The email thread continues. Linus later responded with:
>No, but I'm not a lawyer, so I'm not going to go into the details that
I - and other maintainers - were told by lawyers.
>I'm also not going to start discussing legal issues with random
internet people who I seriously suspect are paid actors and/or have
been riled up by them.
Which I find pretty concerning statements, quite a disservice to the community. It's a global community, and here the maintainers take some action without explanation. They don't even have a communiqué at hand to tell people what this action is, why it was taken, and which alternatives were considered but rejected. This is the bare minimum that I expect of the maintainers of a piece of software that is very critical to many millions of systems worldwide.
Counting on the goodwill of users is not acceptable for an operating system that underpins the security of people's computers.
Open source means put up or shut up. If you don’t like the institutions, then build it yourself.
You can’t cry foul when the group is literally providing you with free software. Open source institutions don’t own anyone anything beyond open software.
That is the letter of the law, yes. I would suggest though that the spirit / intent behind the law includes fostering a community, which in turn encourages open and clear communication.
No, the legally binding licenses that fall under the purview of Copyleft enforcement. A critical component of modern Free Software is licenses that absolve the primary author of liability that is implicitly agreed-upon when contributing third-party code. If these contributors disagreed with the terms of the GPL then they had 30 years to realize it.
And right now Linus is not putting up, is suddenly actively refusing to put up, and we're all very concerned about that.
As an open source community leader, putting up consists of leading well, and transparently. It's not just a coding role. He may have inherited the leadership role by being the original coder but he has to keep it by being a worthy leader.
I speculate Linus or Greg received the equivalent of a National Security Letter. Otherwise they could point to the regulations.
While a little bit too much of a guess, it's quite possible that whatever three letter agency finally had a high-confidence note on who was behind the XZ backdoor and decided to issue an (blatant) order to kick out all Russian maintainers, because that's how USG usually works.
The quoted text is a great mechanism to turn your brain off. "Oh, they giving me stuff. They must be good then and can do no wrong. I can turn my brain off and go sleep."
Just to be clear, I'm not saying good words to any regime. I mean both the US sanction and the Russian invasion suck. I don't want another country bossing over what you can do, and I don't want another country pointing guns on your head either.
Russia is bad, but that doesn't mean I'm in support of bans like this without a reason. Just because you "have the reason to commit crimes" is not strong enough a reason to exclude you! How child's bully it is!
> don't want another country bossing over what you can do
So we agree that invading other countries is wrong. However you believe that a country has the inherent right to do anything (including imprisoning, murdering them etc. etc.) to its citizens and face no external repercussions? At the same time other countries do not have the right to not do business with that country or to prevent its citizens from doing that. Seems slightly contradictory? No?
> not strong enough a reason to exclude you
IMHO that just sounds like a pretext to me and the removal itself seems like mainly a political statement (especially considering the rhetoric coming from Linus himself).
Not that I'd have any issues with that whatsoever (if those people really want to keep their maintainer status so strongly they could've just moved to another country like a over a million of other Russians did.)
Most of those emigrees have returned. Out of all people I personally know only two still live abroad, and only one of them has no plans to ever go back (but has not changed his passport because it's truly difficult).
And saying "they could easily have emigrated" shows that you have zero touch with the common man. No, many people can't "simply leave" even if their profession is in demand.
Edit: ah, I now see your other comments. No further discussion needed, don't forget to label me either a paid troll, a useful idiot, or both.
It helps to think of these people as essentially Mao's Red Guards. They are (I hope) still very young and as a result very absolutist in their thinking. They are fanatical about their country being the best because they haven't seen or experienced much else. And they get a sense of power from belonging to what they think is the group of the People Who Are Always Right.
Mao's Red Guards. Because these ducks quack like those ones did.
It's rather confusing and hard to understand which side are you targeting here... Because only one is semi-fanatically defending their country while disregarding pretty much any argument or fact that doesn't align with that.
We need literature, fiction or non-fiction, which can illustrate some historical thought fallacies that have lead well-intentioned humans into destruction empowered by self-righteousness. Bonus for testimonials by humans who have recovered from this civilizational anti-pattern.
You’re insane, if you think that this is grey situation.
Vanishing empire invaded another country with intent to occupy and subjugate another.
Expecting that one hand can rape, kill, steal while another participates just like nothing happened is psychopath mentality.
>doesn't mean I'm in support of bans like this without a reason
You're saying that you don't trust Torvalds. I do trust him.
Linus said there are legal reasons that involve laws and lawyers and he's not going to go into more detail on the internet. If you had responsibilities to other people as Linus does, and those responsibilities included discussions with attorneys, you'd be a fool to talk about the details i public, so your personal needs in this matter don't see important to me.
He also says he's not US but Finnish, and given the history of Russia's attitude toward Finland, he's fine with it. He also says that what's involved here is not simply US law or policy, so laying the blame for this on the US is misguided.
My comment would be deleted if I answered your question about Israel, but there is no mainstream left-wing media or left-wing political party in the USA.
If you scroll down on the thread linked, someone mentions the reason isn't that the developers are Russian, but because their employers in Russia are sanctioned companies.
I don't know if that's accurate, but seems feasible. If so I'm 100% behind it.
It'd be nice to know the exact reasoning for this, rather than just see a commit without any context of why they're being removed. I'm pretty sure we'll know in due time.
I think it's more likely that everyone will forget in a few days and we will never know. Maybe there will be few more random bans.
I highly doubt anyone banned will even try to send "sufficient documentation". The wording is as vague and arbitrary as it gets, and the underlying tone sounds to me not like "we have such and such requirements", but like "some Russian-sounding names are banned, but we still have to demonstrate there is a due process".
Reminds me of banks. Banks are fined for not having processes for detecting money laundering. Not money laundering, mind it, just having "inadequate" processes. If such a process flags someone, that someone is blocked and they should provide "sufficient documents", but the bank is not allowed to tell them why or what, that would be "tipping off", which is illegal. And then it all comes down to bank's internal policies (that the bank is not allowed to disclose) or even a personal relationship with a branch manager.
> Banks are fined for not having processes for detecting money laundering. Not money laundering, mind it, just having "inadequate" processes. If such a process flags someone, that someone is blocked and they should provide "sufficient documents",
Isn't that how most compliance regulation works? You can't force companies to have a perfect record of preventing something, no matter how you structure things, so instead of trying to do so, you setup something that will at least preventing it somewhat. And then you fine the companies who don't do anything to prevent the issue.
I'm not a lawyer, but I don't think so. For example, there is no penalty for not having an accountant on payroll. But there are some for not keeping adequate records. I suspect it's irrelevant whether you have a full-time accountant so your records are always in order, or if you do nothing all year and hire someone for a big overhaul each December and also every time authorities need something.
> "some Russian-sounding names are banned, but we still have to demonstrate there is a due process".
That's not true! There are still many Russian maintainers in the kernel, but they are not based in Russia. They only banned individuals, based in Russia, who are employed by sanctioned companies.
As a neighboring comment mentioned, at least one banned individual seems to be based in the US is employed by Amazon, as per their LinkedIn, including some old posts: https://news.ycombinator.com/item?id=41933300
They just happened to still use their older .ru email in the MAINTAINERS file.
Huawei is under same level of sanctions, but nobody with `xxx@huawei.com` is removed from Maintainers list. So, probably "sanctions" are not the reason.
is it? the actual specifics of the sanctions matter, I don't think any of the US sanctions would prevent them from participating in kernel programming.
I don't but with Huawei, the situation is mostly that we don't want to import their technology or give them our technology. With Russia, we basically prohibit all business in general with the entire country.
Do you have any example of a removed person with .ru email who lives and works in the US?
I saw some comments on Reddit about people with @gmail.com (I think), but other comments pointed out that these people were not actually removed and were just present on a screenshot.
It's not a geopolitical drama or melodrama, Linux Foundation needs to follow the laws of US where it's located. It's the same as any other American company
Linux Foundation was never supposed to stifle collaboration in the kernel. They are supposed to be a way to support Linux in a tax-advantaged way, full stop.
EFF should start a fork if any part of them still stands for what's in their name.
I agree. It's not big deal. The Russian team can just fork the kernel, and manage it under their own legal structures. It's really not that hard. Indeed CentOS was maintained by just one person for many years.
It's not a big deal for Linux either, the code in question is mostly for devices that are not sold in the west. So no loss there.
That's the beauty of open source, you can say no to contributions for any reason whatsoever, and the contributor can fork your code and continue to develop it as they please.
Maintainers ≠ developers, and it wasn't that long ago when we heard Linus moaning about maintainer shortage and nobody wanting to pick up their work. Now we get this. Whatever you think of this particular decision, it won't help with finding more maintainers, especially from countries other than the US and its closest allies.
I live in a country which may one day find itself under US sanctions, and I'm been busy cutting reliance on American services, just to avoid having to migrate everything in a rush if that happens. Everyone here understands this (for example, my day job migrated off GitHub to self hosted gitlab back in 2022), and I can't imagine many people will be interested in spending years of effort to then possibly be kicked from the project because they chose to be born in a wrong country.
Probably the best thing that can happen to the kernel... this type of measure generally backfires spectacularly by giving talent the opportunity to thrive, if anything as a way to fight back against injustice and arbitrary decisions, or for sanctioned opposition to invest in resilience by dumping more money in things otherwise not consider a priority. I always thought Argentine music from the 80's and early 90s was legendary, and this stems from a post-Falklands war, self-inflicted sanction against anglo music... regional bands thrived and created gems that even today can be appreciated as masterpieces...
Tell that to Palestinians or Afgani or Iraki or one of the many countries US invaded or where they financed coups and mass killings...
If Americans want to participate in international communities they are free to leave the US. Aren't they?
BTW Linus is Finnish and Sergey Mikhailovich Brin is Russian
The harsh reality is that the west is now that place where people think it's a crime to be born in a place instead of another...
I'll quote something for you
criminalizing individuals based on their place of birth or nationality is generally considered a violation of international human rights law. Principles of non-discrimination are central to international agreements like the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. These treaties emphasize that all people, regardless of origin, have the right to equality before the law and protection from discrimination.
My sense is they simply believe it actually, drawing on sources that seem organic and Western to them; the propaganda is that effective.
In any case: (1) there has never been a "civil war" in Ukraine in modern times; (2) Azov was formed in May 2014, well after Russia's invasions of both the Donbas and the Crimea were well underway; and (3) nevermind the rest.
In 2016, Amnesty International and Human Rights Watch received several credible allegations of abuse and torture by the regiment. Reports published by the Office of the United Nations High Commissioner for Human Rights (OHCHR) documented looting of civilian homes and unlawful detention and torture of civilians between September 2014 and February 2015 "by Ukrainian armed forces and the Azov regiment in and around Shyrokyne".
Another OHCHR report documented an instance of rape and torture, writing: "A man with a mental disability was subject to cruel treatment, rape and other forms of sexual violence by 8 to 10 members of the 'Azov' and the 'Donbas' battalions (both Ukrainian battalions) in August–September 2014. The victim's health subsequently deteriorated and he was hospitalized in a psychiatric hospital." A report from January 2015 stated that a Donetsk People's Republic supporter was detained and tortured with electricity and waterboarding and struck repeatedly on his genitals, which resulted in his confessing to spying for pro-Russian militants.
Battalion Azov was created on May 5, 2014 along with other battalions of the Special Purpose Police Patrol Service (SPPS) on the basis of a decision of the Ministry of Internal Affairs of Ukraine.
That's the usual propaganda that spreads on wiki, Azov was (officially) founded as a para military group in February 2014 (I wrongly wrote 2024 in my previous post).
CIA disinformation is not information. Azov is just one of the many incarnations of the US foreign policy, it's the same thing they do every time: they train far right extremists (azov is a neo-nazi group) then they pretend we believe they are self formed organizations, spontaneously born. It's the Afghan mujahideen of the Soviet–Afghan War all over again, been there, seen that, etc. etc.
I am European, I cooperate with news agencies, I can discern truth from lies.
According to right‑wing radicalism researcher Vyacheslav Likhachev, Azov had many roots. The brigade was founded by the activists of Patriot of Ukraine, Automaidan, Social-National Assembly and other organisations active during the Euromaidan.
Euromaidan took place between 21 November 2013 and 22 February 2014.
You do the math.
Blame Wikipedia, not me
Anyway, if you really don't know what "people from ibizia" is, your loss!
More substantially: why are you (so persistently) trying to nerd-snipe some internet randoid (me) over the (obviously irrelevant) exact founding date of that organization?
If you have some broader point to make about Azov -- make it. Lemme guess: some variant of "Just forget Ukraine and support Trump's capitulation plan, because Azov, ooh, scary".
I used to pirate a lot of random music in early 00’s and went through a Latin phase. Downloaded one album by Fabiana Cantilo full of covers by what seemed to be other Argentine artists and some names are Soda Stereo and Andres Calamaro.
They seem to have a lot of what kids today would call bangers.
Some of my favorite Argentine songs: Donde Manda Marinero, En La Ciudad De la Furia. Fabiana’s album that I torrented back in the day happens to be covers of the famous songs and I like a lot of them too
Disclaimer, I just happened to know some Argentine songs that are total ear worms, not necessarily an expert in Argentine music
If Project P in Country A is identified by Country B as a potential target for planting cyber-attack-enabling backdoors, Country B has an incentive to find people to put a backdoor in P.
If Country B is a free country with rights and ethics, they will say "Help us put a backdoor in P. We'll pay you very well for services rendered," or try to get someone who already works for Country B intelligence into P's management structure.
If Country B is an "evil" country, they will do all of the above, but will also tell people of influence in P who live or have family in Country B or its allies, "Help us put a backdoor in P. If you refuse or if the backdoor doesn't work or if the legitimate workers of P find it and remove it before it helps us, you'll be arrested and/or tortured and/or killed and/or your family too."
Removing Russian based kernel maintainers from positions in which they could conceivably help insert a backdoor into the kernel hopefully removes the incentive for the Russian government to threaten (or carry out) horrific violence against these individuals and their families.
It allows you to get code into the kernel by way of sending patches. Eventually you may earn enough trust to get into some kind of power position. Surely you remember the liblzma/xz story.
These people don't even remember that the man in the telly told them something completely different a month ago. As far as they are concerned, they've always been at war with Eastasia. And you are expecting them to remember something and draw parallels?
Either country can also say: "we have this law that requires people to help law enforcement agencies to implement backdoo^W special technical measures to advance national security interests, and also a gag order because it's a matter of national security".
I think Australia had something called Technical Capability Notices (TCNs) back in 2018? For legal entities for sure, not sure about hobbyists.
The last paragraph also makes the whole situation sound like someone cares for Russian developers' well-being. I highly doubt it was ever the intention.
Really appreciate informative comments like this, basically explaining from first principles and not assuming people are idiots for not immediately understanding the implications.
It also made me realise what a cushy, insular world I live in not having to worry about those threats when I write software. Made me more aware of what others might face.
It’s a made up scenario that has never been documented to happen with a major OSS project. The solution seems like an incredibly poor fit and this justification is retroactive. The notion that they are actually doing the Russian maintainers a favor is ridiculous.
When a society starts shadowboxing figments of its own imagination, that is not a good sign for the health of the society.
I would argue nobody needs to provide an example. IMO, we can assume an action to be taken if:
1. The mechanisms for its existence exist
2. There is motivation of a large enough scale
3. The scale of the actors is large enough
The Linux kernel is very large, and nation-states like Russia are also very large. There is a very high motivation for a backdoor to exist for the Russian government. And the mechanisms are certainly in place to create such a backdoor.
So, I conclude there would absolutely be a Russian backdoor planted, if it isn't already. For the same reasons I conclude Windows probably has multiple backdoors for US agencies.
As a side-note, the scale of the Linux Kernel matters here. It's over a billion lines of code. It's truly trivial to sneak in an exploit and have it never be discovered. You can't prove a negative here - just because we haven't seen an exploit doesn't mean they don't exist. Also, we have found MANY bugs in the Linux kernel. Are they exploits intentionally planted? Virtually impossible to tell. Some bugs have existed for decades before discovery.
You should assume your operating systems already contain many exploits. Thus, we have tools like encryption, firewalls, and trusted repos to protect us anyway.
Note this doesn't mean I support the move. Certainly, any other country could implant backdoors (and probably have already). However, the Linux kernel kind of sort of belongs to the West, and the West kind of sort of has an alliance. So it makes sense why Russia is singled out.
The world is a chaotic and complicated place, you cannot deductively prove things about the world in the manner you are trying. I do not support further securitization based on this style of reasoning. I think we lose more than we gain. If I should assume my OS already contains many exploits, it seems like the risk from Russians is just that they read the source code carefully.
> the Linux kernel kind of sort of belongs to the West,
I'm not proving anything, I'm assuming, and I think it's a reasonable assumption. My argument is that I don't need proof, so I won't even bother providing it. Based on what I've seen, I can be highly confident there exists backdoors in the Linux Kernel without explicitly having to find those backdoors.
For the same reason, I can be highly confident there is at least one person stealing office supplies at Amazon. And I can be highly confident there are some examples of data theft in automobiles. I just use the same principles as above.
> I don't agree.
Okay. How?
The vast majority of Kernel developers are from the West and live in the West. The kernel was created in the West. Management is in the West. And the majority of large tech companies are Western, so probably the majority of Kernel users are also in the West.
Therefore, the West has a majority control over the kernel, and they have a huge incentive to "protect" it to how they define that. That's that, and we can tell this is the case because it wasn't Russia banning western devs from kernel development, was it?
Also: on the topic of chaos, this is why the "motivation" bullet point exists. If there's no motivation, I can't be sure, due to chaos. Chaos means even things that should happen may not. Motivation, particularly of the financial variety, cuts through the chaos of humanity. I am very confident in asserting that and I think pretty much all of history supports that.
While everything you mention is absolutely true, to the credit of the opinion of whimsicalism, any maintainer worldwide could get offered tons of bitcoins to integrate a backdoor / "bug".
Completely irrelevant. They are not the owner of the Linux kernel.
Linus holds the trademark. The copyright holders are the contributors to the source code. Nobody "owns" it, that's the point, it's an international project.
Linus, who since 2010 is an American citizen. Effectively, the US is probably the country closest to "owning" the Kernel, in that if the US wanted to put an abrupt cease to kernel development, they could, if only for a short period until the project re-organizes. I don't think any other country posses even the ability of doing so.
Any other person from any other country in the world can and could fork it in a heartbeat 100% legally. It wouldn't stop diddly squat, except that it loses its BDFL and finds another one in short order. There is absolutely zero the US could do about this.
Removing US based kernel maintainers from positions in which they could conceivably help insert a backdoor into the kernel hopefully removes the incentive for the US government to threaten (or carry out) horrific violence against these individuals and their families.
It would only work if the specific government agency/actor could successfully conceal such actions from the rest of the government agencies, courts, media etc. etc. No such safety checks exist in Russia or other pseudo-fascist states.
If the Russian government is blackmailing you your are certainly screwed. In US.. well it depends but you could quite easily bring down the people doing this to you with yourself if you chose not to comply. Therefore no rational US government "actor" would engage in something like that outside of extreme circumstances.
> In US.. well it depends but you could quite easily bring down the people doing this to you with yourself
I personally don't see much difference between "going down" and "going down together with other people". At least for myself and my family. I'm screwed anyway.
what next? removing all developers who have ever visited russia (because they have probably been told they would be tortured unless they put a backdoor)? removing all developers that have family ties to china? removing anyone who hasn't been born in US and who has family outside of US? if Linus father, who lives in Finland, visits Russia should Linus be removed then?
What you wrote is very logical but it doesn't explain who defines how "evil" the country is. And the answer is "US". All your 4 paragraphs could be rewritten with "US defines if you are worthy or not". Which sounds real and quite disappointing to many people who thought Linux is a shared effort of the humanity
I haven't followed the original events but I understand their actions. Probably they need to have "no russian developers" ticked for compliance for some defense contractor. So they have run "grep -rF .ru .git/" and found russian developers to remove to tick that requirement. I would have probably done the same -- it's easier to do it that to explain to many people why those people aren't evil
Such a blatant BS rationalization... The commit literally talks about "compliance". This is nothing more than an easy alternative to navigating the obscure sanctioning regime. It's like self-censorship, people/companies do this because of the fear that their activity may fall under sanctions, even though it highly likely does not.
If your system relies on people being in "a free country with rights and ethics", then you have a bad system widely open to abuse. After all, who decides which country is "free" and which is not? White house? Should you exclude people from all "non-free" countries?
> people/companies do this because of the fear that their activity may fall under sanctions, even though it highly likely does not.
People/companies do this because lawyers tell them that there is a risk that the activity may violate sanctions. And yes the lawyers are probably overly conservative, but that's because there often isn't a way to know for sure whether something is actually a violation until you end up in the courtroom.
> And yes the lawyers are probably overly conservative, but that's because there often isn't a way to know for sure whether something is actually a violation until you end up in the courtroom.
You've outlined a justification based on a kafkaesque stockholm syndrome vibe. The system doesn't work as well as it's being advertised, does it?
The Russian government could compel pretty much anyone in Russia to do anything with minimal actual cost to it.
Governments in US and other democratic states would be risking a lot more if if other government agencies, courts, media etc. figure that out. Therefore as long as they are somewhat rational they are less likely to engage in something like that.
A member of the House of Lords, Lord Lea, has written to the London Review of Books saying that shortly before she died, fellow peer and former MI6 officer Daphne Park told him Britain had been involved in the death of Patrice Lumumba, the elected leader of the Congo, in 1961.
When he asked her whether MI6 might have had something to do with it, he recalls her saying: "We did. I organised it."
And in modern times.
Russia would be screaming out of their lungs and threatening nuclear war if CIA or MI6 murdered someone in Moscow with plutonium tea.
I'm not saying the Russia invasion is not evil, but man, did you watch too many popcorn movies?
How child play and naive you're thinking of politics. If Russia ever had that degree of power to control the behavior of its citizens, it would have already ruled the world.
You can't even fully control a 5-person band and you're telling us that magically Russia is able to control millions of people, amongst which none of them know justice or human rights enough to leak any info. You know, even under the infamous assassin attempts from FBI, Snowden managed to flee to Russia. How can Russia be more powerful than the US in this way?
I'm not saying good words to any regime. I mean both the US sanction and the Russian invasion suck. I don't want another country bossing over what you can do, and I don't want another country pointing guns on your head either.
> You can't even fully control a 5-person band and you're telling us that magically Russia is able to control millions of people, amongst which none of them know justice or human rights enough to leak any info.
They’ve literally killed most powerful and influential opposition leader on open display. Use your brain, it’s not hard.
To this casual bystander it seems like they usually hurt innocent citizens far more than the leaders of the usually authoritarion regime that it targets.
>To this casual bystander it seems like they usually hurt innocent citizens far more than the leaders of the usually authoritarion regime that it targets.
That's kinda the point. The common folk put pressure on their leaders to correct their behavior.
western people had plenty of time to stop buying russian oil after the Crimea was stolen in 2014, but alas, they wanted to sponsor russian military and police so badly
That assumes the common folk can put pressure on their leaders, which is usually not the case for countries targeted by sanctions from the US, which usually have autocratic or otherwise authoritarian governments.
History is full of violent revolutions against autocratic governments. We should inflict maximum pain on the Russian populace. Be as cruel as possible. Keep the pressure on. Eventually it might pay off. And even if it doesn't work, it serves as an object lesson to other countries on the consequences of opposing US policies.
Amusement has nothing to do with it. This is one method among many for pursuing national geopolitical goals. It's a shame that the Russian populace has to suffer, I bear them no ill will. But if they ever want to get out of international sanctions then they know what they need to do.
Buy a ticket to Ukraine right about now and ask Ukrainians how amused are they. And don’t forget to visit every country that had to take millions of refugees.
If that is truly the case: either people in Russia are unable to construct logical chains and understand why certain things are happening (and in that case one should seriously question their ability to contribute meaningful code). OR, they do understand the reasons but choose to support their leader's actions (in which case them having privileges in the project is a major security risk). Which one is it?
People in Russia weren't born three years ago and can remember things.
When the US illegally invaded and devastated Iraq in 2003 under the fake pretense of WMD weapons, no sanctions against the US from the other Western countries followed. And of course the US didn't sanction itself and the American people reelected the president who started that war instead of surrendering him to the International Criminal Court.
So, if one constructs a logical chain from that, invading a country doesn't lead to any punishment, neither internationally nor domestically.
What you’re saying is that majority of Russians never visited basic school? Because you learn «минус на минус не дает плюс» somewhere around start of mathematics.
Do you not think that at least 50% of all people in Russia would vote for Putin or his affiliates (even if the elections weren't falsified)? Therefore most people in Russia are certainly not innocent.
We don't know and can't know that, there hasn't been a single election without major falsifications since about 2004. I personally don't know anyone who voted for him, but I don't keep many ties to the "lowest classes". If your image of the Russian society is based solely on US left-wing media, then it has even less resemblance to reality.
Even (pseudo)opposition polls generally show that most people support Putin? Yes I understand that polls in such a society might not be particularly meaningful. But I'm not even saying that most Russians actively support the government, implicit support (i.e. being unwilling to risk anything to change the status quo) is almost as good.
> "lowest classes"
I find it hard to believe that there aren't plenty of people who are middle class and above who support the regime. After all Russia's economy is almost entirely based on raw resources extraction and (now) military related industries.
> If your image of the Russian society is based solely on US left-wing media
And yours is based on Kremlin propaganda channels and media sources? See what I did there? Both assumptions are equally valid/invalid and neither contributes anything to a meaningful discussion besides immediately shutting down the possibility of one existing.
The Linux kernel will outlast any war and even many countries. It’s an institution, and in some ways it fosters more global collaboration and interdependence than even the UN. Bifurcating it along geopolitical lines is a short-sighted, lose/lose reaction to an inarticulable problem.
Well, I oppose the inclusion of OSS in those sanctions. I’m also generally skeptical of the theory of change - economic decoupling generally doesn’t make conflict less likely or protracted.
I don’t know a lot about that sanctions regime. If it was targeted stuff related to directly preventing the ongoing genocides, sure keep them - but in general, I would be opposed.
"we reserve the right to refuse to (i) delete any of the submissions, favorites, or comments you posted on the Hacker News site or linked in your profile and/or (ii) remove their association with your Hacker News ID."
In addition to GDPR (which is EU law but US companies have to respect it too), it may violate local state laws in the US too that you can't delete the account, if someone knows.
Best is somehow rather not to post if you don't want to have your messages recorded and linked to you.
> Linux is a technology controlled by Western state actors?
Not directly, but sort of? Isn't this specific case an actual example of that?
> Would you support a backdoor contributed by a friendly nation state
The theoretical risk of that somewhat lower. i.e. government actors in friendly nation states could face somewhat serious consequences if they try that and it backfires. Russian government would face no risk or consequences whatsoever if they conspired to murder someone or imprison them on trumped up charges.
Whether we like to acknowledge it or not, the world has been split in two:
Russia, China, Iran, North Korea... and everybody else.
I can deploy an Azure or AWS cloud server right now in any one of several dozen nations, including Malaysia, Indonesia, Chile, Qatar, Israel, and Mexico.
I can't deploy VMs in Russia, China, Iran, or North Korea.
Not just because of sanctions, but because they don't allow me to. It's illegal for me -- I don't even need to specify which country I am in, it doesn't matter -- to deploy pretty much anything in those nations, by their own laws. (Similarly, I can't buy property, start a business, buy shares directly, etc, etc...)
It is self evident, though? Russia, NK and Iran at least.. I wouldn't necessarily say that China is technically on Russia's side. Not to such a degree that most Western countries are on Ukraine's side.
They even comply with some sanctions and AFAIK aren't actually sending weapons to Russia.
> Russia, China, Iran, North Korea... and everybody else.
Something is happening in Kazan as we speak. In attendance are many among your "everybody else", many of whom have no great love for any of these four. It is worth asking why this might be.
>Russia, China, Iran, North Korea... and everybody else.
BRICS meeting is currently happening in Russia and the leaders who gathered there represent more than a half of world's population: "Putin returns to world stage hosting 36 leaders at Brics summit in Russia"[0].
>I can't deploy VMs in Russia
Really? You are welcome to click "Start your trial period" at Yandex Cloud. [1]
>Similarly, I can't buy property, start a business, buy shares directly
I invite readers to note the couching here of a technical/strategic point in a moral/historical comparison, and to consider whether the latter is warranted
which are based in countries that have Russia on a sanctions list. The main contributer employer based in a country that doesn't have Russia on some list is Huawei.
So given those folks contribute the most code to Linux, they may not want possible complications with regards to possible legal issues.
Not sure if you are joking or not, but BRICS certainly have enough developers for that effort, especially if it is encouraged and financed by the member states. I would not be surprised if this happens.
did banning plastic straws in a few US cities fix climate change and pollution?
>The access Russia currently enjoys is the equivalent of Goebbels being allowed to anonymously publish front-page editorials in the Times
there's absolutely nothing you can do about this to prevent this.
troll farms can afford residential VPNs and can network with the US/EU via neighboring neutral countries or their overseas agents.
>while simultaneously contributing code to Bletchley Park co
there's absolutely nothing you can do about this to prevent this.
how do you know that John Johnson contributing code to some widely-used library is not Ivan Ivanson, a KGB sleeper agent? do you know John Johnson in person? does anyone else in your anonymous, informal, nebulous developer clique know any other contributor personally? are you sure that jkldjsafj, qweqweqwe and all the random anonymous guys with anime girl profile pictures who contribute code to a myriad projects are not Russian plants?
>I would like to remind you of the recent XZ utils backdoor into SSH contributed by a less than friendly nation state.
case in point to the above: no one fucking knows who did it. it could be Russia, it could be China, it could be Israel, it could be NSA/CIA.
> there's absolutely nothing you can do about this to prevent this.
Fibre can be cut.
I know it's unpalatable, or somehow "an escalation", but when NATO started backing Ukraine and the US imposed sanctions on Russia, the logical move would have been to immediately sever all of their international network links. There's what, a few dozen fibre connections crossing their borders?
"an escalation" is a bit of an understatement if you try to cut the fiber connecting Russia and China. they also share a border with Georgia, Azerbaijan, Kazakhstan and Mongolia.
what the fuck are you going to do? do you people not understand how the Internet works? unless you isolate your network from all other networks, it is accessible from any other network.
That’s fixable too. If the rest of the world drops all packets to or from Russian CIDR blocks, it doesn’t matter how many fibre links they still have lit up.
Just a handful of public clouds and major CDNs dropping packets from Russian IPs would cut them off from almost all Internet services directly or indirectly. Good luck browsing web pages with cdnjs and the like just timing out for you!
Russia can route to the rest of the Internet because they’re being allowed to in the same sense that they can sell oil and gas to Europe because Europeans are allowing them to.
Ok, lots of Russian trolls out and about. It's entirely clear why the change was done, it's not getting reverted, and using multiple random anonymous accounts to try to "grass root" it by Russian troll factories isn't going to change anything. And FYI for the actual innocent bystanders who aren't troll farm accounts - the "various compliance requirements" are not just a US thing.
If you haven't heard of Russian sanctions yet, you should try to read the news some day. And by "news," I don't mean Russian state-sponsored spam. As to sending me a revert patch - please use whatever mush you call brains. I'm Finnish. Did you think I'd be _supporting_ Russian aggression? Apparently it's not just lack of real news, it's lack of history knowledge too.
That's fine, but we would like to see the orders he received and the evidence. This patch is outrageous because of the lack of transparency, not the patch itself if there's a good reason for it. Linus and Greg appear to be not only not posting a reason, but trying to keep the reason secret.
What about them? I can say "it's illegal for me to murder someone" without a lawyer being involved and so I can say "it's illegal for me to collaborate with company X" if that is true. Lawyers wouldn't stop me saying that unless something fishy was happening.
> The ban complies with the EU’s 12th sanctions package adopted in December, which ordered companies in and outside the bloc to stop exporting products and technology to Russia by March 20.
That would mean that either A) it's not what triggered this change or B) the kernel wasn't legally following compliance requirements for almost a year
But besides that, that sanction is between EU<>Russia, not sure if that would ultimately enforce the kernel to implement those compliance requirements, unless also agreed and followed by the US.
Sounds like overreach by a company that is heavily invested in Linux as a base for its products, and is having a difficult time with US trade regulations.
Its pandering. I hope these developers petition to be added back.
Have to say that a lot of hacker news contributors really show their colors around events like this. This is a completely good thing to do and well past due.
Why should this be a problem for anyone outside of China? It's only when the same people can read your messages and send dudes with guns to your doorstep if they don't like what they see that things actually get dangerous.
That's interesting, but these seem like they are just a slightly more structured form of the ways in which the CCP has been known to keep track of their own nationals abroad for many years. Not only is there no evidence or reason to expect that they would interact with people who are not PRC nationals, they presumably don't have guns and certainly have no actual policing powers either. If these "Chinese police stations" were to dispatch someone to my door, I could just call the actual police to have them removed. Meanwhile, I doubt I could call the "Chinese police stations" to protect me from the police of the country I live in, if they were to act upon a friendly request from the US like the Swedes and British did with Assange or the New Zealanders did with Kim Dotcom.
How convoluted, insidious, and camouflaged can a hidden backdoor or exploitable intentional defect be?
If hacking or subversion is possible, it has been tried and will be again. If anyone is going to try it, chances are Putin's people will.
It's by far the sneakiest, most advanced cheating and infiltration apparatus humanity has ever known. It inherited a large "meddling war chest" from the Soviet Union, then invested heavily into it for 25 years. The Internet increased its opportunities a million-fold. Its semitransparent tentacles are now embedded into nearly every consequential organization on the planet.
Consider the xz episode as a baseline. It was fairly sneaky, but it was introduced by a newcomer to the project and affected mostly existing code. A more elaborate exploit might be submitted with a new feature by an established maintainer.
This could get messy in other projects, depending where this rule came from.
I know there are .ru maintainers in at least one other ; and what about distros?
It is wrong - plain and simple.
It is no different to racism.
As for Linus comments,
it is really surprising how many proper idiots working in IT industry.
It was not like that before..
Not long ago, simply reading Linux magazine was considered a terrorism.
Not sure this is really what anyone had in mind when sanctioning Russia? The maintainers probably aren't pleased but can't see a direct route from there to Putin's opinion of the war in Ukraine.
Probably not sanctions, but national security concerns.
The former aims to punish and worsen the situation of the other country, the latter aims to reduce the attack vector and improve the situation of the US.
If I were a KGB (FSB) agent with a task to undermine US infrastructure with my commits in Linux kernel, using my real russian name and .ru TLD would be the last thing to do.
Sure, but if I were an agency tasked with protecting US from security threats, I would begin with the lowest hanging fruit.
Yes, probably the guy who holds up the number "3" using his thumb, index, and middle finger shouldn't be allowed in the Super Secret Vault. But the dude right behind him who has "I'm Russian" tattooed on his forehead shouldn't be allowed in either, and he's a bit easier to spot.
It’s pretty evident at this point that any Russian citizen in Russia or with family in Russia can be coerced, and it’s also pretty clear that Putin specifically does not have good intentions.
There are lots of good people there. It’s too bad there is a crazy person at the helm.
It is evident everyone CAN be coerced. Not that everyone WILL BE, because some people still think of themselves as people, not some “honest citizens” or “economic agents”.
It is also evident that someone quite far from Russia HAS ALREADY BEEN coerced to make that unannounced change, but you try really hard to look the other way. “Those Linux nerds” were shown who's the boss in the room when it comes to “important matters”. Don't you feel that the form of that change itself is a sign of silent disobedience, and you are expected to participate in public outcry forcing further developments instead of just bending over willingly?
It is totally possible that there was some direct intelligence that those accounts can be used in some clandestine operation in the future, probably without even asking some of the owners. After all, spies are #1 information source to other spies, they run the global spectacle together. Still, accepting “this is secret” as an excuse, you are already accepting defeat.
The cost/risk to the Russian government of coercing someone to do anything is approximately zero. Not so much in the US/etc., the risk of negative consequences is not insignificant?
> were shown who's the boss in the room when it comes to “important matters”.
Or Linus just doesn't like Russia(ns)? Why is there a need for some conspiracy?
all you have to look at is the number of russian oligarchs being defenstrated since the invasion began to know that if it served russian aims to inject malware into the kernel somehow via their maintainers it would probably be tried. the maintainers are probably not oligarch level rich so imagine the pressure on them if needed.
if you believe Russian government would coerce its own citizens, why do you not believe they would coerce foreigners? they have a world class intelligence agency that routinely assassinates regime enemies in foreign countries after all, so why should it be any harder for them?
Well, what do you propose? We're obviously far past the point of diplomacy. The sanctions are not designed to change hearts and minds. They're designed to make Russia's war efforts more difficult. The sorry state of affairs is that Russia's government has made itself a huge problem and there are no good solutions.
I doubt this particular move will complicate Russia's war efforts in any appreciable way. There is no non-fanciful way in which the named, well-established and closely watched kernel maintainers could have leveraged their status for it, and the tech scene has been one of the remaining bastions of pro-Western sentiment in Russian society. How many young programmers will be disenchanted with the West after hearing of this, and finally relent and answer their government's call to go write software for military drones or whatever?
Well, this comment (https://news.ycombinator.com/item?id=41932923) seems to indicate that Russian military industrial companies seem to get some use out of contributing to the kernel. As to your question, I cannot answer it to any degree of accuracy and I believe you cannot either.
That certainly absolves Sadam of the tens of thousands of murders committed by his government. That's a perfectly reasonable and sane take.
Hitler himself faced quite a few false accusations (e.g. even for crimes actually committed by the Soviets). Certainly that would mean that he did nothing wrong according to a troll like yourself?
Really how so? Is that not what you were implying? Or what was your point exactly? Besides the claim that Sadam being not guilty of some small subset accusations targeting him somehow changes anything?
Was it? The were perfectly fine with ignoring the hundreds of thousands of Iraqis killed by Saddam's government during the revolt they instigated in 1991 because they didn't want to get involved or remove him from power at the time.
Even in 2003 that wasn't anywhere close to being the primary reason.
> We see it again and again.
That doesn't change those facts...
Are you saying that Saddam didn't commit the atrocities that he did because US government said he did?
Obviously I'm talking more about Fascist Italy than Germany. Both because of general ideology and military performance. Of course unlike in Italy's case there is no Nazi Germany to bail them out...
Wait ... Western countries killing in Russia? What?! As part of the Cold War, sure, but that's the nature spying; we do it, they do it, everybody does it. Seems like you're implying armed forces level killing in Russia, though. Care to explain that?
It's already the case, if you are living in a country officially listed as "hostile to Russia" (or "enemy") it's very difficult to business there. That's why McDonald's left for example.
This was a very bad move by the Linux foundation. They should get new lawyers. Linux development should probably be moved outside of wartime/unstable jurisdictions like the US.
My worry is less about big projects being inclusive and multinational, and more about whether there are clear guidelines and specific reasons given when people are kicked off or otherwise demoted.
Nobody likes being at the mercy of a system that feels capricious.
I guess that's it. Open source is a fantasy that started coming to an end about 15 years ago. We lived in a fantasy world in 90s-00s, where there were no governments, no corporations and almost no people that make you shake your head. It was so easy (and of course silly, in the hindsight) to believe, that the internet is some another world, where earthly matters do not concern us. And everything was just about improving this world for ourselves. It's not like people often agree to work for free otherwise. Working for free is incompatible with capitalism, and we learn to believe that nothing else is truly possible in the real world. It's not like "open source" doesn't have a point in that imperfect world with governments, corporations and 8B people, that the internet seemed disconnected from for a while, it just doesn't have place. It simply almost doesn't happen there.
So, now the real world has slowly catched up to that fantasy world of ours. The winter has really come.
Can we please get a fraction of the resources currently put into Linux kernel development and start developing a robust userland ecosystem for SeL4?
Microkernels in general already mitigate the possible damage that could be done by rogue code in large monolithic kernels. A formally verified microkernel like SeL4 is an even better guarantee. And performance concerns of microkernels are practically solved at this point.
These sorts of nation-state sponsored malicious code practices could be made mostly irrelevant. We just need a little momentum to get us there.
>No, but I'm not a lawyer, so I'm not going to go into the details that I - and other maintainers - were told by lawyers. >I'm also not going to start discussing legal issues with random internet people who I seriously suspect are paid actors and/or have been riled up by them.
Which I find pretty concerning statements, quite a disservice to the community. It's a global community, and here the maintainers take some action without explanation. They don't even have a communiqué at hand to tell people what this action is, why it was taken, and which alternatives were considered but rejected. This is the bare minimum that I expect of the maintainers of a piece of software that is very critical to many millions of systems worldwide. Counting on the goodwill of users is not acceptable for an operating system that underpins the security of people's computers.