Microkernels in general already mitigate the possible damage that could be done by rogue code in large monolithic kernels. A formally verified microkernel like SeL4 is an even better guarantee. And performance concerns of microkernels are practically solved at this point.
These sorts of nation-state sponsored malicious code practices could be made mostly irrelevant. We just need a little momentum to get us there.
>No, but I'm not a lawyer, so I'm not going to go into the details that I - and other maintainers - were told by lawyers. >I'm also not going to start discussing legal issues with random internet people who I seriously suspect are paid actors and/or have been riled up by them.
Which I find pretty concerning statements, quite a disservice to the community. It's a global community, and here the maintainers take some action without explanation. They don't even have a communiqué at hand to tell people what this action is, why it was taken, and which alternatives were considered but rejected. This is the bare minimum that I expect of the maintainers of a piece of software that is very critical to many millions of systems worldwide. Counting on the goodwill of users is not acceptable for an operating system that underpins the security of people's computers.
You can’t cry foul when the group is literally providing you with free software. Open source institutions don’t own anyone anything beyond open software.
As an open source community leader, putting up consists of leading well, and transparently. It's not just a coding role. He may have inherited the leadership role by being the original coder but he has to keep it by being a worthy leader.
I speculate Linus or Greg received the equivalent of a National Security Letter. Otherwise they could point to the regulations.
It's not their software. Linux kernel is written by thousands of people from all around the world.
I don't know if that's accurate, but seems feasible. If so I'm 100% behind it.
It'd be nice to know the exact reasoning for this, rather than just see a commit without any context of why they're being removed. I'm pretty sure we'll know in due time.
I highly doubt anyone banned will even try to send "sufficient documentation". The wording is as vague and arbitrary as it gets, and the underlying tone sounds to me not like "we have such and such requirements", but like "some Russian-sounding names are banned, but we still have to demonstrate there is a due process".
Reminds me of banks. Banks are fined for not having processes for detecting money laundering. Not money laundering, mind it, just having "inadequate" processes. If such a process flags someone, that someone is blocked and they should provide "sufficient documents", but the bank is not allowed to tell them why or what, that would be "tipping off", which is illegal. And then it all comes down to bank's internal policies (that the bank is not allowed to disclose) or even a personal relationship with a branch manager.
Isn't that how most compliance regulation works? You can't force companies to have a perfect record of preventing something, no matter how you structure things, so instead of trying to do so, you setup something that will at least preventing it somewhat. And then you fine the companies who don't do anything to prevent the issue.
That's not true! There are still many Russian maintainers in the kernel, but they are not based in Russia. They only banned individuals, based in Russia, who are employed by sanctioned companies.
Not much exact reasoning added, if you ask me. Quoting:
> Ok, lots of Russian trolls out and about.
> It's entirely clear why the change was done, it's not getting reverted, ...
> And FYI for the actual innocent bystanders who aren't troll farm accounts - the "various compliance requirements" are not just a US thing.
> If you haven't heard of Russian sanctions yet, ...
> As to sending me a revert patch - please use whatever mush you call brains. I'm Finnish. ...
is it? the actual specifics of the sanctions matter, I don't think any of the US sanctions would prevent them from participating in kernel programming.
I saw some comments on Reddit about people with @gmail.com (I think), but other comments pointed out that these people were not actually removed and were just present on a screenshot.
Any self-respecting maintainer will not come back after this.
Linux might have a lot of developers, but has a hard time finding and retaining maintainers.
This is not a good development.
EFF should start a fork if any part of them still stands for what's in their name.
It's not a big deal for Linux either, the code in question is mostly for devices that are not sold in the west. So no loss there.
That's the beauty of open source, you can say no to contributions for any reason whatsoever, and the contributor can fork your code and continue to develop it as they please.
I live in a country which may one day find itself under US sanctions, and I'm been busy cutting reliance on American services, just to avoid having to migrate everything in a rush if that happens. Everyone here understands this (for example, my day job migrated off GitHub to self hosted gitlab back in 2022), and I can't imagine many people will be interested in spending years of effort to then possibly be kicked from the project because they chose to be born in a wrong country.
Something like 80-90% of said contributions are essentially corporate.
If Americans want to participate in international communities they are free to leave the US. Aren't they?
BTW Linus is Finnish and Sergey Mikhailovich Brin is Russian
The harsh reality is that the west is now that place where people think it's a crime to be born in a place instead of another...
I'll quote something for you
criminalizing individuals based on their place of birth or nationality is generally considered a violation of international human rights law. Principles of non-discrimination are central to international agreements like the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. These treaties emphasize that all people, regardless of origin, have the right to equality before the law and protection from discrimination.
Care to name a few?
Ok, lots of Russian trolls out and about. It's entirely clear why the change was done, it's not getting reverted, and using multiple random anonymous accounts to try to "grass root" it by Russian troll factories isn't going to change anything. And FYI for the actual innocent bystanders who aren't troll farm accounts - the "various compliance requirements" are not just a US thing.
If you haven't heard of Russian sanctions yet, you should try to read the news some day. And by "news," I don't mean Russian state-sponsored spam. As to sending me a revert patch - please use whatever mush you call brains. I'm Finnish. Did you think I'd be _supporting_ Russian aggression? Apparently it's not just lack of real news, it's lack of history knowledge too.
But this change here feels like there was pressure from the DoD or White House. A lot of sanctions seems to be introduced and enforced informally.
> The ban complies with the EU’s 12th sanctions package adopted in December, which ordered companies in and outside the bloc to stop exporting products and technology to Russia by March 20.
That would mean that either A) it's not what triggered this change or B) the kernel wasn't legally following compliance requirements for almost a year
But besides that, that sanction is between EU<>Russia, not sure if that would ultimately enforce the kernel to implement those compliance requirements, unless also agreed and followed by the US.
Some of them, yes, some of them, no. /s
Its pandering. I hope these developers petition to be added back.
If hacking or subversion is possible, it has been tried and will be again. If anyone is going to try it, chances are Putin's people will.
It's by far the sneakiest, most advanced cheating and infiltration apparatus humanity has ever known. It inherited a large "meddling war chest" from the Soviet Union, then invested heavily into it for 25 years. The Internet increased its opportunities a million-fold. Its semitransparent tentacles are now embedded into nearly every consequential organization on the planet.
Consider the xz episode as a baseline. It was fairly sneaky, but it was introduced by a newcomer to the project and affected mostly existing code. A more elaborate exploit might be submitted with a new feature by an established maintainer.
The former aims to punish and worsen the situation of the other country, the latter aims to reduce the attack vector and improve the situation of the US.
There are lots of good people there. It’s too bad there is a crazy person at the helm.
Then they should be reminded that their military is actively using Linux to kill Ukrainian civilians https://en.wikipedia.org/wiki/Astra_Linux
Some examples:
https://www.theverge.com/2022/6/8/23159656/microsoft-russia-...
https://www.reuters.com/business/russia-shrugs-off-jobs-impa...
https://www.hpe.com/us/en/newsroom/statement/2022/06/hpe-ann...
https://newsroom.ibm.com/Update-on-IBMs-Business-Operations-...
Nobody likes being at the mercy of a system that feels capricious.
So, now the real world has slowly catched up to that fantasy world of ours. The winter has really come.
They seem to have a lot of what kids today would call bangers.
Some of my favorite Argentine songs: Donde Manda Marinero, En La Ciudad De la Furia. Fabiana’s album that I torrented back in the day happens to be covers of the famous songs and I like a lot of them too
Disclaimer, I just happened to know some Argentine songs that are total ear worms, not necessarily an expert in Argentine music
If Project P in Country A is identified by Country B as a potential target for planting cyber-attack-enabling backdoors, Country B has an incentive to find people to put a backdoor in P.
If Country B is a free country with rights and ethics, they will say "Help us put a backdoor in P. We'll pay you very well for services rendered," or try to get someone who already works for Country B intelligence into P's management structure.
If Country B is an "evil" country, they will do all of the above, but will also tell people of influence in P who live or have family in Country B or its allies, "Help us put a backdoor in P. If you refuse or if the backdoor doesn't work or if the legitimate workers of P find it and remove it before it helps us, you'll be arrested and/or tortured and/or killed and/or your family too."
Removing Russian based kernel maintainers from positions in which they could conceivably help insert a backdoor into the kernel hopefully removes the incentive for the Russian government to threaten (or carry out) horrific violence against these individuals and their families.
register a free gmail account and come up with a fake name. Gotcha. Certainly no bad guy will ever think of this.
I think Australia had something called Technical Capability Notices (TCNs) back in 2018? For legal entities for sure, not sure about hobbyists.
The last paragraph also makes the whole situation sound like someone cares for Russian developers' well-being. I highly doubt it was ever the intention.
It also made me realise what a cushy, insular world I live in not having to worry about those threats when I write software. Made me more aware of what others might face.
True life-changing money, in all absolute sense.
Not that I disagree with the move 100%, but I don't think it's that clear cut.
cough xz cough
What you wrote is very logical but it doesn't explain who defines how "evil" the country is. And the answer is "US". All your 4 paragraphs could be rewritten with "US defines if you are worthy or not". Which sounds real and quite disappointing to many people who thought Linux is a shared effort of the humanity
I haven't followed the original events but I understand their actions. Probably they need to have "no russian developers" ticked for compliance for some defense contractor. So they have run "grep -rF .ru .git/" and found russian developers to remove to tick that requirement. I would have probably done the same -- it's easier to do it that to explain to many people why those people aren't evil
If your system relies on people being in "a free country with rights and ethics", then you have a bad system widely open to abuse. After all, who decides which country is "free" and which is not? White house? Should you exclude people from all "non-free" countries?
How child play and naive you're thinking of politics. If Russia ever had that degree of power to control the behavior of its citizens, it would have already ruled the world.
You can't even fully control a 5-person band and you're telling us that magically Russia is able to control millions of people, amongst which none of them know justice or human rights enough to leak any info. You know, even under the infamous assassin attempts from FBI, Snowden managed to flee to Russia. How can Russia be more powerful than the US in this way?
I'm not saying good words to any regime. I mean both the US sanction and the Russian invasion suck. I don't want another country bossing over what you can do, and I don't want another country pointing guns on your head either.
To this casual bystander it seems like they usually hurt innocent citizens far more than the leaders of the usually authoritarion regime that it targets.
That's kinda the point. The common folk put pressure on their leaders to correct their behavior.
Do you not think that at least 50% of all people in Russia would vote for Putin or his affiliates (even if the elections weren't falsified)? Therefore most people in Russia are certainly not innocent.
if you really think so strongly about it maybe you should run "Red Star OS" instead
While a little bit too much of a guess, it's quite possible that whatever three letter agency finally had a high-confidence note on who was behind the XZ backdoor and decided to issue an (blatant) order to kick out all Russian maintainers, because that's how USG usually works.
Yes, probably the guy who holds up the number "3" using his thumb, index, and middle finger shouldn't be allowed in the Super Secret Vault. But the dude right behind him who has "I'm Russian" tattooed on his forehead shouldn't be allowed in either, and he's a bit easier to spot.
They’ve literally killed most powerful and influential opposition leader on open display. Use your brain, it’s not hard.
What specific law are you talking about?
They just happened to still use their older .ru email in the MAINTAINERS file.
It is also evident that someone quite far from Russia HAS ALREADY BEEN coerced to make that unannounced change, but you try really hard to look the other way. “Those Linux nerds” were shown who's the boss in the room when it comes to “important matters”. Don't you feel that the form of that change itself is a sign of silent disobedience, and you are expected to participate in public outcry forcing further developments instead of just bending over willingly?
It is totally possible that there was some direct intelligence that those accounts can be used in some clandestine operation in the future, probably without even asking some of the owners. After all, spies are #1 information source to other spies, they run the global spectacle together. Still, accepting “this is secret” as an excuse, you are already accepting defeat.
> were shown who's the boss in the room when it comes to “important matters”.
Or Linus just doesn't like Russia(ns)? Why is there a need for some conspiracy?
In any case: (1) there has never been a "civil war" in Ukraine in modern times; (2) Azov was formed in May 2014, well after Russia's invasions of both the Donbas and the Crimea were well underway; and (3) nevermind the rest.
And BTW, speaking about Azov:
In 2016, Amnesty International and Human Rights Watch received several credible allegations of abuse and torture by the regiment. Reports published by the Office of the United Nations High Commissioner for Human Rights (OHCHR) documented looting of civilian homes and unlawful detention and torture of civilians between September 2014 and February 2015 "by Ukrainian armed forces and the Azov regiment in and around Shyrokyne".
Another OHCHR report documented an instance of rape and torture, writing: "A man with a mental disability was subject to cruel treatment, rape and other forms of sexual violence by 8 to 10 members of the 'Azov' and the 'Donbas' battalions (both Ukrainian battalions) in August–September 2014. The victim's health subsequently deteriorated and he was hospitalized in a psychiatric hospital." A report from January 2015 stated that a Donetsk People's Republic supporter was detained and tortured with electricity and waterboarding and struck repeatedly on his genitals, which resulted in his confessing to spying for pro-Russian militants.
When a society starts shadowboxing figments of its own imagination, that is not a good sign for the health of the society.
Linus holds the trademark. The copyright holders are the contributors to the source code. Nobody "owns" it, that's the point, it's an international project.
If the Russian government is blackmailing you your are certainly screwed. In US.. well it depends but you could quite easily bring down the people doing this to you with yourself if you chose not to comply. Therefore no rational US government "actor" would engage in something like that outside of extreme circumstances.
I personally don't see much difference between "going down" and "going down together with other people". At least for myself and my family. I'm screwed anyway.
the Linux User Group of Northern Virginia, the suburb of DC with all of the money, used to hold their events at local Palantir office.
lotta Red Hat contracts with the FedGov. And RH commits a lot of code to the kernal and other FOSS projects.
Nor are Americans, by this standard - what we've done directly in Syria & Iraq is quite bad and enjoyed substantial popular support.
We can and know that. Just talk with your fellow Russians.
> "lowest classes"
I find it hard to believe that there aren't plenty of people who are middle class and above who support the regime. After all Russia's economy is almost entirely based on raw resources extraction and (now) military related industries.
> If your image of the Russian society is based solely on US left-wing media
And yours is based on Kremlin propaganda channels and media sources? See what I did there? Both assumptions are equally valid/invalid and neither contributes anything to a meaningful discussion besides immediately shutting down the possibility of one existing.
People/companies do this because lawyers tell them that there is a risk that the activity may violate sanctions. And yes the lawyers are probably overly conservative, but that's because there often isn't a way to know for sure whether something is actually a violation until you end up in the courtroom.
You've outlined a justification based on a kafkaesque stockholm syndrome vibe. The system doesn't work as well as it's being advertised, does it?
Not being in active occupation war would be a good start.
1. The mechanisms for its existence exist
2. There is motivation of a large enough scale
3. The scale of the actors is large enough
The Linux kernel is very large, and nation-states like Russia are also very large. There is a very high motivation for a backdoor to exist for the Russian government. And the mechanisms are certainly in place to create such a backdoor.
So, I conclude there would absolutely be a Russian backdoor planted, if it isn't already. For the same reasons I conclude Windows probably has multiple backdoors for US agencies.
As a side-note, the scale of the Linux Kernel matters here. It's over a billion lines of code. It's truly trivial to sneak in an exploit and have it never be discovered. You can't prove a negative here - just because we haven't seen an exploit doesn't mean they don't exist. Also, we have found MANY bugs in the Linux kernel. Are they exploits intentionally planted? Virtually impossible to tell. Some bugs have existed for decades before discovery.
You should assume your operating systems already contain many exploits. Thus, we have tools like encryption, firewalls, and trusted repos to protect us anyway.
Note this doesn't mean I support the move. Certainly, any other country could implant backdoors (and probably have already). However, the Linux kernel kind of sort of belongs to the West, and the West kind of sort of has an alliance. So it makes sense why Russia is singled out.
> the Linux kernel kind of sort of belongs to the West,
I don't agree.
For the same reason, I can be highly confident there is at least one person stealing office supplies at Amazon. And I can be highly confident there are some examples of data theft in automobiles. I just use the same principles as above.
> I don't agree.
Okay. How?
The vast majority of Kernel developers are from the West and live in the West. The kernel was created in the West. Management is in the West. And the majority of large tech companies are Western, so probably the majority of Kernel users are also in the West.
Therefore, the West has a majority control over the kernel, and they have a huge incentive to "protect" it to how they define that. That's that, and we can tell this is the case because it wasn't Russia banning western devs from kernel development, was it?
Also: on the topic of chaos, this is why the "motivation" bullet point exists. If there's no motivation, I can't be sure, due to chaos. Chaos means even things that should happen may not. Motivation, particularly of the financial variety, cuts through the chaos of humanity. I am very confident in asserting that and I think pretty much all of history supports that.
Has that strategy ever worked?
But sure.. usually it doesn't really work out.
Of course weakening the target country economically, politically and militarily is still better than nothing,