Hacker News new | past | comments | ask | show | jobs | submit login
Police conducted search in the Nginx office due to a copyright claim (twitter.com/antnesterov)
586 points by ameshkov on Dec 12, 2019 | hide | past | favorite | 217 comments

My bad translation of a related part from Sysoev's interview to a russian journal "Hacker"[0] made in 2012:

- Interesting: you were working at Rambler while developing nginx. Did Rambler had any rights? That's a subtle question. How did you manage to keep the rights for project?

Yes, that is a subtle question. It interests others beside you, and we thoroughly worked on that. Russian law works this way: the company has the right on anything which was in employee's field of work or by it's own contract. So there has to be a contract with someone with purpose "to make a software product". In Rambler I was a system administrator, I'd developed in my free time, product was distributed under BSD license since the beginning, as an open-source software. Rambler started using it after the main features were ready. More than that, even the first usage was outside of Rambler, it were Rate.ee and zvuki.ru websites.

[0] https://habr.com/ru/company/xakep/blog/136354/

And the same quality translation of a commentary by Lynwood Investments CY Ltd, the company which initiated the case, given to the online magazine The Bell [0]:

The Rambler Internet Holding (edit: it's legal name is Rambler Group LLC) company found that it's exclusive rights on NGINX web server, which was developed by it's employees with use of corporate resources, were violated by third parties. The company gave the right for infringment claims to Lynwood Investments CY Ltd (named A&NN Holdings Limited at the time of the deal), which has a competence in this type of cases.

Lynwood Investments CY Ltd had appealed to law enforcement bodies for the evalution of this situation. They recognized Rambler Internet Holding as victim of actions by unidentified violators (sic!) and initiated a criminal case.

Lynwood Investments CY Ltd would not comment the case until the court's decision. Wherein we would try to restore the justice with all ways possible and we reserve right to file lawsuits in any jurisdiction where it's needed to protect our interests.

[0]https://t.me/thebell_io/4315 (NB: yes, Telegram)

The commentary[0] of Igor Ashmanov, who was CEO of Rambler when they hired Sysoev, on the document in tweet:

Sysoev was developing in his work time, in the office, with company's equipment. (quote from the order: edit)

1. Bullshit. There isn't anything on that in our laws. You have to very accurately prove that there was an assignment on that. "In his work time" or "with company's equipment" - doesn't work. Everything's allowed - and IP is within authors.

2. Besides, when I hired Sysoev - it was in 2000 - we have talk specifically that he had his pet project and he'd have the right to work on it. It was called "mod_accel" or something, he renamed it in 2001-2002.

I can make a statement about that in court, if needed. And my partner in my companies, Dmitriy Pashko, then-CTO of Rambler, could, I think.

3. He had worked as a system administrator. Software development wasn't in his responsibilities at all.

4. I think, Rambler cannot provide any paper, more so an assignment, on development of a web server.

I asked our advocate, ..., to look what's going on. The lawyers of Runa Capital (edit: early investors of Nginx Inc.) already work in the case, so probably our help wouldn't be necessary.

I think, skunks would fail.


edit: link to the source

Thanks for providing some actual information in a thread rife with speculation.

Not sure I would buy that system administrator's don't write code and writing a webserver which is closely related to a sysads job.

Ironic thing here is that it probably doesn't matter because Russian law regarding copyright assignment is very different and much more employee-friendly than the US law. It will be interesting to see how the case develops but my understanding is that unless there was a very specific and documented work assignment from his boss to write nginx code, the copyright still belongs to Igor even if it was developed on the company equipment and on company time.

But its a trade secrets, breach of contract case.

I am surprised Russian law is that pro employee - would wreak havoc for offshoring

> I am surprised Russian law is that pro employee - would wreak havoc for offshoring

I think it only seems that way because we're so used to the US model where software you develop in your spare time at home with your own equipment might still be owned by your employer or even a university (even if you're just an undergraduate student already paying many tens of thousands in tuition fees). I read a few IP policies over the years, and, if they are to be believed, apparently, even if you're simply using WiFi to work on your student project in a university building, they may claim to own the whole copyright and patent rights to any resulting work; I don't quite understand how everyone else doesn't find it as demotivating as I do.

If you look at the actual reasons for Rambler not owning nginx — this situation is actually better for offshoring because anything developed for the client per the spec would be owned by the client, yet anything that employees work on in their own time, they could package as their own offering (e.g., separate packages and/or modules) and ramp-up work for more than one client without violating anyone's IP rights.

TBH, I don't actually understand how software craftsmanship consulting is supposed to work in the US. As an IC SWE consultant, I was negotiating a nginx consulting project with one relatively big company, and the sample MSA I got from them basically would have precluded me from ever working on nginx again had I signed it as-is. I think it's really amazing how more folk don't get sued in the US for these sorts of things; I can only imagine that it's merely for lack of trying on part of most of these corporations, not for lack of standing (unless all these terms everyone agrees to are somehow unenforceable in reality).

> would wreak havoc for offshoring

Why? I would actually expect offshore development to be the least problematic - typically there is a spec and agreed-upon set of deliverables and the rights to these deliverables are cleanly transferred. It is the common employment situation where your boss tells you your objectives in more or less vague terms which is more muddled.

9.5 rules of doing business in Russia

1. Keep your servers abroad.

2. Register your domains abroad.

3. Register your company abroad.

4. Keep your money abroad and don't put all eggs in one basket.

5. Seriously, don't put all your eggs in one basket!

6. Keep your database abroad.

7. Document everything regarding your office setup.

8. Split the risks and assets.

9. You can give youself up voluntarily. Find a large patron or manage law enforcement protection yourself.

10. Leave the country.

11. Have a battalion of armed bodyguards?

A little bit on that Alexander Mamut guy: http://rumafia.net/en/dosje/12 . One of the "7 banker" group.

He is the one who racketeered Euroset into selling itself at 990% discount.

Evroset was the largest retail network in Russia, built from scratch buy a man with a lot of talent, but no mafia connections. Alexander Chichvarkin was pretty much the most renowned businessman of his generation in Russia.

Chichvarkin fled to UK, and left a director to be his proxy.

They used the same tactic — director detained, and offered a trade at gunpoint. The director however managed to escape the capture too. In this case, after his bodyguards made a scuffle with police in his office.

Chichvarkin is Evgeny, not Alexander.

0. Don’t do business in Russia

I would use the same approach for setting up a business in the US. Additionally I would require some huge insurance to protect myself from frivolous lawsuits.

As an outside business you want no servers in the US or use US dollars in any form as you may end up being sanctioned or worse extradited for things that are not illegal in your country.

> as you may end up being sanctioned or worse extradited for things that are not illegal in your country

You're of course conflating problems that are very common in Russia (hyper corruption, few human rights, zero business law protection, no functioning independent judicial system) with problems (the need for huge insurance, extradition, getting sanctioned) that are rare in the monster size $22 trillion US economy filled with millions of businesses.

List of countries currently meaningfully sanctioned by the US: Russia, Cuba, Iran, Venezuela, North Korea, Syria

I certainly hope you don't live in North Korea while commenting freely on Hacker News (which is, naturally, located in the US).

Not a bad idea for any company in any country, the way laws surrounding tech are going.

Not sure if your comment is trolling or just due to ignorance, but https://en.m.wikipedia.org/wiki/Sergei_Magnitsky

Not trolling... if they outlaw encryption, as most governments want to do, it will require creative org structures.

Australian checking in - and I'm not trolling either: I can just as easily read that 10-point list off for Australia.

Which companies were taken over illegally by organized groups in Australia?

Because the OP's list was likely referring to a very different reality than what you imagine: https://www.theguardian.com/world/2008/jun/24/russia.interna...

> Which companies were taken over illegally by organized groups in Australia?

That kind of stuff does happen in Australia too, it's not just widely known or reported on.

A good friend - (now-ex) business owner - several years ago had her company taken from her at gun point. With nothing to be done about it ("or else") by people who the police won't fk with.

Ermm, you may wanna pay more attention to the companies being granted native-title claims on the mineral-rich chunks of land all over the country ..

I think the last one pretty much covers it.

That could happen in any country. That's a corporate dispute.

Rambler sold their NGINX "copyright rights" to a shady law firm (Lynwood Investments CY Ltd).

Anything can happen anywhere, but it's the height of naivety to call the general international risk of this of this (government takeover of your shit) happening anywhere vs Russia comparable. It's way more likely to happen in russia and anyone who's worked there can tell you that.

That's not a corporate displute. It's probable cause in criminal law. Ngnix founders are already detained btw.

They are currently being interrogated, not detained.

If you can't walk away from an interrogation, you've been detained.

Maximum continuous time for an interrogation in Russia - 4 hours, after which there should be a pause of at least an hour. Maximum total time is 8 hours within a single day.

Maximum time for a detention is 48 hours until the court's decision. The difference is how much time one would have to actively prepare his defence themselves, not via advocates.

You could use those 'rules' instead of toilet paper - not even half a year ago a ton of people were detained longer and without proper accommodations like food, water and place to sleep. Nothing happened afterwards, maybe in a couple years un human rights council will make government give those people some money, but that's it.

It works like this: you detain a person for 48 hours, then release him and when he is at the exit, detain him once more. Repeat as needed. Probably you would need to find another formal reason for a detainment (I'm not sure though), but seems it is not very difficult. They did something like just this summer, when protests was going against infringements with voting.

There was police raid in the office. After that founders were captured and brought to interrogation. If it's not "detained" then I don't know what any other meaning this word may have.

They were released and are at their homes now.

Perhaps not as often or quite so capriciously

Oh my, I still see people in the comments who naively think this is a copyright issue. Seriously? 15 years after the alleged event? With physical violence against software developers?

It's only one among thousands of cases when putinists rob successful companies. The world must put more pressure on putinism, because eventually all the stolen resources turn into imprisonments of people in the country and deaths of people in the countries attacked by that putinist machine.

Perhaps feeding into more conspiracies, yet it's worth to remember the recent law to "isolate" the russian internet from the rest of the world [0].

Securing control over the web server software (indeed popular for solid reasons) plays well into this lockdown objective and yields to the state a product that it would struggle to create on its own otherwise. Think of those failed attempts at creating a "national OS" to break dependence from Western originated Windowses, Linuxes, and macOS alikes.

0: https://www.usnews.com/news/world/articles/2019-05-01/new-ru...

Good point, although there would be one fatal flaw on that objective; nginx is open source and can simply be forked (outside Russia).

It can be both a copyright issue and a corruption issue.

Sounds more like trade secrets / breach of contract

Rambler supposedly claimed copyright, so while what you’re saying may or may not be true, it’s certainly acceptable to view this as a copyright issue regardless:


I am quite sure you are right this is corrupt putinism. Putin's economic system is crony capitalism. The laws mean nothing, it is all a matter of who has political corrections and pays the biggest bribe.

That is why there is so little technological innovation in Russia, in spite of its being a huge developed country with a highly educated workforce (except, of course, for hacking). People with ideas know they will just be stolen, so they either leave them undeveloped or move to another country with real rule of law.

This sentiment is equally true for the west, crony capitalism. I just wish more people would acknowledge that the west is in the same state.

No, that's not true. There is a lot wrong with western capitalism, but it isn't nearly bad as what is going on in Putin's Russia.

Copyright doesn't have to be defended. Until it expires, someone holds it and whoever does has the right to control the licensing.

But this is absolutely a copyright issue! If a company has copyright on something I use, I need a license from them. Now we don't know what Russian courts will decide here, and we also don't know whether courts in other countries would respect that. What could happen as a worst case "robbery" scenario is that the developer is forced to agree they never had copyright!

So whether or not the claim was unjustified, it might become a huge problem not just for the individual developers of Nginx but for everybody distributing it or using it. And that has a lot to do with how copyright works.

Former CEO of Rambler at the time already said that the company had no claim on this and that they had an agreement about this exact issue back when Sysoev was hired. It can't be more clear than this.

I am not sure why this is being downvoted. If a Russian court determines (and/or the developer is forced to agree) that the BSD license was issued by someone who did not own the intellectual property, doesn't that create a significant legal issue for anyone who is using nginx under that BSD license since that license would no longer be valid?

Doesn't the potential for this exact sort of issue point out a flaw in how copyright law works (especially under international law?)

When you say "if a Russian court determines" this sounds like an insult to me. Simply check out how recently lots of people have been convicted for nothing, for a poster, a like, for jogging, for trying to get elected, for a youtube video.

I kindly ask you to stop believing that Russia is a place where unicorns shit with rainbow and courts work. No, they do not. And by not acknowledging putin's terror against us you literally deprive us of a right to become a normal country again one day.

(just in case, I didn't downvote the post above)

I am not claiming anything about the justice or fairness of Russian courts, you are reading far more into my comment than was present. This is precisely why I mentioned that the developer may be forced to agree.

From my understanding of how copyright law works, if the local court determines that who a copyright holder is, international courts are required by treaty to uphold that determination.

But it doesn't matter if the court is just or not. What matters is whether the decision is official. Now, the rest of the world doesn't have to abide by the decision, but whether or not Russian courts are corrupt (they are) they do make decisions and there is sufficient law enforcement to bring those decisions to life.

In America our courts work better, but we still have a lot of improvement. Hopefully your countrh serves as a warning to us and not as a whipping boy.

Russian cangaroo courts determine only one thing: which side has more influence, and rule in favour of prevailing one. The side that can call an FSB raid on an opponent is obviously way more influential.

Source: I'm from Russia.

Russian "court" can "determine" whatever whoever paid the court wants it to "determine". It's not a flaw in the copyright law - it's a flaw in Russia having no real independent non-corrupt court system. You can't fix this flaw by writing different license or signing some different papers.

And yet, copyright is a civil dispute. I’ve never heard of a police raid due to copyright.

According to the warrant[1] it seems to be a criminal case.

Anyway, you should read up on the BSA copyright raids. Fortunately they seem to have fallen out of fashion.


Best practices for side projects (US):

- Never give work full rights to everything you make on your own time.

- Never use company hardware, software, time or offices to develop a side project you might want to monetize commercially later.

- Charge work a "1 node license fee" of $1 with an invoice and a standard commercial software EULA if you intend to try your creation at work. Also specify that it includes maintenance for the duration of your employment and that all modifications, including those made on work time and on work hardware, are your property and that they are granted a license to them for 1 node.


Nginx was developed not on company time/resources. I am sure Igor was careful to do it by law, but it doesn't really matter in russia. They can detain you and kick you until you give them what they want, and there is nothing you could do. There are countless examples.

I think you will run into conflict of interest issues with having your employer pay you to use your product. It might fly at some places, but I would be hesitant of running afoul of all manner of issues if there could be a perception that you are leveraging your employment position to profit your own company. Especially if your employer accepts money from the government.

I agree with the first two though. I personally am leery of suggesting the use of my own products and services to a current employer, and would only do it if it's very clear that there's both not other great options and that there's not a conflict of interest (decision maker is in another department for instance) and recognize that I may need to quit my job to avoid the perception of a conflict of interest or legal issues with government grants or other awards that may prohibit employees from also being vendors.

It's definitely riskier than just not using your personal projects at work unless your employer is actively pursuing using it fully independently (ex: your project is the only good solution to a problem and it's unreasonable for your employer to be the only people who can't use it). But even then, I'm largely unable to do work that only I can possibly do (i.e. I worked on two projects as an independent contractor for my current employer before they were my part-time employer) for people in another department despite being part time simply because it's too much of a mess to get it approved. I could probably get it done, but it's a huge hassle and not worth it for $1.

But your current employer might also take major issue with you having a side business selling to their competitors stuff that they want to use, regardless of the technical legality... at the least you might get fired even if you've done nothing legally wrong it might be against their employment guidelines to do this if you're a full time employee. I specifically chose to be part time because I still do contract work on the side (and make more money doing that than I do at the part time job, but I really enjoy my part time job so I don't mind).

> I think you will run into conflict of interest issues with having your employer pay you to use your product. It might fly at some places, but I would be hesitant of running afoul of all manner of issues if there could be a perception that you are leveraging your employment position to profit your own company.

I think when it's literally "pay me one dollar for a company-wide license, so there's mutual consideration for license and it's clear what the arrangement is"... one does not need to worry about a substantial fiscal conflict of interest or appearance of impropriety.

I mean, it's a whole lot of work to squeeze one more dollar out of your employer ;)

It's not about amounts, it's about perception and policies. The idea of selling a product even remotely related to my job description to my current employer just sounds like a whole bag of nasty waiting to drop.

What happens when you leave the company and try to increase the price to make a business out of it? Did you create a situation through the course of your employment such that the company you left is now dependent on your products? Would they have made different choices in what tool to use if it cost more at the time? Will even bringing up the idea of charging your employer cost you a lot of social capital with your supervisor and make you look like you're aiming to resign soon to work on a new project and aren't fully committed to your job?

Will they expect you to offer software for a $1 indefinite license including free updates for life or not including support or upgrades? Will they balk when your support or custom features cost $200/hr and cry foul? Companies are led by MBAs. They don't want to spend money and are very good at avoiding it at your expense.

Will they use their vastly larger capital to sue you for it, if indeed it is critical to them, arguing that if you felt it was useful enough to the company to sell it to them then it was part of your job responsibilities to work on it (excepting the case where you did the project prior to starting work at the company). Will you somehow be able to prove that it was done outside of work hours and relied in no way on your confidential knowledge of what the company does?

It's just messy and the potential for really really messy. You might manage to pull it off, but I personally would not try this unless the case was extremely clear cut and everyone involved knew everything so that no one could retroactively claim it was done in an underhanded way. But I was a boy scout so I learned that if you aren't willing to be totally transparent in your approach you probably actually don't think it's ethical. Clearly not applicable to today's top business schools, of course...

> It's not about amounts, it's about perception and policies. The idea of selling a product even remotely related to my job description to my current employer just sounds like a whole bag of nasty waiting to drop.

The discussion here relates to open source stuff. You give your company a bypass to the license agreement (attribution requirements, etc) in exchange for $1. That's a small business benefit, and in turn you create a clear papertrail of ownership with consideration. Yes, everyone would do this eyes wide open.

You can set the terms however fits the requirements of all involved. If you leave, they are an open source user like any other. Maybe they are allowed to redistribute without attribution, etc, indefinitely. Maybe it includes giving you the right to say that <employer> is using the package.

You do this when your employer already knows you tinker on open source, and a project is getting serious enough that it deserves to have its IP rights explicitly protected.

> Will they use their vastly larger capital to sue you for it, if indeed it is critical to them, arguing that if you felt it was useful enough to the company to sell it to them then it was part of your job responsibilities to work on it (excepting the case where you did the project prior to starting work at the company). Will you somehow be able to prove that it was done outside of work hours and relied in no way on your confidential knowledge of what the company does?

That's the whole point here-- you demonstrate that the company considered it yours at that point in time, and entered into a license agreement for it.

I have been on both sides of deals like this. Not all employers will do it, but it is a not-unreasonable way to protect everyone's interests and record what the parties considered the ownership to be at the time of employment. I've also sold company-owned code to an employee for $1 and an indefinite license because we didn't want to maintain it anymore.

I think we basically agree then. It just needs to all be transparent. There's just an awful lot of different ways things can go wrong and it's hard to know which ones will end up being relevant. I agree that it could be a good method for establishing clear separation. Just very tricky.

The thing is I am not sure if Igor was developing Nginx on his own time. IANAL as well, but I am not sure if it counts if part of the work was done from his Rambler workplace.

According to Russian laws it does not matter. Igor was hired by Rambler to do system administration job, he was never assigned any software development job - that means Igor owns the copyright. His ex-boss is confirming this (in Russian: https://roem.ru/12-12-2019/281134/rambler-nginx/#comment-292...)

Sorry "Never give work full rights to everything you make on your own time." is not going to work there is to much precedent in US employment law.

Precedent doesn't come into it (until it does), it's all about what's in your contract.

Work for Red Hat? You own your free software contributions, even those made at work. Work for Google? They own even the small lump of green putty you found in your armpit one midsummer morning.

Many companies will apparently put in grab-all clauses but back down (but Google won't) if you call them on it.

This is why I am very glad to be an independent contractor without the pesky “inventions” clause. With “inventions” clauses, if I worked on my open-source MaraDNS while on the clock, a company could make a reasonable legal case that they own it.

Even in California, where a company can not own inventions done on one’s own equipment in one’s own time (as long as it’s not related to their day job), before signing an “inventions” clause, I am very careful to tag my GitHub repos with a date stamp before the date I signed the inventions clause, and only use versions of my open source software at work which I wrote before I started working for them (e.g. I have a secure password generator shell script, and when I use it to generate the dozen or so passwords I need to do my work, I use a version which existed before I started work at the company).

Replying to myself: Did you know that the website hosting this blog entry is using nginx as their server:


There is something very ironic about a blog posting claiming that a company owns all of the software a developer makes in their free time, running on an open source server initially developed in Igor Sysoev’s free time while he was working for Rambler.

Whoa, you created MaraDNS? Man, I love that software. Been using it for years. Keep up the great work!

This is all because of the purchase by Sberbank (This is the largest Russian bank reporting to the government) of Rambler. In Russia, the chance of a fair trial in this case is very small. Sberbank simply “collects assets” and wages an unfair fight for money. It is a pity that the man in Russia and now he will be so pressured.

Given that almost all media in Russia are subordinate to the state, a very small number of people find out about this situation and this is very sad.

First, lawmakers are crashing Yandex stocks, now this. It is sad that I live in Russia ...

Igor Sysoev developed Nginx while working in Rambler (a Russian search engine) back in 2002-2004. Now, 15 years later, Rambler filed a copyright claim against Nginx and Igor, and demands (allegedly) 51M RUB from them.

To save anyone else having to look it up. 51M RUB is currently around US $810k.

In Dr. Evil's voice: "One Million Dollars!"

Somewhat surprised this hasn't settled out of court then.

I'd be surprised if it had been. I'd wager Rambler is after the ngnix itself rather than some cash.

Rambler was bought by the Sberbank (the largest state-owned bank in Russia) in August this year

This is a very important detail if true!

But even if they "owned" nginx - what does it get them? The community would immediately fork it and change the branding.

The same happened to MySQL when Sun was bought by Oracle when MariaDB was forked - though I concede MariaDB isn't as popular as I hoped.

> though I concede MariaDB isn't as popular as I hoped

I would think that's more due to the huge boom in Postgres popularity than any failing of Maria. For the projects that do still use MySQL, all the ones I know of are on Maria or Aurora rather than the Oracle implementation.

Not really. The real reason is that Oracle has done a reasonably good job of continuing the development of the Open Source project. You can certainly argue about what things they should have focused on (the MariaDB community has done that, mostly arguing there should be more engines), but Oracle has done nothing to damage the project, and a lot of good in it (serious improvements to the main engine, InnoDB).

If MariaDB hadn't been there, and as competitive as it was, I doubt Oracle would have played so nicely with MySQL.

Oracle has one goal, and that is to make money. They've realised due to the competitive pressure in this case that they can't abandon the community and go straight into value extraction mode.

InnoDB was owned by Oracle since 2005. I don't recall seeing any complaints about that at the time. In 2010, when Oracle bought Sun, then there were complaints from the MySQL team. But not complaints when Sun bought MySQL. Honestly, most people had been using InnoDB as their main MySQL engine for the previous 5 years already but there was no whinging from the MySQL team about that (that I recall).

It's all pretty arbitrary in my opinion -- if Monty and company hadn't whined so much when Oracle bought Sun, I doubt there would have been a fork.

Anyway... it never bothered me one way or the other.

If they're angling for a ruling that they've always had the copyright to the code (or at least core / original parts), then presumably any licenses (FOSS or otherwise) granted by anyone who isn't Rambler would be null and void.

Yes, and while the focus is on the Nginx project, there are probably other projects that used code from Nginx that would also be affected.

Would the community have any right to fork something the original author never had the right to open source in the first place?

No idea what is actually going on, but the "simple" scenario is that it is just a mafia-style bust out. If that's the case, the attackers don't want the source or future development, they want to extract as much money as possible without regard to Nginx as an ongoing concern.

If they indeed have copyright then you cannot legally fork it without them giving you licence to it. Just because you have the code doesn't mean you have the licence. All the other licences would be void.

If you contributed to nginx, do these new owners own your contributions if you submitted them under what turned out to be false pretenses ? Shouldn't all the community contributions be void because of that? That would significantly reduce nginx's worth.

If not, what's to stop other companies doing this in a predatory way? Start an "open source" project, gather years of valuable contributions from a enthusiastic community, then pull the rug?

> what's to stop other companies doing this in a predatory way? Start an "open source" project, gather years of valuable contributions from a enthusiastic community, then pull the rug?

Pulling the rug would mean revealing that your company never really owned the copyright, so at the very least you make yourself look bad.

Also, I don't imagine courts take a favourable view of transfers of ownership which are essentially fraudulent. I'm not a lawyer, as you can doubtless tell, but I presume it wouldn't be good for you if they could prove you'd planned the thing from the start.

There's an analogy outside of copyright: stolen goods. Sale of stolen goods isn't a legal transfer of ownership, but you don't want to be caught knowingly selling stolen goods, much less proven guilty of it (and the whole point of 'pulling the rug' is that things play out in court). I presume a similar principle would apply with intellectual property.

No, these "new owners" wouldn't own these contributions.

But since the project is under BSD license, they could make a case that they are allowed to use your changes (under that license). I'm not sure how that would eventually play out in court, though.

Right, that would be "shared source" not "open source" (or _free software_).

As it is, nginx is licensed under BSD - that would include the many contributions by anyone else (which cannot be claimed if the original project's copyright is found to belong to someone else) - so if the official nginx goes private but the BSD license is found valid, then the community can continue to publish their own "not-nginx" under BSD.

In a worse-case-scenario where copyright of the original nginx project are reassigned and the BSD license annulled, then the community need only replicate something resembling the original codebase that the community's subsequent (and fully legitimately BSD-licensed) patches/changes/commits can be applied to (though this will take some time) - so in either event, the prospective future "owners" of nginx cannot realistically hope to control the world of nginx deployments and the extended nginx developer ecosystem.

> As it is, nginx is licensed under BSD

That has just been cast into doubt.

> copyright of the original nginx project are reassigned

Not reassigned. It would be found to never have been licensed.

> need only replicate something resembling the original codebase

Which is impossible without it becoming derived of the original. If you want to apply a patch to something it must first look like the original. A good chunk of the patches will have been derived from the original substantially. Which means they'd need to be rewritten too.

> the prospective future "owners" of nginx cannot realistically hope to control

Yes they could exert a lot of power and force people into paying. A clean-room effort would take a year! In that year they could go after everybody who is distributing old copies.

This is as bad as it gets if that company is found to own copyright.

In that case, who would pay the new "owner" for the now unlicensed parts provided by outside contributors?

I see this having only two outcomes: either nothing happens (it stays BSD), or it becomes nuclear waste, and new owner cannot sell it because it is plagued by mutually incompatible legal status of different portions of the code.

I can't see how the third version, where it stays clean, but the new owner can milk it, is possible.

Well if it becomes toxic waste they could force everybody currently using it into licensing it from them. They could even try and go for damages for previous use.

But my point it that these customers would not be protected by that license, since they'd be using the code of other contributors without license, so they'd still be potentially open for extortion by hundreds other entities (I suppose there were many contributors).

Hmm yes interesting. Thanks for pointing that out!

The other patch authors could retroactively agree with the robber that their derived publications have been without license. Then they too could block usage of Nginx by pledging to go after anybody who gets a license from the robber.

Don't you understand the trick? If they acknowledge that they "stole" it, Mamut will then go to US and use it as a basis for his claims on the F5, which is like a million times bigger than this claim.

I imagine it's more complicated than that. Settlements can have terms (no admission of fault, etc), and claiming precedent across countries probably isn't straightforward.

Don't you think that these are not things that a person being asked to sign a paper under a gunpoint will think about?

Especially now that F5 owns Nginx.

I don't think F5 is going to lie down and let some shady hucksters take nginx for $$$ from them. They would have already looked at the copyright situation when they bought nginx.

I think the statue of limitations in Russia is under 10 years for most civil claims. Maybe someone can clarify what are the actual charges and what would the statute of limitations be? If statute of limitations ran out, maybe the corporate lawyer can get this thrown out quickly?

> what would the statute of limitations be

It is usually 3 years for such cases, but it counts since the moment of time when alleged infringement was discovered.

I don't think it works like that. The supposed copyright violation is ongoing.

I should remind you that there was a 1:342 ratio of "Not guilty" to "Guilty" decisions on the criminal cases in Russia last year, and the it's declining year-to-year.

I was interested in the ratio for the US, which based on a quick lookup seems to be 1:249 for federal cases... (Numbers taken from here: https://www.pewresearch.org/fact-tank/2019/06/11/only-2-of-f...)

Just wanted to note that it is not a very good way to gauge opressiveness or fairness... In a perfect world, charges would only ever be brought against the guilty, and only the guilty would be found as such by court. In such a World the ratio would be 0:<division by zero error>...

The corruption in judicial circles of Russia works this way: the police had opened the case, the defendant obviously isn't guilty, we state that he's guilty with a penalty of conditional term instead of a real one and free him in a court's room. If we state that he isn't guilty, then it would start the process of quality check in all parties involved in the development of the case which unavoidably ends with penalties or criminal cases upon the policemen, nah we don't need that.

I agree on a perfect world scenario, but we in Russia have a big pile of ridiculous court decisions every month.

> Just wanted to note that it is not a very good way to gauge oppressiveness or fairness

I would point out that the conviction ratio of the US is indicative of massive flaws in the powers that DAs have in most jurisdictions to force time limited plea agreements on defendants who have limited information and are under threat of charges with much higher penalties. This can usually be done without any oversight or approval from judges.

> In a perfect world, charges would only ever be brought against the guilty, and only the guilty would be found as such by court. In such a World the ratio would be 0:<division by zero error>...

That sounds like a world with complete surveillance, no privacy and a judicial system with absolute power. Doesn't sound like a perfect world to me.

A bit of context.

Rambler used to be a somewhat successful and independent Internet company, but in dire straits recently because it's lost the market to its primary competitor - Yandex. So very much like Yahoo vs Google.

Now it's been bought out by Sberbank - the largest state bank run by a good friend of Putin. Sberbank is looking at becoming at becoming an IT monster, being a provider of just about everything - from food delivery to banking, with huge amount of Big Data at its heart. Delusions of grandeur at taxpayers' expense.

This lawsuit is the first big move of the new Sberbank's management team in Rambler.

To be clear: Sberbank bought 46.5%

And that's yet another reason why copyrights can not last forever.

I see it this way (being a Russian): it's not a copyright claim issue, but rather a hostage situation with bandits involved (a.k.a Russian authorities), and what they want is ransom so that top #1-2 nginx contributors don't go to jail for some 10 years.

I've some kind of reflex to say "come on, it can't be that bad over there", but then I read a thread like this and it's like a slap in my naivete's face.

To put the "over there" remark in context, I grew up in a neighbourhing country.

This reminded me the Lebedev institute situation from last month: https://www.nytimes.com/2019/11/07/world/europe/russia-raid-...

The last company I worked for put together a dev team in the Ukraine and poached some talent from a local company that was connected to the local government. Our company ended up paying a relatively small (significant in the Ukraine) 'fee' to not have the team physically shut down by the locals.

Yep mate it totally can, stuff like that goes here on daily basis.

It feels like an intelligence shakedown. Nginx has a rather large install base. FSB would love to have an entry point in it I'm sure, or maybe they previously had one and are trying to gain it back?

NGinx is owned by F5 Networks [1]. F5 customers could probably open a case and ask what contingency plans are in place.

[1] - https://www.f5.com/company/news/press-releases/f5-completes-...

NGINX still has separate support from F5 Support.

Is their support team in Russia? They may have their hands tied at the moment.

This is what's really concerning. If FSB was able to actually implement something and shell all nginx boxes (and thusly obtain SSL certs, intercept communications, etc..) imagine how much access they'd have.

Then they would definitely advertise it by attacking the company so that the whole world would know about their secret backdoor. Very smart, indeed!

Physical access is easier to get than remote access when you have a baton and the intelligence of a cop.

FSB/GRU are more than just thugs with batons, they are professionals who could easily slip in to a building at night and access computers without anyone knowing. Basically the Russian CIA.

GRU have been severely embarrassed quite a few times in the last few years. It does seem that they're much closer to thugs with batons.

Just thinking about it would have a chilling effect which to the authorities may be better than actual access.

I'm going to switch from nginx to Caddy, so I guess?

On the flip side I feel like nginx has too high of a profile. It'd be better to target some other low level system package or npm/pip module, etc.

that's not going to happen, too many security experts constantly monitoring nginx. That's the beauty of it being a high profile open source project.

"I keep track of these things, Clark. One of us has to."

Just like too many security experts monitoring crypto standards so NIST wouldn’t try to slip in a backdoor?

No, not similar. Crypto is very different.

Conspiracy theories are fun, but no, it doesn’t feel like an intelligence shakedown if you know even a little bit about intelligence shakedowns. Or about backdooring software.

Clandestine ops have an extremely low probability of success using this strategy and nobody who does them is this incompetent. Especially not Russia.

nginx is open source. I tend to use the distribution provided packages which in case of debian are reproducible builds.

(yeah, i know there's a pro version of nginx. never used it)

"It's open source, someone surely is doing regular thorough security audits."

Auditing one of the world's most used pieces of internet facing software that also isn't "a huge codebase"? Yes I do think nginx will be just fine. Security experts are constantly combing through that sort of software looking for holes, as well as AI tools. duh. It ups your brand to find holes.

Counterpoint: https://en.wikipedia.org/wiki/Heartbleed - 2 years is a long time

Someone surely is doing regular thorough security audits of nginx, yes. Even at maximal cynicism, discovering a backdoor in its source code would get someone niche fame and a job at Project Zero (or a nice windfall on the black market, I guess).

the thing is: you have to introduce very subtle bugs when the code is open. And if you exploit it in the millions someone is going to notice.

Indeed. If, as suggested, a backdoor is planted by something like a three letter agency they're not going for mass surveillance or "hacking all the things". It's a very valuable asset that you use wisely, maybe even just once if the target is worth being discovered afterwards.

It's easy to forget just how corrupt government and law enforcement can get. In America, try to bribe a police officer and you'll quickly find yourself in jail. Other countries, it's almost expected that you bribe police (and indeed, the true reason you just got pulled over might be to shake you down)

Driving in several of the Balkans since the 90s with German license plates always required keeping some cash on hand to buy the officer's lunch. It's probably not true any more for Croatia since its acceptance into the EU, but we still had this experience in Bosnia and Serbia up through the 2010s.

Doubt. Croatian police face hefty fines if they take bribe. Source: have several close friends in the police.

I think I might have addressed this in an edit while your comment was posting. I agree fully on Croatia. It could happen in the 90s but the country has changed a lot since then.

This is something we're working on though (in the US).

It's pretty obvious to us, коллега, but that sounds absolutely crazy and conspiracy-like for outsiders of ex-USSR.

wow, I would have thought those dudes would have moved to a more friendly country years ago given the fame and profits from creating nginx.

It's frog in boiling water situation. For a long time the government was content with the money it could get from oil and mining, and many businesses were relatively safe. After the drop in oil prices and economic sanctions they started to get more creative, and the situation kept slowly worsening, until during this year there were multiple high profile cases like this.

Some say Igor didn't move because he's a patriot. Ironic, isn't it?

Well, I wouldn't necessarily call him a patriot or regime supporter or whatever (not a vocal one anyways), but he indeed did like to occasionally throw some stones towards non-systemic opposition, color revolutions supporters, or other likely-minded people. One example would be what he wrote 12.12.2015 (exactly 4 years prior to current incident) at http://sysoev.ru/ about Berezovskiy's alleged financial support of orange and tulip revolutions of 2004-5.

So in that respect it isn't that impressive that he stayed in Russia even when (mostly non-state) news became more and more disturbing. Probably even less so if you assume a line of reasoning that nobody would bother with relatively small foreign company built around open-source product, a company that's already sold to larger foreign company (conveniently forgetting about the price that F5 paid for that company).

(edit: s/american-registered/foreign/: Nginx Inc. was registered in British Virgin Islands)

He's being Matriotic. He lives in a Motherland, not a Fatherland.

It would indeed be ironic if he supports the current government. But in general patriot can also be someone who dislikes the crazy regime and doesn't want to give up his home without a fight.

Apparently some company called "Lynwood Investments CY Ltd" has bought the rights for copyright enforcement from Rambler Group - I guess this is classed as "copyright trolling"?

Looking at the search warrant[1] the claim is that Nginx was developed while the author still worked at Rambler and during work time.

[1] https://twitter.com/AntNesterov/status/1205086129504104460

do you think Russia is such a law and order country ? Let's wait and see...this isn't it.

I try to stick to the facts and keep my biases out of the conversation and I wish the same to you.

I wrote a short summary on the situation for my English-speaking friends and would like to share here too.


nginx is one of the most popular web-server software, used by hundreds of millions of websites worldwide. It was written by Igor Sysoev in early 2000s, was released and is maintained as an open source software.

At the time of initial release Igor was working for Rambler (a Russian internet company). In 2011 Igor and his partners founded a BVI company Nginx Inc. to provide commercial products and support for the software. The nginx software remained (and still remains) open source. They raised some VC financing and in 2019 were finally acquired by a public company F5 Networks, Inc. for an impressive $670 million.

What has happened?

Today Igor and his partner Maxim Konovalov were arrested in Moscow and are being interrogated. A search is performed in Moscow office of the company. It became public that Rambler filed a lawsuit for breaking its IP rights on nginx.

It might look like a typical IP ownership conflict, but there are details: a) Worldwide internet infrastructure relies heavily on nginx. b) People are under arrest, which illustrates a serious intention and may lead to unpleasant consequences. c) It all happened some months after a successful acquisition, while Rambler was aware of nginx for more than 15 years since the date of the initial nginx release.

What's next?

It is extremely unlikely that Internet will meet any short-term consequences. No, there's no way to turn down nginx remotely, there's no backdoors, etc – so Internet is safe.

No, there is no chance that Russian secret service or someone else will use this situation to introduce some backdoors to nginx server. As any popular open-source software, nginx is developed by hundreds of independent individuals from various countries. The source code is always publicly available, and each developer is highly aware about security.

Long-term consequences are possible, including decline in nginx popularity and development of alternative software. If nginx will be forced to change its licence or shut down, it's very likely that community will instantly make a fork and/or a complete rewrite of this webserver under a new name (which has happened before to MySQL, for instance).

We all hope that this conflict will be resolved, and Igor and Maxim will be safe and sound. All we can do now is spread this information in as straight and clear way.

If nginx has dubious copyright, you cannot fork the code, since not being open source, it is legally not-forkable. Yes, you could do a complete rewrite, but that would require doing so in a "clean room" fashion, which would be very difficult.

In any Western court an entity who forked it, would win a copyright lawsuit if Rambler sued. You cannot claim it was your proprietary code all of a sudden after it's been openly available for 15 years.

Igor Ashmanov (the guy who hired Sysoev, and was a COO at the Rambler at the time) said that the Ngnix (under different name) was indeed a side project started before Sysoev joined Rambler. Moreover this was properly disclosed, and green lighted by Rambler executives at the time.

Source: https://roem.ru/12-12-2019/281134/rambler-nginx/#comment-292... (Russian)

  location / {
    add_header X-Supports "Igor Sysoev" always;      

Hello from Russia.

I've read documents provided by nginx employee Igor Ippolitov, and I'm convinced Rambler is commiting a offence under article 306 of criminal codex.

In brief, in Russia an employee retains all rights on his/her/it's intellectual property if he/she/it was not instructed to do this job. Former Rambler CEO confirmed that Sysoev has no instructions to create a web server.

At the same time, Rambler claims that: "unknown person at an unspecified time acting within the scope of his duties and on behalf of management".

unknown person cannot have a scope of his duties. management cannot give orders to an unknown person.

Some guy on the internet claims this case has no leg to stand on, and the whole reason the office was raided was to scare them into cooperation or revealing useful information. Then they'll catalogue that and say 'not a criminal issue'. The trick is, those materials could then be used in a civil case. This is full text, in russian: https://habr.com/en/company/itsumma/blog/479942/#comment_209...

Having read Red Notice, I strongly suspect the plot is much thicker than a simple copyright violation. The fact that NGINX now runs the majority of web traffic would be a clear signal to the Russian oligarchs that this NGINX is a valuable commodity to control and Sysoev needs to be moved aside. I'm guessing they don't have a deep understanding of BSD licensing terms, but they understand the value of controlling the contributors, and the log files.

F5 buys Nginx, then months later there are suddenly copyright claims and raids relating to the founder having left a former company in 2012...

Playing devil's advocate, I could see how something like that could legitimately take place in a similar situation as the previous employer may feel abused / betrayed, rightfully or not, once he sees a success that he may believes not being possible if it were not for giving some slack to his employees.

Not sure about you but I always wait 7 years before enforcing dubious copyright rights.

So this is what happens when successful ideas in Russia gain market share? Why would anyone want to execute their ideas in Russia?

They may not have a choice?

Or just don't do it. Russia has around the GDP of Italy this might have to do something with it.

Nginx Moscow office, rather than one of their other 6 locations (or F5 which now owns Nginx).

"It seems that someone has already adapted to the system from police searches, or simply to support NGINX!" https://pari-match.club/ https://monosnap.com/direct/JM4VGPga3PaV7Z4pQEdQgiMEIwi0ub

If they own copyright.... Which isn't crazy...

Then the licenseing Igor put on it is null and void I assume, so everyone's instance would become illegal upon that court decision?

It's a little more complicated than that. One might have equitable defenses to infringement. Its doubtful a violation will be considered criminal (USA). Certainly if you are worried keep an eye on the Russian trial and hire a lawyer!

In Russia - yes, but I think it could be appealed in other countries.

Sad times, I really like nginx. Maybe its time for nginy a web server developed in an extradition proof country with strong privacy protection and shell company laws. I could imagine saying that in jest but as these things get more common (a non-equivalent other than power imbalance story is the Apple suing its employee for starting a server chip company) its going to take a lot of planning to develop something and "keep" control of it.

Rambler board has asked the management to ask the police to close the criminal case, look into the situation again and file a civil lawsuit if needed: https://www.interfax.ru/russia/688213

The company I worked for made photo equipment, and had a lot of creatives on staff.

As such, they did not have the typical "We own the ideas you came up with in the shower" clause that most companies have.

Because of that, I was able to develop a fairly popular OS package (popular in a limited demographic, so it's not "A-List").

Slightly easier to read:


TLDR: Igor Sysoev started Nginx while employed by Rambler, who did not then claim copyright, but now they have. The police raid is a result of that claim.

Russia has absurd IP hijacking rules that are being exploited.

On the West there wouldn't be even a chance for this business: nginx would belong to employer by default.

By default but if you have enough leverage you can get all sorts of allowances from an employer. I always have any clause struck about the employer owning anything I produce outside of work for example. (I don't necessarily consider this to be an example of significant leverage just common-sense.)

It's not a 'West' thing, it's a US/wannabe-US company thing. Also likely illegal in most EU countries, anyway.

I'm sure you can't name a single rule or law which is exploited in this case.

If I said "Britain has draconian libel laws" or "The US has absurd copyright laws" would I be wrong? Off the top of my head, I can't name a single rule or law that supports my claim, I only picked up a sense of that from reading the news. Likewise, I read articles like this and I get the impression that Russian IP laws are basically just tools for running extortion rackets... that's my simplistic layperson's take on the situation, but I don't really see any credible counter narrative in this thread.

On contrary with US IP non-hijacking rules we see in the Apple vs Nuvia case.


Both cases are quite similar to my eye.

With the original open sourcing license of nginx in doubt, it is prudent for open source projects to look into alternatives?

Besides the standard Apache, may I suggest the underdog favorite of mine, Hiawatha? I was dissapointed when the license moved from GPL to MIT, but it's still awesome. [1]

There is also Caddy, a go based webserver, which is Apache licensed I think. [2]

Then there is also lighttpd, which is small and fast, but 3-clause bsd. [3]




Not to mention thttpd, which was updated as recently as last year:


As I mentioned before, Apache is The Best Web Server in the world. Period.

If you want simplest non-bloated and secure - OpenBSD's httpd is absolute king.

But for many generations of IT people Apache had (and still has) that nice homey feeling.

One of Best things that happened to IT world.

Edit: s/https/httpd :-) bloody phones and their "smart" keyboards

OpenBSD's httpd is similar enough for relatively simple use cases, porting it to other platforms wouldn't be impossible.

I'd recommend looking at Traefik, Caddy Server, HAProxy, or a combination of them.

This is exactly why Apache still rocks.

Software developer got greedy, rich and robbed by state actors.

Should have contributed to Apache instead.

considering this thread and a host of others, regarding mobile phones being rousted, I think its time to start looking at developing systems that have a "panic mode"

as in "we would comply if we could but you guys scared the system and it hid, we have to wait until it comes out again"

So what are the long term impact if any can opine here? Doesn't sound good for the founder.

Making business in Russia, rule #1: - run!

Or don't run business in Russia at all.

This is a new level of copyright trolling.

always wondered, is it pronounced 'en-gin-ex' or 'N-ginx', there was a debate in my office

From the official FAQ[1]:

> How do you pronounce “NGINX”?

> Correct: en-juhn-eks, Engine-X

> Incorrect: en-jingks

I wouldn't be surprised if it's actually an abbreviation of "engine-x", but I can't find any better source that explains how they came up with the name. Still, this source pretty much implies it.

[1] https://www.nginx.com/resources/wiki/community/faq/#how-do-y...


> nginx [engine x] is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by Igor Sysoev.

I was told that N-ginx is a curse word in Chinese, so I pronounce it En-Gin-Ex. I think the former is more intuitive though

> I was told that N-ginx is a curse word in Chinese

Don't know that many swear words in Chinese, but I know that that "ginks" isn't really pronouncable in Chinese. You could do "ging", but the "k" and the "s" would then need to be separate syllables; the best you could get is "en ging ke se", which isn't really close enough to "N-ginks" to be dangerous.

(Similarly, "golf" ends up as three syllables: "gao er fu", plus "qiu" added to the end to clarify that it's a game involving a ball.)

  location / {
    add_header X-Supports "Igor Sysoev" always;      

Damn. And I've just switched to it less then a month ago.

real life Pied Piper...

KGB wants their piece of cake. Classic

The KGB was broken up in 1991.

It's the same people under a different acronym, this is not a meaningful difference for most people.

Especially for the Front Side Bus crowd

For unaware, FSB stands for (Russian) Federal Security Service which is direct successor of KGB : https://en.wikipedia.org/wiki/Federal_Security_Service

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact