Why geopolitics risks global open source collaborations

Politics tamfitronics The vulnerability of open source maintainers

The ban comes just months after the XY Utils incident, where an overworked project maintainer of the XY Utils open source library took on help from a developer using the name Jia Tan, who initially joined the project and started opening pull requests for various bug fixes or improvements. The developer, having established trust and credibility, began to receive permissions for the repository. The attackers then sent spurious complaints and bugs, as a form of social engineering attack, to pressure the project’s original maintainer to give Jia Tan more control of the project, commit permissions and, eventually, release manager rights.

It seems that as part of the effort to gain these permissions, Jia Tan used an interesting form of social engineering. Fake accounts were used to send myriad feature requests and complaints about bugs to put pressure the original maintainer, eventually causing them to add Jia Tan to the repository.

One of the changes Jia Tan introduced was a sophisticated backdoor in XY Utils.

I don’t know the logic behind the decision [to block the Russian maintainers]. People are being excluded from global collaboration who are not bad actors, and that’s hugely problematic. It’s a can of worms

However, the Russian maintainers do not appear to have done anything wrong. Amanda Brock, CEO of OpenUK, said: “I don’t know the logic behind the decision. People are being excluded from global collaboration who are not bad actors, and that’s hugely problematic. It’s a can of worms.”

The licensing of open source code means it can be used by anyone for any purpose. “In my 16 to 17 years in open source, this is the first time I’ve seen a category of people being restricted,” she added.

There are rules around export control that prevent technology, like encryption software, being exported. Earlier this year, the US Office of Foreign Assets Control issued guidance on President Joe Biden’s executive order imposing sanctions on Russia and Russian businesses. Certain categories of software and IT consulting services are covered, which means these cannot be provided in Russia. The sanctions also cover certain Russian businesses.

Although the Linux Foundation has not released any further details on the ban, it is believed that the banned Russian maintainers may have worked at these organisations.

As Brock noted, although export controls restrict the distribution of software, often, the code is available on a mirror site. “Sanctions are different,” she added. “If a business is on a sanction list, you cannot engage commercially in certain ways with that business, and what I gather from the bits of discussion [I’ve seen] is that 11 individuals have been told that they can’t be on the maintainer list.”

Brock’s understanding of why these individuals have been excluded is that their employers are subject to a US sanctions list.

Politics tamfitronics Exclusion could impact other countries of interest

“These people, to the best of my knowledge, have done nothing wrong. They are of a class of people who the US government wants to exclude because, I believe, their employer has connections to Russia, which means that they have to be excluded.”

For Brock, the decision to ban the 11 Russian maintainers has consequences for open source code, which is increasingly being subject to complex legislation and legal restrictions.

For instance, the US and the UK have imposed sanctions on Chinese tech firms, such as Huawei. Yet research suggests China has the second largest community of open source software developers in the world. The geography of open source software research paper, published in 2021, analysed developers on GitHub. While the US had the largest number of developers using GitHub, China had the second largest.

“China is particularly interesting because it’s high up the US list of countries of concern. But at the same time, it has made a decision to engage in open source at a massive scale, and this is a conscious and government-backed decision,” said Brock.

Brock pointed out that Chinese companies have funded open source at scale, both in terms of contributors and investment in foundations.

Projects being driven by Chinese contributors include KubeEdge, which enables Kubernetes to be used in edge computing; Habor, a cloud-native registry for Kubernetes; and Dragonfly, a file distribution and image acceleration system.

Chinese software, based on open source technology, is also embedded in many of the smart devices in use today.

The UK government has forced mobile telecoms providers to rip out Huawei equipment from the UK’s mobile networks. Brock pointed out that the code in mobile networks is open source, and may very well have Chinese contributors, adding: “How far are we going to go with this? Where does it start and stop?”

She questioned whether the US and other governments would hold proprietary software providers to the same account, to ensure no developer code sourced from “countries of interest” is included in a commercial product. To implement such compliance would require every commercial software provider to change all of their contracts and licences, said Brock, and few organisations are large enough to fund international legal teams to ensure open source software complies with regulations in every region they operate in.

The Linux Foundation’s decision to ban the Russian developers is most likely a response to legal advice, to avert a potential clash with the US administration. With geopolitical tension heating up, there are risks that open source software developers and maintainers from other countries may find that they, too, are being dropped from contributing to and supporting open source projects.