undefined | Better HN

0 pointsjedimastert4y ago0 comments

Out of curiosity, what would be an actually good way to poke at the pipeline like this? Just ask if they'd OK a patch w/o actually submitting it? A survey?

0 comments

saagarjha4y ago

Probably ask the maintainers to consent and add some blinding so that the patches look otherwise legitimate.

ajuc4y ago

Ask about this upfront, get consent, wait rand()*365 days and do the same thing they did. Inform people immediately after it got accepted.

roca4y ago

Ask Linus to approve it.

throwawaybbq14y ago

No .. Linus can approve it on himself. Linus cannot approve such a thing on behalf of other maintainers.

roca4y ago

That's fair, but asking for and getting Linus' approval would have at least put them in a much stronger position. They didn't even do that. (And I doubt Linus would have even given his approval, in which case they wouldn't be in this mess.)

mafuy4y ago

Agree. Since these researchers did not even ask him, they did not fulfill even the most basic requirement. If, and only if, he approves, then we can talk about who else needs to be in the know, etc.

throwawaybbq14y ago

This is a good question. You would recruit actual maintainers, [edit: or whoever is your intended subject pool] (who would provide consent, perhaps be compensated for their time). You could then give them a series of patches to approve (some being bug free and others having vulnerabilities).

[edit: specifying the population of a study is pretty important. Getting random students from the University to approve your security patch doesn't make sense. Picking students who successfully completed a computer security course and got a high grade is better than that but again, may not generalize to the real world. One of the most impressive ways I have seen this being done by grad students was a user study by John Ousterhout and others on Paxos vs. Raft. IIRC, they wanted to claim that Raft was more understandable or led to fewer bugs. Their study design was excellent. See here for an example: https://www.youtube.com/watch?v=YbZ3zDzDnrw&ab_channel=Diego... ]

dataflow4y ago

If an actual maintainer (i.e. an "insider") approves your bug, then you're not testing the same thing (i.e. the impact an outsider can have), are you?

throwawaybbq14y ago

I meant the same set of subjects they wanted to focus on.

1 more reply

ret2plt4y ago

This wouldn't really be representative. If people know they are being tested, they will be much more careful and cautious than when they are doing "business as usual".

robertlagrant4y ago

> This took 1 min of thinking btw.

QFT.

j / k navigate · click thread line to collapse

0 comments

saagarjha4y ago

Probably ask the maintainers to consent and add some blinding so that the patches look otherwise legitimate.

ajuc4y ago

Ask about this upfront, get consent, wait rand()*365 days and do the same thing they did. Inform people immediately after it got accepted.

roca4y ago

Ask Linus to approve it.

throwawaybbq14y ago

No .. Linus can approve it on himself. Linus cannot approve such a thing on behalf of other maintainers.

roca4y ago

mafuy4y ago

Agree. Since these researchers did not even ask him, they did not fulfill even the most basic requirement. If, and only if, he approves, then we can talk about who else needs to be in the know, etc.

throwawaybbq14y ago

dataflow4y ago

If an actual maintainer (i.e. an "insider") approves your bug, then you're not testing the same thing (i.e. the impact an outsider can have), are you?

throwawaybbq14y ago

I meant the same set of subjects they wanted to focus on.

1 more reply

ret2plt4y ago

This wouldn't really be representative. If people know they are being tested, they will be much more careful and cautious than when they are doing "business as usual".

robertlagrant4y ago

> This took 1 min of thinking btw.

QFT.

j / k navigate · click thread line to collapse