Keeping Open Source Safe
Written by Kay Ewbank   
Friday, 15 August 2014

While large open source software projects benefit from having thousands of people contributing, that openness also leaves them open to problems, as a recent spate of patches for the Linux kernel shows.

The Linux kernel is the granddaddy of open software projects; it’s the largest software project being written cooperatively and has thousands of conscientious developers working to improve it. The tricky bit is what happens if someone isn’t attempting to be helpful, but to actively (or possibly incompetently) harm it.

A case in point has been causing problems recently. A developer called Nick Krause has been sending lots of patches; unfortunately, none of them work. At first the other developers assumed he was just a not-very-good programmer, but the fact he’s been ignoring everything the other more experienced developers have told him makes it increasingly likely that his motive is malicious.

The main developers of the kernel have been remarkably patient with Krause’s patches, but their patience is increasingly running out; in response to Krause ‘apologizing’ for yet another non-working patch with a comment of “Seems I need to have tested this code first”, Dave Airlie replied:

“For all that is sacred, STOP.

Go and do something else, you are wasting people's valuable time,

Don't send any patches you haven't tested ever. If you aren't capable of setting up a VM to run compressed btrfs volumes in, what makes you think you can patch the code.”

More recent responses have been more irate, and the contributor's motives are increasingly being questioned. oN Dave Airlie suggested that Krause “sends random broken patches to random subsystems in the hope that one will slip past a sleepy maintainer and end up in the kernel.”

In a recent thread on Theodore Ts’o pointed out that Krause has tried to insert non-working code into the ext4, btrfs, scsi, and usb subsystems and tried to come up with an explanation for his behavior. Among the suggestions is one from Airlie that Krause is trying to write a University Thesis on trolling the kernel development process. Other theories are that he's a badly written AI chatbot, or just a clueless high school student with more tenacity than one usually expects at that age. Or maybe he's trying to win a bet, or is trying to get extra credit or to complete some course assignment by getting a patch into the kernel.

Or maybe this is just the universe trying to demonstrate exactly how true the Dunning-Krueger effect really is.

Whatever the motives, the problem is slowing down the work of development, and shows that open source doesn’t necessarily mean angelic developers working for the common good. The fact that Krause’s code just doesn’t work makes its problems obvious; but raises the question - would better written but actually malicious code be as easy for the kernel team to spot?



Developers Like Code Assistants Even When They Are Incorrect

Over half of ChatGPT answers to programming questions contain misinformation, yet the majority of developers are still keen to use AI tools and report both personal satisfaction and increased producti [ ... ]

Raspberry Pi To Go Public - Are We Worried?

Raspberry Pi used to be the enthusiast's enthusiasm and this provided a base to expand into commercial applications. For some time now, some of the enthusiasts have been expressing concern that the co [ ... ]

More News


C book



or email your comment to:

Last Updated ( Friday, 15 August 2014 )