I for one am going through quite a culture shock. I always assumed the nature of FOSS software made it immune to be confined within the policies of nations; I guess if one day the government of USA starts to think that its a security concers for china to use and contribute to core opensource software created by its citizens or based in their boundaries, they might strongarm FOSS communities and projects to make their software exclude them in someway or worse declare GPL software a threat to national security.
Not really, open source projects don’t necessarily have to be open to all contributors and I was aware of this already. They have to be open to anyone doing what they want with the code, by definition, which is good, but they don’t have to allow everyone to contribute to upstream. I’m not sure if there’s any particular defence against this being used in a discriminatory manner, but I do think this effect is significantly mitigated by the decentralised nature of open source and the fact that it’s not too uncommon for forks to become preferred over the original, the fact that open source projects rise and fall in popularity, etc.
I wonder if there’s some way to manage an open source project so that it’s not subject to particular national laws in this way.
It’s not decentralized on the level of project development, the visible proof of which is what we’ve seen happen.
How many times have you seen two branches of a significant project to coexist with comparable popularity?
I wonder if there’s some way to manage an open source project so that it’s not subject to particular national laws in this way.
Yes. Pseudonymous software development. I’ve seen Ross Ulbricht’s name today, so we also know the risks.
Naturally this is closer to some underground warez than to copyleft, because the legal ways of protecting copylefted information against appropriation will not be available. A different paradigm.
What happened this time?
Edit, answered elsewhere:
Recently, Linux removed several people from their organization that have Russian email addresses. Linus made a statement that confirmed this was done intentionally. I believe that there was some mention of following sanctions on Russia due to the war. I haven’t looked into the details of it all, so take my analysis with a grain of salt. From what I understand, it sounded like it was only Russian maintainers that were removed and normal users submitting code from Russia can still contribute. Maintainers have elevated permissions and can control what code gets accepted into a project, meaning that a bad actor could allow some malicious code to sneak past. This may have also contributed to the decision since this type of attack has happened before and Russia seems like a likely culprit. The reactions to this change have been varied. Some people feel it is somewhat justified or reasonable, some people think that it means it is no longer open source, and some people think it is unfairly punishing Russian civilians (it is worth noting that that is part of the point of sanctions).
Well, in theory open source is immune to all that. However, the country a project is registered at, matters. That’s why the RISC-V project, for example, took its headquarters from the US to Switzerland. For that exact reason: so no country could strong arm it, especially since Chinese were the major contributors to the project (Switzerland is not 100% neutral, but it’s more neutral than other countries).
Removed by mod
One of the big weaknesses of open source is the same as democracy. Nobody has time to review every piece of code (or research and hold accountable every politician) which leads to risks.
How is that weakness different to installing closed source software?
It’s a different risk vector. While companies want your information to sell, they don’t want to take over your computer to use it in a bot net or steal your bank information and clean out your account.
Open source by it’s very nature relies on a lot of people having good intentions, free time, and knowledge for it to work well and safely.
Actually - a lot of closed source programs are still vulnerable to the supply chain attacks you mention where a bad actor has got access to their codebase. This has happened and been reported on, plus I’m sure, plenty of occasions where it was hushed up for reputational reasons. And - much commercial software still uses FOSS dependencies, so is also vulnerable to the same situation you describe for that. Worst of both worlds.
I don’t think either system is inherantly better than the other in terms of computer security. Each has different and overlapping vulnerabilities.
And it’s why people stress to death that documenting is important. Even if you may not have time to review every single code, it wouldn’t hurt to leave footnotes as to where someone could take said code to pick up from where it left off.
If you leave somebody with nothing then it’s dead code.
Absolutely that’s always good. I was talking more about someone intentionally adding malicious code though.
It changed my view on how true to their ideas some people are.
Just this one. The philosophy is still there, Linus and TLF have abandoned it with great hubris. I am very disappointed in them.
I’m thinking about that conspiracy theory of Linus having been made an offer one can’t refuse, when some time ago he took a vacation and returned with news about seeing the error of his ways.
It almost coincided with Stallman being canceled for one of his usual highly socially unacceptable, but in principle consistent opinions. With most of the attackers being frankly some new random corporate-associated people, not very active in real communities.
Maybe I’ll re-read J4F and compare Linus from there to these events. Canary and all.
EDIT: Before you downvote this for the mush in my head (thx Linus) propagating conspiracy theories, offers one can’t refuse are not exactly an impossible thing. And WWII radio games, where, having captured an enemy station’s operator, one of the sides could either imitate their style in transmissions or just force them to transmit what it wanted.
I mean he has accepted a position as a luminary at the x86 ecosystem advisory group the most dominant and proprietary instruction set ever formed by companies with vested interest to keeping it in use and prevent competition (RISC-V & ARM) from catching up.
No, only of Linux
No.
I think the prestige of “maintainers” and contributions/control are what is being torn down. Anyone anywhere is still welcome to contribute, they are simply limited from direct control. They can still fork at any time, anyone can. Getting people to follow your fork is another thing entirely, and your open source code will still likely be incorporated directly or indirectly. The only thing that has changed is the misguided prestige that has grown around the project and is not a required or relevant part of the project as a whole.
So like what happened
Recently, Linux removed several people from their organization that have Russian email addresses. Linus made a statement that confirmed this was done intentionally. I believe that there was some mention of following sanctions on Russia due to the war. I haven’t looked into the details of it all, so take my analysis with a grain of salt. From what I understand, it sounded like it was only Russian maintainers that were removed and normal users submitting code from Russia can still contribute. Maintainers have elevated permissions and can control what code gets accepted into a project, meaning that a bad actor could allow some malicious code to sneak past. This may have also contributed to the decision since this type of attack has happened before and Russia seems like a likely culprit. The reactions to this change have been varied. Some people feel it is somewhat justified or reasonable, some people think that it means it is no longer open source, and some people think it is unfairly punishing Russian civilians (it is worth noting that that is part of the point of sanctions).
As per usual, the discussion of the Linux drama far exceeds the actual drama. I’m guessing most of those people will still contribute.
Nothing is devoid of global politics.
Russian maintainers were unceremoniously kicked out citing compliance issues.
This shows that no open-source project can really be directed from the US, or if they are then a fork should exist and be maintained by BRICS citizens who are obviously viewed as lesser, at least in the Linux project.
Hasn’t changed my view much. I already knew Linux was a company that has a legal presence in the US and so would be subject to their laws. The only real surprise is that it’s taken so long to action this particular set of sanctions.
I do think the announcement was poorly handled - it should have been explained either before or immediately afterwards to cut back on the conjecture. The git notice only said that these contributors’ names had been removed from the credits, not that they’d been stopped from contributing completely. Any company, including Linux, that does something they know is going to be contentious like this should bloody well get ahead of that curve and put the facts out.
The world is at war. It’s not a bloody world war as we’ve seen before, but it is nation against nation by other means. FOSS is used so widely it is absolutely a target and nobody can be so idealistic that they cannot see the conflict, nor not know that it’s constantly being attacked. Where you live does matter. I wish that wasn’t the case - I truly do, but it’s naive in the extreme to pretend otherwise.
This wasn’t a decision made based on sanctions, it was just an excuse given but no actual evidence of Linux being required to act on them was ever given.
Why do you think Linus is not being truthful?
Other countries are similarly sanctioned, and hundreds of maintainers from those sanctions are still there. So the sanctions thing is absolutely just an excuse.
What Linus just did to Russians is scaring a lot of people right now, who are probably wondering if they should keep working in association with a project which has just demonstrated its unreliability.
If someone really wants to use the contribution of the expelled maintainers they can just make their own fork. Part of the Free in FOSS is the freedom to associate or not associate with contributors.
Unfortunately no.
I remember the selinux controversy and the nsa trying to slip bad algorithms in.
I get that it’s a nice daydream to think of open source projects as existing in some kind of independent, ethereal vacuum just because the code is out there and accessible from any place on Earth. But every software project is (mostly?) dependent on the jurisdiction in one country, in this case it’s the US, and so their laws about sanctions and so on apply. And yes, this means that unless conflicts/wars between nations happen to cease, that we will eventually have completely separated blocks of politics/culture/military and also IT. Globalization is over. China will have their own stuff, Russia will have their own stuff, and US+EU will have their own stuff. And none of those countries should continue using high-tech products made by the other because they could be sabotaged and it might be hard to find, so it’s best to not use them at all and just cook your own stuff. It’s unfortunate, but bound to happen in the current state of the political world.
