> they didn’t do anyone harm.

Several of the patches are claimed to have landed in stable. Also, distributions and others (like the grsecurity people) pick up lkml patches that are not included in stable but might have security benefits. So even just publishing such a patch is harmful. Also, fixes were only provided to the maintainers privately as it seems, and unsuccessfully. Or not at all.

> If your excuse is “you knew the patch was vulnerable”, then how are you going to defend the project from bad actors?

Exactly the same way as without that "research".

If you try to pry open my car door, I'll drag you to the next police station. "I'm just researching the security of car doors" won't help you.

Actually, I think participants in an A/B test should be informed of it.

I think people should be informed when market research is being done on them.

For situations where they are already invested in the situation, it should be optional.

For other situations, such as new customer acquisition, the person would have the option of simply leaving the site to avoid it.

But either way, they should be informed.

> We should ban A/B testing then. Google didn’t tell me they were using me to understand which link color is more profitable for them.

Yes please.