Seems to be a repost - article dated Apr 30, 2021 at 4:45 PM GMT+2. Original HN discussion is linked in the current topic.
From the mailing list:
Date: Wed, 21 Apr 2021 14:57:55 +0200
Note this is a rather old topic.
The article says “One could argue that their process was similar, in principle, to that of white-hat hacking: play around with software, find bugs, let the developers know.” I’m not buying this crap; what the University of Minnesota did was closer to an adult randomly beating the neighbourhood’s kids, stealing their money, and then someone claiming “he’s teaching them self defence”. It is completely unethical and immoral.
I also think both Greg and Dolan were pushovers, trying to be reasonable and co-operative towards a clearly hostile entity. And, in the process, bringing guns to a sword fight:
- submissions with a umn.edu address should not be “default” rejected; they should not be accepted at all. If you belong to a hostile entity you don’t get to put on your CV “I contriboot with OS projex”
- Dolan’s demands boil down to “help us to fix your mess, don’t benefit from it, and ensure it won’t happen again”. That’s the bare minimum.
It reminds me of how xz was attacked even worse: a very long-term effort to become co-maintainer and then trigger a hidden attack, detected only because someone working on PostgreSQL saw a lag that should not have been there. In my opinion, the main issue is not hypocrite commits, but profiting from maintainer burnout to push some malevolent code through core packages with small maintainer teams. As users, we have a responsibility to not be assholes, or pushy to maintainers.
I’d cry if Linus was this mad at me




