by csense 600 days ago
Let me spell it out for you:

If Project P in Country A is identified by Country B as a potential target for planting cyber-attack-enabling backdoors, Country B has an incentive to find people to put a backdoor in P.

If Country B is a free country with rights and ethics, they will say "Help us put a backdoor in P. We'll pay you very well for services rendered," or try to get someone who already works for Country B intelligence into P's management structure.

If Country B is an "evil" country, they will do all of the above, but will also tell people of influence in P who live or have family in Country B or its allies, "Help us put a backdoor in P. If you refuse or if the backdoor doesn't work or if the legitimate workers of P find it and remove it before it helps us, you'll be arrested and/or tortured and/or killed and/or your family too."

Removing Russian-based kernel maintainers from positions in which they could conceivably help insert a backdoor into the kernel hopefully removes the incentive for the Russian government to threaten (or carry out) horrific violence against these individuals and their families.

9 comments

So all that an evil Russian who wants to commit murder by way of a git commit has to do is...

register a free gmail account and come up with a fake name. Gotcha. Certainly no bad guy will ever think of this.

A random free Gmail account and a fake name do not give you the ability to commit to the Linux kernel, so no.
It allows you to get code into the kernel by way of sending patches. Eventually you may earn enough trust to get into some kind of power position. Surely you remember the liblzma/xz story.
These people don't even remember that the man in the telly told them something completely different a month ago. As far as they are concerned, they've always been at war with Eastasia. And you are expecting them to remember something and draw parallels?
Either country can also say: "we have this law that requires people to help law enforcement agencies to implement backdoo^W special technical measures to advance national security interests, and also a gag order because it's a matter of national security".

I think Australia had something called Technical Capability Notices (TCNs) back in 2018? For legal entities for sure, not sure about hobbyists.

The last paragraph also makes the whole situation sound like someone cares for Russian developers' well-being. I highly doubt it was ever the intention.

Really appreciate informative comments like this, basically explaining from first principles and not assuming people are idiots for not immediately understanding the implications.

It also made me realise what a cushy, insular world I live in not having to worry about those threats when I write software. Made me more aware of what others might face.

It’s a made up scenario that has never been documented to happen with a major OSS project. The solution seems like an incredibly poor fit and this justification is retroactive. The notion that they are actually doing the Russian maintainers a favor is ridiculous.

When a society starts shadowboxing figments of its own imagination, that is not a good sign for the health of the society.

Yeah, I'm sure those Chinese and NK hackers are keen to document their blackmail, no way that could go badly for them.
It's open source, any exploit introduced by a maintainer is self-documenting. Provide a single example for the Linux kernel, please.
I would argue nobody needs to provide an example. IMO, we can assume an action to be taken if:

1. The mechanisms for its existence exist

2. There is motivation of a large enough scale

3. The scale of the actors is large enough

The Linux kernel is very large, and nation-states like Russia are also very large. There is a very high motivation for a backdoor to exist for the Russian government. And the mechanisms are certainly in place to create such a backdoor.

So, I conclude there would absolutely be a Russian backdoor planted, if it isn't already. For the same reasons I conclude Windows probably has multiple backdoors for US agencies.

As a side-note, the scale of the Linux Kernel matters here. It's over a billion lines of code. It's truly trivial to sneak in an exploit and have it never be discovered. You can't prove a negative here - just because we haven't seen an exploit doesn't mean they don't exist. Also, we have found MANY bugs in the Linux kernel. Are they exploits intentionally planted? Virtually impossible to tell. Some bugs have existed for decades before discovery.

You should assume your operating systems already contain many exploits. Thus, we have tools like encryption, firewalls, and trusted repos to protect us anyway.

Note this doesn't mean I support the move. Certainly, any other country could implant backdoors (and probably have already). However, the Linux kernel kind of sort of belongs to the West, and the West kind of sort of has an alliance. So it makes sense why Russia is singled out.

The world is a chaotic and complicated place, you cannot deductively prove things about the world in the manner you are trying. I do not support further securitization based on this style of reasoning. I think we lose more than we gain. If I should assume my OS already contains many exploits, it seems like the risk from Russians is just that they read the source code carefully.

> the Linux kernel kind of sort of belongs to the West,

I don't agree.

While everything you mention is absolutely true, to the credit of the opinion of whimsicalism, any maintainer worldwide could get offered tons of bitcoins to integrate a backdoor / "bug".

True life-changing money, in all absolute sense.

Exactly. And that's how the West / America would approach it. Throw money at it until you get what you want.
That’s generally how you incentivize humans, yes.
Cool. Which country owns the Linux kernel?

Not that I disagree with the move 100%, but I don't think it's that clear cut.

The Linux Foundation is a 501(c)(6) organization based in the USA.
Completely irrelevant. They are not the owner of the Linux kernel.

Linus holds the trademark. The copyright holders are the contributors to the source code. Nobody "owns" it, that's the point, it's an international project.

Linus, who has been an American citizen since 2010. Effectively, the US is probably the country closest to "owning" the kernel, in that if the US wanted to put an abrupt stop to kernel development, they could, if only for a short period until the project re-organizes. I don't think any other country possesses even the ability to do so.
Any other person from any other country in the world can and could fork it in a heartbeat 100% legally. It wouldn't stop diddly squat, except that it loses its BDFL and finds another one in short order. There is absolutely zero the US could do about this.
Removing US based kernel maintainers from positions in which they could conceivably help insert a backdoor into the kernel hopefully removes the incentive for the US government to threaten (or carry out) horrific violence against these individuals and their families.

cough xz cough

It would only work if the specific government agency/actor could successfully conceal such actions from the rest of the government agencies, courts, media etc. etc. No such safety checks exist in Russia or other pseudo-fascist states.

If the Russian government is blackmailing you, you are certainly screwed. In the US... well, it depends, but you could quite easily bring down the people doing this to you with yourself if you chose not to comply. Therefore no rational US government "actor" would engage in something like that outside of extreme circumstances.

> In the US... well, it depends, but you could quite easily bring down the people doing this to you with yourself

I personally don't see much difference between "going down" and "going down together with other people". At least for myself and my family. I'm screwed anyway.

It has more to do with shifting the cost/incentives for the other side which would reduce the likelihood of you ending up in such a position.
Why would they threaten violence when they can offer money?

The Linux User Group of Northern Virginia, the suburb of DC with all of the money, used to hold their events at the local Palantir office.

Lotta Red Hat contracts with the FedGov. And RH commits a lot of code to the kernel and other FOSS projects.

What next? Removing all developers who have ever visited Russia (because they have probably been told they would be tortured unless they put in a backdoor)? Removing all developers that have family ties to China? Removing anyone who wasn't born in the US and who has family outside of the US? If Linus' father, who lives in Finland, visits Russia, should Linus be removed then?

What you wrote is very logical, but it doesn't explain who defines how "evil" the country is. And the answer is "the US". All your 4 paragraphs could be rewritten as "the US defines if you are worthy or not". Which sounds real and quite disappointing to many people who thought Linux was a shared effort of humanity.

I haven't followed the original events, but I understand their actions. Probably they need to have "no Russian developers" ticked for compliance for some defense contractor. So they have run "grep -rF .ru .git/" and found Russian developers to remove to tick that requirement. I would have probably done the same -- it's easier to do it than to explain to many people why those people aren't evil.

Such a blatant BS rationalization... The commit literally talks about "compliance". This is nothing more than an easy alternative to navigating the obscure sanctioning regime. It's like self-censorship, people/companies do this because of the fear that their activity may fall under sanctions, even though it highly likely does not.

If your system relies on people being in "a free country with rights and ethics", then you have a bad system widely open to abuse. After all, who decides which country is "free" and which is not? White house? Should you exclude people from all "non-free" countries?

> people/companies do this because of the fear that their activity may fall under sanctions, even though it highly likely does not.

People/companies do this because lawyers tell them that there is a risk that the activity may violate sanctions. And yes the lawyers are probably overly conservative, but that's because there often isn't a way to know for sure whether something is actually a violation until you end up in the courtroom.

> And yes the lawyers are probably overly conservative, but that's because there often isn't a way to know for sure whether something is actually a violation until you end up in the courtroom.

You've outlined a justification based on a Kafkaesque Stockholm syndrome vibe. The system doesn't work as well as it's being advertised, does it?

> After all, who decides which country is "free" and which is not?

Not being in an active occupation war would be a good start.

And not killing journalists or the opposition would also be a nice touch. Or not jailing people for having an opinion about the army.
I'm not saying the Russia invasion is not evil, but man, did you watch too many popcorn movies?

How childish and naive your thinking about politics is. If Russia ever had that degree of power to control the behavior of its citizens, it would have already ruled the world.

You can't even fully control a 5-person band and you're telling us that magically Russia is able to control millions of people, among which none of them know justice or human rights enough to leak any info. You know, even under the infamous assassination attempts from the FBI, Snowden managed to flee to Russia. How can Russia be more powerful than the US in this way?

I'm not saying good words about any regime. I mean both the US sanctions and the Russian invasion suck. I don't want another country bossing over what you can do, and I don't want another country pointing guns at your head either.

> You can't even fully control a 5-person band and you're telling us that magically Russia is able to control millions of people, among which none of them know justice or human rights enough to leak any info.

They've literally killed the most powerful and influential opposition leader in open display. Use your brain, it's not hard.