Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Cloud Programming

Nginx Core Developer Quits Project, Says He No Longer Sees Nginx as 'Free and Open Source Project For the Public Good' (arstechnica.com) 53

A core developer of Nginx, currently the world's most popular web server, has quit the project, stating that he no longer sees it as "a free and open source project... for the public good." From a report: His fork, freenginx, is "going to be run by developers, and not corporate entities," writes Maxim Dounin, and will be "free from arbitrary corporate actions." Dounin is one of the earliest and still most active coders on the open source Nginx project and one of the first employees of Nginx, Inc., a company created in 2011 to commercially support the steadily growing web server. Nginx is now used on roughly one-third of the world's web servers, ahead of Apache.

Nginx Inc. was acquired by Seattle-based networking firm F5 in 2019. Later that year, two of Nginx's leaders, Maxim Konovalov and Igor Sysoev, were detained and interrogated in their homes by armed Russian state agents. Sysoev's former employer, Internet firm Rambler, claimed that it owned the rights to Nginx's source code, as it was developed during Sysoev's tenure at Rambler (where Dounin also worked). While the criminal charges and rights do not appear to have materialized, the implications of a Russian company's intrusion into a popular open source piece of the web's infrastructure caused some alarm. Sysoev left F5 and the Nginx project in early 2022. Later that year, due to the Russian invasion of Ukraine, F5 discontinued all operations in Russia. Some Nginx developers still in Russia formed Angie, developed in large part to support Nginx users in Russia. Dounin technically stopped working for F5 at that point, too, but maintained his role in Nginx "as a volunteer," according to Dounin's mailing list post.

Dounin writes in his announcement that "new non-technical management" at F5 "recently decided that they know better how to run open source projects. In particular, they decided to interfere with security policy nginx uses for years, ignoring both the policy and developers' position." While it was "quite understandable," given their ownership, Dounin wrote that it means he was "no longer able to control which changes are made in nginx," hence his departure and fork.

This discussion has been archived. No new comments can be posted.

Nginx Core Developer Quits Project, Says He No Longer Sees Nginx as 'Free and Open Source Project For the Public Good'

Comments Filter:
  • by Mononymous ( 6156676 ) on Friday February 16, 2024 @11:24AM (#64244752)

    Can't tell who's right here.
    Usually on software security, you can count on the corporations to maintain appearances and profit margins at the expense of users.
    But I honestly don't know whether he's bothered with the owner for doing right or wrong by users.

    • The moment "non-technical management" starts making engineering and architecture decisions, software starts to rot.
    • by Burdell ( 228580 ) on Friday February 16, 2024 @11:54AM (#64244840)

      There's already another fork of nginx from a group of former nginx devs, Angie [angie.software]. Given this week's dev decided to make another fork rather than join them tells me there was already issues between devs... and it kind of feels like maybe this week's dev was the issue (can't work with the group that formed Angie, can't work with F5).

      • by keltor ( 99721 ) *
        The Angie devs basically left over HTTP/3 which is also same area these CVEs were in ...
        • by Junta ( 36770 )

          Looks like the split with Russia was also a big motivator. This guy stayed on in a volunteer capacity after he couldn't 'work' for the nginx project anymore, but seems others didn't feel *that* loyal to the nginx 'brand'.

    • by Junta ( 36770 )

      Well, strangely enough even with the developers side of the story, I'd say he seems to be "wrong", though of course he's free to do what he wants (he was already a volunteer).

      He effectively stormed out because he felt acceding to having CVEs was overreacting. The CVEs applied to code that was in active use by users in 'main' releases, even if it was not formally blessed as 'complete'. The thing is that CVEs are a bit obnoxious (many of them are non-issues), but ultimately manageable.

      Now if a end user knows

  • ...freenginx, is "going to be run by developers, and not corporate entities," writes Maxim Dounin, and will be "free from arbitrary corporate actions."

    Really? That's cool. Sounds like a reasonable request from a purist who believ...

    Nginx is now used on roughly one-third of the world's web servers, ahead of Apache.

    OK, scratch what I said before. Maybe realize where your product stands in a commercial world, and understand a "pet" project mindset doesn't fit anymore.

    No comment on the whole Russia, Russia, Russia spin.

    • by nightflameauto ( 6607976 ) on Friday February 16, 2024 @12:21PM (#64244958)

      ...freenginx, is "going to be run by developers, and not corporate entities," writes Maxim Dounin, and will be "free from arbitrary corporate actions."

      Really? That's cool. Sounds like a reasonable request from a purist who believ...

      Nginx is now used on roughly one-third of the world's web servers, ahead of Apache.

      OK, scratch what I said before. Maybe realize where your product stands in a commercial world, and understand a "pet" project mindset doesn't fit anymore.

      Sounds like that's exactly what he did. He realized his pet project was now a commercial entity and would bow to commercial pressures, and instead of staying with the corporatist for-profit management team, he forked and went back to making a pet project. Seems a reasonable response if the guy's got the means to continue living life.

      It sounds very much to me like he's being harshly for it, which I'm having trouble understanding. Is the only "appropriate" way to deal with disagreements with management to kowtow, apologize, then fall back in line? That seems far sadder than somebody forking a project to keep working on it his own way whether it's seen as a competitor to the original project or not.

      • Sorry, that last paragraph should have had the word 'judged' inserted in there before the word 'harshly.' So much for my edit-fu.

    • Sometimes open source developers hope that the corporate users somehow contribute resources to continue development, because it is in their mutual interest.
      The alternative is for an open source project to go into a weird commercial mode where there is some bonus to paying them money. Like getting access to support (of dubious value) or getting security updates on older releases, which isn't a very efficient use of development resources for the open source project's goal of moving forward.

      The only times I've

      • Sometimes open source developers hope that...

        At what point in the timeline driven by Greed do you logically abandon "hope"?

        And here I assumed the software developer community was far more logical, given the not-so-forgiving compiler restraints they're often confined to. Apparently I was wrong.

        • A person can be strong in rigorous mathematic logic while also a hot mess when it comes to human interactions.

          But yeah, I get it. There is a certain amount of wishful thinking in the idealist open source developer, but you'd think we adapt after having reality slap us in the face so many times.

  • by Anonymice ( 1400397 ) on Friday February 16, 2024 @12:50PM (#64245090)

    From the information available, it seems that Dounin was against bugs found in "experimental" code being marked as a security fix & assigned CVEs.

    The problem here is that the problematic code is included in the mainline branch of nginx. Not in testing, not in beta, but in mainline.

    It doesn't matter if the functions are disabled by default. If insecure code is included in the production release, users need to be informed with appropriately assigned CVEs that can be monitored.
    I don't expect to have to monitor dev bug trackers to be made aware of security risks in my production applications.

    nginx plays a major role in today's internet & as a CNA, F5 is obligated to assign CVEs to security bugs in their products.

    If the dev doesn't want the headache/exposure of priority bug fixes & CVEs in experimental code, experimental code shouldn't be included in the mainline.

    • by Junta ( 36770 )

      On top of this, getting hit with a CVE is hardly a badge of shame. Frankly MITRE has really let the point of CVEs dilute with a whole bunch of 'not really a risk' CVEs come out. Declaring many 'high severity' CVEs that aren't even a huge deal.

    • Perhaps he was against it being included in the mainline, but they went ahead with it anyway. I'm only speculating, but if my warnings were ignored and the result was security flaws in live code then I'd certainly be considering whether this was a path I wanted to continue down.
  • Time to dump Nginx and go back to Apache maybe? Probably less worries about Russian influence....
    • by gweihir ( 88907 )

      The architecture of both is very different. Depending on what you are doing one or the other is a far better fit.

      About "russian influence": I wrote some custom Apache transformation filters and some simple content generators for a large organization with a lot of traffic going through them a few years ago. I had to dig through Apache sources a lot for that. I doubt placing backdoors in a popular FOSS webserver is feasible longer term.

  • OpenBSD (Score:4, Informative)

    by jmccue ( 834797 ) on Friday February 16, 2024 @01:10PM (#64245178) Homepage

    OpenBSD removed nginx years ago, I do not know why. But that that may indicate there could be issues with nginx that the developer was not allowed to fix/deal-with.

    http://undeadly.org/cgi?action=article&sid=20140827065755

    • by gweihir ( 88907 )

      Very, very unlikely. The OpenBSD devs would not keep quiet about something like that.

  • Anagram: freeingnx

  • I hope both forks do well. This move should hopefully keep both sides keep the community interests at their core.

The last person that quit or was fired will be held responsible for everything that goes wrong -- until the next person quits or is fired.

Working...