
An update on the UMN affair

An update on the UMN affair

Posted Apr 30, 2021 10:32 UTC (Fri) by dsommers (subscriber, #55274)
In reply to: An update on the UMN affair by patrick_g
Parent article: An update on the UMN affair

It is interesting in the view of seeing and understanding better how an open source community can be tricked into committing code which looks reasonable separately, but will be stepping stones to create a functional attack vector combined. This is highly relevant in today's security discussions related to supply chain attacks.

Open source communities need to better understand how to defend themselves and how to detect such attempts. Which will be an enormous challenge, but with more research it might be possible to find approaches to make such efforts harder to achieve.



An update on the UMN affair

Posted Apr 30, 2021 19:14 UTC (Fri) by viro (subscriber, #7872) [Link]

Bloody hell... What is the relevance of malicious intent, other than improving the odds of acceptance by the conference where they planned to present that... research?

You seem to imply that being a part of a malicious plan to introduce a security hole imparts some recognizable features to the patches, making them easier to catch than "innocent" buggy ones. Mind elaborating on that and showing some kind of evidence?

Research into the features that correlate with looser review would be very valuable, exactly because it would allow to improve the rejection rate for crap. But that would take real experiment design - valid statistics, decently-sized datasets, etc.

