Developers Debate Denying Updates for Open Source Software to Russia

Russia's invasion of Ukraine turns up in Mike Melanson's column "This Week in Programming": While the Open Source Initiative's (OSI) definition of open source software is quite clear on the matter — there must be "no discrimination against persons or groups" and "no discrimination against fields of endeavor" — the issue of who should be allowed to use open source software, according to ethical considerations, has long been debated.

Over the last month, this topic has again become a focus of debate as Russia's invasion of Ukraine has led to developers calling for blanket bans by companies like GitHub and GitLab; and to some developers even taking action. Earlier this month, we wrote about how open source gateway Scarf began limiting access to open source packages for the Russian government and military entities, via its gateway.

As we noted at the time, there was a primary distinction made when Scarf took this action: distribution of open source software is separate from the licensing of it. Those points of the OSI definition pertain to the licensing, not to some entity actively providing the software to others.

Since then, discussions around these ideas have continued, and this week an essay by Bradley M. Kuhn, a policy fellow and hacker-in-residence at the Software Freedom Conservancy, argues that copyleft won't solve all problems, just some of them.

The essay specifically takes to task the idea that open source software can effectively affect change by way of licensing limitations. He spent nearly 3,000 words on the topic, before pointedly addressing the issue of Russia — with a similar conclusion to the one reached by Scarf earlier this month. Kuhn argues that "FOSS licenses are not an effective tool to advance social justice causes other than software freedom" and that, instead, developers have a moral obligation to take stances by way of other methods.

"For example, FOSS developers should refuse to work specifically on bug reports from companies who don't pay their workers a living wage," Kuhn offers in an example.

Regarding Russia specifically, Kuhn again points to distribution as an avenue of protest, while still remaining in line with the principles of free and open source software.

"Every FOSS license in existence permits capricious distribution; software freedom guarantees the right to refuse to distribute new versions of the software. (i.e., Copyleft does not require that you publish all your software on the Internet for everyone, or that you give equal access to everyone — rather, it merely requires that those whom you chose to give legitimate access to the software also receive CCS). FOSS projects should thus avoid providing Putin easy access to updates to their FOSS," writes Kuhn.

No discrimination, huh?

[kmoser]

no discrimination against persons or groups

So they're ok with allowing known terrorists to use OSS in general, not to mention to create cyberweapons?

Re:

[K. S. Kyosuke]

Besides the fact that Freedom 0 says so (you *must* be able to run provided software for *any* purpose), even if you attempted to limit this, I'm not sure that terrorists would be stopped by your insistence that they cease to use your software. What would they do? Would they say "Blast! Our evil plan is foiled by this license clause!" and stop doing their terroristy things?

Re:

[K. S. Kyosuke]

The terrorist is free to obtain free software from *anyone* who redistributes it, not just the original author. That freedom is provided to others. Software is "provided" any time that someone decides to exercise freedoms 2 or 3. So your hypothetical "freedom -1" is irrelevant.

Re:No discrimination, huh?

[martiniturbide]

Came on guys. We know that Open Source and Free Software are made for everybody. Russians are good people, don't make it harder for them because they have a crazy leader.

Re:

[TheMiddleRoad]

A crazy leader they support. I'll call Russians good people when they start sabotaging their own government and military. Until then, not good people.

I was strongly against Trump, but he never got close to this.

Re:

[jwymanm]

Strongly against Trump.. pro world government thoughts on Ukraine. Basically just go with the flow of what MSM wants you to think. Congrats.

Re:

[Chumm]

What is believed to be the true (not bullied) support for the Kremlin? I ask because the US has a massive split on any topic that an opinion could be had and wouldn't be surprised if Russia does as well. I wonder if Putin really has the support of his people as is suggested. I've heard that he is barely in power, but can't claim that I have any superior knowledge about anything going on the other side of the world.

Re: No discrimination, huh?

[gnasher719]

Talked to my granddaughter this afternoon. The company she works for just closed down an office with 150 employees in Moscow. No notice given.

Level playing field?

[bagofbeans]

There's a problem that there will never be a blanket ban. It would be politically selective.

The ban on Russia would be on the argument that they invaded a foreign country, namely Ukraine. So if the rule is a ban on countries that invade, what's the position when it's the U.S. doing the invasion?

Re:

[alvinrod]

They don't have to agree with or support anyone who uses it. Besides, one man's terrorist is another's freedom fighter. If you want to be pedantic you could easily decry the Boston Tea Party as an act of terrorism. So was Adams or anyone else who participated a terrorist or a patriot? Depending on who you ask people who participated in the riots in the capitol or after George Floyd was murdered should be labeled as terrorists. Do neither of those groups get to use OSS now? What about you when someone or som

Re:

[hey!]

They're probably right that cutting off Russians to wide open repositories isn't going to accomplish anything because it's bound to be easy for Russians, both the good guys and bad guys, to get around that.

On the other hand open source licenses don't obligate you to do anything for anyone, *unless you give them binaries*. So it's not forbidden or hypocritical to cut Russians off from your source code servers, it's just ineffective.

Re:

[dowhileor]

software development is a controlled environment and "everyone" actually is not allowed to contribute. this discussion goes on all the time in private about "who" and "what" to exclude just based on the private opinions derived in private class based forums and pretty much? rightly so. yes feelings get hurt but a better birdhouse built is just that, a better birdhouse and will see the light of day in a rational decision making process, a democratic process.

Just another word for weaponizing

[fustakrakich]

What starts as voluntary will quickly become mandatory

Re:

[Eunomion]

"What starts as voluntary will quickly become mandatory"

That statement doesn't seem to make any sense. What are you advocating?

Re:

[kot-begemot-uk]

It is virtue signalling at its worst.

None of this has any meaning economical, military or otherwise, but it allows a group of idiot Cancel Culture obsessives to perform a group circle jerk and demonstrate their vehemence in cancelling everything Russian. It is no different from removing Gagarin's statue from the space museum, prohibiting Dostoevski's novels, prohibiting Chekov's plays, prohibiting Tchaikovski's 1812 and Swan Lake.

All of that has been done. Did any one of them invade f*cking Ukraine? No. B

Re:

[Anonymous Coward]

Yep, if you aren't woke, you must be a Russian, right? The web has become so saturated with woke non sequitur, ad hominem, and other illogic, that I question wether we have been overrun by bots, or at least people only capable of binary thinking.

Re:

[taustin]

You abuse the word "thinking." There's no thinking involved, only parroting the party line like good little sheep.

Re:

[serviscope_minor]

You're right! It's basically impossible now to tell the difference between Putin's paid-for troll army, and right wing nutjobs. He could be either.

Re:

[LeeLynx]

I realize that, after hearing it repeated a few dozen times a day in whatever neo-fascist echo chamber you exist within, you believe you know what the phrase 'virtue signalling' means, but I promise you don't. Please stop using it, you sound like an idiot to the rest of us, and I seriously doubt you actually are. You also don't seem to have a clear idea what 'racism' is, what with both sides of the conflict being of the same race, but I'm guessing you picked up that little tidbit from the same place.

Movi

Re:

[TheMiddleRoad]

True. Every word you wrote. True.

Re:

[TheMiddleRoad]

Virtue signaling is doing something to show you are good, not trying to actively isolate an evil regime.
Cancel culture is when somebody says something offensive and people get really angry about it to the point that a person faces real world consequences. This is not cancel culture, it's isolating an evil regime.
Shutting down everything Russian, from the arts to the open source, isolates the evil Russian regime.
Few are walking around saying, "I hate Russians! They're genetically flawed!" or anything of t

Re:

[serviscope_minor]

Anyone who unironically uses the term "virtue signalling" is an utter fuckwit.

prohibiting Tchaikovski's 1812

Oh and a liar. I forgot that too.

No one's "prohibiting" this music. Someone decided that perhaps a piece of pro-russian military music featuring actual artillery fire as part of the performance perhaps, just perhaps is in poor taste right now. Oh yes also a piece by the same guy referring to Ukraine as "Little Russia".

From the orchestra:

It added: "A member of the orchestra has family directly involved

Re: Just another word for weaponizing

[gnasher719]

The 1812 overture is difficult. Written by Tchaikovsky who has nothing to do with the current murderous regime. And it celebrates victory over a foreign invasion, just that it was France invading Russia back then, not Russia invading the Ukraine. On the ither hand, it does celebrate a Russian victory. Just hope the Russians get thrown out and the Ukraine can show them the finger by renaming it to âoe2022 overtureâ.

Nice

[pele]

As if patents in software were not enough now we're being fed (geo)politics in licensing!

Re:

[Darinbob]

Way back, before the GPL and before things were called "open source", it was not at all uncommon for some free software to have a license saying essentially "anyone can use this except any government or military", "free unless you're a corporation", stuff like that. The "free for everyone" was something of a change in attitude

If the Ukraine is conquered

[Dirk Becher]

Will it be considered Ukraine or Russia?

Re:

[quantaman]

Will it be considered Ukraine or Russia?

Depends how you referred to occupied France in WWII.

I mean, we already have the Russian track record on how they treat occupied territories and I don't think Nazi Germany is a bad comparison [aljazeera.com].

Re:

[Entrope]

It will revert to being "The" Ukraine, of course, to indicate that it is considered nothing more than the Russian frontier.

Who decides?

[Alworx]

There's already enough controversy over conflicts of the most diverse nature around the world, who is to be held accountable, who is the victim... I don't think the world of OSS should enter this quagmire.

Yemen? Rohingya? Uyghurs? Libya? North Korea?

Were should the line be drawn?

Re:

[MysteriousPreacher]

If the past decade has taught us anything it is that opening the door for big matters tends to leave it open for smaller things to come through in the future. The line will advance in unpredictable directions, moving beyond obvious military conflicts into ideological causes. Doing business with Israel? Have a Scottish CEO? Refuse to acknowledge that people can identify as forest animals? No more cooperation with the developers!

Market forces will tamp down a lot of this. Projects with particularly unwieldy i

Another reason not to change licensing

[viperidaenz]

Russia doesn't care about IP from countries that sanction it.
They've already given the green light to anyone in Russia to ignore any licensing requirements if sanctions get in the way.

Re:

[kot-begemot-uk]

No. It does.

There is a clause in the Berne convention which allows any country to use any patent deemed essential to its national security provided that it pays a royalty for that. It is also entitled to determine what royalty it pays. This has been used only once - when USA tried to deny other countries military use of aircraft in the run up to WW1. The world told USA and the Right brothers to go get lost.

Russia applied this clause blanket to all patents from so called hostile countries. These are NOT

Re: Another reason not to change licensing

[viperidaenz]

https://www.google.com/amp/s/t... [google.com]
What they've done is not necessarily in line with global treaties.

Re:

[ISayWeOnlyToBePolite]

No. It does.

There is a clause in the Berne convention which allows any country to use any patent deemed essential to its national security provided that it pays a royalty for that. It is also entitled to determine what royalty it pays.

No there isn't, the Berne Convention protects copyright. Perhaps you're thinking of the Paris Convention which protects patents and trademarks, although I'm unable to find the clause you're referring to.

This has been used only once - when USA tried to deny other countries military use of aircraft in the run up to WW1. The world told USA and the Right brothers to go get lost.

I believe you're referring to the Wright brothers. I can find references to European companies that had licensed the patent(s) suing those who didn't, but nothing that matches your description.

Russia applied this clause blanket to all patents from so called hostile countries. These are NOT countries which sanction it. Some countries which have applied sanctions are not on the list. These are the countries which have actively intervened in the Ukraine conflict with all of: weapons, manpower and sanctions.

It has also set the royalties to zero.

According to the convention it is actually entitled to do it. While it violates the spirit of the law, it is legally watertight and allowed by all international patent treaties.

At this point a reliable source would really help your case.

Berne convention doesn't cover patents

[Catvid-22]

The Berne Convention only deals with literary and artistic works, that is copyright, not patents. Perhaps you mean the Paris Convention of 1883 [wikipedia.org]? If you're talking about both, we have the World Intellectual Property Organization [wikipedia.org] (WIPO), the UN body in charge of both.

Re:

[aRTeeNLCH]

The fact that you claim that Russia did this rightfully as it is allowed by a country under attack, this clearly shows your true colours as a Russian shill. Others have already pointed out that the content can't be correct.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Can we do this to all invaders?

[BardBollocks]

If we aren't, we're being tools.

License is moot

[Unpopular Opinions]

License is just a bunch of words, on a piece of paper or a dialog box, that lawyers would use. If piracy is not a concern anymore and there are nobody to enforce copyright laws, license is moot. Sure we have all seen licenses on strong crypto software that could not be exported to certain countries. If a company sells these products, the seller company is in trouble, but nobody ever said you will not be able to use if, if you bought it elsewhere and somehow it landed on a restricted country. Right now, OSS

Mind unintended consequences

[sinij]

Once you develop and use capability to deny OS updates to a group of people, it will be much harder to resist calls to do it again and again. OS ethos is that it is available to everyone, this means OS projects can focus on coding and not adjudicating requests for activism.

Re:

[gweihir]

Indeed. Works the same as censorship: Once the system is in place it can be used and abused in new and exciting ways and very little can be done to prevent that That is why you fight the establishment of the censorship system. Hoping that it will not be abused once it exists is entirely futile.

Same here: FOSS is either available to everybody or will very soon be available to nobody or almost nobody. This is an old question and it is _clear_ how things work.

Re:

[ChatHuant]

OS ethos is that it is available to everyone, this means OS projects can focus on coding and not adjudicating requests for activism.

I don't know - should a developer consider himself morally fine if his code is used to target children, because that's the open source ethos?

I see strong parallels between this discussion and the arguments surrounding the tension between freedom of speech and the right to not be offended. There, one of the arguments of the progressive wing is that freedom of speech is not absolute, and doesn't mean freedom from consequences. They say it's OK to fire, cancel, ostracize or otherwise punish somebody who said

Re:

[billyswong]

If one invent or manufacture a tool, and a tool is useful to evil people, it will be used by evil people no matter what restriction you try to add onto it. Contrarily, the restriction measure will end up imposed on good people by the evils so that they can monopolize the tool in order to better bully the good people. Oh yeah, I consider those "progressive wing" part of the evil.

Re:

[sinij]

OS ethos is that it is available to everyone, this means OS projects can focus on coding and not adjudicating requests for activism.

I don't know - should a developer consider himself morally fine if his code is used to target children, because that's the open source ethos?

Should a developer consider himself morally fine if his code is used to contribute to systemic racism and oppression of minorities?

While the above is unserious question, you can be certain that certain people will ask it forcefully and won't accept anything short of capitulation.

Re:

[ChatHuant]

Should a developer consider himself morally fine if his code is used to contribute to systemic racism and oppression of minorities?

Well, shouldn't he? If he's aware that his code is used in this way, and he keeps improving it, thus making oppression better and more efficient, is he really absolved of all responsibility just because he opened the source (which, by the way, also helps get the tools to more oppressors)?

This discussion isn't really new though, is it? It's similar to a lot of other ethical problems in society related to the responsibility of a toolmaker if the tool he's making is used for ill purposes. A few random examples

Re:

[sinij]

The society that has everyone becoming a political activist could not continue normal function. Someone still has to get the actual job done, even if to keep Twitter running so everyone else could squelch.

Re:

[dowhileor]

OS ethos is that it is available to everyone, this means OS projects can focus on coding and not adjudicating requests for activism.

I don't know - should a developer consider himself morally fine if his code is used to target children, because that's the open source ethos?

I see strong parallels between this discussion and the arguments surrounding the tension between freedom of speech and the right to not be offended. There, one of the arguments of the progressive wing is that freedom of speech is not absolute, and doesn't mean freedom from consequences. They say it's OK to fire, cancel, ostracize or otherwise punish somebody who said something offensive or politically incorrect. The speaker *is* responsible of the results of his speech, and freedom of speech is subordinated to the right to not be offended. By the same token, shouldn't an open source developer whose code is used by enemies or terrorists be similarly punished - or even worse, because his code may have directly helped in killing innocents?

then add regulation to the potential discussion as well. and take the right to offend as a process of creation as we are offended by most things we don't understand in some way. the constitution, vaguely defines offense as not having ultimate purpose in your actions. in other words if you offend today you will not offend later if you make sense. back to regulation, if the regulators feel that people cannot manage offense in their purpose said regulators will do that for you. open source itself is a regulate

OSS will outlast this war

[bjdevil66]

The updates should be allowed to go out to the entire community. Anything short of it will harm the community as a whole - sowing seeds of mistrust of the West.

The community COULD include some passive aggressive crap with updates, though - starting by including casualty numbers and facts debunking the Russian media's propaganda/lies in CHANGELOG files.

v3.19.2022 - We're not Nazis in Kyiv.
v3.20.2022 - We're still not Nazis.
v3.21.2022 - Just checked again. Still no Nazis here. Just dead civilians and soldiers from both sides and rubble.
v3.22.2022 - Ukrainians still don't want to rejoin the Russian empire.

Or maybe include ASCII art with maps of where civilians have been killed - or just a shirtless Putin on a horse pic, only with him sporting a Hitler mustache.

Re:

[alvinrod]

Just leave stupid politics out of it entirely. I saw something recently where someone had created a modified MIT license (it may have been one of the other popular licenses) where it was essentially identical to the original only it needed to include a particular racial slur as a part of the license as part of what I assume is some kind of "own the liberals" mindset. Equally stupid and juvenile.

Re:

[93 Escort Wagon]

Maybe include a running scorecard:

v3.03.2022 - 456 dead Ukrainian troops, ~ 3500 dead Russian troops (4 generals), 258 Ukrainian civilians killed; 6342 antiwar protestors detained in Russia
v3.08.2022 - 897 dead Ukrainian troops, ~ 6000 dead Russian troops (5 generals), 474 Ukrainian civilians killed; 13914 antiwar protestors detained in Russia

Hmmm.

[jd]

I see the argument, but there are a few problems with the example. A bug affects ALL users, not just those that report it, and if it tuns out to have security implications then not working the ticket would place a lot of innocent people at risk purely to spite a group that is unlikely to give a damn at the end of the day.

Open Source will induce social change beyond software, that is inevitable. Linux is the underlying platform for Android. There are a lot of reasons why Android is popular and that other mob

Bullshit

[gweihir]

That does not work and cannot work. Apparently some idiots insist in doing some virtue-signalling here.

Re:

[93 Escort Wagon]

Yeah, this seems silly on several levels. And even if someone thinks it's a good idea, this is the wrong level on which to be attempting it - let governments figure out how to interfere with Russian access to western networks, if that's considered a worthwhile goal.

Re:

[gweihir]

Yeah, this seems silly on several levels. And even if someone thinks it's a good idea, this is the wrong level on which to be attempting it - let governments figure out how to interfere with Russian access to western networks, if that's considered a worthwhile goal.

Indeed. FOSS is either FOSS or it is not. If it is not, it loses all the FOSS advantages. Now, dropping Russia from the Internet would be something different, but the current consent seems to be that is taking things too far and removed the possibilities of reaching the population there from outside. I agree on that. Also, Russia has to come out of this war in some fashion and eventually has to join the civilized world again. First step for that will be neutralizing Putin and then put the checks and balance

Re:

[93 Escort Wagon]

Even if someone doesn't care about FOSS philosophically, compromised software knows no borders - a rooted box in Russia could easily be used to attack machines anywhere in the world, just as a rooted box in Germany or the US can. I doubt most botnet operators care much where the machines they control are physically located.

Re:

[gweihir]

Even if someone doesn't care about FOSS philosophically, compromised software knows no borders - a rooted box in Russia could easily be used to attack machines anywhere in the world, just as a rooted box in Germany or the US can. I doubt most botnet operators care much where the machines they control are physically located.

Exactly. And anybody in the world could have rooted that box. Not providing patches to Russia anymore would harm others.

A pointless endeavor

[Todd Knarr]

I think the attempt would be pointless. The Russian government and military, which are the true targets of the attempt, have plenty of resources in other countries for getting copies of the updates and forwarding them back to Russia, and once they have copies of the updates it's trivial to set up their own internal mirrors and distribute those updates within Russia. That would completely defeat the attempt to deny them access. The only ones left affected would be the civilian population who have nothing to do with the decision to invade the Ukraine, and who overwhelmingly either don't know anything about it except what lies Putin's press is feeding them or oppose it.

Frankly if you wanted to take action the best course would be to identify Russian government and military IP addresses trying to update and, instead of blocking them, feed them malicious updates with known vulnerabilities restored.

news in code

[bob_jenkins]

My vote is allow them to use OSS (duh), allow them to contribute to OSS (with code reviews as always), and add short comments in the code and documentation giving accurate current censored news. If their government chooses to censor OSS for providing current news, yay, otherwise "everyone can use and update it" continues to mean "everyone can use and update it".

Doesn't make sense

[theendlessnow]

OSS and especially FOSS is just that. We shouldn't play politics. Makes zero sense.

Shutting down software is the job of proprietary commercial software. Let Microsoft disable their OS in all of Russia (for example). It was never free, so, there ya go... But, are we prepared to fully cancel Microsoft everywhere if they don't??

Anyway, FOSS ftw!

Just don't.

[Petersko]

It's in nobody's best interest. The Russian army isn't going become hampered because they don't get a python patch. And not one decision will be different no matter what open source projects deny access. Insecure systems in any country are not good for the world.

Pick your battles. This isn't one of them.

Better ban Windows then

[zkiwi34]

Far more of Russia likely runs it to do what they do.

Allow updates, but include current news and events

[clambake]

In order to download the updates, include pages full of videos and news about the truth going on in Ukraine. Make it such that you'd have to block the updates in order to block the news.

No

[cascadingstylesheet]

No. Just no. The whole point of principles is that they apply all of the time.

If nothing else ... think of this. Next time it will be you. No, really, it will.

"For example, FOSS developers should refuse to work specifically on bug reports from companies who don't pay their workers a living wage," Kuhn offers in an example.

And ... there it is.

Re:

[Tom]

This.

There are always some who are ready to sacrifice the principles of freedom and humanity for some short-term political goal - typically while pretending to support freedom and humanity.

Bye bye world as we know it

[AndyKron]

Why the fuck not? We're screwing Russians in every other way, just like Germany before WWII. Anyone hear of that war?

Re:

[serviscope_minor]

Why the fuck not? We're screwing Russians in every other way, just like Germany before WWII.

It's amazing how many people here would have been happy to let the reich just roll over Europe.

bikesheds everywhere

[Tom]

If you've heard of the bikeshed problem, you understand the recent insanity.

Everyone wants to do something, so they find something to do within their sphere and do it. Doesn't matter if it makes sense or not, if it actually has a chance to do any good or not - it's not about the effect. It's all about the desire to feel as if you did your part.

Bugs are bugs

[Bruce66423]

Just because a bug report comes from Russia is no reason to ignore it. It's still reporting a bug. So unless the bug is Russia specific, it's important to address it because it's a bug, and for us not to cut off our nose to spite our face by ignoring it just because of its origin!

Not open anymore

[cygnusvis]

I they did, it would no longer be âoeopen sourceâ and just âoesource available âoe

Re:

[Jzanu]

What you are saying does not matter at all. This denial in concepts is the same as a sanction. It is the denial of economic gain from the fruits of a free society against which the host country, and by extension every business and organization operating in it to the gain of that host country, has violated by its crimes. In this case Russia and its war of choice and aggressive invasion of a neighbor are more than adequate justification. Additionally, Russia is actively commuting war crimes and crimes against