by whimsicalism 602 days ago
Strongly opposed to any sort of sanction regime that results in this.
3 comments

Let me spell it out for you:

If Project P in Country A is identified by Country B as a potential target for planting cyber-attack-enabling backdoors, Country B has an incentive to find people to put a backdoor in P.

If Country B is a free country with rights and ethics, they will say "Help us put a backdoor in P. We'll pay you very well for services rendered," or try to get someone who already works for Country B intelligence into P's management structure.

If Country B is an "evil" country, they will do all of the above, but will also tell people of influence in P who live or have family in Country B or its allies, "Help us put a backdoor in P. If you refuse or if the backdoor doesn't work or if the legitimate workers of P find it and remove it before it helps us, you'll be arrested and/or tortured and/or killed and/or your family too."

Removing Russian based kernel maintainers from positions in which they could conceivably help insert a backdoor into the kernel hopefully removes the incentive for the Russian government to threaten (or carry out) horrific violence against these individuals and their families.

So all that an evil Russian who wants to commit murder by way of a git commit has to do is...

register a free gmail account and come up with a fake name. Gotcha. Certainly no bad guy will ever think of this.

A random free Gmail account and a fake name do not give you the ability to commit to the Linux kernel, so no.
It allows you to get code into the kernel by way of sending patches. Eventually you may earn enough trust to get into some kind of power position. Surely you remember the liblzma/xz story.
These people don't even remember that the man in the telly told them something completely different a month ago. As far as they are concerned, they've always been at war with Eastasia. And you are expecting them to remember something and draw parallels?
Either country can also say: "we have this law that requires people to help law enforcement agencies to implement backdoo^W special technical measures to advance national security interests, and also a gag order because it's a matter of national security".

I think Australia had something called Technical Capability Notices (TCNs) back in 2018? For legal entities for sure, not sure about hobbyists.

The last paragraph also makes the whole situation sound like someone cares for Russian developers' well-being. I highly doubt it was ever the intention.

Really appreciate informative comments like this, basically explaining from first principles and not assuming people are idiots for not immediately understanding the implications.

It also made me realise what a cushy, insular world I live in not having to worry about those threats when I write software. Made me more aware of what others might face.

It’s a made up scenario that has never been documented to happen with a major OSS project. The solution seems like an incredibly poor fit and this justification is retroactive. The notion that they are actually doing the Russian maintainers a favor is ridiculous.

When a society starts shadowboxing figments of its own imagination, that is not a good sign for the health of the society.

Yeah, I'm sure those Chinese and NK hackers are keen to document their blackmail, no way that could go badly for them.
It's open source, any exploit introduced by a maintainer is self-documenting. Provide a single example for the Linux kernel, please.
I would argue nobody needs to provide an example. IMO, we can assume an action to be taken if:

1. The mechanisms for its existence exist

2. There is motivation of a large enough scale

3. The scale of the actors is large enough

The Linux kernel is very large, and nation-states like Russia are also very large. There is a very high motivation for a backdoor to exist for the Russian government. And the mechanisms are certainly in place to create such a backdoor.

So, I conclude there would absolutely be a Russian backdoor planted, if it isn't already. For the same reasons I conclude Windows probably has multiple backdoors for US agencies.

As a side-note, the scale of the Linux Kernel matters here. It's over a billion lines of code. It's truly trivial to sneak in an exploit and have it never be discovered. You can't prove a negative here - just because we haven't seen an exploit doesn't mean they don't exist. Also, we have found MANY bugs in the Linux kernel. Are they exploits intentionally planted? Virtually impossible to tell. Some bugs have existed for decades before discovery.

You should assume your operating systems already contain many exploits. Thus, we have tools like encryption, firewalls, and trusted repos to protect us anyway.

Note this doesn't mean I support the move. Certainly, any other country could implant backdoors (and probably have already). However, the Linux kernel kind of sort of belongs to the West, and the West kind of sort of has an alliance. So it makes sense why Russia is singled out.

While everything you mention is absolutely true, to the credit of the opinion of whimsicalism, any maintainer worldwide could get offered tons of bitcoins to integrate a backdoor / "bug".

True life-changing money, in every absolute sense.

Exactly. And that's how the West / America would approach it. Throw money at it until you get what you want.
That’s generally how you incentivize humans, yes.
Cool. Which country owns the Linux kernel?

Not that I disagree with the move 100%, but I don't think it's that clear cut.

The Linux Foundation is a 501(c)(6) organization based in the U.S. of A.
Completely irrelevant. They are not the owner of the Linux kernel.

Linus holds the trademark. The copyright holders are the contributors to the source code. Nobody "owns" it, that's the point, it's an international project.

Linus, who since 2010 is an American citizen. Effectively, the US is probably the country closest to "owning" the kernel, in that if the US wanted to put an abrupt stop to kernel development, they could, if only for a short period until the project re-organizes. I don't think any other country possesses even the ability of doing so.
Any other person from any other country in the world can and could fork it in a heartbeat 100% legally. It wouldn't stop diddly squat, except that it loses its BDFL and finds another one in short order. There is absolutely zero the US could do about this.
Removing US based kernel maintainers from positions in which they could conceivably help insert a backdoor into the kernel hopefully removes the incentive for the US government to threaten (or carry out) horrific violence against these individuals and their families.

cough xz cough

It would only work if the specific government agency/actor could successfully conceal such actions from the rest of the government agencies, courts, media etc. etc. No such safety checks exist in Russia or other pseudo-fascist states.

If the Russian government is blackmailing you, you are certainly screwed. In the US... well, it depends, but you could quite easily bring down the people doing this to you with yourself if you chose not to comply. Therefore no rational US government "actor" would engage in something like that outside of extreme circumstances.

> In the US... well, it depends, but you could quite easily bring down the people doing this to you with yourself

I personally don't see much difference between "going down" and "going down together with other people". At least for myself and my family. I'm screwed anyway.

It has more to do with shifting the cost/incentives for the other side which would reduce the likelihood of you ending up in such a position.
Why would they threaten violence when they can offer money?

The Linux User Group of Northern Virginia, the suburb of DC with all of the money, used to hold their events at the local Palantir office.

Lotta Red Hat contracts with the FedGov. And RH commits a lot of code to the kernel and other FOSS projects.

What next? Removing all developers who have ever visited Russia (because they have probably been told they would be tortured unless they put in a backdoor)? Removing all developers that have family ties to China? Removing anyone who hasn't been born in the US and who has family outside of the US? If Linus' father, who lives in Finland, visits Russia, should Linus be removed then?

What you wrote is very logical, but it doesn't explain who defines how "evil" the country is. And the answer is "the US". All your 4 paragraphs could be rewritten with "the US defines if you are worthy or not". Which sounds real and quite disappointing to many people who thought Linux is a shared effort of humanity.

I haven't followed the original events, but I understand their actions. Probably they need to have "no Russian developers" ticked for compliance for some defense contractor. So they have run "grep -rF .ru .git/" and found Russian developers to remove to tick that requirement. I would have probably done the same -- it's easier to do it than to explain to many people why those people aren't evil.

Such a blatant BS rationalization... The commit literally talks about "compliance". This is nothing more than an easy alternative to navigating the obscure sanctioning regime. It's like self-censorship, people/companies do this because of the fear that their activity may fall under sanctions, even though it highly likely does not.

If your system relies on people being in "a free country with rights and ethics", then you have a bad system wide open to abuse. After all, who decides which country is "free" and which is not? The White House? Should you exclude people from all "non-free" countries?

> people/companies do this because of the fear that their activity may fall under sanctions, even though it highly likely does not.

People/companies do this because lawyers tell them that there is a risk that the activity may violate sanctions. And yes the lawyers are probably overly conservative, but that's because there often isn't a way to know for sure whether something is actually a violation until you end up in the courtroom.

> And yes the lawyers are probably overly conservative, but that's because there often isn't a way to know for sure whether something is actually a violation until you end up in the courtroom.

You've outlined a justification based on a kafkaesque stockholm syndrome vibe. The system doesn't work as well as it's being advertised, does it?

> After all, who decides which country is "free" and which is not?

Not being in an active war of occupation would be a good start.

And not killing journalists or the opposition would be also a nice touch. Or not jailing people for having an opinion about the army.
I'm not saying the Russia invasion is not evil, but man, did you watch too many popcorn movies?

How childish and naive your thinking about politics is. If Russia ever had that degree of power to control the behavior of its citizens, it would have already ruled the world.

You can't even fully control a 5-person band and you're telling us that magically Russia is able to control millions of people, amongst which none of them know justice or human rights enough to leak any info? You know, even under the infamous assassination attempts from the FBI, Snowden managed to flee to Russia. How can Russia be more powerful than the US in this way?

I'm not saying good words to any regime. I mean both the US sanction and the Russian invasion suck. I don't want another country bossing over what you can do, and I don't want another country pointing guns on your head either.

> You can't even fully control a 5-person band and you're telling us that magically Russia is able to control millions of people, amongst which none of them know justice or human rights enough to leak any info?

They've literally killed the most powerful and influential opposition leader on open display. Use your brain, it's not hard.

Do sanctions ever actually work as intended?

To this casual bystander it seems like they usually hurt innocent citizens far more than the leaders of the usually authoritarian regime that it targets.

> To this casual bystander it seems like they usually hurt innocent citizens far more than the leaders of the usually authoritarian regime that it targets.

That's kinda the point. The common folk put pressure on their leaders to correct their behavior.

"Here, we'll hurt you so you'll go fight the guy who claims he's the only one protecting you from us."

Has that strategy ever worked?

South Africa? Rhodesia?

But sure.. usually it doesn't really work out.

Of course, weakening the target country economically, politically and militarily is still better than nothing.

Russians had every opportunity to kick out nuclear gnome before sanctions kicked in, but alas.
Western people had plenty of time to stop buying Russian oil after Crimea was stolen in 2014, but alas, they wanted to sponsor the Russian military and police so badly.
That assumes the common folk can put pressure on their leaders, which is usually not the case for countries targeted by sanctions from the US, which usually have autocratic or otherwise authoritarian governments.
History is full of violent revolutions against autocratic governments. We should inflict maximum pain on the Russian populace. Be as cruel as possible. Keep the pressure on. Eventually it might pay off. And even if it doesn't work, it serves as an object lesson to other countries on the consequences of opposing US policies.
So, what you want is essentially pushing a whole country's population around for your own amusement? Very motivating, not gonna lie!
Amusement has nothing to do with it. This is one method among many for pursuing national geopolitical goals. It's a shame that the Russian populace has to suffer, I bear them no ill will. But if they ever want to get out of international sanctions then they know what they need to do.
Like it or not, the leader derives his power from the populace. An autocrat is powerless without people going along.
Buy a ticket to Ukraine right about now and ask Ukrainians how amused they are. And don't forget to visit every country that had to take in millions of refugees.
> innocent citizens

Do you not think that at least 50% of all people in Russia would vote for Putin or his affiliates (even if the elections weren't falsified)? Therefore most people in Russia are certainly not innocent.

> most people in Russia are certainly not innocent.

Nor are Americans, by this standard - what we've done directly in Syria & Iraq is quite bad and enjoyed substantial popular support.

Perhaps. However, on the whole not particularly worse than what the local governments were already doing there (more so in Iraq, though).
We don't know and can't know that, there hasn't been a single election without major falsifications since about 2004. I personally don't know anyone who voted for him, but I don't keep many ties to the "lowest classes". If your image of the Russian society is based solely on US left-wing media, then it has even less resemblance to reality.
> We don't know and can't know that, there hasn't been a single election without major falsifications since about 2004.

We can and do know that. Just talk with your fellow Russians.

Even (pseudo)opposition polls generally show that most people support Putin? Yes I understand that polls in such a society might not be particularly meaningful. But I'm not even saying that most Russians actively support the government, implicit support (i.e. being unwilling to risk anything to change the status quo) is almost as good.

> "lowest classes"

I find it hard to believe that there aren't plenty of people who are middle class and above who support the regime. After all Russia's economy is almost entirely based on raw resources extraction and (now) military related industries.

> If your image of the Russian society is based solely on US left-wing media

And yours is based on Kremlin propaganda channels and media sources? See what I did there? Both assumptions are equally valid/invalid and neither contributes anything to a meaningful discussion besides immediately shutting down the possibility of one existing.

By that logic, North Korean subjects should also get maintainer rights.

If you really think so strongly about it, maybe you should run "Red Star OS" instead.

North Korean maintainers should be allowed, imo