Web Excursions 2021-04-30

🌟 [Post of The Day] An update on the UMN affair

  • Background

    • On April 20, the world became aware of a research program conducted out of the University of Minnesota (UMN) that involved submitting intentionally buggy patches for inclusion into the Linux kernel.

    • Since then, a paper resulting from this work has been withdrawn, various letters have gone back and forth, and numerous patches from UMN have been audited.

    • On April 22, a brief statement was issued by the Linux Foundation technical advisory board (TAB) stating that, among other things, the recent patches appeared to have been submitted in good faith.

  • The old saying still holds true: one should not attribute to malice that which can be adequately explained by incompetence.

  • Five patches were submitted overall from two sock-puppet accounts

    • but one of those was an ordinary bug fix that was sent from the wrong account by mistake.

    • Of the remaining four

      • one of them was an attempt to insert a bug that was, itself, buggy, so the patch was actually valid

      • the other three contained real bugs.

      • None of those three were accepted by maintainers, though the reasons for rejection were not always the bugs in question.

  • Patch re-review

    • one of the first things that happened when this whole affair exploded was the posting by Greg Kroah-Hartman of a 190-part patch series reverting as many patches from UMN as he could find

      • it wasn't all of them; he mentioned a list of 68 others requiring manual review because they do not revert easily.

    • As it happens, these "easy reverts" also needed manual review;

      • once the initial anger passed there was little desire to revert patches that were not actually buggy

    • Most of the suspect patches have turned out to be acceptable

      • 42 patches are still set to be pulled out of the kernel.

    • the reasoning behind the revert varies from one to the next.

      • apply to old and presumably unused drivers and nobody can be bothered to properly review them

      • the intended change was done poorly and will be reimplemented in a better way

      • contained serious errors

    • A look at the full set of UMN patches reinforces some early impressions

      • almost all of them do address some sort of real (if obscure and hard to hit) problem;

      • seems unlikely that any of them were malicious in their intent.

    • The 42 bad patches out of 190 is a 22% bad-patch rate.

      • those patches had been accepted by subsystem maintainers throughout the kernel, which is not a great result.

      • Perhaps that is a more interesting outcome than the one that the original "hypocrite commit" researchers were looking for.

    • TAB will be publishing a full report of the audit of all these patches once it is complete.

  • Lessons learned

    • do not use a free-software development community as a sort of free validation service for your experimental tool.

    • kernel maintainers (and maintainers of many other free-software projects) are overworked and do not have the time to properly review every patch that passes through their hands.

    • code going into the kernel is often not as well reviewed as we like to think.

    • regular kernel developers continue to insert bugs at such a rate that there should be little need for malicious actors to add more.

    • the real lesson

      • the speed of the kernel process is one of its best attributes, and we all depend on it to get features as quickly as possible.

        • But that pace may be incompatible with serious patch review and low numbers of bugs overall.

        • if we cannot institutionalize a more careful process, we will continue to see a lot of bugs and it will not really matter whether they were inserted intentionally or not.


Google is saving $1 billion per year as a result of employees working from home

  • During the first quarter, Google parent Alphabet Inc. saved $268 million in expenses from company promotions, travel and entertainment, compared with the same period a year earlier, “primarily as a result of COVID-19,” according to a company filing.

  • On an annualized basis, that would be more than $1 billion.

    • Indeed, Alphabet said in its annual report earlier this year that advertising and promotional expenses dropped by $1.4 billion in 2020 as the company reduced spending, paused or rescheduled campaigns, and changed some events to digital-only formats due to the pandemic.

    • Travel and entertainment expenses fell by $371 million.


Google is saving $1B per year as a result of employees working from home | Hacker News

  • paxys, doubting: Google is saving $1 billion per year because of COVID-19, not because employees are working from home. This is literally mentioned in the article, but the headline is twisted

  • seoaeu, providing context: one expense they saved on is sending out recruiters and engineers to likely thousands of career fairs, recruiting sessions, etc. Nobody would reasonably argue that skipping all of them is a sustainable strategy long term even if it hasn't hurt them much so far.