Official statement regarding recent Greg’s commit 6e90b675cf942e from Serge Semin

Hello Linux-kernel community,

I am sure you have already heard the news caused by the recent Greg’s commit 6e90b675cf942e (“MAINTAINERS: Remove some entries due to various compliance requirements.”). As you may have noticed the change concerned some of the Ru-related developers removal from the list of the official kernel maintainers, including me.

The community members rightly noted that the quite short commit log contained very vague terms with no explicit change justification. No matter how hard I tried to get more details about the reason, alas the senior maintainer I was discussing the matter with hasn’t given an explanation to what compliance requirements that was. I won’t cite the exact emails text since it was a private messaging, but the key words are “sanctions”, “sorry”, “nothing I can do”, “talk to your (company) lawyer”… I can’t say for all the guys affected by the change, but my work for the community has been purely volunteer for more than a year now (and less than half of it had been payable before that). For that reason I don’t have any (company) lawyer to talk to, and honestly after the way the patch has been merged in I don’t really want to now. Silently, behind everyone’s back, bypassing the standard patch-review process, with no affected developers/subsystem notified - it’s indeed the worst way to do what has been done. No gratitude, no credits to the developers for all these years of the devoted work for the community. No matter the reason of the situation but haven’t we deserved more than that? Adding to the CREDITS file at least, no?..

I can’t believe the kernel senior maintainers didn’t consider that the patch wouldn’t go unnoticed, and the situation might get out of control with unpredictable results for the community, if not straight away then in the middle or long term perspective. I am sure there have been plenty ways to solve the problem less harmfully, but they decided to take the easiest path. Alas what’s done is done. A bifurcation point slightly initiated a year ago has just been fully implemented. The reason of the situation is obviously in the political ground which in this case surely shatters a basement the community has been built on in the first place. If so then God knows what might be next (who else might be sanctioned…), but the implemented move clearly sends a bad signal to the Linux community newcomers, to the already working volunteers and hobbyists like me.

Thus even if it was still possible for me to send patches or perform some reviews, after what has been done my motivation to do that as a volunteer has simply vanished. (I might be doing a commercial upstreaming in future though). But before saying goodbye I’d like to express my gratitude to all the community members I have been lucky to work with during all these years.

  • Matty_r@programming.dev
    3 months ago

    Honestly must be incredibly stressful managing a project like the Linux kernel. Governments constantly wanting changes made for their own purposes, companies leeching off the work of volunteers, neck beards losing their minds over some change they don’t like.

    I don’t envy them at all. This sort of change was inevitably going to piss people off - it could have been handled better but I think it was going to be lose/lose no matter which way it was done.

    • Norah (pup/it/she)@lemmy.blahaj.zone
      3 months ago

      I personally think this is a cop out. Obviously people would have been outraged either way, but personally my only issue is about how it was done. The whole point of the FOSS community is openness and transparency. The senior maintainers of arguably the most important FOSS project trying to operate secretively on something like this has shattered my trust in them, as well as many others.

      • 0x4E4F@infosec.pub (OP)
        3 months ago

        The senior maintainers of arguably the most important FOSS project trying to operate secretively on something like this has shattered my trust in them, as well as many others.

        Basically, my stand on this.

        And that it was dismissed like it was “no big deal” by Linus and some of the other senior maintainers.

        But seriously, Linus’s comment regarding this was… just… I have no words… he basically put every Russian in the same basket, called them trolls and added a racist comment on top of that, I mean… yeah, I lost all respect for him. At least his previous fits were about code and only if someone fucked up something, this is completely different.

        • secretlyaddictedtolinux@lemmy.world
          3 months ago

          But seriously, Linus’s comment regarding this was… just… I have no words… he basically put every Russian in the same basket, called them trolls

          There are a huge number of online Russian trolls. That part of his response was not hyperbolic. They do have troll factories there to influence public opinion.

          The problem is this still leads to questions about transparency about the project in general and how this decision was made and whether it was made by those involved in the project or was an order from the US government.

        • mihor@lemmy.ml
          3 months ago

          Exactly, that’s also my view. In Serge’s thread somebody else said Linus used to be his role model but now he is questioning his own beliefs. Sums up my feelings perfectly.

          It sucks so bad, Linus really screwed up big time, and GKH dropped the ball as well. What kind of a hellish timeline is this?

      • pressanykeynow@lemmy.world
        3 months ago

        My main concern with this happening is how much secret control the US government has over top Linux maintainers. Many commenters say that Linus couldn’t refuse the request from the government because he lives in the US and Linux Foundation is in the US. So what other requests from the government known to put backdoors into software they couldn’t refuse in the past or won’t be able to refuse in the future?

        • secretlyaddictedtolinux@lemmy.world
          3 months ago

          Yes, this is exactly my same thoughts.

          This is terrifying.

          I don’t like what the Russian government is doing and Putin is cruel and evil, albeit intelligent (which makes him even more terrible).

          That being said, in the US, government agencies can order a company to do certain things, put in certain code, or whatever and then issue a gag order as part of that preventing disclosure. And although there’s a limit to how much that can screw over open-source software users, we do not know what exploits nation-states have, we don’t know what backdoors are in different chipsets or closed-source firmware.

          If a developer writing open source code can be blacklisted so easily without transparency into the process, it suggests the company is being ordered to do certain things and not disclose them by the US government, which is a government that still engages in torture.

          Notice how they are not coming out and saying “We were not ordered to do this by any government agency.”

          Could the foundation be forced to elevate a developer with government ties who then is able to “accidentally” put in an extremely hard to detect exploit into linux that won’t be detected at first and only patched later?

          I really wish companies associated with linux were not in a country that lacked transparency with government regulations and in which gag orders were not possible.

  • Omega_Jimes@lemmy.ca
    3 months ago

    It sucks if well meaning people are caught up in this, but it also sucks if you’re living in the aggressor state of an ongoing war.

    • x00z@lemmy.world
      3 months ago

      These people allegedly work for companies that work for the Russian war machine. They will regain privileges if they don’t work for them. So if they find a moral job, they’ll be treated morally.

  • kbal@fedia.io
    3 months ago

    Later in that thread:

    Please accept all of our apologies for the way this was handled. A summary of the legal advice the kernel is operating under is

    If your company is on the U.S. OFAC SDN lists, subject to an OFAC sanctions program, or owned/controlled by a company on the list, our ability to collaborate with you will be subject to restrictions, and you cannot be in the MAINTAINERS file.

    Anyone who wishes to can query the list here: https://sanctionssearch.ofac.treas.gov/

    • schizo@forum.uncomfortable.business
      3 months ago

      Which is exactly what anyone who wasn’t wanting to just snort some concentrated outrage knew was the case.

      And you can argue as to if OFAC list should apply to things like this or not, but the problem is that the enforcement options for OFAC violations include ‘stomp you into the ground until you’re powder’, most people are just going to comply.

        • 0x4E4F@infosec.pub (OP)
        3 months ago

        Also from that thread.

        Again, we’re really sorry it’s come to this, but all of the Linux infrastructure and a lot of its maintainers are in the US and we can’t ignore the requirements of US law. We are hoping that this action alone will be sufficient to satisfy the US Treasury department in charge of sanctions and we won’t also have to remove any existing patches.

        US law CAN’T apply on foreign ground, period. Nothing can. Just because they can bully their way around that, doesn’t mean they are right.

        And it should be only fair that Israeli maintainers be removed as well.

        They should also rethink their infrastructure policy and whether they still want it on US soil.

        This is all wishful thinking, I know, but this just goes to show you how they have absolutely no backbone whatsoever. As if anybody is gonna touch the Linux kernel and jeopardize the safety of millions of systems. We all know that is never going to happen, but they still bent over for the US… so typical… just goes to show you how little backbone everyone has, including Linus.

        Oh, and don’t get me started on the Russia/Finland history comment…

        • prole@lemmy.blahaj.zone
          3 months ago

          Does everyone here just not understand how international sanctions work?

          As someone with a STEM degree in a STEM field, I’m consistently bummed out by how clearly silo’d my colleagues’ educations were. It is so plainly obvious as soon as you try to have a conversation with them about anything outside of their area of expertise.

          And don’t bother trying to correct or teach them anything, because in their minds, they’re smarter than you, and you have nothing worthwhile to teach them.

          This thread is full of software engineers with just no concept of how society functions, or even a basic understanding of the geopolitical context of any of this.

            • 0x4E4F@infosec.pub (OP)
            3 months ago

            This thread is full of software engineers with just no concept of how society functions, or even a basic understanding of the geopolitical context of any of this.

            The whole idea of open source is that you can contribute without restrictions and regardless where you live.

            • JackbyDev@programming.dev
              3 months ago

              I don’t think free software/open source has ever guaranteed the ability to maintain a specific project. Only the freedom to modify the software. They haven’t been stripped of that core freedom from the GPL which is the closest thing there to what I think you’re talking about.

                • 0x4E4F@infosec.pub (OP)
                3 months ago

                They have been stripped of a role because of a thing that has nothing to do with their competence to contribute to the project. Quality of code is all that matters in open source, not who you are or who you work for.

        • BCsven@lemmy.ca
          3 months ago

          If the company is in the USA they can restrict who you collaborate with. They also can control what you export as a software product under ITAR/EAR rules. It is why when some encryption work had to be done the devs crossed the border into Canada to work on development, because under USA law encryption code is a controlled export product even if open source.

            • 0x4E4F@infosec.pub (OP)
            3 months ago

            Then why in the hell was the LF founded in the US? That is something that clearly needs explaining. For example, Sweden is a much better place to do these sorts of things, their software laws are very liberal.

            Some of these things need to be rethought if you ask me, this is not something that should be left like this. If no one in the kernel, including Linus, sees a serious problem with “we have to move people around to code”, then most of these people are probably braindead… I’m sorry, but if it was me, once I found out I had to move devs around to code, I would have been “fuck this we’re moving the foundation”.

            • kattfisk@lemmy.dbzer0.com
              3 months ago

              You might be surprised to learn that Sweden also has sanctions against Russia, together with the rest of the EU, Norway, Switzerland, Japan, Australia, South Korea and a bunch of other countries. Because this is not about the US being an ass, it’s about Russia being an ass.

                • 0x4E4F@infosec.pub (OP)
                3 months ago

                I wasn’t saying that Russia is not an ass, I was just saying that the whole point of open source is that it’s above borders and nationalities, religion, sexual orientation, etc. It should be an imperative to keep these core values, not bend over backwards when even no warning has been issued, which I’m fairly certain it would have never happened. And on top of that, Linus’s reaction to them being Russian, I mean… come on!

                • kattfisk@lemmy.dbzer0.com
                  3 months ago

                  I’m sorry but that is absolutely not “the whole point of open source”.

                  The point of open source is the ability to read, modify, keep and share the source code of the software you use.

              • secretlyaddictedtolinux@lemmy.world
                3 months ago

                You don’t get it. It’s the lack of transparency about kicking these people out, not the kicking these people out, that is the problem. Who made the decision?

                It makes sense to sanction Russia for being an ass but the way this was done doesn’t feel open, and many people sense it.

            • secretlyaddictedtolinux@lemmy.world
              3 months ago

              It would be much better if the company were not in a place in which gag orders can be issued, leaving questions as to transparency.

              As it stands now, it isn’t clear if Linus is just “grouchy” about this with a unique personality or if the foundation got an NSL and can’t say anything. And that leads to questions about whether there were other NSLs other than this one and if it’s had an impact on the code.

              Exploits are so hard to detect sometimes if done well and often although they get patched… eventually… the damage is done prior to the patch. The US government, despite doing lots of good things, engages in torture. And even if the US government is the “good guy,” this leads to less trust in the open-source ecosystem, no matter what the justification.

    • Snot Flickerman@lemmy.blahaj.zone
      3 months ago

      But folks who work for US companies building weapons for Israel are totes okay?

      It’s honestly fucking wild that an internationally developed open source project has to play by the US government’s rules when the US government is out here helping commit genocide right the fuck now.

      Like, look in the fucking mirror on this why don’t you.

      Maybe the better rule is that if you work for a company that produces weaponry for war you shouldn’t be allowed to contribute, period.

      • kbal@fedia.io
        3 months ago

        You may be amazed to learn that there aren’t many international sanctions against the USA at this time, but I imagine you could probably get into legal trouble for collaborating with Americans if you’re in, I don’t know, North Korea maybe.

          • kbal@fedia.io
            3 months ago

            Address your complaints to the government of the USA. Or, if you have the right to do so, cast a vote in the upcoming election there to prevent it taking a big step in the opposite direction from a world in which it might consider anything like similar sanctions against Israel.

            • davel [he/him]@lemmy.ml
              3 months ago

              “Write a stern letter to a foreign government” and “Vote against ‘very probable 101% genocide’ and for ‘proven 100% genocide’” are some weak tea, and beside the point being made.

      • Orygin@sh.itjust.works
        3 months ago

        Wow, I didn’t know that being a Linux/open source contributor meant you don’t have to follow your country’s laws.

        It’s developed internationally but devs still reside somewhere and have to abide by the rules at that place. Linux in this case being represented by a US entity means they have to follow the gov’s sanctions. If you want more or less of those, that’s where (the government) you act.

        • secretlyaddictedtolinux@lemmy.world
          3 months ago

          This isn’t about them being kicked out, this is about the fact we don’t know the process that resulted in this. Was this a decision Linus made after a night coding and thinking about the world? Was the foundation ordered to do it?

          It lacks transparency into the process even if the outcome is fine and the way it was done doesn’t feel transparent, even if it makes sense not to include Russian coders in the project.

    • pound_heap@lemm.ee
      3 months ago

      Not nationality but alleged involvement with sanctioned organizations. There are plenty of Russian names on maintainers list remaining.

      • refalo@programming.dev
        3 months ago

        I still don’t think something so important should be beholden to the whims of one company (Linux Foundation) or their country’s laws (USA).

        I would strongly prefer to use an operating system that didn’t have this problem. Do any even exist?