TL;DR

Researchers at the University of Minnesota ran an experiment that submitted deliberately deceptive kernel patches, sparking outrage among Linux maintainers. After review, senior kernel maintainers moved to block contributions from the university, citing breaches of community trust and safety.

What happened

In April 2021 a student submitted a patch to Linux kernel mailing lists; within two weeks the University of Minnesota (UMN) was barred from contributing to the kernel. The controversy traces back to work by assistant professor Kangjie Lu and collaborators, who had previously developed automated bug-finding tools and published a 2019 paper reporting 278 bugs found with 151 accepted fixes. Later research by Lu and a coauthor described 'hypocrite commits'—patches that look like fixes while hiding harmful changes—to test whether vulnerabilities could be slipped into the kernel review process. The paper and its public announcement drew strong backlash from volunteer maintainers, who said the experiment squandered their time and violated trust. After maintainers inspected recent UMN submissions and found several that introduced security issues, Linux Foundation fellow Greg Kroah-Hartman publicly demanded the submissions stop and moved to ban UMN contributions. The university says its Institutional Review Board granted an exemption for the work; community members dispute the ethics and approach.

Why it matters

  • Open-source projects rely on voluntary trust and review; experiments that exploit that trust can damage collaboration.
  • Volunteer maintainers shoulder the cost of triaging submissions—deliberate misuse of that process imposes real time and security costs.
  • Introducing or testing covert vulnerabilities raises questions about responsible disclosure and research ethics in live ecosystems.
  • Policy and vetting practices for major open-source projects may need reassessment to prevent similar incidents.

Key facts

  • A patch from a UMN-affiliated student was sent to kernel developers on April 6, 2021; the university was banned within 15 days.
  • Kangjie Lu joined the University of Minnesota as an assistant professor in 2017 and published multiple papers using the Linux kernel as a testbed.
  • A 2019 UMN project (Crix) reportedly discovered 278 bugs and had 151 fixes accepted by maintainers.
  • Lu and a coauthor published research on 'hypocrite commits' that deliberately combined apparent fixes with hidden vulnerabilities to test the review process.
  • Many kernel contributors criticized the work as unethical and wasteful of maintainers' volunteer time.
  • The University of Minnesota applied for and received an Institutional Review Board exemption after the controversy.
  • Maintainers examining more recent UMN submissions reportedly found that several accepted patches introduced security issues.
  • Greg Kroah-Hartman, a Linux Foundation fellow, led the response urging UMN to stop submitting known-invalid patches and enforcing a ban.

What to watch next

  • Whether the Linux kernel community completes a comprehensive audit of past submissions from umn.edu (not confirmed in the source).
  • Any formal response, internal review, or sanctions from the University of Minnesota addressing the incident (not confirmed in the source).
  • Changes to kernel contribution policies or stricter vetting processes for academic or institutional submissions (not confirmed in the source).

Quick glossary

  • Linux kernel: The core software component that manages hardware, memory, processes, and drivers for Linux-based operating systems.
  • Maintainer: A volunteer or appointed developer responsible for reviewing, accepting, and caring for a specific part of a codebase.
  • Patch: A submitted change to code intended to fix bugs, add features, or modify behavior; subject to review before acceptance.
  • Institutional Review Board (IRB): A committee that evaluates research involving human subjects to ensure ethical standards and regulatory compliance.
  • Hypocrite commit: A term used by the researchers involved to describe a change that appears to fix an issue while secretly introducing a vulnerability.

Reader FAQ

Was the University of Minnesota actually banned from the Linux kernel?
Yes. After maintainers reviewed recent submissions and raised concerns, senior kernel maintainers moved to block contributions from the university.

Did any of the deliberate test patches cause real-world harm?
According to reporting cited by maintainers, at least one patch from the study entered repositories but did not cause documented harm; broader impact is disputed among developers.

Did the university seek ethical approval for the research?
The University of Minnesota applied for and received an exemption from its Institutional Review Board after the controversy.

Were the researchers trying to maliciously attack Linux?
The researchers said the experiment aimed to expose weaknesses and improve security; many community members characterized the approach as unethical and harmful to trust.

Will the kernel change its contribution process because of this?
Not confirmed in the source.

Source article: "How a university got itself banned from the Linux kernel: The University of Minnesota’s path to banishment was long, turbulent, and full of emotion," by Monica Chin…
