Web Excursions 2021-04-30
🌟 [Post of The Day] An update on the UMN affair
Background
On April 20, the world became aware of a research program conducted out of the University of Minnesota (UMN) that involved submitting intentionally buggy patches for inclusion into the Linux kernel.
Since then, a paper resulting from this work has been withdrawn, various letters have gone back and forth, and numerous patches from UMN have been audited.
On April 22, a brief statement was issued by the Linux Foundation technical advisory board (TAB) stating that, among other things, the recent patches appeared to have been submitted in good faith.
The old saying still holds true: one should not attribute to malice that which can be adequately explained by incompetence.
Five patches were submitted overall from two sock-puppet accounts
but one of those was an ordinary bug fix that was sent from the wrong account by mistake.
Of the remaining four
one of them was an attempt to insert a bug that was, itself, buggy, so the patch was actually valid
the other three contained real bugs.
None of those three were accepted by maintainers, though the reasons for rejection were not always the bugs in question.
Patch re-review
one of the first things that happened when this whole affair exploded was the posting by Greg Kroah-Hartman of a 190-part patch series reverting as many patches from UMN as he could find
it wasn't all of them; he mentioned a list of 68 others requiring manual review because they do not revert easily.
As it happens, these "easy reverts" also needed manual review;
once the initial anger passed there was little desire to revert patches that were not actually buggy
Most of the suspect patches have turned out to be acceptable
42 patches are still set to be pulled out of the kernel.
the reasoning behind the revert varies from one to the next.
apply to old and presumably unused drivers and nobody can be bothered to properly review them
the intended change was done poorly and will be reimplemented in a better way
contained serious errors
A look at the full set of UMN patches reinforces some early impressions
almost all of them do address some sort of real (if obscure and hard to hit) problem;
seems unlikely that any of them were malicious in their intent.
The 42 bad patches out of 190 is a 22% bad-patch rate among patches that were accepted by subsystem maintainers throughout the kernel, which is not a great result.
Perhaps that is a more interesting outcome than the one that the original "hypocrite commit" researchers were looking for.
TAB will be publishing a full report of the audit of all these patches once it is complete.
Lessons learned
do not use a free-software development community as a sort of free validation service for your experimental tool.
kernel maintainers (and maintainers of many other free-software projects) are overworked and do not have the time to properly review every patch that passes through their hands.
code going into the kernel is often not as well reviewed as we like to think.
regular kernel developers continue to insert bugs at such a rate that there should be little need for malicious actors to add more.
the real lesson
the speed of the kernel process is one of its best attributes, and we all depend on it to get features as quickly as possible.
But that pace may be incompatible with serious patch review and low numbers of bugs overall.
if we cannot institutionalize a more careful process, we will continue to see a lot of bugs and it will not really matter whether they were inserted intentionally or not.
Google is saving $1 billion per year as a result of employees working from home
During the first quarter, Google parent Alphabet Inc. saved $268 million in expenses from company promotions, travel and entertainment, compared with the same period a year earlier, “primarily as a result of COVID-19,” according to a company filing.
On an annualized basis, that would be more than $1 billion.
Indeed, Alphabet said in its annual report earlier this year that advertising and promotional expenses dropped by $1.4 billion in 2020
as the company reduced spending,
paused or rescheduled campaigns, and changed some events to digital-only formats due to the pandemic.
Travel and entertainment expenses fell by $371 million.
Google is saving $1B per year as a result of employees working from home | Hacker News
paxys, doubting: Google is saving $1 billion per year because of COVID-19, not because employees are working from home. This is literally mentioned in the article, but the headline is twisted.
seoaeu, providing context: one expense they saved on is sending out recruiters and engineers to likely thousands of career fairs, recruiting sessions, etc. Nobody would reasonably argue that skipping all of them is a sustainable strategy long term even if it hasn't hurt them much so far.