Diseased Open Source Software Community - it's about ethics in Code of Conducts

  • 🐕 I am attempting to get the site runnning as fast as possible. If you are experiencing slow page load times, please report it.
I was browsing altenativeto.net, and stumbled upon this thingy: https://pyload.net
They happen to have a very specific set of plugin blacklist, which includes plugins for "racist" sites:
View attachment 2075107
> No e-commerce site
> No government site
> No private site


> No possible use cases found_

They really didn't think this over much, did they?
 
> No e-commerce site
> No government site
> No private site


> No possible use cases found_

They really didn't think this over much, did they?
i guess they want it to be for nonprofit NGOs and political activists only

all these restrictiouns are laughable anyway, it's like home depot selling you bricks but making you sign a document where you swear that you are not gonna use the bricks to build a police station or gun store lol
 
i guess they want it to be for nonprofit NGOs and political activists only

all these restrictiouns are laughable anyway, it's like home depot selling you bricks but making you sign a document where you swear that you are not gonna use the bricks to build a police station or gun store lol
The home depot thing might be more enforceable provided the contract ("agreement") is worded to be legally enforceable and signed before money exchanges hands.

Couldn't you just fork this pyload since its open source and use it how you wanted (with in the license of the GNU AGPL) and they couldn't do shit about t?
 
The home depot thing might be more enforceable provided the contract ("agreement") is worded to be legally enforceable and signed before money exchanges hands.

Couldn't you just fork this pyload since its open source and use it how you wanted (with in the license of the GNU AGPL) and they couldn't do shit about t?
they probably have some license on it that prohibits you from changing the license to a less restrictive one even after copying and modifying parts of the software

will they actually try and take you to court over it and succeed? that's a different question which i dont know the answer to
 
i guess they want it to be for nonprofit NGOs and political activists only

all these restrictiouns are laughable anyway, it's like home depot selling you bricks but making you sign a document where you swear that you are not gonna use the bricks to build a police station or gun store lol
These aren't legal restrictions. These are "this project will not pull in plugins that work with these websites." You're free to fork the project and add a plugin for niggermania or whatever, its just that the maintainers would refuse to merge the changes in and they would refuse to give support or fix bugs for it because it is an "unofficial" plugin.


Fun fact, the (A)GPL has a section explicitly forbidding "additional restrictions" on the use of licensed software:
All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.
The GPL is explicitly written so that you cannot say things like "racists cannot use my software," even including a paragraph saying
If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all.
In order to include such a section you would have to not call it the GPL.
It is possible to make modified versions of the GPL [...]

You can legally use the GPL terms (possibly modified) in another license provided that you call your license by another name and do not include the GPL preamble, and provided you modify the instructions-for-use at the end enough to make it clearly different in wording and not mention GNU (though the actual procedure you describe may be similar).

So even if their license said "you can't use this for RACISM" you would (theoretically) be racist with it without legal ramifications. IANAL and these parts of the GPL have never been tested in court though so I might be wrong, but that's the intent of the license.
 
The Linux kernel is one of the largest software projects in the modern history; with a gigantic 28 millions lines of code.


Contributors from all over the world and from different fields submit a large number of patches each day to the Linux kernel maintainers, so that they get reviewed before being officially merged to the official Linux kernel tree.


These patches could help fix a bug or a minor issue in the kernel, or introduce a new feature.


However, some contributors have been caught today trying to submit patches stealthily containing security vulnerabilities to the Linux kernel, and they were caught by the Linux kernel maintainers.


Researchers from the US University of Minnesota were doing a research paper about the ability to submit patches to open source projects that contain hidden security vulnerabilities in order to scientifically measure the probability of such patches being accepted and merged. Which could make the open source projects vulnerable to various attacks.


They used the Linux kernel as one of their main experiments, due to its well-known reputation and adaptation around the world.


These researchers submitted patches which didn’t seem to completely fix the related issues in the kernel, but also didn’t right away seem to introduce a security vulnerability. A number of these patches they submitted to the kernel were indeed successfully merged to the Linux kernel tree.


However, today, they were caught by Linux kernel maintainers, and were publicly humiliated. In an email by Greg Kroah-Hartman, one of the major Linux kernel maintainers, their approach was disclosed and their so-called “newbie patches” were thrown under the bus:

You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them, and published a paper based on that work.
Now you submit a new series of obviously-incorrect patches again, so what am I supposed to think of such a thing?

Apparently, Greg and a number of other maintainers were not happy about this, as these experiments consume their time and efforts and make people engage by bad faith in the Linux kernel development:


Our community does not appreciate being experimented on, and being “tested” by submitting known patches that are either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.

Finally, Greg announced that the Linux kernel will ban all contributions from the University of Minnesota, and that all the patches they previously submitted are going to be removed from the kernel, and no new patches will be accepted from them in the future:


Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems.

The research paper they worked on was published back in February, 2021; around two months ago. In the paper, they disclose their approach and methods that they used to get the vulnerabilities inserted to the Linux kernel and other open source projects.


They also claim that the majority of the vulnerabilities they secretly tried to introduce to various open source projects, were successful in being inserted by around an average of %60:

It is still unclear at this moment what other open source projects they tried to hijack, and what is the actual number of vulnerabilities they succeeded in inserting to various open source projects.


Greg has sent another email in which he reverts most patches from the University of Minnesota from the Linux kernel, and puts some of them on hold.
 
The Linux kernel is one of the largest software projects in the modern history; with a gigantic 28 millions lines of code.


Contributors from all over the world and from different fields submit a large number of patches each day to the Linux kernel maintainers, so that they get reviewed before being officially merged to the official Linux kernel tree.


These patches could help fix a bug or a minor issue in the kernel, or introduce a new feature.


However, some contributors have been caught today trying to submit patches stealthily containing security vulnerabilities to the Linux kernel, and they were caught by the Linux kernel maintainers.


Researchers from the US University of Minnesota were doing a research paper about the ability to submit patches to open source projects that contain hidden security vulnerabilities in order to scientifically measure the probability of such patches being accepted and merged. Which could make the open source projects vulnerable to various attacks.


They used the Linux kernel as one of their main experiments, due to its well-known reputation and adaptation around the world.


These researchers submitted patches which didn’t seem to completely fix the related issues in the kernel, but also didn’t right away seem to introduce a security vulnerability. A number of these patches they submitted to the kernel were indeed successfully merged to the Linux kernel tree.


However, today, they were caught by Linux kernel maintainers, and were publicly humiliated. In an email by Greg Kroah-Hartman, one of the major Linux kernel maintainers, their approach was disclosed and their so-called “newbie patches” were thrown under the bus:



Apparently, Greg and a number of other maintainers were not happy about this, as these experiments consume their time and efforts and make people engage by bad faith in the Linux kernel development:




Finally, Greg announced that the Linux kernel will ban all contributions from the University of Minnesota, and that all the patches they previously submitted are going to be removed from the kernel, and no new patches will be accepted from them in the future:




The research paper they worked on was published back in February, 2021; around two months ago. In the paper, they disclose their approach and methods that they used to get the vulnerabilities inserted to the Linux kernel and other open source projects.


They also claim that the majority of the vulnerabilities they secretly tried to introduce to various open source projects, were successful in being inserted by around an average of %60:

It is still unclear at this moment what other open source projects they tried to hijack, and what is the actual number of vulnerabilities they succeeded in inserting to various open source projects.


Greg has sent another email in which he reverts most patches from the University of Minnesota from the Linux kernel, and puts some of them on hold.
Just waiting for the news that they were serious patches submitted by troons in programmer socks and that it's transphobic not to merge them.
 
The Linux kernel is one of the largest software projects in the modern history; with a gigantic 28 millions lines of code.


Contributors from all over the world and from different fields submit a large number of patches each day to the Linux kernel maintainers, so that they get reviewed before being officially merged to the official Linux kernel tree.


These patches could help fix a bug or a minor issue in the kernel, or introduce a new feature.


However, some contributors have been caught today trying to submit patches stealthily containing security vulnerabilities to the Linux kernel, and they were caught by the Linux kernel maintainers.


Researchers from the US University of Minnesota were doing a research paper about the ability to submit patches to open source projects that contain hidden security vulnerabilities in order to scientifically measure the probability of such patches being accepted and merged. Which could make the open source projects vulnerable to various attacks.


They used the Linux kernel as one of their main experiments, due to its well-known reputation and adaptation around the world.


These researchers submitted patches which didn’t seem to completely fix the related issues in the kernel, but also didn’t right away seem to introduce a security vulnerability. A number of these patches they submitted to the kernel were indeed successfully merged to the Linux kernel tree.


However, today, they were caught by Linux kernel maintainers, and were publicly humiliated. In an email by Greg Kroah-Hartman, one of the major Linux kernel maintainers, their approach was disclosed and their so-called “newbie patches” were thrown under the bus:



Apparently, Greg and a number of other maintainers were not happy about this, as these experiments consume their time and efforts and make people engage by bad faith in the Linux kernel development:




Finally, Greg announced that the Linux kernel will ban all contributions from the University of Minnesota, and that all the patches they previously submitted are going to be removed from the kernel, and no new patches will be accepted from them in the future:




The research paper they worked on was published back in February, 2021; around two months ago. In the paper, they disclose their approach and methods that they used to get the vulnerabilities inserted to the Linux kernel and other open source projects.


They also claim that the majority of the vulnerabilities they secretly tried to introduce to various open source projects, were successful in being inserted by around an average of %60:

It is still unclear at this moment what other open source projects they tried to hijack, and what is the actual number of vulnerabilities they succeeded in inserting to various open source projects.


Greg has sent another email in which he reverts most patches from the University of Minnesota from the Linux kernel, and puts some of them on hold.
Jesus they need to be nuked from orbit
"lol I put cyanide in the city water supply you guys should be really more careful"
I'd say the maintainers dealt with them adequately.
 
While kind of funny, this research was unethical as hell. Not only did the kernel devs not agree to participate in the research, but if one of these 'sploits actually made it into the wild, it could have caused harm to any number of systems. I hope the school's ERB rips the fucking neckbeard who approved it a new one.

But it's food for thought in regards to the supposition that open source is safer due to its visibility.

One way the researchers could have done this, that would have been far less slimy, would be to fork an existing project with a compatible license (so they aren't starting from scratch). Bury some shit in the project's ToS/CoC/whatever at the very end that discloses the true nature of the project. Then attract/incentivize experienced developers to the project (easy), require them to agree to the terms (YOU MUST CLICK "I AGREE TO THESE TERMS") and put them in approval roles within the project. Then submit felonious patches and see how many get approved. At least then, "well, they did claim to have read the terms" in case of legal threat. The project could be shut down the instant the paper was done, and the risk to 3rd party harm would be minimized.

Granted, if anyone ever actually reads the terms, the jig is up. But we know how often that happens.
 
An angle which I completely missed initially was the professor behind this research is Chinese. Some galaxy brains on /g/ theorize he was malicious on behalf of the CCP. How plausible does it sound to you?
Sounds more like it was malicious on behalf of Academia. Universities and some of the "people" who emerge from them are the biggest threat to FOSS lately.
 
An angle which I completely missed initially was the professor behind this research is Chinese. Some galaxy brains on /g/ theorize he was malicious on behalf of the CCP. How plausible does it sound to you?
That's definitely a galaxybrain theory. Chinese agents would slip the code in without any paper trail. These morons inserted malicious code as part of a thesis which would be/was (I can't be assed to look for the details right now) openly published. This was just sheer pig-headed stupidity.
 
  • Winner
  • Agree
Reactions: 419 and JohnDoe
An angle which I completely missed initially was the professor behind this research is Chinese. Some galaxy brains on /g/ theorize he was malicious on behalf of the CCP. How plausible does it sound to you?
Sounds plausible. Doing so while working out of a US institution, and writing a paper about it, and getting additional Indian students to keep at it to add insult to injury. Definition of unrestricted warfare no?
 
While kind of funny, this research was unethical as hell. Not only did the kernel devs not agree to participate in the research, but if one of these 'sploits actually made it into the wild, it could have caused harm to any number of systems. I hope the school's ERB rips the fucking neckbeard who approved it a new one.

But it's food for thought in regards to the supposition that open source is safer due to its visibility.

One way the researchers could have done this, that would have been far less slimy, would be to fork an existing project with a compatible license (so they aren't starting from scratch). Bury some shit in the project's ToS/CoC/whatever at the very end that discloses the true nature of the project. Then attract/incentivize experienced developers to the project (easy), require them to agree to the terms (YOU MUST CLICK "I AGREE TO THESE TERMS") and put them in approval roles within the project. Then submit felonious patches and see how many get approved. At least then, "well, they did claim to have read the terms" in case of legal threat. The project could be shut down the instant the paper was done, and the risk to 3rd party harm would be minimized.

Granted, if anyone ever actually reads the terms, the jig is up. But we know how often that happens.
This is the University of Minnesota, who up until fairly recently made you learn FORTRAN77 before letting you take courses on *any* other language. They don't care about being stupid. They have an enormous endowment and a state that loves shoveling cash into them no matter how low their undergraduate graduation rate gets. It's improved a lot because they got tired of being a massive embarassment, but in the 1990s the 4 year graduation rate was 15 percent, 6 percent for minorities.
 
This is the University of Minnesota, who up until fairly recently made you learn FORTRAN77 before letting you take courses on *any* other language. They don't care about being stupid. They have an enormous endowment and a state that loves shoveling cash into them no matter how low their undergraduate graduation rate gets. It's improved a lot because they got tired of being a massive embarassment, but in the 1990s the 4 year graduation rate was 15 percent, 6 percent for minorities.
Plus its the land of ihan omar and that oddly large somali community. Whats going on in Minnesota!? thanks for the additional context on the school.
 
  • Like
Reactions: GreeneCoDeputy
It's all so tiresome
Testimonies from people who experienced harassment or awkward situations, reports about students (notably women) who ended up not learning / using Coq because of its name, were all very important so that the community could fully recognize the impact of the current name and its slang meaning in English, especially with respect to gender-diversity in the Coq community.
For these reasons, the Coq development team is open to a renaming.
1619251014114.png
 
An angle which I completely missed initially was the professor behind this research is Chinese. Some galaxy brains on /g/ theorize he was malicious on behalf of the CCP. How plausible does it sound to you?
then they wouldnt have published it
if your goal is to inject vulnerabilities into software to exploit later on, you dont fucking tell everyone about it so they can roll it back lol

fuck this shit, we had a lot of fun back in university when this was used in a lecture on computational logic
>prof is gonna show us his coq again
>look, coq on the projector again
>damn look how he's working that coq
every single lecture we cracked these retard jokes, it was great
 
Back