Do the authors of this study honestly believe that the reason malicious actors intentionally introduce security vulnerabilities in software is because the "code of conduct of OSS" doesn't prohibit it? Do the malicious actors read the code of conduct and think, "Oops, I can't be malicious here, I'll try somewhere else".
Nope, but it will protect you from researchers with questionable ethics.
I'm shocked that it had to come to this, but if the kernel developers deem it necessary to remove every commit from the university and ban them from committing, something has gone horribly wrong.
> Academic research should NOT waste the time of a community.
IRBs are typically more equipped for biological/psychological research and likely wouldn't have the technical chops to see past the software to the real world, especially if it was presented to them inadequately.
Did they even seek IRB approval? Being from the CS department they might not have even considered it.
That being said, I think it would've made more sense for them to have created some dummy complex project for a class and have say 80% of the class introduce "good code", 10% of the class review all code and 10% of the class introduce these "hypocrite" commits. That way you could do similar research without having to potentially break legit code in use.
I say this since the crux of what they're trying to discover is:
1. In OSS anyone can commit.
2. Though people are incentivized to reject bad code, complexities of modern projects make 100% rejection of bad code unlikely, if not impossible.
3. Malicious actors can take advantage of (1) and (2) to introduce code that does both good and bad things such that an objective of theirs is met (presumably putting in a back-door).
To do otherwise is completely unethical experimentation on unwilling human subjects, plus a risk that if you "succeed" (in sneaking something by) you have harmed the public.
Getting banned from committing to the most important and critical open source project out there cannot be good for a university.
The teaching hasn't changed, and the CS field is a very large space, and the Linux kernel is a prominent but small part. That's not to say the Linux kernel is insignificant, just that the CS field is very big.
Personally, I see this as a group of researchers going about it outside well-understood ethical patterns for pentesting and getting punished for it. I think it's necessary for the university to be made an example of, but I don't think it necessarily reflects badly on the whole CS department. Hopefully the IRB does a postmortem of this and concludes that ethical review also needs field-specialist input in general.
That said, I believe the punishment for the failing here should be measured. I don't think they should just blatantly fire a professor for doing this, though a severe reprimand is in order. Also, banning an entire university could probably be toned down a bit.
The end result of this will hopefully be much more in-depth code review, better tests, better fuzzing, and more deployment of static analysis tools that can catch errors like this.