Comments by "" (@grokitall) on "Linus Torvalds: XZ Utils Breach Raises Questions About Trust in Open Source Development" video.
@coversine479 No, he meant both. The idea of doing the study was fine, but there are a number of ethical and technical steps that should be taken prior to starting it, which they completely failed to even consider.
The first of which is: should we even do it, and if so, what rules should we set up?
The standard way to do this is for the university to look at the size of the project and see if it is big enough to absorb any potential harm caused by the study, and to document the potential harm prior to beginning the study so as to minimise it when setting the rules of engagement for the study. They did not do this.
As this was a code study, the next step should have been to find someone connected to the project who did not do code review, who could be a point of contact and could potentially have a full audit trail of all the submissions. They did not take either step, as far as I have been able to discern. This is what pissed off the devs, because having discovered someone looking like a bad actor, and traced them back to the university, it was then impossible for a while to determine if it was a student or faculty, and if this was a one-off or systematic.
This is what caused the fallout. Yes, they blocked the gmail account, but they should then have been able to ask the developer what was going on, and get a reply of "here is what we were doing, these people knew about it, and here is every patch involved". They could not do any of that, so that got the university blocked until that information could be independently created and confirmed, at which time the university got unblocked.
They implemented the study protocols so badly that they were not only technically bad and ethically questionable, but due to hacking being illegal to some extent in most countries, their behaviour skirted around being criminal. All of these problems would have been caught if a proper review had been done by the university legal and ethics board prior to starting the project. Not doing so not only slimed themselves, but brought the university into disrepute for allowing it to happen.