Comments (7)
I hadn't actually noticed that and don't believe it is the correct source to use.
A better one to use would have been the Linux Backdoor Attempt of 2003; however, that's so long ago now that it's likely the sign-off process is now more stringent.
I don't believe this source even needs to exist, so I would be happy to see its removal.
from privacyguides.org.
Welp, I suppose we could mention the liblzma/xz exploit. Not sure if we could get a clearer example than that!
from privacyguides.org.
Should I submit a pull request?
from privacyguides.org.
I'd have to look again, but my understanding was that the patches didn't make it in because they were pulled by UMN, not because they were caught by the review process. Thus it was a suitable warning about the development process' shortcomings.
In their paper, Lu and Wu claimed that none of their bugs had actually made it to the Linux kernel; in all of their test cases, they'd eventually pulled their bad patches and provided real ones. Kroah-Hartman, of the Linux Foundation, contests this; he told The Verge that one patch from the study did make it into repositories, though he notes it didn't end up causing any harm.
https://www.theverge.com/2021/4/30/22410164/linux-kernel-university-of-minnesota-banned-open-source
from privacyguides.org.
The kernel's report on the issue says:
Summary of "Hypocrite Commits" patch attempts
All patch submissions that were invalid were caught, or ignored, by the Linux kernel developers and maintainers. Our patch-review processes worked as intended when confronted with these malicious patches.
But there was one patch which the kernel devs say was valid, but the researchers said was invalid?
This change was valid. The author's attempt to create an invalid change failed as they did not understand how the PCI driver model worked within the kernel. They asked for clarification about this change after the maintainer accepted the change, and were told that it was acceptable. Why the authors claimed in the submitted paper that this was an incorrect change is not clear.
It seems like there is some ambiguity as to whether or not the kernel review system is actually something to be majorly concerned about. Given that the risk of vulnerabilities being purposely introduced into the Linux kernel has not been clearly demonstrated, I think the link on privacyguides should be changed to a more clear-cut example (if there even is one for a big open source project), or perhaps instead the section should talk about the much more concerning practice of supply-chain attacks, where malicious code one way or another gets introduced into a small project which then gets included as a dependency in bigger projects. SolarWinds might be the biggest example of this, but there are many, many others.
from privacyguides.org.
I think the link on privacyguides should be changed to a more clear-cut example
This would be something I would be open to, if you know of one off the top of your head. I know about various module mis-names in various language package managers, but I'd like something a bit more substantial than that.
I guess there's the backdoor attempt of 2003, but that is quite some time ago and no doubt processes have improved since then, such as only having one source repo in git and using signed commits.
from privacyguides.org.
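The "signed commits" safeguard mentioned above only helps if something actually enforces it before a merge. The following is an added example, not code from this thread or from privacyguides.org: a POSIX shell gate that a CI job could run over the output of the real git command `git log --format='%G?|%GF|%H|%s' origin/main..HEAD`, where `%G?` is git's signature status code and `%GF` the fingerprint of the signing key. The function names, the `MAINTAINER_KEYS` allowlist, and the hashes and fingerprints in the sample log are my own constructions.

```shell
#!/bin/sh
# Added example (hypothetical policy, not from the thread): refuse to merge a range of
# commits unless every commit carries a good signature from an allowed key.
#
# Input lines are what this git command prints, one commit per line:
#   git log --format='%G?|%GF|%H|%s' origin/main..HEAD
# %G? codes: G good, U good/unknown validity, X good/expired, Y good/expired key,
#            R good/revoked key, B bad, E cannot be checked (key missing), N unsigned.
# %GF is the signing key's fingerprint (empty for unsigned commits).
# A '|' separator is used instead of spaces so that empty fields survive `read`.

# Space-separated fingerprints of keys allowed to sign; empty means "any good signature".
MAINTAINER_KEYS="${MAINTAINER_KEYS:-}"

key_allowed() {
    # $1: fingerprint. Succeeds if the allowlist is empty or contains it.
    [ -z "$MAINTAINER_KEYS" ] && return 0
    for k in $MAINTAINER_KEYS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

check_signed_commits() {
    # Reads git log lines on stdin, prints one line per violation,
    # and returns non-zero if any commit violates the policy.
    _bad=0
    while IFS='|' read -r status fpr hash subject; do
        [ -n "$hash" ] || continue
        case "$status" in
            G)
                if key_allowed "$fpr"; then
                    :
                else
                    _bad=$((_bad + 1))
                    echo "key not in maintainer list: $hash ($fpr) $subject"
                fi ;;
            U|X|Y|R)
                # Signature verifies cryptographically, but the key is not trusted,
                # expired or revoked: treat as a failure rather than silently accept.
                _bad=$((_bad + 1))
                echo "signature not trustworthy ($status): $hash $subject" ;;
            B)
                _bad=$((_bad + 1))
                echo "BAD signature: $hash $subject" ;;
            E)
                # Typically a key missing from the CI keyring; never let this pass as "ok".
                _bad=$((_bad + 1))
                echo "signature could not be checked: $hash $subject" ;;
            N)
                _bad=$((_bad + 1))
                echo "unsigned commit: $hash $subject" ;;
            *)
                _bad=$((_bad + 1))
                echo "unknown status '$status': $hash $subject" ;;
        esac
    done
    [ "$_bad" -eq 0 ]
}

# Constructed sample log (hypothetical hashes, fingerprints and subjects).
SAMPLE_LOG='G|A1B2C3D4E5F60718|1111111|fix: bounds check in parser
N||2222222|chore: update build script
B|A1B2C3D4E5F60718|3333333|feat: add helper'

if printf '%s\n' "$SAMPLE_LOG" | check_signed_commits; then
    echo "all commits carry good signatures from allowed keys"
else
    echo "refusing to merge: signature policy violated"
fi
```

Two caveats worth keeping in mind when using a gate like this. First, `%G?` only reports what git can verify with the keys available on the machine running the check, so the CI keyring (or the `gpg.ssh.allowedSignersFile` for SSH signatures) is part of the trust boundary and must itself be maintained. Second, a valid signature proves which key authored a commit, not that the change is benign; it raises the bar against impersonation and tampering in transit, but does nothing against a maintainer whose key is on the allowlist, which is why the review process discussed above still matters.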
Might incorporate this in with #2467 as it's all really related in the same way.
from privacyguides.org.