> Does this project waste certain efforts of maintainers?
> Unfortunately, yes. We would like to sincerely apologize to the maintainers involved in the corresponding patch review process; this work indeed wasted their precious time. We had carefully considered this issue, but could not figure out a better solution in this study.
Here’s a better solution: don’t do it. You do not have a divine right to carry out this “research” no matter what.
> Does this project waste certain efforts of maintainers?
> Unfortunately, yes. We would like to sincerely apologize to the maintainers involved in the corresponding patch review process; this work indeed wasted their precious time. We had carefully considered this issue, but could not figure out a better solution in this study.
Have they ever heard about carbon offsets? How about finding/performing work that offsets the abuse of time of the maintainers involved? (Hint: it's not too late to do this to show you really are sorry. You won't be trusted at first but it's the right thing to do.)
Beyond any other damage they did, they are wasting the life time and energy of the kernel developers currently sorting out this mess. To me, that is on the same level as locking them up in a room against their will. This could be considered a felony.
In any case, they should make up for the economical part of the damage they caused, that is be billed for the hours the kernel developers spend in resolving the matter at hand at a high market rate (and probably above for punitive damages).
It would handle the issue of consent, but not answer the question they were researching: "Would this bug get into the kernel?" Because if the maintainers knew that this was research, not an actual ordinary patch, they'd be answering a hypothetical: "Would I accept this, if it were an actual ordinary patch?" I don't think people are wired to answer that exactly the same if they know it's a hypothetical as if they were answering it non-hypothetically, "Should we accept this patch into the kernel?" So the only way to really find out what would happen in reality is to really do it for real... So that's what they did.
What's weird is of course that they didn't tell anyone. In the fairly analogous situation of "white-hat hacker" penetration testing, the penetrators have authorization from either someone (fairly high up in) the security department of the organisation to be tested, or if that whole department is being evaluated someone even higher than that; without that authorization it's not white-hat testing but just black-hat cracking. They should have privately contacted mr Kroah-Hartman, and/or Linus himself, beforehand and asked if they were amenable to this. Then they could have had the option to accept and be in on it, not comment on but silently monitor the patches in question, and at the end of the experiment reveal the results to their fellow maintainers and revert any specific patches -- which they would have been continuously kept informed about out-of-band -- that had made it through review.
Provided of course that they, Greg K-H or Linus or whoever, would have been comfortable with temporarily deceiving -- or letting be deceived -- their fellow maintainers, of course. Or, well, even if they weren't exactly "comfortable" with it, seems to me there's a chance they might have gone for it because of the valuable knowledge it would have gained the community. The "reveal" afterwards, coming first from one of these trusted people, would probably go down a lot better in the maintainer community than it did as this secret external attack.
and Kangjie Lu's response: https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....