Arbitrary anonymous submissions don't go into the kernel in general. The point[1] behind the Signed-off-by line is to associate a physical human being with real contact information with the change.
One of the reasons this worked is likely that submissions from large US research universities get a "presumptive good faith" pass. A small company in the PRC, for example, might see more intensive review. But given the history of open source, we trust graduate students maybe more than we should.
[1] Originally legal/copyright driven and not a security feature, though it has value in both domains.
> A small company in the PRC, for example, might see more intensive review.
Which is a bit silly, isn't it? Grad students are poor and overworked, it seems easy to find one to trick/bribe into signing off your code, if you wanted to do something malicious.
Grad students have invested years of their life, for no reward, in research on a niche topic. Any ding to their reputation will adversely affect their entire career. I doubt this guy would get a post doc fellowship anywhere after this.
> Any ding to their reputation will adversely affect their entire career.
If this is foolproof, then no-one should be talking about the replication crisis.
People don't do bad things _expecting_ to be caught, if they haven't already convinced themselves they're not doing anything bad at all. And I suspect it's surprisingly easy to convince people that they won't get caught.
But they published papers about their misconduct... I don't know how they haven't been sanctioned already.
Replication is really a different problem. It's possible for you to do nothing wrong, run hundreds of trials, get a great result and publish it. But it was due to noise/error/unknown factors, and can't be replicated. The crisis is also that replication receives no academic recognition.
When people fabricate results they know it's an offence, the problem with these guys is they don't even acknowledge/understand the ethical rule they are breaking.
Well, there's nothing easier to corrupt than a small company (not just in the PRC), because you could found one specifically to introduce vulnerabilities without breaking any laws in any country I know of.
They do if the patch "looks good" to the right people.
In late January I submitted a patch with no prior contributions, and it was pushed to drm-misc-next within an hour. It's now filtered its way through drm-next and will likely land in 5.13.
Right? It's true that all systems can be gamed and you could no doubt fool the right maintainer to take a patch from a fraudulent source. But the point is that it's not as simple as this grad student just resubmitting work under a different name.
> But your signed-off-by was a correct email address with your real identity, as per
Maybe?
My point with the above comment was more to point out that there is no special '"presumptive good faith" pass' that comes along with a .edu e-mail address, not that it's possible to subvert the system (that's already well known).
Everyone, including some random dude with a Hackers (1995) reference for an e-mail address (myself) gets that "presumptive good faith" pass.
The ban is aimed more at the UMN dept overseeing the research than at preventing continued "experiments." I imagine it would also make continued experiments even more unethical.
It trashes University of Minnesota in the press. What is going to happen is that the president of the university now is going to hear about it, so will the provost and so will people in charge of doling money. That will rapidly fix the professor problem.
While people may think that tenured professors get to do what they want, they never win in a war with a president and a provost. That professor is toast. And so are his researchers.
Their whole department/university just got officially banned. If they attempt to circumvent that, the authorities would probably be involved due to fraud.
I believe this is so that the university treats the reports seriously. It's basically a "shit's broken, fix it". The researchers are probably under a lot of pressure from the rest of the university right now.
If you're a young hacker that wants to get into kernel development as a career, are you going to consider going to a university that has been banned from officially participating in development for arguably the most prolific kernel?
The next batch of "researchers" won't be attending the University of Minnesota, and other universities scared of the same fate (missing out on tuition money) will preemptively ban such research themselves.
"Effective" isn't binary, and this is a move in the right direction.