One of the reason this worked is likely that submissions from large US research universities get a "presumptive good faith" pass. A small company in the PRC, for an example, might see more intensive review. But given the history of open source, we trust graduate students maybe more than we should.
[1] Originally legal/copyright driven and not a security feature, though it has value in both domains.
Which is a bit silly, isn't it? Grad students are poor and overworked, it seems easy to find one to trick/bribe into signing off your code, if you wanted to do something malicious.
In late January I submitted a patch with no prior contributions, and it was pushed to drm-misc-next within an hour. It's now filtered it's way through drm-next and will likely land in 5.13.
https://github.com/torvalds/linux/blob/master/Documentation/...
Right? It's true that all systems can be gamed and you could no doubt fool the right maintainer to take a patch from a fraudulent source. But the point is that it's not as simple as this grad student just resubmitting work under a different name.
It trashes University of Minnesota in the press. What is going to happen is that the president of the university now is going to hear about it, so will the provost and so will people in charge of doling money. That will rapidly fix the professor problem.
While people may think that tenure professors get to do what they want, they never win in a war with a president and a provost. That professor is toast. And so are his researchers
At least it might prompt the University to take action against the researchers.
The next batch of "researchers" won't be attending the University of Minnesota, and other universities scared of the same fate (missing out on tuition money) will preemptively ban such research themselves.
"Effective" isn't binary, and this is a move in the right direction.
