Slashdot Mirror

← Back to Stories (view on slashdot.org)

Drive-By Contributors to the Linux Kernel

Posted by timothy on from the what-are-the-gang-signs-to-safely-employ dept.

eldavojohn writes "There's an interesting post over at the Kernel Trap that focuses on a man's attempt to find out how many one-time contributors Linux averages per release. Although imperfect due to some obvious unavoidable flaws, he got a few dirty numbers of 'never seen from agains' in the commits from patches 2.6.11 through 2.6.25 and the numbers are: {63, 148, 128, 92, 96, 122, 137, 140, 135, 95, 136, 153, 179, 179, 304}. This makes sense as another reader, Greg KH, pointed out that the distribution curve is tilted towards one-hit contributions, 'the distribution of all of our users are: 50% only contributed 1 patch; 25% contributed 2; 12% contributed 3; 6% contributed 4 and so on ...'"

61 comments

  1. won't something think of the children? by hostyle · · Score: 4, Funny

    How long til we get Jack Thompson on the case? Drive-bys and other kernel related violence is just not on! ~

    --
    Caesar si viveret, ad remum dareris.
    1. Re:won't something think of the children? by Kamokazi · · Score: 1, Offtopic

      He's busy getting disbarred, and hopefully imprisoned.

      --
      As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.
    2. Re:won't something think of the children? by bsDaemon · · Score: 3, Funny

      That's why I use FreeBSD -- JAILS make it the law-and-order OS of choice :-p

    3. Re:won't something think of the children? by Anonymous Coward · · Score: 0

      I feel safer with OpenBSD's pro Police. :)

    4. Re:won't something think of the children? by sirmonkey · · Score: 1

      +5 funny allready!
      also someone needs to add a "butt to jokes" section on wikipedia and add this to jack's :-p hehe

      --
      bored? try this http://jadmadi.net/blog/2005/01/27/linux-wine-how-to-running-windows-viruses-with-wine/
    5. Re:won't something think of the children? by Anonymous Coward · · Score: 0

      FAIL

  2. Suggestions for evil? by Henry+V+.009 · · Score: 5, Insightful

    There doesn't seem to be a lot of room for a web of trust here. I wonder how hard it would be to inject some sort of extremely non-obvious race condition hidden in a large and useful patch that just so happens to let you execute arbitrary code?

    If you were found out, you could just claim, plausibly, that you hadn't seen the possibility of the race. Or maybe just be a one-time contributor so there is no way to track you down if the hole is discovered.

    1. Re:Suggestions for evil? by menace3society · · Score: 1

      More importantly, if you covered your tracks properly, you wouldn't need an excuse at all. Set up a fake persona to submit it, and you can even have your real self speak out against this sort of behavior.

    2. Re:Suggestions for evil? by Henry+V+.009 · · Score: 5, Funny

      Well, I for one am willing to subvert the entire open source movement this way, but only for the United States government, and only for a great deal of money.

      Representatives of the NSA: if you're reading this, you know who I am and how to get in touch with me. And probably what I'm doing at exactly this moment.

    3. Re:Suggestions for evil? by Rycross · · Score: 2, Informative

      I'm pretty sure submitted code is reviewed, so you'd have to be pretty clever.

      It has been tried before. In this case, someone attempted to use the common C programming mistake of using the assignment operator instead of the comparison operator to backdoor the kernel.

    4. Re:Suggestions for evil? by Anonymous Coward · · Score: 5, Funny

      Representatives of the NSA: if you're reading this, you know who I am and how to get in touch with me. And probably what I'm doing at exactly this moment.
      Yes, we do. And we've got a request: next time you post something that will prompt us to monitor the surveillance cameras in your home, could you please put on some pants first?
    5. Re:Suggestions for evil? by Azghoul · · Score: 1

      Kent!

      Stop touching yourself!

    6. Re:Suggestions for evil? by ShawnX · · Score: 1

      I'm apparently on the drive-by list, but I'm not evil. Userspace is more fun.

      --
      Everyone wants a Tux in their life.
    7. Re:Suggestions for evil? by RiotingPacifist · · Score: 1

      Given the difficulty certain repeated contributors have getting code into the kernel, id guess that most of the one-timers are submitting small easily understood bug fixes. Sure its not like linux code is read as thoroughly as BSD but stuff doesn't just get stuck in there on trust either.

      --
      IranAir Flight 655 never forget!
  3. How many security vulnerabilities have they added? by Anonymous Coward · · Score: 0

    And how many years will it take to find and fix them?

  4. Well.... by Darkness404 · · Score: 4, Insightful

    Well when you think about it, 1 patch just happens to be the number that most people will use. For example, a hardware business may put in one patch to get a device to work, a software company may put in one patch to make other things work, an individual may put in one patch to fix an obvious bug, etc. The kernel, though needed is not what the end-user generally uses, so for the most part it is in the background as a stable kernel should be, making it less of a chance someone would find many bugs to have to fix.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Well.... by taniwha · · Score: 4, Insightful

      well, as an occasional patch submitter I think you're probably right - mine have all been itches I've needed to scratch (stuff that was broken that I needed) or bugs I found while wandering thru the code for other reasons - I don't do that often and as things have gotten more mature I'm just not finding problems I need fixing

  5. Drive-by by Rydia · · Score: 4, Interesting

    My own confusion as to the meaning of "drive by" in this context did make me wonder about ease of contribution.

    What if there were a bifurcation or distribution of the bug-fixing/feature-adding problem? This may be really stupid, but I imagine a situation where testers go through finding things that are wrong or where they go wrong, then submit that bit of code.

    On top of this, there is a system which grabs the trace and shows the bit of code where everything got derailed, and in other panes the stuff it called to, so anybody could look over the "offending" code, without having to be intimately familiar with the kernel or the library or whatever, since it is all laid out for them. Then, people can tinker with the code and submit them for (automatic, since you know what to look for) testing, maybe leave comments on the ticket to help others' or as a group try to figure it out.

    I don't have time to wade through mountains of kernel code looking for bugs, but I would be more than willing to look over a (relatively) small bit of code in a collaborative fashion to see if I pick up on something others had missed.

    1. Re:Drive-by by McGiraf · · Score: 1

      That is a very good idea, you should submit it to the kernel maintainers. I would be interested in contributing bug fixes like this.

  6. I'm one! by Kev+Vance · · Score: 4, Interesting

    Nice to see my name in 2.6.25 :)

    I submitted a workaround for a buggy USB device a few months ago, which was my first patch after using linux for more than 10 years. Usually when I find a problem in the kernel it's either already been fixed in a later version, or it looks too complicated for me to risk wasting my time on. I would bet that a lot of my one-off colleagues have had the same experience.

    --
    F0 07 C7 C8
    1. Re:I'm one! by smittyoneeach · · Score: 1, Flamebait

      I'm hoping to acquire the skillz.
      While stuck in the Manchester, NH airport, I've just had my first bootable 2.6.26-rc4 compile.
      With my Intel ICH7 drive, the ata_piix module apparently wasn't initializing things, and I had no /sys/block entries, and thus no /dev entries available after mdev to mount and boot.
      Everything is easy when you know how to do it, but the make menuconfig options had change enough from my previous bootable 2.6.25.x image that I was hating life for a while.
      Documentation? Stuff that: let's easter egg!
      Also, whatever change was made to change the resulting device from /dev/sda to /dev/hda was _particularly_ painful. Hope that doesn't flop around like a politician too much in the future. :/
      (Thank god that ordeal's over)

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  7. Re:How many security vulnerabilities have they add by Darkness404 · · Score: 1

    Hmm? I would say it would take less time and effort to find the malicious changes to the Linux kernel then it is for MS to fix all the (hopefully) non-malicious changes to Windows. Basically, the system isn't perfect, but it is Linux or Windows if you want an OS (yes, there are Macs but they are more expensive then most computers and the OS doesn't work on non-Macs without a bit of hacking) and it seems that Linux is much more secure then Windows can ever hope to be.

    --
    Taxation is legalized theft, no more, no less.
  8. They probably gave up... by Anonymous Coward · · Score: 4, Insightful

    ... whenever I've tried to submit a patch, it's a nightmare of process. Make sure you have the latest build, use the right diff tool, package it the right way, submit it to the right place, get the attention of the right person. Even then, you have to convince whomever that your patch is actually needed (are you sure you have the latest code, I'm not convinced that this is a real bug), and that your code doesn't stink -- "not invented here" is a huge problem.

    1. Re:They probably gave up... by Anonymous Coward · · Score: 2, Interesting

      I agree. The experience is pretty trying. It's worse if you're young and care too much about what people think of you, because you're trying to look really professional throughout the whole process. (My experience was with Git, not the kernel--but it's the same process.)

  9. Anonymous Cowards by Thelasko · · Score: 2, Funny

    I predict a record number of AC posts on this article.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    1. Re:Anonymous Cowards by Anonymous Coward · · Score: 0

      I can try

    2. Re:Anonymous Cowards by smittyoneeach · · Score: 2, Funny

      Better still, record number of one-off accounts with names like d1b946b97d71423f365fa797d1428e1847c0bec1 that look like
      #include "small_patch_preempted_by_fascist_Filter_error_ hmm_wonder_what_that_means_WRT_popularity_of_once_great_site as_I_break_this_up_to_work_around_yet_another_asinine_error.c"

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    3. Re:Anonymous Cowards by Anonymous Coward · · Score: 1, Funny

      I've had some success getting modded up here on /., so I tried a one-off submission to the Linux kernel. Haven't heard back from them so far. Here it is:

      --- filetable.c.orig
      +++ filetable.c
      +//
      +// You must be new here!
      +//
        exit(1);
        }

    4. Re:Anonymous Cowards by Anonymous Coward · · Score: 0

      Hey, that's the combination for my luggage!

  10. I've been thinking of doing this myself. by whoever57 · · Score: 2, Interesting

    I have been thinking of a single contribution to the kernel myself. I would like to see a link somewhere in /proc that points to the location of kernel source code used to build the currently running kernel. This would remove the need to the current hacks of using a link in /usr/src/kernel that may or may not point to the correct kernel source. This would be used by scripts that build kernel modules for code that is not in the normal kernel. If not a link, then a file whose contents is a file (somewhere in /proc) containing the pathname would also provide a similar capability.

    --
    The real "Libtards" are the Libertarians!
    1. Re:I've been thinking of doing this myself. by McGiraf · · Score: 1

      some distributions (all?) have a link to the headers somewhere in /lib/modules/kernel-version .

    2. Re:I've been thinking of doing this myself. by piojo · · Score: 1

      Wouldn't you rather have it as a configured variable whose value shows up in /proc/config.gz? The problem I see with it actually being a value in /proc is that this would imply that it's accurate at runtime, which is impossible to ensure. (For example, if a user moves or updates the sources.)

      --
      A cat can't teach a dog to bark.
    3. Re:I've been thinking of doing this myself. by bfields · · Score: 1

      I would like to see a link somewhere in /proc that points to the location of kernel source code used to build the currently running kernel.

      Of course, chances are if you're patching kernels and such then the source at that path will change, and you'll forget about it.

      The reason that, e.g., /proc/config.gz is useful, is that that config file is actually built in to the running kernel image. So it's pretty hard for it to get out of sync with the running kernel. But few people are going to want the entire kernel source tree copied into their kernel image, so that trick's not going to work here.

      The better way to solve this problem is using the kernel version number; e.g. if you're building from a git repository, the name of the git commit that the kernel was actually built from is automatically included:

      # uname -r
      2.6.26-rc4-00107-g4b7a993

      But you can do this sort of thing yourself--see e.g. CONFIG_LOCALVERSION in the kernel config.

    4. Re:I've been thinking of doing this myself. by whoever57 · · Score: 1

      The problem I see with it actually being a value in /proc is that this would imply that it's accurate at runtime, which is impossible to ensure. (For example, if a user moves or updates the sources.)
      As opposed to say a link in /usr/src, which may or may not be correct? Yes, it's not perfect, but it would be better than what is used today. And, as for "updating the sources" -- the point is that when you want to run one of these scripts that needs to know where the kernel sources are, it doesn't want to know what was the location of the latest kernel version you built was, it wants to know the location of the running version.
      --
      The real "Libtards" are the Libertarians!
    5. Re:I've been thinking of doing this myself. by piojo · · Score: 2, Interesting

      The fact that I disagree aside, you might be interested in this. It's Linus Torvalds explaining why /usr/src/linux actually shouldn't contain the sources of the kernel that is running, but the sources that glibc is linked against.

      --
      A cat can't teach a dog to bark.
    6. Re:I've been thinking of doing this myself. by whoever57 · · Score: 1

      It's Linus Torvalds explaining why /usr/src/linux actually shouldn't contain the sources of the kernel that is running, but the sources that glibc is linked against.
      I don't read it that way. He appears to be complaining about a symbolic link called /usr/include/asm.
      --
      The real "Libtards" are the Libertarians!
  11. I'm... by fitten · · Score: 1

    I'm a drive by contributor to the "Drive-By Contributors to the Linux Kernel" thread!

  12. Not the way to do it by mbessey · · Score: 2, Interesting

    That's not a very good example. Hacking a CVS repository and adding a relatively easy to detect root exploit isn't how you'd want to go about this. It's far too likely to get noticed.

    As the parent poster mentioned, you'd ideally want to submit a fairly large patch that does something useful (fixes a bug, adds a minor feature), but whicvh itself contains an exploitable bug.

    The trick would be in making the submission large enough and the bug subtle enough that it just skates past review. Of course, it'd be *much* easier to insert bugs into any other Linux project, rather than the kernel. Not as much exposure to ultimately exploit, but there are quite a few executables and libraries that nearly every Linux system uses.

    1. Re:Not the way to do it by Rycross · · Score: 2, Interesting

      Kinda like the OpenSSH fix that went in and removed the entropy collection, thus severly weakening the security? Except done maliciously. Hmm, that would be interesting.

    2. Re:Not the way to do it by Anonymous Coward · · Score: 1, Informative

      Please don't confuse OpenSSH and OpenSSL. Especially the OpenSSL from Debian.

    3. Re:Not the way to do it by Rycross · · Score: 1

      My mistake. Too bad I can't edit the posts. I even Googled it before posting too.

    4. Re:Not the way to do it by LingNoi · · Score: 1

      It's a good idea but the problem is that you first have to come up with a useful patch which is then going to move its way up the branches before it hits Linus's kernel tree. By the time it gets there it's probably been reviewed quite a few times by different people.

      Also patches get rejected all the time, even useful ones because they aren't up to standard.

  13. Really good idea by Enderandrew · · Score: 2, Interesting

    I think this is a very good idea as well. Right now I wish I had mod points. The kernel is just massive code-wise, not to mention there are tons of legacy bits of code that can be reduced, or just removed, or rewritten but people don't have the time to hunt them all down.

    Quite frankly, I'd love to see professors assign this sort of thing as homework to their students. Grab a piece of OSS, and squash a bug. Or give them a reasonable size chunk of code and have them review it.

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    1. Re:Really good idea by i.r.id10t · · Score: 1

      I teach an "intro to linux admin" course at a local comm. college, and I offer an A for anyone who gets a kernel patch into the main tree and submitted it using their student email address. No takers yet, but I'm hoping one day...

      --
      Don't blame me, I voted for Kodos
  14. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  15. How many contributed 0 patches? by Gavin+Scott · · Score: 4, Interesting

    'the distribution of all of our users are: 50% only contributed 1 patch; 25% contributed 2; 12% contributed 3; 6% contributed 4 and so on ...'"
    Ah, but how many people wanted or attempted to contribute a patch but the process was either too complex or the powers that be just couldn't be convinced of the patch's value and so it didn't make it in?

    I think that would be a very interesting statistic.

    G.
    1. Re:How many contributed 0 patches? by JasterBobaMereel · · Score: 1

      Sounds like a good way of stopping lazy, stupid, and pointless patches getting into the kernel ...

      It is the old principal of 'stupid' managers, anything someone is still trying to explain to you after 15 minutes is probably worth paying attention to ...

      If someone can actually be bothered to go through the process of submitting a patch and do it correctly then they the code they are submitting is much more likely to be useful....

      --
      Puteulanus fenestra mortis
  16. Yeah, that was what I had in mind by mbessey · · Score: 2, Insightful

    I was even going to call out the Debian OPENSSL debacle as an example, but I figured they'd had enough grief over it already.

  17. Ego by mqduck · · Score: 3, Insightful

    Sorry if someone already said this, but here's what I think: All you have to do is write a patch that gets in *once* and you can forever brag about how your code is in the Linux kernel.

    --
    Property is theft.
    1. Re:Ego by chunk08 · · Score: 1

      SCO didn't even go that far. They just bragged (or whined) about their code being in Linux. No contribution necessary.

      --
      Do away with our corrupt tax code. Support the Fair Tax
    2. Re:Ego by Icarium · · Score: 1

      ... Until you check the source code a year later and see the "Removed - What idiot wrote this? " comment where your precious code used to be.

  18. Re:How many security vulnerabilities have they add by Anonymous Coward · · Score: 0

    You are an idiot if you think there is only Linux, Windows, and OS X to choose from.

    And it's far more secure and logically built than Linux.

  19. Why put it in one patch? by patio11 · · Score: 3, Interesting

    The Internet is a wide open place. Software testing is inadequate. I'm sure there is no way you could possibly have known that when combined with that patch from the florist in Scotland, your code could possibly overwrite a few bytes of memory if called with an unlikely sequence of parameters. Whoops, I clobbered the userid? How silly of me.

    Alternatively, accomplish the same thing via 2+ patches to 2+ projects which are likely to be used together. One patch against httpd + one patch against php = potential for a lot of mischief. Its not hard to fit a key to a lock when you're allowed to modify both the key and the lock to suit your tastes.

    --
    Help poke pirates in the eyepatch, arr.
  20. They prob. had good reasons to refuse your patches by this+great+guy · · Score: 3, Interesting

    These stringent development procedures are precisely what make the Linux kernel that robust. It's not the code, it's the coding procedures. Your patches should be documented, easy to review, QA, and apply. I wouldn't accept patches from a sloppy developer who wouldn't be bothered following the appropriate procedures.

  21. Re:They prob. had good reasons to refuse your patc by Anonymous Coward · · Score: 0

    Maybe not straight into the kernel tree, but if a person can only contribute 25% of what needs doing and do so, shouldn't inherently prevent a patch from being accepted.

    Patch submission shouldn't inherently require the patch to be 'complete' to be catalogued (and potentially included).

    However, this barrier to entry may help ensure that the patches that do get submitted are only of a reasonably high quality. (If you're going to take the time to figure out how to do the rest, you're probably fairly thorough/methodical).

  22. Re:How many security vulnerabilities have they add by Anonymous Coward · · Score: 2, Funny

    it is Linux or Windows if you want an OS You just really pissed off the whole freeBSD userbase. Both of them.

  23. another reader, Greg KH ??? by gwniobombux · · Score: 1

    Would you please get a clue, who Greg Kroah-Hartman is? Thanks.

  24. Re:They prob. had good reasons to refuse your patc by quanticle · · Score: 1

    Maybe not straight into the kernel tree, but if a person can only contribute 25% of what needs doing and do so, shouldn't inherently prevent a patch from being accepted.

    I'm not sure about that. Arguably, if you're not experienced enough to follow good coding procedures and have proper tests and documentation, you have no business to be messing about with the kernel. Same if you don't have knowledge of the concepts behind low level OS code.

    As a user of the Linux kernel, I expect it to perform reliably. Having a high code quality standards helps ensure that. In the open source model you only get an opportunity to have your code included, not a right.

    --
    We all know what to do, but we don't know how to get re-elected once we have done it
  25. Obvious flaw by jgoemat · · Score: 1

    The most obvious flaw I can think of is that the newer releases have fewer follow-up releases with which to submit extra patches. This doesn't seem to be mentioned in the article. For instance the 2.6.25 release is the most current. Of course all 'new' submitters to the 2.6.25 release will not have submitted any more patches. All 'new' submitters to the 2.6.24 release will have had the chance to also submit a patch for 2.6.25.

    Let's assume that each release has 100 'new' submitters and that the chance they will submit another patch in each following release decreases by 50%.

    1. Release 1 will have 100 new submitters that will never have released another patch.
    2. Release 2 will have 100 new submitters that will never have released another patch, but now 50 of release 1 submitters will have released another patch.
    3. By release 3, 75 R1 submitters will have released another patch, 50 R2 submitters will have also and of course no R3 submitters will have released a second patch.

    This makes perfect sense if 'new' submitters start submitting all the time. Anyone that expects someone that 'just' submitted a patch to have submitted a patch to a non-existent future release already is an idiot. This would only make any kind of sense if you included the number of 'new' submitters in each release, not just the ones that were never heard from again. Having the number of future patches and how long it took for them to release another patch would help you understand the numbers even better. For instance, if there were 304 new submitters to 2.6.11 and it took them on average 8 releases to submit another patch then the 304 number for 2.6.25 could be the same and simply the sign of a continually growing developer community. Give those people that first submitted to 2.6.25 another 14 releases to submit more patches and maybe the number of "one-time" submitters would shrink to 63.