Date: Wed, 21 Apr 2021 09:37:27 -0400
From: "J. Bruce Fields"
To: "Shelat, Abhi"
Cc: Greg KH, Sudip Mukherjee, Leon Romanovsky, Aditya Pakki, Chuck Lever, Trond Myklebust, Anna Schumaker, "David S. Miller", Jakub Kicinski, Dave Wysochanski, "linux-nfs@vger.kernel.org", netdev, linux-kernel
Subject: Re: [PATCH] SUNRPC: Add a check for gss_release_msg

On Wed, Apr 21, 2021 at 11:58:08AM +0000, Shelat, Abhi wrote:
> Academic research should NOT waste the time of a community.
>
> If you believe this behavior deserves an escalation, you can contact
> the Institutional Review Board (irb@umn.edu) at UMN to investigate
> whether this behavior was harmful; in particular, whether the research
> activity had an appropriate IRB review, and what safeguards prevent
> repeats in other communities.

For what it's worth, they do address security, IRB, and maintainer-time
questions in "Ethical Considerations", starting on p. 8:

	https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf

(Summary: in that experiment, they claim actual fixes were sent before
the original (incorrect) patches had a chance to be committed; that
their IRB reviewed the plan and determined it was not human research;
and that patches were all small and (after correction) fixed real (if
minor) bugs.)

This effort doesn't appear to be following similar protocols, if Leon
Romanovsky and Aditya Pakki are correct that security holes have already
reached stable.

Also, I still don't understand the explanation of the original SUNRPC
patch. I don't know much about static analyzers, but it really doesn't
look like the kind of mistake I'd expect one to make.

--b.