Linux Foundation’s decision to ban Russian maintainers has the potential to destroy open source’s global collaboration model
By Cliff Saran, Managing Editor
Published: 30 Oct 2024 12:20
Following the removal last week of Russian Linux kernel maintainers to comply with US policies, Linus Torvalds – the developer of the original Linux kernel – spoke about his concerns that there were lots of Russian trolls who could potentially infiltrate the Linux kernel.
The decision to block the maintainers followed the compromise of the open source XZ Utils software library, which was the result of a social engineering attack targeting the utility’s maintainer.
“It’s entirely clear why the change was done. It’s not getting reverted, and using multiple random anonymous accounts to try to ‘grass root’ it by Russian troll factories isn’t going to change anything,” wrote Torvalds in a message to the Linux kernel mailing list, whose recipients help maintain the kernel code.
His remarks have drawn a swathe of comments, ranging from anti-Russian sentiment to speculation that Microsoft lobbyists were behind the decision. Yet the decision’s impact has far-reaching consequences for open source, which, until now, has largely been regarded as a global community effort.
Any US sanctions that prevent people from certain countries from participating in open source projects not only have the potential to destroy global collaboration, but could also open the floodgates to wider scrutiny, including possible background checks on software engineers working in all businesses.
The vulnerability of open source maintainers
The ban comes just months after the XZ Utils incident, in which the overworked maintainer of the XZ Utils open source library accepted help from a developer using the name Jia Tan, who joined the project and started opening pull requests for various bug fixes and improvements. Having established trust and credibility, the developer began to receive permissions on the repository. The attackers then sent spurious complaints and bug reports, as a form of social engineering attack, to pressure the project’s original maintainer into giving Jia Tan more control of the project: commit permissions and, eventually, release manager rights.
It seems that as part of the effort to gain these permissions, Jia Tan used an interesting form of social engineering. Fake accounts were used to send myriad feature requests and bug complaints to put pressure on the original maintainer, eventually causing them to add Jia Tan to the repository.
One of the changes Jia Tan introduced was a sophisticated backdoor in XZ Utils.
However, the Russian maintainers do not appear to have done anything wrong. Amanda Brock, CEO of OpenUK, said: “I don’t know the logic behind the decision. People are being excluded from global collaboration who are not bad actors, and that’s hugely problematic. It’s a can of worms.”
The licensing of open source code means it can be used by anyone for any purpose. “In my 16 to 17 years in open source, this is the first time I’ve seen a category of people being restricted,” she added.
There are rules around export control that prevent technology, such as encryption software, from being exported. Earlier this year, the US Office of Foreign Assets Control issued guidance on President Joe Biden’s executive order imposing sanctions on Russia and Russian businesses. Certain categories of software and IT consulting services are covered, which means these cannot be provided in Russia. The sanctions also cover certain Russian businesses.
Although the Linux Foundation has not released any further details on the ban, it is believed that the banned Russian maintainers may have worked at these organisations.
As Brock noted, although export controls restrict the distribution of software, often, the code is available on a mirror site. “Sanctions are different,” she added. “If a business is on a sanction list, you cannot engage commercially in certain ways with that business, and what I gather from the bits of discussion [I’ve seen] is that 11 individuals have been told that they can’t be on the maintainer list.”
Brock’s understanding of why these individuals have been excluded is that their employers are subject to a US sanctions list.
Exclusion could impact other countries of interest
“These people, to the best of my knowledge, have done nothing wrong. They are of a class of people who the US government wants to exclude because, I believe, their employer has connections to Russia, which means that they have to be excluded.”
For Brock, the decision to ban the 11 Russian maintainers has consequences for open source code, which is increasingly being subject to complex legislation and legal restrictions.
For instance, the US and the UK have imposed sanctions on Chinese tech firms, such as Huawei. Yet research suggests China has the second largest community of open source software developers in the world. The research paper “The geography of open source software”, published in 2021, analysed developers on GitHub. While the US had the largest number of developers using GitHub, China had the second largest.
“China is particularly interesting because it’s high up the US list of countries of concern. But at the same time, it has made a decision to engage in open source at a massive scale, and this is a conscious and government-backed decision,” said Brock.
Brock pointed out that Chinese companies have funded open source at scale, both in terms of contributors and investment in foundations.
Projects being driven by Chinese contributors include KubeEdge, which enables Kubernetes to be used in edge computing; Harbor, a cloud-native registry for Kubernetes; and Dragonfly, a file distribution and image acceleration system.
Chinese software, based on open source technology, is also embedded in many of the smart devices in use today.
The UK government has forced mobile telecoms providers to rip out Huawei equipment from the UK’s mobile networks. Brock pointed out that the code in mobile networks is open source, and may very well have Chinese contributors, adding: “How far are we going to go with this? Where does it start and stop?”
She questioned whether the US and other governments would hold proprietary software providers to the same account, to ensure no developer code sourced from “countries of interest” is included in a commercial product. To implement such compliance would require every commercial software provider to change all of their contracts and licences, said Brock, and few organisations are large enough to fund international legal teams to ensure open source software complies with regulations in every region they operate in.
The Linux Foundation’s decision to ban the Russian developers is most likely a response to legal advice, to avert a potential clash with the US administration. With geopolitical tension heating up, there are risks that open source software developers and maintainers from other countries may find that they, too, are being dropped from contributing to and supporting open source projects.