I for one am going through quite a culture shock. I always assumed the nature of FOSS software made it immune to being confined within the policies of nations; I guess if one day the government of the USA starts to think that it's a security concern for China to use and contribute to core open source software created by its citizens or based within its boundaries, they might strong-arm FOSS communities and projects to make their software exclude them in some way, or worse, declare GPL software a threat to national security.
So like what happened?
Recently, Linux removed several people from their organization that have Russian email addresses. Linus made a statement that confirmed this was done intentionally. I believe that there was some mention of following sanctions on Russia due to the war. I haven’t looked into the details of it all, so take my analysis with a grain of salt. From what I understand, it sounded like it was only Russian maintainers that were removed and normal users submitting code from Russia can still contribute. Maintainers have elevated permissions and can control what code gets accepted into a project, meaning that a bad actor could allow some malicious code to sneak past. This may have also contributed to the decision since this type of attack has happened before and Russia seems like a likely culprit. The reactions to this change have been varied. Some people feel it is somewhat justified or reasonable, some people think that it means it is no longer open source, and some people think it is unfairly punishing Russian civilians (it is worth noting that that is part of the point of sanctions).
As per usual, the discussion of the Linux drama far exceeds the actual drama. I’m guessing most of those people will still contribute.
Nothing is devoid of global politics.
Russian maintainers were unceremoniously kicked out citing compliance issues.
Linux at this point is an absolutely critical part of the information infrastructure our world is built on. It’s not just a few nerds in basements cobbling together code. Safeguarding this infrastructure against bad actors is absolutely crucial for everybody’s safety. Unfortunately we’re going to see more of this kind of stuff in an increasingly polarised world.
Depending on industry, 60-80% of all servers, globally, are running on Linux. So yes, we are not going away.
Israelis are more known for putting backdoors wherever they can than Russians, for example.
Anyway, nation-states are not the only kind of group with malicious interest. Maybe a maintainer is a member of some mafia, I dunno. How are you going to know this?
Many things can be done with FreeBSD. Again, in our time it may get some popularity again not because of such events even, but because of their possibility and to avoid monoculture (in the context of backdoors too).
Not really, since open source is most of the time still the best option, and you can't really control open source since there is always the option to fork things. (For example, if the US decided that China is a no-no, the open source community in the EU or India can do what they want since it is not under their jurisdiction.)
But then the project loses momentum and the userbase fragments; open source projects are fragile as they are mostly volunteer work. I guess the discussion of government threat and overreach towards open source projects mostly happens in the context of cryptocurrencies and other ‘disruptive’ software.
Same here. For now it’s only barring contributors which won’t harm actual users much, but that could change in the future with the precedent this is setting.
What’s the point of “FOSS” at that point if it’s not so different from corporate products, being similarly vulnerable to sanctions? I could see genuine free software being relegated to piracy communities if it goes that far.
FOSS gives people the option to take the original code and create their own version of it in case they don’t like what the original maintainers are doing. With closed source you would be stuck and would have to look for something new.
No.
Yes. If FOSS projects bend the knee to shitty laws just because “they are the law”, then FOSS is free labor for corporations with no gains for the people.
Which corporation are you talking about here?
Nearly every single corporation with an online presence uses free software from the foss community.
America™
The usual consequences to not following the law are not in your favor.
If your goal in contributing to FOSS is to go to prison, there are a lot better avenues to achieve that.
Laws aren’t always right and governments don’t always do the best, neither for the world nor for its citizens. Open source projects and corporations shouldn’t rely on any government, they shouldn’t do the bidding of governments — either “good” or “bad” — and should act in people’s best interests.
Of course this is a pipe dream, and what we got is more free work for companies with none of the benefits.
I don’t understand why you think “avoiding prison” equals free work for companies. The individuals contributing to open source are subject to the same laws we’re discussing in this thread, and are the ones that would actually be getting consequences.
No one exists without a government, and that’s not even a pipe dream, it’d be societal collapse.
That’s the point of FOSS as copyleft, to use the law to protect “free and open” information. This allows bigger projects, because contributors don’t have to keep their heads down.
At the same time maybe this is a downside, not an upside. As the reason why it has all gotten so big and complex and corporate-influenced.
It really is. Relying on a government’s good will to protect people’s best interests may be the point of failure of FOSS. I hope not, but I’m less and less optimistic about the future.
I’m ootl. Quick summary?
NO MORE FUN!
I get that it’s a nice daydream to think of open source projects as existing in some kind of independent, ethereal vacuum just because the code is out there and accessible from any place on Earth. But every software project is (mostly?) dependent on the jurisdiction of one country, in this case the US, and so their laws about sanctions and so on apply. And yes, this means that unless conflicts/wars between nations happen to cease, we will eventually have completely separated blocs of politics/culture/military and also IT. Globalization is over. China will have their own stuff, Russia will have their own stuff, and US+EU will have their own stuff. And none of those countries should continue using high-tech products made by the other because they could be sabotaged and it might be hard to find, so it’s best to not use them at all and just cook your own stuff. It’s unfortunate, but bound to happen in the current state of the political world.
Yes, bad actors can exist everywhere; it doesn’t really help anything but fragment the project and harm it. Do we need multiple directed forks? Fuck no, it will be best if everyone can monitor and contribute. I kind of think of it like they do peer reviewing in research and shit: it’s always better when more people can view it, that will leave less room for bias and frankly detect bad actors more easily.
I’m not concerned that they followed the best advice of their lawyers to respond to the legal and political challenges that currently exist.
I am concerned that hostile nation states (define those as you will) have made supply chain attacks (remember the xz Utils backdoor) so common that actions like this or worse are becoming necessary and that open source, globally contributed software could be at risk.
This does very little to protect against supply chain attacks.
Your example shows that too.
Increasing modularity and reducing complexity of software seem to be the right way to that end. Plan9, GNU Hurd, Minix3 are interesting in that context.
Certain Open Source movements are pure bigotry and opportunism, the Linux Kernel / The Linux Foundation for example, so it doesn’t really make me wonder.
If someone really wants to use the contribution of the expelled maintainers they can just make their own fork. Part of the Free in FOSS is the freedom to associate or not associate with contributors.
Not really, open source projects don’t necessarily have to be open to all contributors and I was aware of this already. They have to be open to anyone doing what they want with the code, by definition, which is good, but they don’t have to allow everyone to contribute to upstream. I’m not sure if there’s any particular defence against this being used in a discriminatory manner, but I do think this effect is significantly mitigated by the decentralised nature of open source and the fact that it’s not too uncommon for forks to become preferred over the original, the fact that open source projects rise and fall in popularity, etc.
I wonder if there’s some way to manage an open source project so that it’s not subject to particular national laws in this way.
It’s not decentralized on the level of project development, the visible proof of which is what we’ve seen happen.
How many times have you seen two branches of a significant project coexist with comparable popularity?
I wonder if there’s some way to manage an open source project so that it’s not subject to particular national laws in this way.
Yes. Pseudonymous software development. I’ve seen Ross Ulbricht’s name today, so we also know the risks.
Naturally this is closer to some underground warez than to copyleft, because the legal ways of protecting copylefted information against appropriation will not be available. A different paradigm.
I’m out of the loop, what’s the recent Linux drama? If you don’t wanna type it out, you can point me in the right direction. Thanks. :)
Torvalds kicked out a bunch of Russia-based kernel maintainers.
For additional context, this was not a choice, but a requirement. The Linux Foundation is US based, and Torvalds is a US citizen. This was required due to current US sanctions against Russia, and was not just some sort of “Russia bad” thing from Torvalds that a lot of people are framing it as.
this was not a choice, but a requirement
It has been framed as such, but no evidence has been given that it was a requirement.
and was not just some sort of “Russia bad” thing from Torvalds
The way he announced it and responded to the critics very much made it seem like that. He legitimately needs to shut the fuck up and get a PR person to talk in his stead.
It wasn’t a culture shock but it made something obvious that sometimes gets forgotten. The “Open” just means that one can look at the source code and copy it to make a new version. There is no obligation of the original creators to support things outside of what they want/can do.
Of course. It’s still just a software project.