Nginx Core Developer Quits Project, Says He No Longer Sees Nginx as 'Free and Open Source Project For the Public Good' (arstechnica.com)
A core developer of Nginx, currently the world's most popular web server, has quit the project, stating that he no longer sees it as "a free and open source project... for the public good." From a report: His fork, freenginx, is "going to be run by developers, and not corporate entities," writes Maxim Dounin, and will be "free from arbitrary corporate actions." Dounin is one of the earliest and still most active coders on the open source Nginx project and one of the first employees of Nginx, Inc., a company created in 2011 to commercially support the steadily growing web server. Nginx is now used on roughly one-third of the world's web servers, ahead of Apache.
Nginx Inc. was acquired by Seattle-based networking firm F5 in 2019. Later that year, two of Nginx's leaders, Maxim Konovalov and Igor Sysoev, were detained and interrogated in their homes by armed Russian state agents. Sysoev's former employer, Internet firm Rambler, claimed that it owned the rights to Nginx's source code, as it was developed during Sysoev's tenure at Rambler (where Dounin also worked). While the criminal charges and rights do not appear to have materialized, the implications of a Russian company's intrusion into a popular open source piece of the web's infrastructure caused some alarm. Sysoev left F5 and the Nginx project in early 2022. Later that year, due to the Russian invasion of Ukraine, F5 discontinued all operations in Russia. Some Nginx developers still in Russia formed Angie, developed in large part to support Nginx users in Russia. Dounin technically stopped working for F5 at that point, too, but maintained his role in Nginx "as a volunteer," according to Dounin's mailing list post.
Dounin writes in his announcement that "new non-technical management" at F5 "recently decided that they know better how to run open source projects. In particular, they decided to interfere with security policy nginx uses for years, ignoring both the policy and developers' position." While it was "quite understandable," given their ownership, Dounin wrote that it means he was "no longer able to control which changes are made in nginx," hence his departure and fork.
Re: (Score:1)
In Canada, we welcome and greet them in our parliament, the House of Commons.
Re: (Score:1, Insightful)
I remember the good old days when Conservatives hated Russians. Not like now when they stand in line for a taste of Putin's sausage.
Re: (Score:1)
Nothing like barrowing money from China
The majority of US debt is owned by US citizens. Also, the word you're looking for is "borrowing."
with zero plans to ever repay
Wait. Are you upset about China holding our debt, or are you upset that there are "zero plans to ever repay" said debt? You're kind of all over the place here with unsupported shit words.
so that Ukraine can fight Russia to a stalemate
Better than being bulldozed by a fascist mafia state.
a very unproductive part of the world unless you are really into potash
Or food. Or neon for chip fabrication. Or liberalism (as opposed to fascism, which is currently trying to spread, with the Russian invasion being the poster child.)
Soviet Fallout
Honestly,
Re: (Score:2)
Nothing like barrowing money from China with zero plans to ever repay
Money spent on Ukraine is dirt cheap insurance and most of it gets fed back into our own economy. US based MIC is raking in hundreds of billions of dollars in new foreign orders triggered by the war.
so that Ukraine can fight Russia to a stalemate
So that Russia's aggressive wars of conquest in Europe are halted before a couple hundred billion starts looking like a rounding error in terms of consequences.
Re: (Score:3)
China is moving away from holding long-term US debt. Their holdings peaked at $1.3 trillion in 2014, and it's down to about $770 billion, give or take a few billion, in the last few months, a decline of 40%. Part of this is selling existing bonds, some of it is redeeming bonds that have matured. They are not buying nearly as much as they used to, and it's not an issue of trust that they won't be paid back. They bought them because they fully expected to be paid back, and they were. The Chinese government is
Not enough information (Score:3)
Can't tell who's right here.
Usually on software security, you can count on the corporations to maintain appearances and profit margins at the expense of users.
But I honestly don't know whether he's bothered with the owner for doing right or wrong by users.
Re:Not enough information (Score:5, Informative)
Why this would lead someone to fork is unknown. The discussion was apparently private, and as far as I can tell, Dounin hasn't given any more details despite having at least two separate requests for the info in his announcement thread. Which means from the public perspective, all of this just seems like someone has an entitlement complex.
Re: (Score:3)
You mean the American company that bought Nginx and, after Putin invaded Ukraine, closed the Moscow office and offered all Russian developers relocation to the US is the big risk and the Russian developer who preferred to stay in Moscow and kept working on that software for free is the safe bet? You want a Russian in Russia to make all fundamental management and development decisions about the web server on your systems at this fucking time?
Re: Not enough information (Score:3)
Are you pregnant with the next dictator then?
Re: (Score:2)
Speculation: they told him, a volunteer, that he had to fix these bugs stat before they would accept any more code from him.
On a feature that, apparently, he doesn't think should exist.
And perhaps he said he wasn't interested and they said he doesn't have to participate in the project.
I am just thinking like a PHB here since he intimated that corporate culture is at the root.
I wish him good luck, though I prefer to deploy Apache or lighttpd.
Re: (Score:2)
Both parties agreed that there was a bug; corporate said that the affected code was in use by some customers and wanted to issue a CVE; devs apparently wanted to treat it as a just-a-bug-that-has-security-implications-but-doesn't-need-a-CV
Re: (Score:1)
There was a bug in some experimental HTTP/3 code in a prerelease version that was disabled by default. Despite that, it was actively in use in some places. F5 saw the bug as bad enough to publish a CVE for it. The developer didn't consider it bad enough for that, as it'd be fixed before release.
If it's a bad bug and in use by customers I can see the need for a CVE. The developer just didn't like the red tape / reputation damage.
Depends how bad the bug was and how widely deployed, but I'm inclined to side with
Re: (Score:1)
Maybe his technical ideas have some merit, being such a long-time developer. You did little more than compare him to a petulant baby. Sometimes taking a principled stand is the right thing to do.
I'm glad that he forked, just as I'm glad that mariadb forked off from mysql.
Re: (Score:2)
Good thing that doesn't appear to be at all what happened here.
Re:Not enough information (Score:5, Insightful)
There's already another fork of nginx from a group of former nginx devs, Angie [angie.software]. Given that this week's dev decided to make another fork rather than join them tells me there were already issues between devs... and it kind of feels like maybe this week's dev was the issue (can't work with the group that formed Angie, can't work with F5).
Re: (Score:2)
Looks like the split with Russia was also a big motivator. This guy stayed on in a volunteer capacity after he couldn't 'work' for the nginx project anymore, but seems others didn't feel *that* loyal to the nginx 'brand'.
Re: (Score:2)
Well, strangely enough even with the developers side of the story, I'd say he seems to be "wrong", though of course he's free to do what he wants (he was already a volunteer).
He effectively stormed out because he felt acceding to having CVEs was overreacting. The CVEs applied to code that was in active use by users in 'main' releases, even if it was not formally blessed as 'complete'. The thing is that CVEs are a bit obnoxious (many of them are non-issues), but ultimately manageable.
Now if an end user knows
Learn to Perceive Reality already. (Score:1, Troll)
...freenginx, is "going to be run by developers, and not corporate entities," writes Maxim Dounin, and will be "free from arbitrary corporate actions."
Really? That's cool. Sounds like a reasonable request from a purist who believ...
Nginx is now used on roughly one-third of the world's web servers, ahead of Apache.
OK, scratch what I said before. Maybe realize where your product stands in a commercial world, and understand a "pet" project mindset doesn't fit anymore.
No comment on the whole Russia, Russia, Russia spin.
Re:Learn to Perceive Reality already. (Score:5, Insightful)
...freenginx, is "going to be run by developers, and not corporate entities," writes Maxim Dounin, and will be "free from arbitrary corporate actions."
Really? That's cool. Sounds like a reasonable request from a purist who believ...
Nginx is now used on roughly one-third of the world's web servers, ahead of Apache.
OK, scratch what I said before. Maybe realize where your product stands in a commercial world, and understand a "pet" project mindset doesn't fit anymore.
Sounds like that's exactly what he did. He realized his pet project was now a commercial entity and would bow to commercial pressures, and instead of staying with the corporatist for-profit management team, he forked and went back to making a pet project. Seems a reasonable response if the guy's got the means to continue living life.
It sounds very much to me like he's being harshly for it, which I'm having trouble understanding. Is the only "appropriate" way to deal with disagreements with management to kowtow, apologize, then fall back in line? That seems far sadder than somebody forking a project to keep working on it his own way whether it's seen as a competitor to the original project or not.
Re: (Score:2)
Sorry, that last paragraph should have had the word 'judged' inserted in there before the word 'harshly.' So much for my edit-fu.
Re: (Score:3)
Sometimes open source developers hope that the corporate users somehow contribute resources to continue development, because it is in their mutual interest.
The alternative is for an open source project to go into a weird commercial mode where there is some bonus to paying them money. Like getting access to support (of dubious value) or getting security updates on older releases, which isn't a very efficient use of development resources for the open source project's goal of moving forward.
The only times I've
Re: (Score:2)
Sometimes open source developers hope that...
At what point in the timeline driven by Greed do you logically abandon "hope"?
And here I assumed the software developer community was far more logical, given the not-so-forgiving compiler restraints they're often confined to. Apparently I was wrong.
Re: (Score:2)
A person can be strong in rigorous mathematical logic while also being a hot mess when it comes to human interactions.
But yeah, I get it. There is a certain amount of wishful thinking in the idealist open source developer, but you'd think we adapt after having reality slap us in the face so many times.
Corp. overlords are correct! Pigs sprout feathers? (Score:5, Informative)
From the information available, it seems that Dounin was against bugs found in "experimental" code being marked as a security fix & assigned CVEs.
The problem here is that the problematic code is included in the mainline branch of nginx. Not in testing, not in beta, but in mainline.
It doesn't matter if the functions are disabled by default. If insecure code is included in the production release, users need to be informed with appropriately assigned CVEs that can be monitored.
I don't expect to have to monitor dev bug trackers to be made aware of security risks in my production applications.
nginx plays a major role in today's internet & as a CNA, F5 is obligated to assign CVEs to security bugs in their products.
If the dev doesn't want the headache/exposure of priority bug fixes & CVEs in experimental code, experimental code shouldn't be included in the mainline.
Re: (Score:2)
On top of this, getting hit with a CVE is hardly a badge of shame. Frankly, MITRE has really let the point of CVEs dilute, with a whole bunch of 'not really a risk' CVEs coming out, declaring many 'high severity' CVEs that aren't even a huge deal.
Not farmed, acquired (Score:3)
Nginx Inc. operated in Russia for years before F5 bought them out.
Dump? (Score:2)
Re: (Score:2)
The architecture of both is very different. Depending on what you are doing one or the other is a far better fit.
About "russian influence": I wrote some custom Apache transformation filters and some simple content generators for a large organization with a lot of traffic going through them a few years ago. I had to dig through Apache sources a lot for that. I doubt placing backdoors in a popular FOSS webserver is feasible longer term.
OpenBSD (Score:4, Informative)
OpenBSD removed nginx years ago; I do not know why. But that may indicate there could be issues with nginx that the developer was not allowed to fix/deal with.
http://undeadly.org/cgi?action=article&sid=20140827065755
Re: (Score:2)
Very, very unlikely. The OpenBSD devs would not keep quiet about something like that.
Anagram (Score:2)
Anagram: freeingnx
Hope (Score:2)
I hope both forks do well. This move should hopefully keep both sides focused on keeping the community's interests at their core.