Anyone saying that it was a bad idea to ban the entire University isn't looking at the big picture. I look at it from a very philosophical standpoint:
The entire idea of an academic (research) institution can be summarized as "an entity representing a group of trusted people who act in good faith of that institution". The moment one of your researchers acts in bad faith, or shows that they cannot be trusted, it's clear that the institute cannot be trusted until the institute takes decisive restorative action. By banning the University, you are saying "we no longer trust you in your authority as an institution until it can be made clear that this isn't a systemic problem."... you are not saying "every single person at the University is terrible" as it was framed by some commenters in the other thread.
This is why, in any broad case, it's so upsetting when an institution of any variety doesn't take clear responsibility for the behavior and actions of its members or representatives (take for example the police, or the federal government). When that is true, the behavior of any member of that institution should be subject to scrutiny and distrust. It's not a complicated social phenomenon.
If one doctor at a hospital does very bad things - then yes, I would avoid that hospital completely. Because in a working environment, bad actors would be detected by colleagues, etc.
And since this has not happened, one can only assume the whole hospital to be deeply flawed.
Indeed! If I heard that a doctor was deliberately and repeatedly poisoning his patients, I'd absolutely avoid the place because proper oversight is clearly lacking.
Perhaps the hospital actually has excellent oversight and it is just that the evil doctor is exceptionally clever at avoiding it. But, Occam's Razor says that is a poor bet.
Banning the university is fine to send a message, but reverting all patches from umn emails seems very shortsighted to me. Especially blindly reverting patches years before this "research" was conducted that almost certainly have had context changes around them, likely introducing more harm than good.
I think that reverting them so that they can be reviewed is entirely appropriate - sure there are lots of people at that particular university, but it's not the Linux maintainers' job to know which of them are bad actors - better that the entire university gets locked out, if only to get their attention, and then let them sort out their bad actors before being let back into the fold.
I could easily see sending in a bad patch to see what happens and then waiting a few years to do more and write them up; there's no realistic way to guarantee when the bad-faith contributions started.
Except that patch is clearly BS! You can't patch a double-read vulnerability by checking for a capability; that's not a thing that works. So either the description is wrong, or the patch is wrong, or both.
And the point of the reverts is that the kernel maintainers don't have the unlimited time that would be necessary to re-review all of these questionable patches for probable malicious underhanded C, so they are reverted for now for triage (not permanently).
For the linked patch, I would judge it possibly malicious as it leaves the identified vulnerability in the kernel for later exploit by the attackers, namely, the UMN research team.
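To illustrate the point above that a capability check does not address a double-read (double-fetch) bug, here is a constructed C model that is not the linked patch and not kernel code: a handler validates one copy of a user-controlled header and then reads it again for the actual use, so a concurrent writer can change the value in between; the hardened form fetches once and validates the copy it uses. `fetch`, `race_fn`, and `bump_len` are stand-ins assumed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a user-supplied header that the "kernel" reads. */
struct hdr { uint32_t len; };
#define KBUF_SZ 16u

/* Optional "other thread" that mutates the shared buffer inside the race window. */
typedef void (*race_fn)(struct hdr *user);

/* Stand-in for copy_from_user(): copy, then let the simulated writer run. */
static void fetch(void *dst, const struct hdr *src, size_t n, race_fn race, struct hdr *user) {
    memcpy(dst, src, n);
    if (race) race(user);          /* models the window between check and use */
}

/* Vulnerable pattern: check copy #1, then re-read and use copy #2.
 * The privilege check at the top does nothing about the race. */
int handler_double_fetch(struct hdr *user, bool caller_privileged, race_fn race, uint32_t *used_len) {
    struct hdr h1, h2;
    if (!caller_privileged) return -1;       /* capability-style gate */
    fetch(&h1, user, sizeof h1, race, user);
    if (h1.len > KBUF_SZ) return -2;         /* validated: copy #1 */
    fetch(&h2, user, sizeof h2, NULL, user);
    *used_len = h2.len;                      /* used: copy #2, never validated */
    return 0;
}

/* Hardened pattern: fetch once, validate and use the same kernel-side copy. */
int handler_single_fetch(struct hdr *user, race_fn race, uint32_t *used_len) {
    struct hdr h;
    fetch(&h, user, sizeof h, race, user);
    if (h.len > KBUF_SZ) return -2;
    *used_len = h.len;                       /* same value that was checked */
    return 0;
}

/* Simulated concurrent writer: flips the length after the first read. */
static void bump_len(struct hdr *user) { user->len = 1000; }

/* Drivers: both start from a header that passes validation (len = 8). */
int demo_double(uint32_t *out) { struct hdr u = { 8 }; return handler_double_fetch(&u, true, bump_len, out); }
int demo_single(uint32_t *out) { struct hdr u = { 8 }; return handler_single_fetch(&u, bump_len, out); }
```

In the double-fetch handler the check passes on 8 but the handler goes on to use 1000, larger than the 16-byte buffer; the single-fetch handler uses the 8 it validated. A review of a patch claiming to fix such a bug should look for the second read being removed, not for a new permission check.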
You don't think reverting a patch from someone whose only relation is working (worked?) at the same university as the advisor initially responsible for the security "research" is overkill? If the goal is to prevent security bugs in mainline then maybe haphazardly reverting everything that doesn't conflict and fixing it later isn't the best approach.
I'm disappointed at seeing hackernews jump on this mindless mob justice like other sites would.
Seems like the problem was from more than one person. This doesn't seem like mob justice, it seems like a pretty measured response to a source of repeat bad faith actors.
I don't think the removal of those patches means the changes will be immediately pushed to the public. If they are breaking anything it is the develop branch, and surely they will review all those patches and merge the good ones back before releasing anything public.