Keeping Open Source Safe
Written by Kay Ewbank   
Friday, 15 August 2014

While large open source software projects benefit from having thousands of people contributing, that openness also leaves them open to problems, as a recent spate of patches for the Linux kernel shows.

The Linux kernel is the granddaddy of open software projects; it’s the largest software project being written cooperatively and has thousands of conscientious developers working to improve it. The tricky bit is what happens if someone isn’t attempting to be helpful, but to actively (or possibly incompetently) harm it.

A case in point has been causing problems recently. A developer called Nick Krause has been sending lots of patches; unfortunately, none of them work. At first the other developers assumed he was just a not-very-good programmer, but the fact that he has been ignoring everything the more experienced developers have told him makes it increasingly likely that his motive is malicious.

The main developers of the kernel have been remarkably patient with Krause’s patches, but their patience is increasingly running out; in response to Krause ‘apologizing’ for yet another non-working patch with a comment of “Seems I need to have tested this code first”, Dave Airlie replied:

“For all that is sacred, STOP.

Go and do something else, you are wasting people's valuable time,

Don't send any patches you haven't tested ever. If you aren't capable of setting up a VM to run compressed btrfs volumes in, what makes you think you can patch the code.”

More recent responses have been more irate, and the contributor's motives are increasingly being questioned. Dave Airlie suggested that Krause “sends random broken patches to random subsystems in the hope that one will slip past a sleepy maintainer and end up in the kernel.”

In a recent thread, Theodore Ts’o pointed out that Krause has tried to insert non-working code into the ext4, btrfs, scsi, and usb subsystems, and tried to come up with an explanation for his behavior. Among the suggestions is one from Airlie that Krause is trying to write a university thesis on trolling the kernel development process. Other theories are that he's a badly written AI chatbot, or just a clueless high school student with more tenacity than one usually expects at that age. Or maybe he's trying to win a bet, or is trying to get extra credit or to complete some course assignment by getting a patch into the kernel.

Or maybe this is just the universe trying to demonstrate exactly how true the Dunning-Kruger effect really is.

Whatever the motives, the problem is slowing down development work, and it shows that open source doesn’t necessarily mean angelic developers working for the common good. The fact that Krause’s code simply doesn’t work makes its problems obvious, but it raises the question: would better-written but actually malicious code be as easy for the kernel team to spot?

Last Updated ( Friday, 15 August 2014 )