Hello, welcome to the Thursday, April 22nd, 2021 edition of the Sandstone Storm Center's Stormcast. My name is Johannes Ulrich.

And today, I'm recording from Jacksonville, Florida. Well, and starting today again with yet another

software supply chain issue. Open source software, of course, was sort of in the focus of software supply chain issues

for a long time because many of these open source projects are really based more on trust

than actual code reviews.

And if parts of the community feel that trust is violated, of course, the reaction can be

quite harsh, and this is what researchers at the University of Minnesota are currently experiencing.

Late last year, researchers at the University of Minnesota did experiment with a project they called

Hypercrit Commit that affected the Linux kernel.

They identified a couple of patterns that in the past have led to security vulnerabilities.

And based on these patterns, they created patches which they submitted to the

Linux mailing list. In Linux usually patches are first discussed on these mailing lists before

they're actually being added as a commit to some Git repository. In this case whenever

a maintainer essentially indicated that the patch

looks good and was essentially approved, the researchers then pointed out why the patch shouldn't

be approved, so in this case, it was never actually committed to Git. So it was kind of the safe procedure they came up with in order to test their hypotheses

if it's possible to introduce these vulnerabilities into the Linux kernel without actually

modifying the production Linux code.

And this looked all good.

They went public with this in December.

In February, their paper was published. And earlier this week, a colonel maintainer decided

to no longer accept any commits from the University of Minnesota and to undo hundreds of

...