Devs try to introduce dangerous commit to Linux - Linus shuts it down
Grogster (Admin Group) Joined: 31/12/2012 Location: New Zealand Posts: 9590
VERY interesting, and scary all at the same time. Amazing that Linus continues to protect the Linux kernel from crap like this.... LINK... ....assuming this is TRUE, and not BS.
Edited 2025-06-03 17:43 by Grogster
Smoke makes things work. When the smoke gets out, it stops!
stef123 (Regular Member) Joined: 25/09/2024 Location: United Kingdom Posts: 89
Indeed. Even if something like that -would- finally make it into the Kernel, hundreds, thousands of others would try to fix that immediately (if possible), while "some others" would maybe leave the exploit open up until "Patch Tuesday", maybe even months or years, depending on how actively the exploit is being used or how much the changes compromise the system. Additionally with the risk that the entire system wouldn't work anymore after an update (remember the ACPI.sys fault recently?)
That's why especially the Kernel maintainers, but also the OSS community, are in need of strong financial support, in order to be able to spend most of their working time on monitoring Kernel changes like these and other vulnerable bugs in their OSS.
But that's also a sign that the Kernel itself must be reduced in size by throwing out old and mostly unused components to keep its size small and be more/faster verifiable for vulnerable changes. At least for productivity Kernels.
Mixtel90 (Guru) Joined: 05/10/2019 Location: United Kingdom Posts: 7843
I suspect that was an unfortunate combination of circumstances. Luckily Linus has ultimate say on what goes into the kernel and the commits would have to get past him - and he's on the ball. On the whole I think the situation was handled very well. Because Linux is so transparent you get to see stuff like this. Yes, it's a bit of dirty laundry, but at least it helps give you confidence in the OS when you know stuff like this gets spotted.
I always liked modular kernels. I've never been a fan of integrating a lot of stuff, even if it is more efficient.
Mick
Zilog Inside! nascom.info for Nascom & Gemini
Preliminary MMBasic docs & my PCB designs
lizby (Guru) Joined: 17/05/2016 Location: United States Posts: 3354
FWIW a poster in the thread asserts that the developer sanctioned by Linus has been re-instated after the vast problem was shown to be replicable as a mistake (so not now thought to have been malicious). Still, it was carelessness that that developer had suspended his own quality checks because he thought they were false. Good to know that Linus has his own quality checks and uses them to maintain the integrity of the Linux system.
Edited 2025-06-03 23:10 by lizby
PicoMite, Armmite F4, SensorKits, MMBasic Hardware, Games, etc. on fruitoftheshed
JohnS (Guru) Joined: 18/11/2011 Location: United Kingdom Posts: 4036
I think the SHA1 and other checks will have made git report errors (in effect refusing to merge the bad stuff) and Linus then investigated why ... and the rest is in the video.
Of course it's possible (at least in theory) for a malicious trusted developer to add bad stuff, but this isn't how because it was bound to be rejected immediately (I think).
The usual way bad stuff gets in is that it's code that looks OK, tests OK, etc, but has a (usually subtle) bug.
John
The Back Shed's forum code is written, and hosted, in Australia. | © JAQ Software 2025 |