. If people use a fake name, how could you find their Facebook page and their new employer?
Posted May 4, 2021 15:20 UTC (Tue)
by Wol (subscriber, #4433)
[Link]
Cheers,
Posted Apr 30, 2021 20:49 UTC (Fri)
by ecree (guest, #95790)
[Link]
I realise that next to everything else these 'researchers' have done, forging SOBs is small fry, but it still raises my hackles. More to the point, the DCoO as written doesn't quite make crystal clear that this isn't OK. SubmittingPatches does ("sorry, no pseudonyms or anonymous contributions"); but that's a step further removed. Maintainers already reject obvious pseudonyms, but plausible-looking names can get through (although not entirely unremarked-upon in this case). Is there anything we need to fix here, and if so, how?
Posted May 1, 2021 9:11 UTC (Sat)
by emorrp1 (guest, #99512)
[Link] (2 responses)
Posted May 1, 2021 11:08 UTC (Sat)
by mathstuf (subscriber, #69389)
[Link]
Not to mention that when such a thing is cleaved, some kind of stable API needs to appear or you end up with tandem patch submissions and tandem tagging. I don't think it's worth it.
Posted May 2, 2021 14:03 UTC (Sun)
by nivedita76 (subscriber, #121790)
[Link]
Posted May 3, 2021 9:59 UTC (Mon)
by nim-nim (subscriber, #34454)
[Link]
Well, that’s not really interesting, of course submissions from uni addresses are going to be fairly low quality. The students need to gain experience somewhere (and once they do gain it scholarship is over and they change addresses).
What is surprising is when quality submissions from companies that release expensive products is not that great either.
Posted May 6, 2021 10:34 UTC (Thu)
by ededu (guest, #64107)
[Link] (4 responses)
Well, 500 000 new lines of code for a new release (2.5 months = 60 working days) means around 10 000 lines to review per working day, divided by 10 hours => 1000 lines per hour, divided by ~20 maintainers => around 50 new lines of code to review per hour per maintainer. This does not sound too much to review..., isn't it?
Posted May 6, 2021 20:56 UTC (Thu)
by micka (subscriber, #38720)
[Link] (1 responses)
I don’t know if I’m the only one, but I find both of these figures to be rather exploitative (not talking about doing one single activity for more than 20 day that would probably have me quit right away).
Posted May 7, 2021 8:36 UTC (Fri)
by ededu (guest, #64107)
[Link]
Posted May 6, 2021 21:46 UTC (Thu)
by pebolle (guest, #35204)
[Link] (1 responses)
It seems you've not yet run into that one-line patch that, after it turned out to be buggy, took you many days to fix. Because the number of lines of code changed by a patch is pointless to determine the amount of review needed for it.
Posted May 6, 2021 23:56 UTC (Thu)
by mathstuf (subscriber, #69389)
[Link]
That said, I sense a…bit of sarcasm in the GP post :) .
Posted May 6, 2021 18:52 UTC (Thu)
by david.a.wheeler (subscriber, #72896)
[Link]
You can see it here:
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
So I fail to see what is valuable in this research paper.
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
> In some cases, the patches apply to old and presumably unused drivers and nobody
> can be bothered to properly review them.
> This looks like a good commit but should be done now in a different way
> - using pm_runtime_resume_and_get(). Therefore I am fine with revert
> and I can submit later better fix.
An update on the UMN affair
So, I just went back and reread the original article, but I find nothing there that seems to be in need of retraction. It was a report on what was happening at the time, and the article itself took no position with regard to the status of the other patches. If there is something specific there that you think needs to be retracted, please point it out to us.
Retraction
Retraction
I think I must not have been clear, sorry. The comment that I was replying to was asking LWN to retract our previous article on this topic; I was saying that I don't understand why that would be necessary.
Retraction
Retraction
Retraction
Retraction
Retraction
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
Was there a general announcement somewhere in a previous article when Corbet joined the TAB, such that LWN assumes that all readers already know this? I did not know or I had forgotten.
TAB
TAB
We generally post the results of the TAB elections every year, so there have been a few such announcements.
TAB
TAB
TAB
Wol
TAB
TAB
Wol
TAB
TAB
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
Why there is no followup to fix this...?
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
Wol
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
An update on the UMN affair
Is 500 000 lines of code to much to review?
Is 500 000 lines of code to much to review?
> per working day, divided by 10 hours
Is that a cultural/country difference?
Is 500 000 lines of code to much to review?
>> per working day, divided by 10 hours
>
>I don’t know if I’m the only one, but I find both of these figures to be rather exploitative (not talking about doing one single activity for more than 20 day that would probably have me quit right away).
>Is that a cultural/country difference?
Well, I wanted simply to have a rough approximation in order to have an order of magnitude about the number of lines...
Is 500 000 lines of code to much to review?
Is 500 000 lines of code to much to review?
TAB report on this was posted 2021-05-05 (today)
<https://lkml.org/lkml/2021/5/5/1244>