Several Russian developers lose kernel maintainership status
lwn.netThe email thread continues. Linus later responded with:
>No, but I'm not a lawyer, so I'm not going to go into the details that I - and other maintainers - were told by lawyers. >I'm also not going to start discussing legal issues with random internet people who I seriously suspect are paid actors and/or have been riled up by them.
Which I find pretty concerning statements, quite a disservice to the community. It's a global community, and here the maintainers take some action without explanation. They don't even have a communiqué at hand to tell people what this action is, why it was taken, and which alternatives were considered but rejected. This is the bare minimum that I expect of the maintainers of a piece of software that is very critical to many millions of systems worldwide. Counting on the goodwill of users is not acceptable for an operating system that underpins the security of people's computers.
Open source means put up or shut up. If you don’t like the institutions, then build it yourself.
You can’t cry foul when the group is literally providing you with free software. Open source institutions don’t own anyone anything beyond open software.
That is the letter of the law, yes. I would suggest though that the spirit / intent behind the law includes fostering a community, which in turn encourages open and clear communication.
> spirit / intent behind the law
What specific law are you talking about?
the GPL
The GNU General Public Law?
No, the legally binding licenses that fall under the purview of Copyleft enforcement. A critical component of modern Free Software is licenses that absolve the primary author of liability that is implicitly agreed-upon when contributing third-party code. If these contributors disagreed with the terms of the GPL then they had 30 years to realize it.
And right now Linus is not putting up, is suddenly actively refusing to put up, and we're all very concerned about that.
As an open source community leader, putting up consists of leading well, and transparently. It's not just a coding role. He may have inherited the leadership role by being the original coder but he has to keep it by being a worthy leader.
I speculate Linus or Greg received the equivalent of a National Security Letter. Otherwise they could point to the regulations.
That's the first thing came to my mind too.
While a little bit too much of a guess, it's quite possible that whatever three letter agency finally had a high-confidence note on who was behind the XZ backdoor and decided to issue an (blatant) order to kick out all Russian maintainers, because that's how USG usually works.
>the group is literally providing you with free software
It's not their software. Linux kernel is written by thousands of people from all around the world.
The quoted text is a great mechanism to turn your brain off. "Oh, they giving me stuff. They must be good then and can do no wrong. I can turn my brain off and go sleep."
If you scroll down on the thread linked, someone mentions the reason isn't that the developers are Russian, but because their employers in Russia are sanctioned companies.
I don't know if that's accurate, but seems feasible. If so I'm 100% behind it.
It'd be nice to know the exact reasoning for this, rather than just see a commit without any context of why they're being removed. I'm pretty sure we'll know in due time.
I think it's more likely that everyone will forget in a few days and we will never know. Maybe there will be few more random bans.
I highly doubt anyone banned will even try to send "sufficient documentation". The wording is as vague and arbitrary as it gets, and the underlying tone sounds to me not like "we have such and such requirements", but like "some Russian-sounding names are banned, but we still have to demonstrate there is a due process".
Reminds me of banks. Banks are fined for not having processes for detecting money laundering. Not money laundering, mind it, just having "inadequate" processes. If such a process flags someone, that someone is blocked and they should provide "sufficient documents", but the bank is not allowed to tell them why or what, that would be "tipping off", which is illegal. And then it all comes down to bank's internal policies (that the bank is not allowed to disclose) or even a personal relationship with a branch manager.
> Banks are fined for not having processes for detecting money laundering. Not money laundering, mind it, just having "inadequate" processes. If such a process flags someone, that someone is blocked and they should provide "sufficient documents",
Isn't that how most compliance regulation works? You can't force companies to have a perfect record of preventing something, no matter how you structure things, so instead of trying to do so, you setup something that will at least preventing it somewhat. And then you fine the companies who don't do anything to prevent the issue.
I'm not a lawyer, but I don't think so. For example, there is no penalty for not having an accountant on payroll. But there are some for not keeping adequate records. I suspect it's irrelevant whether you have a full-time accountant so your records are always in order, or if you do nothing all year and hire someone for a big overhaul each December and also every time authorities need something.
> "some Russian-sounding names are banned, but we still have to demonstrate there is a due process".
That's not true! There are still many Russian maintainers in the kernel, but they are not based in Russia. They only banned individuals, based in Russia, who are employed by sanctioned companies.
As a neighboring comment mentioned, at least one banned individual seems to be based in the US is employed by Amazon, as per their LinkedIn, including some old posts: https://news.ycombinator.com/item?id=41933300
They just happened to still use their older .ru email in the MAINTAINERS file.
Then he should send that info and he will be reinstated :shrug:
Well, we have a response from Linus himself, in his usual style: https://lore.kernel.org/all/CAHk-=whNGNVnYHHSXUAsWds_MoZ-iEg...
Not much exact reasoning added, if you ask me. Quoting:
> Ok, lots of Russian trolls out and about.
> It's entirely clear why the change was done, it's not getting reverted, ...
> And FYI for the actual innocent bystanders who aren't troll farm accounts - the "various compliance requirements" are not just a US thing.
> If you haven't heard of Russian sanctions yet, ...
> As to sending me a revert patch - please use whatever mush you call brains. I'm Finnish. ...
Huawei is under same level of sanctions, but nobody with `xxx@huawei.com` is removed from Maintainers list. So, probably "sanctions" are not the reason.
>Huawei is under same level of sanctions
is it? the actual specifics of the sanctions matter, I don't think any of the US sanctions would prevent them from participating in kernel programming.
Would you happen to know which specific sanctions text relates to kernel programming?
I don't but with Huawei, the situation is mostly that we don't want to import their technology or give them our technology. With Russia, we basically prohibit all business in general with the entire country.
Spying and invading are different things. Huawei can’t be under same level of sanctions by definition.
It's not accurate. Everyone with .ru email was removed regardless of actual sanctions, including people who currently live and work in US.
Do you have any example of a removed person with .ru email who lives and works in the US?
I saw some comments on Reddit about people with @gmail.com (I think), but other comments pointed out that these people were not actually removed and were just present on a screenshot.
What about maintainers employed by huawei, they still on that file, any difference here?
Not a good idea for Linux to get involved in geopolitical drama.
Any self-respecting maintainer will not come back after this.
Linux might have a lot of developers, but has a hard time finding and retaining maintainers.
This is not a good development.
It's not a geopolitical drama or melodrama, Linux Foundation needs to follow the laws of US where it's located. It's the same as any other American company
Linux Foundation was never supposed to stifle collaboration in the kernel. They are supposed to be a way to support Linux in a tax-advantaged way, full stop.
EFF should start a fork if any part of them still stands for what's in their name.
The EFF is also a US organization subject to the whims of the US government.
What percentage of LF budget goes towards Linux?
I agree. It's not big deal. The Russian team can just fork the kernel, and manage it under their own legal structures. It's really not that hard. Indeed CentOS was maintained by just one person for many years.
It's not a big deal for Linux either, the code in question is mostly for devices that are not sold in the west. So no loss there.
That's the beauty of open source, you can say no to contributions for any reason whatsoever, and the contributor can fork your code and continue to develop it as they please.
Most of the developers are paid by US companies. I don’t think this will really affect anything at all.
Maintainers ≠ developers, and it wasn't that long ago when we heard Linus moaning about maintainer shortage and nobody wanting to pick up their work. Now we get this. Whatever you think of this particular decision, it won't help with finding more maintainers, especially from countries other than the US and its closest allies.
I live in a country which may one day find itself under US sanctions, and I'm been busy cutting reliance on American services, just to avoid having to migrate everything in a rush if that happens. Everyone here understands this (for example, my day job migrated off GitHub to self hosted gitlab back in 2022), and I can't imagine many people will be interested in spending years of effort to then possibly be kicked from the project because they chose to be born in a wrong country.
IIRC the single biggest source of contributions are Intel, Google, RedHat, AMD, and Huewei. Not necessarily in that order.
Something like 80-90% of said contributions are essentially corporate.
Probably the best thing that can happen to the kernel... this type of measure generally backfires spectacularly by giving talent the opportunity to thrive, if anything as a way to fight back against injustice and arbitrary decisions, or for sanctioned opposition to invest in resilience by dumping more money in things otherwise not consider a priority. I always thought Argentine music from the 80's and early 90s was legendary, and this stems from a post-Falklands war, self-inflicted sanction against anglo music... regional bands thrived and created gems that even today can be appreciated as masterpieces...
[flagged]
Tell that to Palestinians or Afgani or Iraki or one of the many countries US invaded or where they financed coups and mass killings...
If Americans want to participate in international communities they are free to leave the US. Aren't they?
BTW Linus is Finnish and Sergey Mikhailovich Brin is Russian
The harsh reality is that the west is now that place where people think it's a crime to be born in a place instead of another...
I'll quote something for you
criminalizing individuals based on their place of birth or nationality is generally considered a violation of international human rights law. Principles of non-discrimination are central to international agreements like the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. These treaties emphasize that all people, regardless of origin, have the right to equality before the law and protection from discrimination.
I guess you can tell the same to the russian speaking people of Donbas that have been bombarded by Azov before Russia entered the Ukrainian civil war.
[flagged]
My sense is they simply believe it actually, drawing on sources that seem organic and Western to them; the propaganda is that effective.
In any case: (1) there has never been a "civil war" in Ukraine in modern times; (2) Azov was formed in May 2014, well after Russia's invasions of both the Donbas and the Crimea were well underway; and (3) nevermind the rest.
You are wrong. Azov was formed on February 2024
And BTW, speaking about Azov:
In 2016, Amnesty International and Human Rights Watch received several credible allegations of abuse and torture by the regiment. Reports published by the Office of the United Nations High Commissioner for Human Rights (OHCHR) documented looting of civilian homes and unlawful detention and torture of civilians between September 2014 and February 2015 "by Ukrainian armed forces and the Azov regiment in and around Shyrokyne".
Another OHCHR report documented an instance of rape and torture, writing: "A man with a mental disability was subject to cruel treatment, rape and other forms of sexual violence by 8 to 10 members of the 'Azov' and the 'Donbas' battalions (both Ukrainian battalions) in August–September 2014. The victim's health subsequently deteriorated and he was hospitalized in a psychiatric hospital." A report from January 2015 stated that a Donetsk People's Republic supporter was detained and tortured with electricity and waterboarding and struck repeatedly on his genitals, which resulted in his confessing to spying for pro-Russian militants.
[flagged]
[flagged]
[flagged]
[flagged]
Because it's written here ...
Pointing to a footnote that explodes into 15 other footnotes.
Meaning none of them actually apply.
[flagged]
You don't tell me! Can I get paid for this? How much do you charge?
By removing a few Russians who are more than likely to leave the country anyway?
Regional bands thrived and created gems that even today can be appreciated as masterpieces...
Care to name a few?
I used to pirate a lot of random music in early 00’s and went through a Latin phase. Downloaded one album by Fabiana Cantilo full of covers by what seemed to be other Argentine artists and some names are Soda Stereo and Andres Calamaro.
They seem to have a lot of what kids today would call bangers.
Some of my favorite Argentine songs: Donde Manda Marinero, En La Ciudad De la Furia. Fabiana’s album that I torrented back in the day happens to be covers of the famous songs and I like a lot of them too
Disclaimer, I just happened to know some Argentine songs that are total ear worms, not necessarily an expert in Argentine music
Fantastico, gracias
Strongly opposed to any sort of sanction regime that results in this.
Let me spell it out for you:
If Project P in Country A is identified by Country B as a potential target for planting cyber-attack-enabling backdoors, Country B has an incentive to find people to put a backdoor in P.
If Country B is a free country with rights and ethics, they will say "Help us put a backdoor in P. We'll pay you very well for services rendered," or try to get someone who already works for Country B intelligence into P's management structure.
If Country B is an "evil" country, they will do all of the above, but will also tell people of influence in P who live or have family in Country B or its allies, "Help us put a backdoor in P. If you refuse or if the backdoor doesn't work or if the legitimate workers of P find it and remove it before it helps us, you'll be arrested and/or tortured and/or killed and/or your family too."
Removing Russian based kernel maintainers from positions in which they could conceivably help insert a backdoor into the kernel hopefully removes the incentive for the Russian government to threaten (or carry out) horrific violence against these individuals and their families.
So all that an evil Russian who wants to commit murder by way of a git commit has to do is...
register a free gmail account and come up with a fake name. Gotcha. Certainly no bad guy will ever think of this.
a random free gmail account and a fake name does not give you the ability to commit to the linux kernel, so no.
It allows you to get code into the kernel by way of sending patches. Eventually you may earn enough trust to get into some kind of power position. Surely you remember the liblzma/xz story.
These people don't even remember that the man in the telly told them something completely different a month ago. As far as they are concerned, they've always been at war with Eastasia. And you are expecting them to remember something and draw parallels?
Either country can also say: "we have this law that requires people to help law enforcement agencies to implement backdoo^W special technical measures to advance national security interests, and also a gag order because it's a matter of national security".
I think Australia had something called Technical Capability Notices (TCNs) back in 2018? For legal entities for sure, not sure about hobbyists.
The last paragraph also makes the whole situation sound like someone cares for Russian developers' well-being. I highly doubt it was ever the intention.
Really appreciate informative comments like this, basically explaining from first principles and not assuming people are idiots for not immediately understanding the implications.
It also made me realise what a cushy, insular world I live in not having to worry about those threats when I write software. Made me more aware of what others might face.
It’s a made up scenario that has never been documented to happen with a major OSS project. The solution seems like an incredibly poor fit and this justification is retroactive. The notion that they are actually doing the Russian maintainers a favor is ridiculous.
When a society starts shadowboxing figments of its own imagination, that is not a good sign for the health of the society.
Yeah im sure those Chinese and NK hackers are keen to document their blackmail, no way that could go badly for them
It's open source, any exploit introduced by a maintainer is self-documenting. Provide a single example for the Linux kernel, please.
I would argue nobody needs to provide an example. IMO, we can assume an action to be taken if:
1. The mechanisms for its existence exist
2. There is motivation of a large enough scale
3. The scale of the actors is large enough
The Linux kernel is very large, and nation-states like Russia are also very large. There is a very high motivation for a backdoor to exist for the Russian government. And the mechanisms are certainly in place to create such a backdoor.
So, I conclude there would absolutely be a Russian backdoor planted, if it isn't already. For the same reasons I conclude Windows probably has multiple backdoors for US agencies.
As a side-note, the scale of the Linux Kernel matters here. It's over a billion lines of code. It's truly trivial to sneak in an exploit and have it never be discovered. You can't prove a negative here - just because we haven't seen an exploit doesn't mean they don't exist. Also, we have found MANY bugs in the Linux kernel. Are they exploits intentionally planted? Virtually impossible to tell. Some bugs have existed for decades before discovery.
You should assume your operating systems already contain many exploits. Thus, we have tools like encryption, firewalls, and trusted repos to protect us anyway.
Note this doesn't mean I support the move. Certainly, any other country could implant backdoors (and probably have already). However, the Linux kernel kind of sort of belongs to the West, and the West kind of sort of has an alliance. So it makes sense why Russia is singled out.
The world is a chaotic and complicated place, you cannot deductively prove things about the world in the manner you are trying. I do not support further securitization based on this style of reasoning. I think we lose more than we gain. If I should assume my OS already contains many exploits, it seems like the risk from Russians is just that they read the source code carefully.
> the Linux kernel kind of sort of belongs to the West,
I don't agree.
I'm not proving anything, I'm assuming, and I think it's a reasonable assumption. My argument is that I don't need proof, so I won't even bother providing it. Based on what I've seen, I can be highly confident there exists backdoors in the Linux Kernel without explicitly having to find those backdoors.
For the same reason, I can be highly confident there is at least one person stealing office supplies at Amazon. And I can be highly confident there are some examples of data theft in automobiles. I just use the same principles as above.
> I don't agree.
Okay. How?
The vast majority of Kernel developers are from the West and live in the West. The kernel was created in the West. Management is in the West. And the majority of large tech companies are Western, so probably the majority of Kernel users are also in the West.
Therefore, the West has a majority control over the kernel, and they have a huge incentive to "protect" it to how they define that. That's that, and we can tell this is the case because it wasn't Russia banning western devs from kernel development, was it?
Also: on the topic of chaos, this is why the "motivation" bullet point exists. If there's no motivation, I can't be sure, due to chaos. Chaos means even things that should happen may not. Motivation, particularly of the financial variety, cuts through the chaos of humanity. I am very confident in asserting that and I think pretty much all of history supports that.
While everything you mention is absolutely true, to the credit of the opinion of whimsicalism, any maintainer worldwide could get offered tons of bitcoins to integrate a backdoor / "bug".
True life-changing money, in all absolute sense.
Exactly. And that's how the west / america would approach it. Throw money at it until u get what u want
That’s generally how you incentivize humans, yes.
Cool. Which country owns the Linux kernel?
Not that I disagree with the move 100%, but I don't think it's that clear cut.
Linux foundation is 501(c)(6) organization based in US.of.A
Completely irrelevant. They are not the owner of the Linux kernel.
Linus holds the trademark. The copyright holders are the contributors to the source code. Nobody "owns" it, that's the point, it's an international project.
Linus, who since 2010 is an American citizen. Effectively, the US is probably the country closest to "owning" the Kernel, in that if the US wanted to put an abrupt cease to kernel development, they could, if only for a short period until the project re-organizes. I don't think any other country posses even the ability of doing so.
Any other person from any other country in the world can and could fork it in a heartbeat 100% legally. It wouldn't stop diddly squat, except that it loses its BDFL and finds another one in short order. There is absolutely zero the US could do about this.
Removing US based kernel maintainers from positions in which they could conceivably help insert a backdoor into the kernel hopefully removes the incentive for the US government to threaten (or carry out) horrific violence against these individuals and their families.
cough xz cough
It would only work if the specific government agency/actor could successfully conceal such actions from the rest of the government agencies, courts, media etc. etc. No such safety checks exist in Russia or other pseudo-fascist states.
If the Russian government is blackmailing you your are certainly screwed. In US.. well it depends but you could quite easily bring down the people doing this to you with yourself if you chose not to comply. Therefore no rational US government "actor" would engage in something like that outside of extreme circumstances.
> In US.. well it depends but you could quite easily bring down the people doing this to you with yourself
I personally don't see much difference between "going down" and "going down together with other people". At least for myself and my family. I'm screwed anyway.
It has more to do with shifting the cost/incentives for the other side which would reduce the likelihood of you ending up in such a position.
why would they threaten violence when they can offer money?
the Linux User Group of Northern Virginia, the suburb of DC with all of the money, used to hold their events at local Palantir office.
lotta Red Hat contracts with the FedGov. And RH commits a lot of code to the kernal and other FOSS projects.
what next? removing all developers who have ever visited russia (because they have probably been told they would be tortured unless they put a backdoor)? removing all developers that have family ties to china? removing anyone who hasn't been born in US and who has family outside of US? if Linus father, who lives in Finland, visits Russia should Linus be removed then?
What you wrote is very logical but it doesn't explain who defines how "evil" the country is. And the answer is "US". All your 4 paragraphs could be rewritten with "US defines if you are worthy or not". Which sounds real and quite disappointing to many people who thought Linux is a shared effort of the humanity
I haven't followed the original events but I understand their actions. Probably they need to have "no russian developers" ticked for compliance for some defense contractor. So they have run "grep -rF .ru .git/" and found russian developers to remove to tick that requirement. I would have probably done the same -- it's easier to do it that to explain to many people why those people aren't evil
Such a blatant BS rationalization... The commit literally talks about "compliance". This is nothing more than an easy alternative to navigating the obscure sanctioning regime. It's like self-censorship, people/companies do this because of the fear that their activity may fall under sanctions, even though it highly likely does not.
If your system relies on people being in "a free country with rights and ethics", then you have a bad system widely open to abuse. After all, who decides which country is "free" and which is not? White house? Should you exclude people from all "non-free" countries?
> people/companies do this because of the fear that their activity may fall under sanctions, even though it highly likely does not.
People/companies do this because lawyers tell them that there is a risk that the activity may violate sanctions. And yes the lawyers are probably overly conservative, but that's because there often isn't a way to know for sure whether something is actually a violation until you end up in the courtroom.
> And yes the lawyers are probably overly conservative, but that's because there often isn't a way to know for sure whether something is actually a violation until you end up in the courtroom.
You've outlined a justification based on a kafkaesque stockholm syndrome vibe. The system doesn't work as well as it's being advertised, does it?
> After all, who decides which country is "free" and which is not?
Not being in active occupation war would be a good start.
And not killing journalists or the opposition would be also a nice touch. Or not jailing people for having an opinion about the army.
I'm not saying the Russia invasion is not evil, but man, did you watch too many popcorn movies?
How child play and naive you're thinking of politics. If Russia ever had that degree of power to control the behavior of its citizens, it would have already ruled the world.
You can't even fully control a 5-person band and you're telling us that magically Russia is able to control millions of people, amongst which none of them know justice or human rights enough to leak any info. You know, even under the infamous assassin attempts from FBI, Snowden managed to flee to Russia. How can Russia be more powerful than the US in this way?
I'm not saying good words to any regime. I mean both the US sanction and the Russian invasion suck. I don't want another country bossing over what you can do, and I don't want another country pointing guns on your head either.
> You can't even fully control a 5-person band and you're telling us that magically Russia is able to control millions of people, amongst which none of them know justice or human rights enough to leak any info.
They’ve literally killed most powerful and influential opposition leader on open display. Use your brain, it’s not hard.
Do sanctions ever actually work as intended?
To this casual bystander it seems like they usually hurt innocent citizens far more than the leaders of the usually authoritarion regime that it targets.
>To this casual bystander it seems like they usually hurt innocent citizens far more than the leaders of the usually authoritarion regime that it targets.
That's kinda the point. The common folk put pressure on their leaders to correct their behavior.
"Here, we'll hurt you so you'll go fight the guy who claims he's the only one protecting you from us."
Has that strategy ever worked?
South Africa? Rhodesia?
But sure.. usually it doesn't really work out.
Of course weakening the target country economically, politically and militarily is still better than nothing,
Russians had every opportunity to kick out nuclear gnome before sanctions kicked in, but alas.
western people had plenty of time to stop buying russian oil after the Crimea was stolen in 2014, but alas, they wanted to sponsor russian military and police so badly
That assumes the common folk can put pressure on their leaders, which is usually not the case for countries targeted by sanctions from the US, which usually have autocratic or otherwise authoritarian governments.
History is full of violent revolutions against autocratic governments. We should inflict maximum pain on the Russian populace. Be as cruel as possible. Keep the pressure on. Eventually it might pay off. And even if it doesn't work, it serves as an object lesson to other countries on the consequences of opposing US policies.
So, what you want is essentially pushing a whole country's population around for your own amusement? Very motivating, not gonna lie!
Amusement has nothing to do with it. This is one method among many for pursuing national geopolitical goals. It's a shame that the Russian populace has to suffer, I bear them no ill will. But if they ever want to get out of international sanctions then they know what they need to do.
Like it or not, the leader derives his power from the populace. An autocrat is powerless without people going along.
Buy a ticket to Ukraine right about now and ask Ukrainians how amused are they. And don’t forget to visit every country that had to take millions of refugees.
> innocent citizens
Do you not think that at least 50% of all people in Russia would vote for Putin or his affiliates (even if the elections weren't falsified)? Therefore most people in Russia are certainly not innocent.
> most people in Russia are certainly not innocent.
Nor are Americans, by this standard - what we've done directly in Syria & Iraq is quite bad and enjoyed substantial popular support.
Perhaps. However on the whole not particularly worse what the local governments were already doing there (more so in Iraq, though)
We don't know and can't know that, there hasn't been a single election without major falsifications since about 2004. I personally don't know anyone who voted for him, but I don't keep many ties to the "lowest classes". If your image of the Russian society is based solely on US left-wing media, then it has even less resemblance to reality.
> We don't know and can't know that, there hasn't been a single election without major falsifications since about 2004.
We can and know that. Just talk with your fellow Russians.
Even (pseudo)opposition polls generally show that most people support Putin? Yes I understand that polls in such a society might not be particularly meaningful. But I'm not even saying that most Russians actively support the government, implicit support (i.e. being unwilling to risk anything to change the status quo) is almost as good.
> "lowest classes"
I find it hard to believe that there aren't plenty of people who are middle class and above who support the regime. After all Russia's economy is almost entirely based on raw resources extraction and (now) military related industries.
> If your image of the Russian society is based solely on US left-wing media
And yours is based on Kremlin propaganda channels and media sources? See what I did there? Both assumptions are equally valid/invalid and neither contributes anything to a meaningful discussion besides immediately shutting down the possibility of one existing.
by that logic N.Korean subjugates should also get maintainer rights
if you really think so strongly about it maybe you should run "Red Star OS" instead
North Korean maintainers should be allowed, imo
Apparently (quelle surprise) Linus is getting swarmed by Russian trolls like a US swing-state voter. From https://www.phoronix.com/news/Linus-Torvalds-Russian-Devs
Ok, lots of Russian trolls out and about. It's entirely clear why the change was done, it's not getting reverted, and using multiple random anonymous accounts to try to "grass root" it by Russian troll factories isn't going to change anything. And FYI for the actual innocent bystanders who aren't troll farm accounts - the "various compliance requirements" are not just a US thing.
If you haven't heard of Russian sanctions yet, you should try to read the news some day. And by "news," I don't mean Russian state-sponsored spam. As to sending me a revert patch - please use whatever mush you call brains. I'm Finnish. Did you think I'd be _supporting_ Russian aggression? Apparently it's not just lack of real news, it's lack of history knowledge too.
That's fine, but we would like to see the orders he received and the evidence. This patch is outrageous because of the lack of transparency, not the patch itself if there's a good reason for it. Linus and Greg appear to be not only not posting a reason, but trying to keep the reason secret.
It's pretty obvious that it's due to sanctions, but they don't want to say it.
But if that's the case, why don't they?
What about them? I can say "it's illegal for me to murder someone" without a lawyer being involved and so I can say "it's illegal for me to collaborate with company X" if that is true. Lawyers wouldn't stop me saying that unless something fishy was happening.
Is there any new "compliance requirements" (sanctions I suppose?) that made this happen? Or is a delayed change since the sanctions started?
The latest change would be EU sanctions that disallow export of technology from March 2024: https://www.themoscowtimes.com/2024/05/17/microsoft-blocks-r...
But this change here feels like there was pressure from the DoD or White House. A lot of sanctions seems to be introduced and enforced informally.
That cited change is actually from December 2023:
> The ban complies with the EU’s 12th sanctions package adopted in December, which ordered companies in and outside the bloc to stop exporting products and technology to Russia by March 20.
That would mean that either A) it's not what triggered this change or B) the kernel wasn't legally following compliance requirements for almost a year
But besides that, that sanction is between EU<>Russia, not sure if that would ultimately enforce the kernel to implement those compliance requirements, unless also agreed and followed by the US.
It’s surprising to see that there are any compliance requirements Linux adheres to.
I'm wondering does the latest events of N.Korean troops joining the attack against Ukraine have something to do with this?
If it is because of national security concerns, will Israelis and Chinese lose kernel maintainership status as well?
> If it is because of national security concerns, will Israelis and Chinese lose kernel maintainership status as well?
Some of them, yes, some of them, no. /s
I doubt anything would happen the next time US invades a country.
Russian government is cancer but this is pointless. It would be much easier to hide a backdoor in an npm or python package.
It's an economic sanction not an attack avoidance mechanism.
Which HOPEFULLY don't run at kernel privilege level (but I do know better).
Sounds like overreach by a company that is heavily invested in Linux as a base for its products, and is having a difficult time with US trade regulations.
Its pandering. I hope these developers petition to be added back.
Have to say that a lot of hacker news contributors really show their colors around events like this. This is a completely good thing to do and well past due.
I really wish that we have an operating system that's not controlled by a U.S. person.
Here you go: https://qubes-os.org.
Welcome to using a Chinese OS lol
Harmony on mobile is pretty sweet.
So what, now you can directly watched by CCP?
Why should this be a problem for anyone outside of China? It's only when the same people can read your messages and send dudes with guns to your doorstep if they don't like what they see that things actually get dangerous.
FBI makes arrests over alleged secret Chinese 'police stations' in New York
That's interesting, but these seem like they are just a slightly more structured form of the ways in which the CCP has been known to keep track of their own nationals abroad for many years. Not only is there no evidence or reason to expect that they would interact with people who are not PRC nationals, they presumably don't have guns and certainly have no actual policing powers either. If these "Chinese police stations" were to dispatch someone to my door, I could just call the actual police to have them removed. Meanwhile, I doubt I could call the "Chinese police stations" to protect me from the police of the country I live in, if they were to act upon a friendly request from the US like the Swedes and British did with Assange or the New Zealanders did with Kim Dotcom.
How convoluted, insidious, and camouflaged can a hidden backdoor or exploitable intentional defect be?
If hacking or subversion is possible, it has been tried and will be again. If anyone is going to try it, chances are Putin's people will.
It's by far the sneakiest, most advanced cheating and infiltration apparatus humanity has ever known. It inherited a large "meddling war chest" from the Soviet Union, then invested heavily into it for 25 years. The Internet increased its opportunities a million-fold. Its semitransparent tentacles are now embedded into nearly every consequential organization on the planet.
Consider the xz episode as a baseline. It was fairly sneaky, but it was introduced by a newcomer to the project and affected mostly existing code. A more elaborate exploit might be submitted with a new feature by an established maintainer.
For those confused: GitHub has comments for commits, and some are piling up for this particular Linux kernel mirror.
This could get messy in other projects, depending where this rule came from. I know there are .ru maintainers in at least one other ; and what about distros?
It is wrong - plain and simple. It is no different to racism. As for Linus comments, it is really surprising how many proper idiots working in IT industry. It was not like that before.. Not long ago, simply reading Linux magazine was considered a terrorism.
Not sure this is really what anyone had in mind when sanctioning Russia? The maintainers probably aren't pleased but can't see a direct route from there to Putin's opinion of the war in Ukraine.
Probably not sanctions, but national security concerns.
The former aims to punish and worsen the situation of the other country, the latter aims to reduce the attack vector and improve the situation of the US.
If I were a KGB (FSB) agent with a task to undermine US infrastructure with my commits in Linux kernel, using my real russian name and .ru TLD would be the last thing to do.
Sure, but if I were an agency tasked with protecting US from security threats, I would begin with the lowest hanging fruit.
Yes, probably the guy who holds up the number "3" using his thumb, index, and middle finger shouldn't be allowed in the Super Secret Vault. But the dude right behind him who has "I'm Russian" tattooed on his forehead shouldn't be allowed in either, and he's a bit easier to spot.
It’s pretty evident at this point that any Russian citizen in Russia or with family in Russia can be coerced, and it’s also pretty clear that Putin specifically does not have good intentions.
There are lots of good people there. It’s too bad there is a crazy person at the helm.
It is evident everyone CAN be coerced. Not that everyone WILL BE, because some people still think of themselves as people, not some “honest citizens” or “economic agents”.
It is also evident that someone quite far from Russia HAS ALREADY BEEN coerced to make that unannounced change, but you try really hard to look the other way. “Those Linux nerds” were shown who's the boss in the room when it comes to “important matters”. Don't you feel that the form of that change itself is a sign of silent disobedience, and you are expected to participate in public outcry forcing further developments instead of just bending over willingly?
It is totally possible that there was some direct intelligence that those accounts can be used in some clandestine operation in the future, probably without even asking some of the owners. After all, spies are #1 information source to other spies, they run the global spectacle together. Still, accepting “this is secret” as an excuse, you are already accepting defeat.
The cost/risk to the Russian government of coercing someone to do anything is approximately zero. Not so much in the US/etc., the risk of negative consequences is not insignificant?
> were shown who's the boss in the room when it comes to “important matters”.
Or Linus just doesn't like Russia(ns)? Why is there a need for some conspiracy?
all you have to look at is the number of russian oligarchs being defenstrated since the invasion began to know that if it served russian aims to inject malware into the kernel somehow via their maintainers it would probably be tried. the maintainers are probably not oligarch level rich so imagine the pressure on them if needed.
if you believe Russian government would coerce its own citizens, why do you not believe they would coerce foreigners? they have a world class intelligence agency that routinely assassinates regime enemies in foreign countries after all, so why should it be any harder for them?
"Putins opinion on the war he started" undersells the issue that Russia has actively been undermining, killing, and sabotaging in western countries.
> The maintainers probably aren't pleased but can't see a direct route from there to Putin's opinion of the war in Ukraine.
Then they should be reminded that their military is actively using Linux to kill Ukrainian civilians https://en.wikipedia.org/wiki/Astra_Linux
Alternative title: Nobody with an email ending in .ru left in the MANTAINERS file.
That would be a nice explanation, but some people with @gmail.com were also removed from the list.
This was a very bad move by the Linux foundation. They should get new lawyers. Linux development should probably be moved outside of wartime/unstable jurisdictions like the US.
Are US corporations going to be forced to fire their Russian coders?
They should have already based on the sanctions two years ago, Belarus also.
Some examples:
https://www.theverge.com/2022/6/8/23159656/microsoft-russia-...
https://www.reuters.com/business/russia-shrugs-off-jobs-impa...
https://www.hpe.com/us/en/newsroom/statement/2022/06/hpe-ann...
https://newsroom.ibm.com/Update-on-IBMs-Business-Operations-...
"Coders in Russia" != "Russian coders".
The new chapter in the McCarthyan witch hunt.
My initial reaction reading the thread was just to shake my head. What's the point of open source?
My worry is less about big projects being inclusive and multinational, and more about whether there are clear guidelines and specific reasons given when people are kicked off or otherwise demoted.
Nobody likes being at the mercy of a system that feels capricious.
I guess that's it. Open source is a fantasy that started coming to an end about 15 years ago. We lived in a fantasy world in 90s-00s, where there were no governments, no corporations and almost no people that make you shake your head. It was so easy (and of course silly, in the hindsight) to believe, that the internet is some another world, where earthly matters do not concern us. And everything was just about improving this world for ourselves. It's not like people often agree to work for free otherwise. Working for free is incompatible with capitalism, and we learn to believe that nothing else is truly possible in the real world. It's not like "open source" doesn't have a point in that imperfect world with governments, corporations and 8B people, that the internet seemed disconnected from for a while, it just doesn't have place. It simply almost doesn't happen there.
So, now the real world has slowly catched up to that fantasy world of ours. The winter has really come.
Can we please get a fraction of the resources currently put into Linux kernel development and start developing a robust userland ecosystem for SeL4?
Microkernels in general already mitigate the possible damage that could be done by rogue code in large monolithic kernels. A formally verified microkernel like SeL4 is an even better guarantee. And performance concerns of microkernels are practically solved at this point.
These sorts of nation-state sponsored malicious code practices could be made mostly irrelevant. We just need a little momentum to get us there.