Official statement regarding recent Greg’ commit 6e90b675cf942e from Serge Semin

Hello Linux-kernel community,

I am sure you have already heard the news caused by the recent Greg’ commit 6e90b675cf942e (“MAINTAINERS: Remove some entries due to various compliance requirements.”). As you may have noticed the change concerned some of the Ru-related developers removal from the list of the official kernel maintainers, including me.

The community members rightly noted that the quite short commit log contained very vague terms with no explicit change justification. No matter how hard I tried to get more details about the reason, alas the senior maintainer I was discussing the matter with haven’t given an explanation to what compliance requirements that was. I won’t cite the exact emails text since it was a private messaging, but the key words are “sanctions”, “sorry”, “nothing I can do”, “talk to your (company) lawyer”… I can’t say for all the guys affected by the change, but my work for the community has been purely volunteer for more than a year now (and less than half of it had been payable before that). For that reason I have no any (company) lawyer to talk to, and honestly after the way the patch has been merged in I don’t really want to now. Silently, behind everyone’s back, bypassing the standard patch-review process, with no affected developers/subsystem notified - it’s indeed the worse way to do what has been done. No gratitude, no credits to the developers for all these years of the devoted work for the community. No matter the reason of the situation but haven’t we deserved more than that? Adding to the GREDITS file at least, no?..

I can’t believe the kernel senior maintainers didn’t consider that the patch wouldn’t go unnoticed, and the situation might get out of control with unpredictable results for the community, if not straight away then in the middle or long term perspective. I am sure there have been plenty ways to solve the problem less harmfully, but they decided to take the easiest path. Alas what’s done is done. A bifurcation point slightly initiated a year ago has just been fully implemented. The reason of the situation is obviously in the political ground which in this case surely shatters a basement the community has been built on in the first place. If so then God knows what might be next (who else might be sanctioned…), but the implemented move clearly sends a bad signal to the Linux community new comers, to the already working volunteers and hobbyists like me.

Thus even if it was still possible for me to send patches or perform some reviews, after what has been done my motivation to do that as a volunteer has simply vanished. (I might be doing a commercial upstreaming in future though). But before saying goodbye I’d like to express my gratitude to all the community members I have been lucky to work with during all these years.

  • BCsven@lemmy.ca
    link
    fedilink
    arrow-up
    14
    arrow-down
    1
    ·
    edit-2
    18 days ago

    If the company is in the USA they can restrict who you colloborate with. Thry also can control what you export as asoftware product under ITAR/EAR rules. It is why when some encryotion work had to be done the devs crossed the border into Canada to work on development because under USA law encryption code is a controlled export product even if opensource

    • 0x4E4F@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      5
      ·
      18 days ago

      Then why in the hell was the LF founded in the US? That is something that clearly needs explaining. For example, Sweden is a much better place to do these sorts of things, their software laws are very liberal.

      Some of these things need to be rethought if you ask me, this is not something that should be left like this. If no one in the kernel, including Linus, doesn’t see a serious problem with “we have to move people around to code”, then most of these people are probably braindead… I’m sorry, but if it was me, once I found out I had to move devs around to code, I would have been “fuck this we’re moving the foundation”.

      • kattfisk@lemmy.dbzer0.com
        link
        fedilink
        arrow-up
        11
        arrow-down
        1
        ·
        18 days ago

        You might be surprised to learn that Sweden also has sanctions against Russia, together with the rest of the EU, Norway, Switzerland, Japan, Australia, South Korea and a bunch of other countries. Because this is not about the US being an ass, it’s about Russia being an ass.

        • secretlyaddictedtolinux@lemmy.world
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          17 days ago

          You don’t get it. It’s the lack of transparency about kicking these people out, not the kicking these people out, that is the problem. Who made the decision?

          It makes sense to sanction Russia for being an ass but the way this was done doesn’t feel open, and many people sense it.

        • 0x4E4F@infosec.pubOP
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          3
          ·
          18 days ago

          I wasn’t saying that Russia is not an ass, I was just saying that the whole point of open source is that it’s above borders and nationalities, religion, sexual orientation, etc. It should be an imperative to keep these core values, not bend over backwards when even no warning has been issued, which I’m fairly certain it would have never happened. And on top of that, Linus’es reaction to them being Russian, I mean… come on!

          • kattfisk@lemmy.dbzer0.com
            link
            fedilink
            arrow-up
            6
            ·
            17 days ago

            I’m sorry but that is absolutely not “the whole point of open source”.

            The point of open source is the ability to read, modify, keep and share the source code of the software you use.

            • secretlyaddictedtolinux@lemmy.world
              link
              fedilink
              arrow-up
              1
              arrow-down
              1
              ·
              edit-2
              17 days ago

              These projects are so big and complex that even with open-code a malicious actor is sometimes able to insert damaging code. Who suddenly made this decision? Did the US government order them to do this? If the US government can order them to do this, can they order the elevated coding status of a “benevolent” contributor on the US government payroll who is then ordered to put in a very hard to detect exploit? Open code doesn’t mean exploit free, it means exploits are more likely to be patched.

          • Auli@lemmy.ca
            link
            fedilink
            English
            arrow-up
            6
            arrow-down
            1
            ·
            18 days ago

            Where does this idea the open source is not political and above boarders. Open source is very political in its nature.

            • 0x4E4F@infosec.pubOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              17 days ago

              Political as in freedom to contribute, not political as in “we’re banning devs because they work for someone we don’t like”.

                • 0x4E4F@infosec.pubOP
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  17 days ago

                  Even if that is the case, that doesn’t mean that their code or the code they approve is garbage. I don’t care who you are or who you work for. What you do in your life outside of open source is your own business. Quality of code is what matters in open source.

      • Auli@lemmy.ca
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        18 days ago

        Don’t know if it would help as there are international sanctions against Russia.

      • IrritableOcelot@beehaw.org
        link
        fedilink
        arrow-up
        2
        ·
        18 days ago

        Thats a good point. I think its probably because most of the corporations who fund and contribute to the kernel are American, and coordinating financial and physical contributions would be complicated across borders. Just a hypothesis though.

        • 0x4E4F@infosec.pubOP
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          18 days ago

          But moving people around to code isn’t 🤨? I’m sure it far easier to justify a donation than to book plane tickets and find places for the devs where to stay. And to be perfectly honest, the whole point of open source is “you can contribute from anywhere”. The first time I would’ve encountered the move people around problem, I would have been “this is not the point of open source, it goes against the very spirit of it, we have to do something about this”.

      • secretlyaddictedtolinux@lemmy.world
        link
        fedilink
        arrow-up
        3
        arrow-down
        1
        ·
        edit-2
        17 days ago

        It would be much better if the company were not in a place in which gag orders can be issued, leaving questions as to transparency.

        As it stands now, it isn’t clear if Linus is just “grouchy” about this with a unique personality or if the foundation got a NSL and can’t say anything. And that leads to questions about whether there were other NSLs other than this one and if it’s had an impact on the code.

        Exploits are so hard to detect sometimes if done well and often although they get patched… eventually… the damage is done prior to the patch. The US government, despite doing lots of good things, engages in torture. And even if the US government is the “good guy,” this leads to less trust in the open-source ecosystem, no matter what the justification.

      • BCsven@lemmy.ca
        link
        fedilink
        arrow-up
        1
        ·
        18 days ago

        I agree it might be better elsewhere. (Like how my preference is Protonmail being hosted by a neutral country based company) But so I don’t mislead, my encryption example was generic, not specific to linux kernel…however any novel encryption does have to be noted to NSA and other organizarions in the USA. Canada has something similar but it appeared less strigent, and adjustments have been made between the bordering countries. I personally diaagree that encryption should have government hand in it, it solves nothing. A foreign state actor wanting to send encrypted communications to overthrow another entity isn’t going to follow software laws anyway.

        • 0x4E4F@infosec.pubOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          18 days ago

          Like how my preference is Protonmail being hosted by a neutral country based company

          I also use Protonmail because of this. Sure, the free plan is not really great, but I only keep important stuff, so I don’t get over the 500MB limit, I delete or archive the rest.

          kernel…however any novel encryption does have to be noted to NSA and other organizarions in the USA

          That may be true, but only if you’re a US citizen. For example, my country doesn’t have such regulations. In the end, if it’s open source, it shouldn’t matter whether I report stuff like that to any organization. It’s open source, look it up, it’s on a git repo online freely for everyone to review the code.

          A foreign state actor wanting to send encrypted communications to overthrow another entity isn’t going to follow software laws anyway.

          Exactly. As if hacking and DDOSing are legal 😒. It’s just throwing money away on some people doing pointless things.

          On the other hand, having a ln encryption technologies taskforce makes sense IMO. Watching over what’s going on in the open source world regarding cryptography, yeah, that is something that can actually be useful… for the country’s cyber-security I mean.