In 2020, researchers at the University of Minnesota conducted an experiment to test how well the Linux community was able to defend against bad patches. To do so, they posed as regular developers and submitted “patches” that, if accepted, would introduce security vulnerabilities to the widely-used Linux kernel. These bad patches were rejected by the Linux community, and when Linux maintainers found that they were part of an experiment, they were “livid.” They assert that checking and rejecting these malicious submissions wasted the community’s time and that none of the maintainers consented to being experimented on. The Linux Foundation opted to review past University of Minnesota submissions and is now default-rejecting submissions from contributors with a umn.edu email. Fortunately, despite its dubious ethics, this experiment revealed that the Linux patch review process was resistant to bad-faith submissions.
