The email thread continues. Linus later responded with:
>No, but I'm not a lawyer, so I'm not going to go into the details that
I - and other maintainers - were told by lawyers.
>I'm also not going to start discussing legal issues with random
internet people who I seriously suspect are paid actors and/or have
been riled up by them.
Which I find pretty concerning statements, quite a disservice to the community. It's a global community, and here the maintainers take some action without explanation. They don't even have a communiqué at hand to tell people what this action is, why it was taken, and which alternatives were considered but rejected. This is the bare minimum that I expect of the maintainers of a piece of software that is very critical to many millions of systems worldwide.
Counting on the goodwill of users is not acceptable for an operating system that underpins the security of people's computers.
Open source means put up or shut up. If you don’t like the institutions, then build it yourself.
You can’t cry foul when the group is literally providing you with free software. Open source institutions don’t own anyone anything beyond open software.
That is the letter of the law, yes. I would suggest though that the spirit / intent behind the law includes fostering a community, which in turn encourages open and clear communication.
And right now Linus is not putting up, is suddenly actively refusing to put up, and we're all very concerned about that.
As an open source community leader, putting up consists of leading well, and transparently. It's not just a coding role. He may have inherited the leadership role by being the original coder but he has to keep it by being a worthy leader.
I speculate Linus or Greg received the equivalent of a National Security Letter. Otherwise they could point to the regulations.
While a little bit too much of a guess, it's quite possible that whatever three letter agency finally had a high-confidence note on who was behind the XZ backdoor and decided to issue an (blatant) order to kick out all Russian maintainers, because that's how USG usually works.
The quoted text is a great mechanism to turn your brain off. "Oh, they giving me stuff. They must be good then and can do no wrong. I can turn my brain off and go sleep."
If you scroll down on the thread linked, someone mentions the reason isn't that the developers are Russian, but because their employers in Russia are sanctioned companies.
I don't know if that's accurate, but seems feasible. If so I'm 100% behind it.
It'd be nice to know the exact reasoning for this, rather than just see a commit without any context of why they're being removed. I'm pretty sure we'll know in due time.
I think it's more likely that everyone will forget in a few days and we will never know. Maybe there will be few more random bans.
I highly doubt anyone banned will even try to send "sufficient documentation". The wording is as vague and arbitrary as it gets, and the underlying tone sounds to me not like "we have such and such requirements", but like "some Russian-sounding names are banned, but we still have to demonstrate there is a due process".
Reminds me of banks. Banks are fined for not having processes for detecting money laundering. Not money laundering, mind it, just having "inadequate" processes. If such a process flags someone, that someone is blocked and they should provide "sufficient documents", but the bank is not allowed to tell them why or what, that would be "tipping off", which is illegal. And then it all comes down to bank's internal policies (that the bank is not allowed to disclose) or even a personal relationship with a branch manager.
> Banks are fined for not having processes for detecting money laundering. Not money laundering, mind it, just having "inadequate" processes. If such a process flags someone, that someone is blocked and they should provide "sufficient documents",
Isn't that how most compliance regulation works? You can't force companies to have a perfect record of preventing something, no matter how you structure things, so instead of trying to do so, you setup something that will at least preventing it somewhat. And then you fine the companies who don't do anything to prevent the issue.
I'm not a lawyer, but I don't think so. For example, there is no penalty for not having an accountant on payroll. But there are some for not keeping adequate records. I suspect it's irrelevant whether you have a full-time accountant so your records are always in order, or if you do nothing all year and hire someone for a big overhaul each December and also every time authorities need something.
> "some Russian-sounding names are banned, but we still have to demonstrate there is a due process".
That's not true! There are still many Russian maintainers in the kernel, but they are not based in Russia. They only banned individuals, based in Russia, who are employed by sanctioned companies.
As a neighboring comment mentioned, at least one banned individual seems to be based in the US is employed by Amazon, as per their LinkedIn, including some old posts: https://news.ycombinator.com/item?id=41933300
They just happened to still use their older .ru email in the MAINTAINERS file.
Huawei is under same level of sanctions, but nobody with `xxx@huawei.com` is removed from Maintainers list. So, probably "sanctions" are not the reason.
is it? the actual specifics of the sanctions matter, I don't think any of the US sanctions would prevent them from participating in kernel programming.
I don't but with Huawei, the situation is mostly that we don't want to import their technology or give them our technology. With Russia, we basically prohibit all business in general with the entire country.
Do you have any example of a removed person with .ru email who lives and works in the US?
I saw some comments on Reddit about people with @gmail.com (I think), but other comments pointed out that these people were not actually removed and were just present on a screenshot.
It's not a geopolitical drama or melodrama, Linux Foundation needs to follow the laws of US where it's located. It's the same as any other American company
Linux Foundation was never supposed to stifle collaboration in the kernel. They are supposed to be a way to support Linux in a tax-advantaged way, full stop.
EFF should start a fork if any part of them still stands for what's in their name.
I agree. It's not big deal. The Russian team can just fork the kernel, and manage it under their own legal structures. It's really not that hard. Indeed CentOS was maintained by just one person for many years.
It's not a big deal for Linux either, the code in question is mostly for devices that are not sold in the west. So no loss there.
That's the beauty of open source, you can say no to contributions for any reason whatsoever, and the contributor can fork your code and continue to develop it as they please.
Maintainers ≠ developers, and it wasn't that long ago when we heard Linus moaning about maintainer shortage and nobody wanting to pick up their work. Now we get this. Whatever you think of this particular decision, it won't help with finding more maintainers, especially from countries other than the US and its closest allies.
I live in a country which may one day find itself under US sanctions, and I'm been busy cutting reliance on American services, just to avoid having to migrate everything in a rush if that happens. Everyone here understands this (for example, my day job migrated off GitHub to self hosted gitlab back in 2022), and I can't imagine many people will be interested in spending years of effort to then possibly be kicked from the project because they chose to be born in a wrong country.
Probably the best thing that can happen to the kernel... this type of measure generally backfires spectacularly by giving talent the opportunity to thrive, if anything as a way to fight back against injustice and arbitrary decisions, or for sanctioned opposition to invest in resilience by dumping more money in things otherwise not consider a priority. I always thought Argentine music from the 80's and early 90s was legendary, and this stems from a post-Falklands war, self-inflicted sanction against anglo music... regional bands thrived and created gems that even today can be appreciated as masterpieces...
Tell that to Palestinians or Afgani or Iraki or one of the many countries US invaded or where they financed coups and mass killings...
If Americans want to participate in international communities they are free to leave the US. Aren't they?
BTW Linus is Finnish and Sergey Mikhailovich Brin is Russian
The harsh reality is that the west is now that place where people think it's a crime to be born in a place instead of another...
I'll quote something for you
criminalizing individuals based on their place of birth or nationality is generally considered a violation of international human rights law. Principles of non-discrimination are central to international agreements like the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. These treaties emphasize that all people, regardless of origin, have the right to equality before the law and protection from discrimination.
My sense is they simply believe it actually, drawing on sources that seem organic and Western to them; the propaganda is that effective.
In any case: (1) there has never been a "civil war" in Ukraine in modern times; (2) Azov was formed in May 2014, well after Russia's invasions of both the Donbas and the Crimea were well underway; and (3) nevermind the rest.
In 2016, Amnesty International and Human Rights Watch received several credible allegations of abuse and torture by the regiment. Reports published by the Office of the United Nations High Commissioner for Human Rights (OHCHR) documented looting of civilian homes and unlawful detention and torture of civilians between September 2014 and February 2015 "by Ukrainian armed forces and the Azov regiment in and around Shyrokyne".
Another OHCHR report documented an instance of rape and torture, writing: "A man with a mental disability was subject to cruel treatment, rape and other forms of sexual violence by 8 to 10 members of the 'Azov' and the 'Donbas' battalions (both Ukrainian battalions) in August–September 2014. The victim's health subsequently deteriorated and he was hospitalized in a psychiatric hospital." A report from January 2015 stated that a Donetsk People's Republic supporter was detained and tortured with electricity and waterboarding and struck repeatedly on his genitals, which resulted in his confessing to spying for pro-Russian militants.
I used to pirate a lot of random music in early 00’s and went through a Latin phase. Downloaded one album by Fabiana Cantilo full of covers by what seemed to be other Argentine artists and some names are Soda Stereo and Andres Calamaro.
They seem to have a lot of what kids today would call bangers.
Some of my favorite Argentine songs: Donde Manda Marinero, En La Ciudad De la Furia. Fabiana’s album that I torrented back in the day happens to be covers of the famous songs and I like a lot of them too
Disclaimer, I just happened to know some Argentine songs that are total ear worms, not necessarily an expert in Argentine music
If Project P in Country A is identified by Country B as a potential target for planting cyber-attack-enabling backdoors, Country B has an incentive to find people to put a backdoor in P.
If Country B is a free country with rights and ethics, they will say "Help us put a backdoor in P. We'll pay you very well for services rendered," or try to get someone who already works for Country B intelligence into P's management structure.
If Country B is an "evil" country, they will do all of the above, but will also tell people of influence in P who live or have family in Country B or its allies, "Help us put a backdoor in P. If you refuse or if the backdoor doesn't work or if the legitimate workers of P find it and remove it before it helps us, you'll be arrested and/or tortured and/or killed and/or your family too."
Removing Russian based kernel maintainers from positions in which they could conceivably help insert a backdoor into the kernel hopefully removes the incentive for the Russian government to threaten (or carry out) horrific violence against these individuals and their families.
It allows you to get code into the kernel by way of sending patches. Eventually you may earn enough trust to get into some kind of power position. Surely you remember the liblzma/xz story.
These people don't even remember that the man in the telly told them something completely different a month ago. As far as they are concerned, they've always been at war with Eastasia. And you are expecting them to remember something and draw parallels?
Either country can also say: "we have this law that requires people to help law enforcement agencies to implement backdoo^W special technical measures to advance national security interests, and also a gag order because it's a matter of national security".
I think Australia had something called Technical Capability Notices (TCNs) back in 2018? For legal entities for sure, not sure about hobbyists.
The last paragraph also makes the whole situation sound like someone cares for Russian developers' well-being. I highly doubt it was ever the intention.
Really appreciate informative comments like this, basically explaining from first principles and not assuming people are idiots for not immediately understanding the implications.
It also made me realise what a cushy, insular world I live in not having to worry about those threats when I write software. Made me more aware of what others might face.
It’s a made up scenario that has never been documented to happen with a major OSS project. The solution seems like an incredibly poor fit and this justification is retroactive. The notion that they are actually doing the Russian maintainers a favor is ridiculous.
When a society starts shadowboxing figments of its own imagination, that is not a good sign for the health of the society.
While everything you mention is absolutely true, to the credit of the opinion of whimsicalism, any maintainer worldwide could get offered tons of bitcoins to integrate a backdoor / "bug".
Completely irrelevant. They are not the owner of the Linux kernel.
Linus holds the trademark. The copyright holders are the contributors to the source code. Nobody "owns" it, that's the point, it's an international project.
Linus, who since 2010 is an American citizen. Effectively, the US is probably the country closest to "owning" the Kernel, in that if the US wanted to put an abrupt cease to kernel development, they could, if only for a short period until the project re-organizes. I don't think any other country posses even the ability of doing so.
Removing US based kernel maintainers from positions in which they could conceivably help insert a backdoor into the kernel hopefully removes the incentive for the US government to threaten (or carry out) horrific violence against these individuals and their families.
It would only work if the specific government agency/actor could successfully conceal such actions from the rest of the government agencies, courts, media etc. etc. No such safety checks exist in Russia or other pseudo-fascist states.
If the Russian government is blackmailing you your are certainly screwed. In US.. well it depends but you could quite easily bring down the people doing this to you with yourself if you chose not to comply. Therefore no rational US government "actor" would engage in something like that outside of extreme circumstances.
> In US.. well it depends but you could quite easily bring down the people doing this to you with yourself
I personally don't see much difference between "going down" and "going down together with other people". At least for myself and my family. I'm screwed anyway.
what next? removing all developers who have ever visited russia (because they have probably been told they would be tortured unless they put a backdoor)? removing all developers that have family ties to china? removing anyone who hasn't been born in US and who has family outside of US? if Linus father, who lives in Finland, visits Russia should Linus be removed then?
What you wrote is very logical but it doesn't explain who defines how "evil" the country is. And the answer is "US". All your 4 paragraphs could be rewritten with "US defines if you are worthy or not". Which sounds real and quite disappointing to many people who thought Linux is a shared effort of the humanity
I haven't followed the original events but I understand their actions. Probably they need to have "no russian developers" ticked for compliance for some defense contractor. So they have run "grep -rF .ru .git/" and found russian developers to remove to tick that requirement. I would have probably done the same -- it's easier to do it that to explain to many people why those people aren't evil
Such a blatant BS rationalization... The commit literally talks about "compliance". This is nothing more than an easy alternative to navigating the obscure sanctioning regime. It's like self-censorship, people/companies do this because of the fear that their activity may fall under sanctions, even though it highly likely does not.
If your system relies on people being in "a free country with rights and ethics", then you have a bad system widely open to abuse. After all, who decides which country is "free" and which is not? White house? Should you exclude people from all "non-free" countries?
> people/companies do this because of the fear that their activity may fall under sanctions, even though it highly likely does not.
People/companies do this because lawyers tell them that there is a risk that the activity may violate sanctions. And yes the lawyers are probably overly conservative, but that's because there often isn't a way to know for sure whether something is actually a violation until you end up in the courtroom.
> And yes the lawyers are probably overly conservative, but that's because there often isn't a way to know for sure whether something is actually a violation until you end up in the courtroom.
You've outlined a justification based on a kafkaesque stockholm syndrome vibe. The system doesn't work as well as it's being advertised, does it?
I'm not saying the Russia invasion is not evil, but man, did you watch too many popcorn movies?
How child play and naive you're thinking of politics. If Russia ever had that degree of power to control the behavior of its citizens, it would have already ruled the world.
You can't even fully control a 5-person band and you're telling us that magically Russia is able to control millions of people, amongst which none of them know justice or human rights enough to leak any info. You know, even under the infamous assassin attempts from FBI, Snowden managed to flee to Russia. How can Russia be more powerful than the US in this way?
I'm not saying good words to any regime. I mean both the US sanction and the Russian invasion suck. I don't want another country bossing over what you can do, and I don't want another country pointing guns on your head either.
> You can't even fully control a 5-person band and you're telling us that magically Russia is able to control millions of people, amongst which none of them know justice or human rights enough to leak any info.
They’ve literally killed most powerful and influential opposition leader on open display. Use your brain, it’s not hard.
To this casual bystander it seems like they usually hurt innocent citizens far more than the leaders of the usually authoritarion regime that it targets.
>To this casual bystander it seems like they usually hurt innocent citizens far more than the leaders of the usually authoritarion regime that it targets.
That's kinda the point. The common folk put pressure on their leaders to correct their behavior.
western people had plenty of time to stop buying russian oil after the Crimea was stolen in 2014, but alas, they wanted to sponsor russian military and police so badly
That assumes the common folk can put pressure on their leaders, which is usually not the case for countries targeted by sanctions from the US, which usually have autocratic or otherwise authoritarian governments.
History is full of violent revolutions against autocratic governments. We should inflict maximum pain on the Russian populace. Be as cruel as possible. Keep the pressure on. Eventually it might pay off. And even if it doesn't work, it serves as an object lesson to other countries on the consequences of opposing US policies.
Do you not think that at least 50% of all people in Russia would vote for Putin or his affiliates (even if the elections weren't falsified)? Therefore most people in Russia are certainly not innocent.
We don't know and can't know that, there hasn't been a single election without major falsifications since about 2004. I personally don't know anyone who voted for him, but I don't keep many ties to the "lowest classes". If your image of the Russian society is based solely on US left-wing media, then it has even less resemblance to reality.
Even (pseudo)opposition polls generally show that most people support Putin? Yes I understand that polls in such a society might not be particularly meaningful. But I'm not even saying that most Russians actively support the government, implicit support (i.e. being unwilling to risk anything to change the status quo) is almost as good.
> "lowest classes"
I find it hard to believe that there aren't plenty of people who are middle class and above who support the regime. After all Russia's economy is almost entirely based on raw resources extraction and (now) military related industries.
> If your image of the Russian society is based solely on US left-wing media
And yours is based on Kremlin propaganda channels and media sources? See what I did there? Both assumptions are equally valid/invalid and neither contributes anything to a meaningful discussion besides immediately shutting down the possibility of one existing.
Ok, lots of Russian trolls out and about. It's entirely clear why the change was done, it's not getting reverted, and using multiple random anonymous accounts to try to "grass root" it by Russian troll factories isn't going to change anything. And FYI for the actual innocent bystanders who aren't troll farm accounts - the "various compliance requirements" are not just a US thing.
If you haven't heard of Russian sanctions yet, you should try to read the news some day. And by "news," I don't mean Russian state-sponsored spam. As to sending me a revert patch - please use whatever mush you call brains. I'm Finnish. Did you think I'd be _supporting_ Russian aggression? Apparently it's not just lack of real news, it's lack of history knowledge too.
That's fine, but we would like to see the orders he received and the evidence. This patch is outrageous because of the lack of transparency, not the patch itself if there's a good reason for it. Linus and Greg appear to be not only not posting a reason, but trying to keep the reason secret.
What about them? I can say "it's illegal for me to murder someone" without a lawyer being involved and so I can say "it's illegal for me to collaborate with company X" if that is true. Lawyers wouldn't stop me saying that unless something fishy was happening.
> The ban complies with the EU’s 12th sanctions package adopted in December, which ordered companies in and outside the bloc to stop exporting products and technology to Russia by March 20.
That would mean that either A) it's not what triggered this change or B) the kernel wasn't legally following compliance requirements for almost a year
But besides that, that sanction is between EU<>Russia, not sure if that would ultimately enforce the kernel to implement those compliance requirements, unless also agreed and followed by the US.
Sounds like overreach by a company that is heavily invested in Linux as a base for its products, and is having a difficult time with US trade regulations.
Its pandering. I hope these developers petition to be added back.
Have to say that a lot of hacker news contributors really show their colors around events like this. This is a completely good thing to do and well past due.
Why should this be a problem for anyone outside of China? It's only when the same people can read your messages and send dudes with guns to your doorstep if they don't like what they see that things actually get dangerous.
That's interesting, but these seem like they are just a slightly more structured form of the ways in which the CCP has been known to keep track of their own nationals abroad for many years. Not only is there no evidence or reason to expect that they would interact with people who are not PRC nationals, they presumably don't have guns and certainly have no actual policing powers either. If these "Chinese police stations" were to dispatch someone to my door, I could just call the actual police to have them removed. Meanwhile, I doubt I could call the "Chinese police stations" to protect me from the police of the country I live in, if they were to act upon a friendly request from the US like the Swedes and British did with Assange or the New Zealanders did with Kim Dotcom.
How convoluted, insidious, and camouflaged can a hidden backdoor or exploitable intentional defect be?
If hacking or subversion is possible, it has been tried and will be again. If anyone is going to try it, chances are Putin's people will.
It's by far the sneakiest, most advanced cheating and infiltration apparatus humanity has ever known. It inherited a large "meddling war chest" from the Soviet Union, then invested heavily into it for 25 years. The Internet increased its opportunities a million-fold. Its semitransparent tentacles are now embedded into nearly every consequential organization on the planet.
Consider the xz episode as a baseline. It was fairly sneaky, but it was introduced by a newcomer to the project and affected mostly existing code. A more elaborate exploit might be submitted with a new feature by an established maintainer.
This could get messy in other projects, depending where this rule came from.
I know there are .ru maintainers in at least one other ; and what about distros?
It is wrong - plain and simple.
It is no different to racism.
As for Linus comments,
it is really surprising how many proper idiots working in IT industry.
It was not like that before..
Not long ago, simply reading Linux magazine was considered a terrorism.
Not sure this is really what anyone had in mind when sanctioning Russia? The maintainers probably aren't pleased but can't see a direct route from there to Putin's opinion of the war in Ukraine.
Probably not sanctions, but national security concerns.
The former aims to punish and worsen the situation of the other country, the latter aims to reduce the attack vector and improve the situation of the US.
If I were a KGB (FSB) agent with a task to undermine US infrastructure with my commits in Linux kernel, using my real russian name and .ru TLD would be the last thing to do.
Sure, but if I were an agency tasked with protecting US from security threats, I would begin with the lowest hanging fruit.
Yes, probably the guy who holds up the number "3" using his thumb, index, and middle finger shouldn't be allowed in the Super Secret Vault. But the dude right behind him who has "I'm Russian" tattooed on his forehead shouldn't be allowed in either, and he's a bit easier to spot.
It’s pretty evident at this point that any Russian citizen in Russia or with family in Russia can be coerced, and it’s also pretty clear that Putin specifically does not have good intentions.
There are lots of good people there. It’s too bad there is a crazy person at the helm.
It is evident everyone CAN be coerced. Not that everyone WILL BE, because some people still think of themselves as people, not some “honest citizens” or “economic agents”.
It is also evident that someone quite far from Russia HAS ALREADY BEEN coerced to make that unannounced change, but you try really hard to look the other way. “Those Linux nerds” were shown who's the boss in the room when it comes to “important matters”. Don't you feel that the form of that change itself is a sign of silent disobedience, and you are expected to participate in public outcry forcing further developments instead of just bending over willingly?
It is totally possible that there was some direct intelligence that those accounts can be used in some clandestine operation in the future, probably without even asking some of the owners. After all, spies are #1 information source to other spies, they run the global spectacle together. Still, accepting “this is secret” as an excuse, you are already accepting defeat.
The cost/risk to the Russian government of coercing someone to do anything is approximately zero. Not so much in the US/etc., the risk of negative consequences is not insignificant?
> were shown who's the boss in the room when it comes to “important matters”.
Or Linus just doesn't like Russia(ns)? Why is there a need for some conspiracy?
all you have to look at is the number of russian oligarchs being defenstrated since the invasion began to know that if it served russian aims to inject malware into the kernel somehow via their maintainers it would probably be tried. the maintainers are probably not oligarch level rich so imagine the pressure on them if needed.
if you believe Russian government would coerce its own citizens, why do you not believe they would coerce foreigners? they have a world class intelligence agency that routinely assassinates regime enemies in foreign countries after all, so why should it be any harder for them?
This was a very bad move by the Linux foundation. They should get new lawyers. Linux development should probably be moved outside of wartime/unstable jurisdictions like the US.
My worry is less about big projects being inclusive and multinational, and more about whether there are clear guidelines and specific reasons given when people are kicked off or otherwise demoted.
Nobody likes being at the mercy of a system that feels capricious.
I guess that's it. Open source is a fantasy that started coming to an end about 15 years ago. We lived in a fantasy world in 90s-00s, where there were no governments, no corporations and almost no people that make you shake your head. It was so easy (and of course silly, in the hindsight) to believe, that the internet is some another world, where earthly matters do not concern us. And everything was just about improving this world for ourselves. It's not like people often agree to work for free otherwise. Working for free is incompatible with capitalism, and we learn to believe that nothing else is truly possible in the real world. It's not like "open source" doesn't have a point in that imperfect world with governments, corporations and 8B people, that the internet seemed disconnected from for a while, it just doesn't have place. It simply almost doesn't happen there.
So, now the real world has slowly catched up to that fantasy world of ours. The winter has really come.
Can we please get a fraction of the resources currently put into Linux kernel development and start developing a robust userland ecosystem for SeL4?
Microkernels in general already mitigate the possible damage that could be done by rogue code in large monolithic kernels. A formally verified microkernel like SeL4 is an even better guarantee. And performance concerns of microkernels are practically solved at this point.
These sorts of nation-state sponsored malicious code practices could be made mostly irrelevant. We just need a little momentum to get us there.
>No, but I'm not a lawyer, so I'm not going to go into the details that I - and other maintainers - were told by lawyers. >I'm also not going to start discussing legal issues with random internet people who I seriously suspect are paid actors and/or have been riled up by them.
Which I find pretty concerning statements, quite a disservice to the community. It's a global community, and here the maintainers take some action without explanation. They don't even have a communiqué at hand to tell people what this action is, why it was taken, and which alternatives were considered but rejected. This is the bare minimum that I expect of the maintainers of a piece of software that is very critical to many millions of systems worldwide. Counting on the goodwill of users is not acceptable for an operating system that underpins the security of people's computers.