University of Minnesota (UMN) assistant professor Kangjie Lu, along with graduate students Qiushi Wu and Aditya Pakki, apologized to the Linux community on Saturday for the controversial research into “hypocrite commits” that got the entire university system banned from contributing to the Linux kernel.
In an email to the Linux kernel mailing list, the trio said that the research in question, which sought to highlight one of the ways open source projects such as Linux can be undermined, was carried out in August 2020. The findings were published to GitHub on February 10; they didn’t appear to attract much attention for several months.
Then last week, Greg Kroah-Hartman, the Linux developer who oversees the stable release channel, banned UMN from contributing to the Linux kernel. He also said in an email to Pakki that he’d have to “rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems.”
This quickly became a hot-button issue among the Linux developer community, and the UMN Department of Computer Science and Engineering (CSE) apologized for the incident a day later. But the need to double-check all of the university’s contributions to the Linux kernel still raised the ire of many already-quite-busy Linux developers.
Lu, Wu, and Pakki remained silent—it seems Linux creator Linus Torvalds publicly responded to the controversy before the UMN trio did. That changed with the email to the Linux kernel mailing list on Saturday, in which the researchers attempted to explain the situation while simultaneously apologizing for the trouble it’s caused.
“This current incident has caused a great deal of anger in the Linux community toward us, the research group, and the University of Minnesota,” they said. “We apologize unconditionally for what we now recognize was a breach of the shared trust in the open source community and seek forgiveness for our missteps.”
The UMN researchers also clarified that the “hypocrite commits” research didn’t introduce vulnerabilities to the Linux kernel, said “all the other 190 patches being reverted and re-evaluated were submitted as part of other projects and as a service to the community,” and offered more details about the commits made in early April.
“We had been conducting a new project that aims to automatically identify bugs introduced by other patches (not from us),” they said. “Our patches were prepared and submitted to fix the identified bugs to follow the rules of Responsible Disclosure, and we are happy to share details of this newer project with the Linux community.”
The researchers ended their message with another apology and a promise that they’ve learned from the incident. “We can and will do better,” they said, “and we believe we have much to contribute in the future, and will work hard to regain your trust.” Whether or not they’ll be afforded the chance to do so will likely depend on both the Linux community and the results of the UMN CSE’s investigation.