This isn't friendly pen-testing in a community, this is an attack on critical infrastructure using a university as cover. The foundation should sue the responsible profs personally and seek criminal prosecution. I remember a bunch of U.S. contractors said they did the same thing to one of the OpenBSD VPN library projects about 15 years ago as well.
What this professor is proving out is that open source and (likely, other) high trust networks cannot survive really mendacious participants, but perhaps by mistake, he's showing how important it is to make very harsh and public examples of said actors and their mendacity.
I wonder if some of these or other bug contributors have also complained that the culture of the project governance is too aggressive, that project leads can create an unsafe environment, and discourage people from contributing? If counter-intelligence prosecutors pull on this thread, I have no doubt it will lead to unravelling a much broader effort.
Not everything can be fixed with the criminal justice system. This should be solved with disciplinary action by the university (and possibly will be [1]).
I am not knowledgeable enough to know if this intent is provable, but if someone can frame the issue appropriately, it feels like it could be good to report this to the FBI tip line so it is at least on their radar.
Organizing an effort, with a written mandate, to knowingly introduce kernel vulnerabilities, through deception, that will spread downstream into other Linux distributions, likely including firmware images, which may not be patched or reverted for months or years, does not warrant a criminal investigation?
The foundation should use recourse to the law to signal they are handling it, if only to prevent these profs from being mobbed.
I think you are misunderstanding what happened. They emailed the patches to the maintainers, and when the maintainers responded "this looks good", then told them there was a bug in the patch. They never committed a bad patch to the source tree. The problem is they were deceptive in their initial email, not that they actually introduced kernel vulnerabilities. No bad code was ever committed, and they had a written mandate to verify that.
Both of those reverts suggest those were just non-malicious contributions that the maintainers reverted just in case (and reapplied after review). If that's the proof, then I think you are mistaken. Maybe put another way, if someone says "noptd has bad intentions, so I'm reverting all of noptd's contributions that were committed to stable" the reverts themselves are not proof that malicious commits made it to stable, and that noptd has bad intentions.
It doesn't sound like either of those reverts are necessarily for malicious patches. They are reverting all commits from umn.edu addresses regardless of their involvement with this professor.
"Romanovsky reported that he had looked at four accepted patches from Pakki 'and 3 of them added various severity security "holes."' Sudip Mukherjee, Linux kernel driver and Debian developer, followed up and said 'a lot of these have already reached the stable trees.' These patches are now being removed."
However, if you click the links, you'll see that "have already reached stable trees" is about non-buggy patches, and "3 of them added various [holes]" are not among those. So the articles seem to be intentionally deceiving the reader into thinking those are connected, when they're separate events. I actually feel like the media has been doing this (putting non-related facts together in a way that readers reasonably infer a connection between the two).
Again, there's nothing that says the patches with vulnerabilities made it to stable.
Did you read the ZDNet article and look at the links in that article in the relevant paragraph? I'm not "disagreeing", I'm saying that they are misleading the reader (and it looks like many were fooled).
The two sentences they put together are not related, but put next to each other, they make it seem like they're related. We have to be careful when reading these articles. So the researchers have made commits to stable, and the researchers have introduced vulnerabilities, but they are not referring to the same patches. So no vulnerabilities have been committed to stable.