- Joined
- Mar 20, 2019
> No e-commerce site
> No government site
> No private site
> No possible use cases found_
They really didn't think this over much, did they?
Diseased Open Source Software Community - it's about ethics in Code of Conducts
- Thread starter CrunkLord420
- Start date
-
🐕 I am attempting to get the site runnning as fast as possible. If you are experiencing slow page load times, please report it.
> No government site
> No private site
> No possible use cases found_
They really didn't think this over much, did they?
DumbDude42
kiwifarms.net
- Joined
- Sep 12, 2019
i guess they want it to be for nonprofit NGOs and political activists only
all these restrictiouns are laughable anyway, it's like home depot selling you bricks but making you sign a document where you swear that you are not gonna use the bricks to build a police station or gun store lol
- Joined
- Sep 18, 2018
The home depot thing might be more enforceable provided the contract ("agreement") is worded to be legally enforceable and signed before money exchanges hands.
Couldn't you just fork this pyload since its open source and use it how you wanted (with in the license of the GNU AGPL) and they couldn't do shit about t?
DumbDude42
kiwifarms.net
- Joined
- Sep 12, 2019
they probably have some license on it that prohibits you from changing the license to a less restrictive one even after copying and modifying parts of the software
will they actually try and take you to court over it and succeed? that's a different question which i dont know the answer to
- Joined
- Dec 16, 2019
These aren't legal restrictions. These are "this project will not pull in plugins that work with these websites." You're free to fork the project and add a plugin for niggermania or whatever, its just that the maintainers would refuse to merge the changes in and they would refuse to give support or fix bugs for it because it is an "unofficial" plugin.
Fun fact, the (A)GPL has a section explicitly forbidding "additional restrictions" on the use of licensed software:
The GPL is explicitly written so that you cannot say things like "racists cannot use my software," even including a paragraph saying
In order to include such a section you would have to not call it the GPL.
So even if their license said "you can't use this for RACISM" you would (theoretically) be racist with it without legal ramifications. IANAL and these parts of the GPL have never been tested in court though so I might be wrong, but that's the intent of the license.
- Joined
- May 8, 2020
The Linux kernel is one of the largest software projects in the modern history; with a gigantic 28 millions lines of code.
Contributors from all over the world and from different fields submit a large number of patches each day to the Linux kernel maintainers, so that they get reviewed before being officially merged to the official Linux kernel tree.
These patches could help fix a bug or a minor issue in the kernel, or introduce a new feature.
However, some contributors have been caught today trying to submit patches stealthily containing security vulnerabilities to the Linux kernel, and they were caught by the Linux kernel maintainers.
Researchers from the US University of Minnesota were doing a research paper about the ability to submit patches to open source projects that contain hidden security vulnerabilities in order to scientifically measure the probability of such patches being accepted and merged. Which could make the open source projects vulnerable to various attacks.
They used the Linux kernel as one of their main experiments, due to its well-known reputation and adaptation around the world.
These researchers submitted patches which didn’t seem to completely fix the related issues in the kernel, but also didn’t right away seem to introduce a security vulnerability. A number of these patches they submitted to the kernel were indeed successfully merged to the Linux kernel tree.
However, today, they were caught by Linux kernel maintainers, and were publicly humiliated. In an email by Greg Kroah-Hartman, one of the major Linux kernel maintainers, their approach was disclosed and their so-called “newbie patches” were thrown under the bus:
Apparently, Greg and a number of other maintainers were not happy about this, as these experiments consume their time and efforts and make people engage by bad faith in the Linux kernel development:
Finally, Greg announced that the Linux kernel will ban all contributions from the University of Minnesota, and that all the patches they previously submitted are going to be removed from the kernel, and no new patches will be accepted from them in the future:
The research paper they worked on was published back in February, 2021; around two months ago. In the paper, they disclose their approach and methods that they used to get the vulnerabilities inserted to the Linux kernel and other open source projects.
They also claim that the majority of the vulnerabilities they secretly tried to introduce to various open source projects, were successful in being inserted by around an average of %60:
It is still unclear at this moment what other open source projects they tried to hijack, and what is the actual number of vulnerabilities they succeeded in inserting to various open source projects.
Greg has sent another email in which he reverts most patches from the University of Minnesota from the Linux kernel, and puts some of them on hold.
Contributors from all over the world and from different fields submit a large number of patches each day to the Linux kernel maintainers, so that they get reviewed before being officially merged to the official Linux kernel tree.
These patches could help fix a bug or a minor issue in the kernel, or introduce a new feature.
However, some contributors have been caught today trying to submit patches stealthily containing security vulnerabilities to the Linux kernel, and they were caught by the Linux kernel maintainers.
Researchers from the US University of Minnesota were doing a research paper about the ability to submit patches to open source projects that contain hidden security vulnerabilities in order to scientifically measure the probability of such patches being accepted and merged. Which could make the open source projects vulnerable to various attacks.
They used the Linux kernel as one of their main experiments, due to its well-known reputation and adaptation around the world.
These researchers submitted patches which didn’t seem to completely fix the related issues in the kernel, but also didn’t right away seem to introduce a security vulnerability. A number of these patches they submitted to the kernel were indeed successfully merged to the Linux kernel tree.
However, today, they were caught by Linux kernel maintainers, and were publicly humiliated. In an email by Greg Kroah-Hartman, one of the major Linux kernel maintainers, their approach was disclosed and their so-called “newbie patches” were thrown under the bus:
Apparently, Greg and a number of other maintainers were not happy about this, as these experiments consume their time and efforts and make people engage by bad faith in the Linux kernel development:
Finally, Greg announced that the Linux kernel will ban all contributions from the University of Minnesota, and that all the patches they previously submitted are going to be removed from the kernel, and no new patches will be accepted from them in the future:
The research paper they worked on was published back in February, 2021; around two months ago. In the paper, they disclose their approach and methods that they used to get the vulnerabilities inserted to the Linux kernel and other open source projects.
They also claim that the majority of the vulnerabilities they secretly tried to introduce to various open source projects, were successful in being inserted by around an average of %60:
It is still unclear at this moment what other open source projects they tried to hijack, and what is the actual number of vulnerabilities they succeeded in inserting to various open source projects.
Greg has sent another email in which he reverts most patches from the University of Minnesota from the Linux kernel, and puts some of them on hold.
- Joined
- May 9, 2017
Just waiting for the news that they were serious patches submitted by troons in programmer socks and that it's transphobic not to merge them.
Shoggoth
kiwifarms.net
- Joined
- Aug 9, 2019
Jesus they need to be nuked from orbit
"lol I put cyanide in the city water supply you guys should be really more careful"
I'd say the maintainers dealt with them adequately.
- Joined
- Mar 20, 2019
While kind of funny, this research was unethical as hell. Not only did the kernel devs not agree to participate in the research, but if one of these 'sploits actually made it into the wild, it could have caused harm to any number of systems. I hope the school's ERB rips the fucking neckbeard who approved it a new one.
But it's food for thought in regards to the supposition that open source is safer due to its visibility.
One way the researchers could have done this, that would have been far less slimy, would be to fork an existing project with a compatible license (so they aren't starting from scratch). Bury some shit in the project's ToS/CoC/whatever at the very end that discloses the true nature of the project. Then attract/incentivize experienced developers to the project (easy), require them to agree to the terms (YOU MUST CLICK "I AGREE TO THESE TERMS") and put them in approval roles within the project. Then submit felonious patches and see how many get approved. At least then, "well, they did claim to have read the terms" in case of legal threat. The project could be shut down the instant the paper was done, and the risk to 3rd party harm would be minimized.
Granted, if anyone ever actually reads the terms, the jig is up. But we know how often that happens.
But it's food for thought in regards to the supposition that open source is safer due to its visibility.
One way the researchers could have done this, that would have been far less slimy, would be to fork an existing project with a compatible license (so they aren't starting from scratch). Bury some shit in the project's ToS/CoC/whatever at the very end that discloses the true nature of the project. Then attract/incentivize experienced developers to the project (easy), require them to agree to the terms (YOU MUST CLICK "I AGREE TO THESE TERMS") and put them in approval roles within the project. Then submit felonious patches and see how many get approved. At least then, "well, they did claim to have read the terms" in case of legal threat. The project could be shut down the instant the paper was done, and the risk to 3rd party harm would be minimized.
Granted, if anyone ever actually reads the terms, the jig is up. But we know how often that happens.
Shoggoth
kiwifarms.net
- Joined
- Aug 9, 2019
An angle which I completely missed initially was the professor behind this research is Chinese. Some galaxy brains on /g/ theorize he was malicious on behalf of the CCP. How plausible does it sound to you?
- Joined
- Jan 12, 2019
Sounds more like it was malicious on behalf of Academia. Universities and some of the "people" who emerge from them are the biggest threat to FOSS lately.
- Joined
- Dec 28, 2014
- Joined
- Apr 25, 2020
That's definitely a galaxybrain theory. Chinese agents would slip the code in without any paper trail. These morons inserted malicious code as part of a thesis which would be/was (I can't be assed to look for the details right now) openly published. This was just sheer pig-headed stupidity.
- Joined
- Feb 27, 2019
clownworld
kiwifarms.net
- Joined
- Mar 8, 2019
Sounds plausible. Doing so while working out of a US institution, and writing a paper about it, and getting additional Indian students to keep at it to add insult to injury. Definition of unrestricted warfare no?
- Joined
- Feb 4, 2013
This is the University of Minnesota, who up until fairly recently made you learn FORTRAN77 before letting you take courses on *any* other language. They don't care about being stupid. They have an enormous endowment and a state that loves shoveling cash into them no matter how low their undergraduate graduation rate gets. It's improved a lot because they got tired of being a massive embarassment, but in the 1990s the 4 year graduation rate was 15 percent, 6 percent for minorities.
clownworld
kiwifarms.net
- Joined
- Mar 8, 2019
Plus its the land of ihan omar and that oddly large somali community. Whats going on in Minnesota!? thanks for the additional context on the school.
Shoggoth
kiwifarms.net
- Joined
- Aug 9, 2019
DumbDude42
kiwifarms.net
- Joined
- Sep 12, 2019
then they wouldnt have published it
if your goal is to inject vulnerabilities into software to exploit later on, you dont fucking tell everyone about it so they can roll it back lol
fuck this shit, we had a lot of fun back in university when this was used in a lecture on computational logic
>prof is gonna show us his coq again
>look, coq on the projector again
>damn look how he's working that coq
every single lecture we cracked these retard jokes, it was great
clownworld
kiwifarms.net
- Joined
- Mar 8, 2019
ah yes, calling it "LeCoq" surely will solve the problem here.