- cross-posted to:
- donoperinfo@infosec.pub
He didn’t expel all Russians, just the ones working for sanctioned Russian companies.
Important context and a good decision
Good! So why the incendiary comments Linus made on Russians? Is it so hard to say something like this: “I have to expel them from the project because a US law forces us to do it. However, I trusted them all these years and they contributed a lot to the project (that is why they were working here). Now, I am against the law because we should not discriminate against people for their origin. Moreover, the claim that they can harm the software is unwarranted because it is OPEN and many eyes are on it. Finally, this harms the entire Linux project because it now makes it an ‘American’ project rather than a global one. Sad times.”
I am also against Russian aggression on Ukraine! But I would not ban any Russian because of that. In the same way, I am completely against the US occupying Iraq and 1/3 of Syria, yet it would never occur to me not to hire an American because of what their country does. I really don’t understand why the double standard is so hard for the Lemmy community to understand.
Strange. In another comment just minutes ago, you were tacitly blaming Ukraine for being invaded, Kevinovich from Florida Oblast.
Insults apart (to Russians, Floridians and the Lemmy community), I do not blame Ukrainians for anything, especially when they are the biggest victims here. I blame the secret cabinets who decide their destiny for power, whether those decisions are from Washington or Moscow, but let me tell you they for sure are not from Kyiv. Now, historically, if you live close to a major power you do not like much (think of Ukraine or Cuba), the best is to have a strong army but never to join another distant power thinking it will save you; they will just use you.
You can get big fines if you don’t comply with sanctions though. And in the end Linux is an American foundation.
Linus was still an ass, though. All this drama is 100% his fault.
Agreed. I would comply (US courts can be very hard on you if you don’t) but you can dismiss those Russians with honor and thank them for their contribution. Then, you can consider moving the foundation to a more free environment (Switzerland, Mexico, Spain, …)
That would’ve been great for them to clarify earlier XD
Some people would disagree with you https://lwn.net/Articles/995294/
Your own link 1) does not attest to that and 2) has a comment replying to it directly contradicting what it’s saying in the first place.
I think given the current political situation this is the right call. No one knows what the Russian government might compel otherwise innocent devs to do.
That said, we (and I mean society, not any particular individual) should be mindful that we don’t slip into bigotry.
I’ve worked side by side with RU devs who were both personable and damned competent. Never were their tech skills in doubt, and I retain quite a bit of respect for those individuals.
I’d not do the same today explicitly because of the political and compliance implications. It’s unfortunate, but necessary.
Again, with open software that is not necessary… If we get to believe that argument, those potential “FSB” coders would be the ones who would notice if the CIA was trying to place a back door in the kernel too. Open Software is OPEN!!
Would they? The XZ utils backdoor was only discovered by what can only be described as an insanely attentive developer who happened to be testing something unrelated and who happened to notice a small increase in the startup time of the library, and was curious enough to go and figure out why.
Open does not mean “can’t be backdoored”.
Can you explain to me why Linux waited till the very last moment of the Executive Order 14071’s grace period (the order is from April 2022!) to apply it? Obviously he trusted those people, or the verification system of the open system! Imagine you don’t like a political party for bad… fair enough, so you ban their representatives from the voting table… don’t you think that incentivizes the other party to commit fraud? In these open system things, the more eyes the better, I don’t care if commies, libertarians, ultra-right or whatever, the diversity is what keeps it in check…
This coming from the brilliant mind who thinks Russia’s neighbors are better off neutral toward it and victim blames countries like Ukraine which have been invaded by it, routinely spreads pro-Russia propaganda on Lemmy and nothing else, and has suspiciously Russian-y broken English.
Edit: Also, as other commenters have correctly pointed out, Russian citizens being allowed to be maintainers of the Linux project has fuck-all to do with the actual principles of open software as defined either by the FSF or the OSI.
Ukraine was invaded after a coup (when elections were 11 months away and polls said it would have turned pro-western anyway in their typical rotation). Yes, Finland, Switzerland and Austria were non-NATO and prospered fine, I would say even thrived. Same as Singapore with China. Of course, you can take the Cuba route and bring the nuclear missiles from Moscow, surely the US will leave it fine. Side with the side you want, keep a strong army but don’t join any military alliance seems to be the recipe for success when you live close to a power you don’t like.
I would say even thrived
Finland has to keep one of the largest militaries on Earth solely due to their proximity with Russia, and they barely fended them off in the 1940s. Ukraine was the last straw, and they decided to join NATO. Switzerland??? Are you fucking high? Go look at a fucking map and see where Switzerland is, holy shit. Austria is once again fully enclosed by NATO countries except a small border with Switzerland to the west.
I’m not even addressing the rest of the comment; citing Switzerland alone was too stupid for your worthless, propagandist drivel to be worth my time.
Usually countries have to decide between butter and guns (eco 101). Well, such “largest militaries on Earth” had them both! Like Switzerland, you do have to keep a strong military to dissuade, but aligning to an alliance when you are the spearhead is bad. Had Switzerland made an alliance with France or Germany a century ago, it would not have ended up non-invaded, 100% guaranteed.
Shut the fuck up.
Intelligent counterargument… and ten upvotes. Cool; disappointed in the Lemmy community; seems just like another echo chamber, as X.
Linux Foundation is based in America. It needs to follow its rules and politics. I guess a lot of things will happen after this. As something so important for open technology like it, it should be based in a more open, more advanced in laws and neutral territory.
Linus is from Finland. Not hard to remember reasons for aversion to Russian propaganda for anyone raised near it.
Blanketing the Linux Foundation as American based kind of sounds like you’re a Russian troll.
Calling out others as a Russian troll sounds like a technique to shift scrutiny onto others.
Exactly what a Russian troll would do!
You would think someone from Finland would know better that, when you are so close to a power you don’t like, the best way to prosper is by keeping neutrality… look at Finland in the 60s-00s, Singapore, Austria… or you choose to pick the Ukrainian, Filipino and Cuban path…
This is hardly the first time the core Linux code stack has been forked and independently developed. Seems like this is going to invite a Russia-specific development environment that just pulls in updates from the main branch and adds in Russia-internal development (which will likely then be copied by non-Russians and backloaded into the core Linux stack under someone else’s name, because why waste good dev work?)
But the argument appears to be anyone with a Russian-sounding name is getting removed from the core development team, until they can prove to the American team that they aren’t… spooks, I guess? Also
The driver code to which the dropped maintainers contributed remains in place.
So this isn’t such a high security risk that the code is being pulled (presumably because it’s been vetted and appears beyond repute). This is purely a CYA move to eliminate veterans on the team because they were forthright about their identities.
should be based in a more open, more advanced in laws and neutral territory.
It’s not clear how a policy of booting people based on their surnames accomplishes this.
I could mention all the forks that Linux currently has, please.
With that logic, the US contributors should be expelled too. We have more examples of US folks being served NSLs than Russians.
Lol because Russia is so open about who they give NSLs to. Or they just poison/defenestrate them
It’s the same in the US
Looking at the downvotes signals some truth in your comment!
All that says is that there’s a lot of people ITT who don’t know what a downvote button is for, and the mods aren’t doing their job
It’s an American-based venture, owned and operated by American businessmen. They’re not going to burn their own guys, even if some of them are spooks (no evidence that anyone on the core dev team is a spook, but crazy to think the FSB would have people in and the Five-Eyes guys wouldn’t).
I do wonder how long until we start seeing mainstream code-forks that span geopolitical regions. Will we have a Digital Iron Curtain, with BRICS countries doing their own FOSS branches independently of NATO block?
Many European companies canceled contracts with US companies because of the NSL risk. I don’t think the divide is NATO. The US laws are a threat to security and privacy everywhere
Many European companies canceled contracts with US companies because of the NSL risk.
I’d be curious to see who they were. My guess is that they are relatively small and easy enough to circumvent without breaking ties with America as a whole.
But I’m not seeing Exxon, Boeing, or Microsoft pull out of Europe, despite being deeply embedded with sanctioned regimes.
Biden literally introduced legislation to prevent it because it was a mass exodus. The companies you mentioned are US companies. I mean EU companies won’t use US MSPs because of the risk
What current situation?
- Is it so hard to believe Open Source should be open? If there were a malicious intent, others would have been able to detect it in no time… because it is ‘open’! If the open system works, it should not matter if there are CIA or FSB, commies or libertarians “infiltrated” making the code.
- If those Russians have been in that position, it is because their contributions have been stellar, otherwise they would never have gotten there. Their contribution and effort have been robbed from them just because their mothers gave birth to them at the wrong coordinates.
- Linus is a god for many of us… with human traits though… His Finland, although historically robbed by Russia, achieved its highest splendor during the decades of neutrality, not by fiercely antagonizing one or the other power… same as Switzerland, Ireland, Austria and Singapore.
- All this started with a US law, so he has to comply with it. However, instead of those unhelpful comments, he should say that in open software it is unwarranted… not to mention countries can get sanctions for their actions, but not civilians that cannot choose where they are born.
- If we are to believe that Moscow is trying to put something into the kernel “undetected”… gosh, what may an organization based in the US with such a pro-establishment leader be doing? For real, now I am starting to have my doubts on the kernel!
you lost me at this
If there were a malicious intent, others would have been able to detect it in no time… because it is ‘open’!
not sure if troll or just really ignorant.
Executive Order 14071 is more than 2 yrs old… Linus waited till the grace deadline (in 1 week) to apply it, obviously he found it unnecessary all this time and he trusted those Russians until the grace period expires. No, not so ignorant, nor a troll. And yes, in open systems it is easy to detect maliciousness, better yet, you can pinpoint who contributed what for everyone to see.
blah blah blah. you’re obviously trolling or have no idea how FOSS is developed.
if FOSS is so secure then why is it a popular attack vector for Russian and Chinese espionage?
just because something is public doesn’t make it inherently more secure, I’m honestly disappointed in your dangerous and clearly flawed take on FOSS.
FOSS is great, but it’s really no more and no less secure than closed sourced software.
So why did Linus wait 2 and a half years to apply the Order, until the grace period expires? He obviously does not like Russia, but he did trust those individuals (or system)!
My very first post on Lemmy and I already see the upvote downvote game… When someone votes, a public reason should be demanded, no?
What you should have posted was nothing.
Isn’t most of Linux open source?
All of it is. But it’s still possible to sneak backdoors into FOSS software (though magnitudes harder). See xz.
If you can sneak backdoors, removing one side, would not make the other side, even if you consider the good one, be even more able to sneak one too. In election tables, what guarantees transparency is everyone represented at the table, not banning one side.
But NSLs force them to do it, and prevent them from talking about it. This is a bigger risk than something like the xz attack, because the barrier of entry is so low
I’m surprised how many people treat GPL to ignore borders. The IP law still operates only by the rules your country decides.
I can understand the desire for information to be free, but unless the Open source movement becomes its own country the discussion should end there.
I can understand the desire for information to be free, but unless the Open source movement becomes its own country the discussion should end there.
Ideally the internet would be extra-sovereign
Nobody says to ignore the law… it is Linus’s comments that were bad. Instead of defending the people that were working for him all these years and whom he had trusted, he decided to throw them under the bus because he is from Finland. Well, Finland prospered the most in its life under neutrality.
Well I guess if he trusts them, he will welcome them with open arms once the sanctions are lifted. Or if they get a non-Russian state domain to operate from.
With those incendiary comments he made about the people that worked for him for years… I doubt they will be back. If he did not trust them, he would have gotten rid of them years ago. He waited until the deadline to kick them out… good, so he trusted them till now… but then, he despises them for being Russian. I simply don’t get it… I don’t know… maybe Linus is just an ass or he was forced to say that… I think probably the first.
Did they get paid?
Edit: Very likely they were paid, and that’s where IP addresses end and sanctions begin.
Every worker within an organization has to be paid, somehow.
Somebody must bear the costs of the supposedly “free (gratis).” In the end, nothing is truly free of cost. And, not a single person would work for free (no payment, compensation, or benefits, or in other words, gratis) full-time.
It is an absurdity to think otherwise.
Free and open-source software is handed out at zero-cost to make it possible to lower the barrier of entrance; to make it as widely available as possible. Knowledge should, indeed, be free (gratis).
Explain volunteers then.
Where did you get volunteers from?
It’s about people on the maintainers list, and those are paid.
That it’s open software doesn’t mean people are working for free.
You made a declarative statement that nobody would work full time for free.
So explain volunteers.
Looks like it is about time for a hard fork maintained outside NATO countries.
Just because Russians can’t approve commits anymore?
you mean like the Ubuntu fork North Korea uses?
I hear they’re friends with Russia now, maybe they’ll share.
lol @ “hard fork”
Don’t know how feasible a fork of the kernel is, but if given a choice, I would choose the distro with the kernel that does not ban people from any nationality every time.
Linus is from Finland. Finns barely tolerate Russians under usual circumstances. These are not usual circumstances.
If he did that, that would have been genuine discrimination. If he has to do it now because of sanctions, then ok fine. But otherwise I don’t want to see an open source project treating people differently based on where they were born.
Come on lemmy, how is this pro-racism comment upvoted so many times? Please, think.
It is genuine xenophobia. I live in Poland, and it’s like you’re either a homophobe, or a xenophobe, with pretty limited in between. (And there are plenty of people who are both)
True he could have banned them long ago, it’s his project in the end, but he didn’t, he only did it after the sanctions
So the rest of the world should trust CIA, NSA contributions but not Russia’s FSB? Come on, open source should be tolerant towards all espionage agencies no matter their skin color.
Russians are majority white but ok
don’t be pedantic, what about the Chinese, South Africans, North Koreans, Cubans, … etc
No, they don’t.
Replying because I need to think about how I’m going to vote for this comment and plan to come back later.
Linus in 2012: Nvidia fuck you
Linus in 2024: Russia fuck you
He’s not wrong…
He almost never is.
However, it makes me sad that FOSS is being pulled in to these sanctions.
It’s one thing to be uncooperative with Linux development.
A very different thing is to introduce vulnerabilities into existing working code.
Unrelated but nice profile picture!
Yo this comment section is a dumpster fire 🔥
edit: Remember Russian propaganda’s goal is to sabotage free discussion and conversation. They achieve this by e.g. shitting in a comment section. That might explain what’s going on here. But then again, could just be the gang that hangs in c/Technology doing their thing ¯_(ツ)_/¯
I’ve contributed to open-source projects for years. My account name is my real name. I’m not a bot. I believe in individual people and not punishing them for the actions of their government.
That’s cool and I respect that, more power to you!
Lots of pro-Russia bots in here pretending to be concerned about ~~their sudden inability to sneak backdoors into the kernel~~ open source.
I wouldn’t want to have FSB agents maintaining my open source either.
Source that any of them were?
Good
You have to be arguing in bad faith if you’re trying to say “citizens of nation shouldn’t be responsible for their nation”
The open source benefit is not that they can directly impact it, it’s that their government can’t
You have to be arguing in bad faith if you’re trying to say “citizens of nation shouldn’t be responsible for their nation”
I say that in good faith
it’s that their government can’t
Then take action against specific people if you see that happening.
If it was framed as a measure against possible government coordinated infiltration, sure. But that’s not the case.
You know. I don’t like what the Russian leadership and military are doing. I feel like ultimately we’re in the cold war era. But you know, at the height of the cold war, radio operators around the world still worked Russian stations.
Yes, there was a very clear policy, neither side talked about ANYTHING beyond their signal report and working conditions (information about radio, power output and aerial basically). At the height of the actual cold war, the individuals were not cancelled like this.
Sanction the leadership, sanction the money, and sanction the military. But the normal people that are subject to the propaganda? I don’t understand the benefit in doing this. I also don’t see how the sanctions affect an open source project…
Seems a bit weird. Maybe there’s information we’re not privy to, but on the face of it, just based on what we’re seeing. Seems like a very very odd move.
don’t understand the benefit in doing this.
FSB wants backdoor in kernel. FSB notices subsystem maintainer is Russian, lives in Chelyabinsk. Can close eyes to backdoor, can pretend to review. FSB in Moscow make call to FSB in Chelyabinsk telling to buy heavy wrench at hardware store.
If that were true, surely they’d not trust ANY of their existing work, or at least any done since the Special War Operation. Wouldn’t that make sense?
They’ve left the code, and removed the people arbitrarily. Seems a bit off to me.
Same could be said for any intelligence service. It is better to focus on preventing and detecting these things through analysis and code reviews.
And they could just offer boatloads of cash to someone in another country to insert something so this doesn’t really prevent anything it only isolates a certain subset of people.
So if we can’t completely 100% deal with a problem, we shouldn’t even try? I mean, you’re correct, but we can’t solve all problems at once. If we deal with at least one, then we’ve made progress. Then we can try to deal with the next one.
No but this doesn’t do anything to “deal” with the problem, as anyone can build up trust like Jia Tan showed. The argument that this makes us more secure is like saying closed source is more secure ’cause the hackers don’t have access to the source.
We have evidence of the US messing with NIST standards, so by that same logic should we assume all US actors are bad?
The solution is to verify the code, maybe have multiple people from different locations have to review stuff. Build more checks into the process.
The whole point of it being open is that it can be reviewed. It shouldn’t matter where the contributor is from as all code should be subjected to a rigorous review process.
I don’t think this only happens now, governments like Russia, USA, China, Israel will likely always be making these attempts.
I am on your side and don’t understand the fury of downvotes in this section regarding this stance. I am from a shit hole of a country too and if my lifelong contribution to open science (hypothetically speaking) could be so completely disregarded because of something ultra shitty that my country did, I would be super sad and probably mad at the OS community for leaving me behind so quickly.
I also don’t understand the benefit of doing this. Most people seem to claim it’s for security reasons but that does not make sense to me. Closing doors to someone without any proof of malintent is so against open source philosophy that it is perhaps more damaging in its core. And being the kind of government Russia is (or for that matter Israel, China, USA etc etc) they will always try to gain cyber war advantage by such methods. This approach is therefore clearly unsustainable. You would only be able to give dev access to a handful of countries in the world.
It sure as hell won’t scratch a dent in the Russian government’s armor when all these sanctions did not. It is not going to achieve 1/1000th of what all those embargoes, frozen accounts etc aimed and failed to achieve.
Therefore there is either missing information (external pressure to take this action) or this is simply an action based on personal judgement.
Therefore there is either missing information (external pressure to take this action) or this is simply an action based on personal judgement.
Looking at the other post about NVidia drivers, I am starting to wonder if western governments (or perhaps just the US) are going after large orgs and suggesting how current sanctions should be interpreted. In which case, not sure I can then blame the Linux foundation, since you know, you don’t need government heavy breathing down your neck.
I don’t understand the benefit in doing this.
Security. Torvalds did this for security.
Is it really that hard to parse?
And I’ll say the same here as I did above. If it was for security, their code is tainted too. It’s an arbitrary reaction that is not complete as a solution to anything.
They can check existing code. You have to be able to trust people who are contributing.
They can check new code by these risky people as it comes in, but why risk it?
How is this keeping to open source philosophies in any way?
“No, you can’t work on this, you’re Russian.”
I don’t support the Russian Government or its actions in any way, but these devs are probably not part of it. They maintain drivers for fucking ASUS hardware.
This has nothing to do with open source. If Russians want to work on the Linux kernel, they’re absolutely free to do so, because the source code is free and open source. What they are being restricted from is getting their changes submitted to the normal Linux foundation trees. FOSS doesn’t mean you’re entitled to have the maintainer of a project look at your patches, it means you can use the software however you want.
And yeah, it makes me sad that Russian kernel maintainers are being excluded. That doesn’t mean it’s a violation of open source philosophies (a maintainer can exclude anyone they want for any reason), it just means it’s an unfortunate policy due to international sanctions.
Russians aren’t restricted from getting their changes submitted, they just can’t be maintainers. This means that they need another maintainer to approve their changes, just like if you or me were to submit a change. A lot of people seem to be misunderstanding what actually happened.
I actually just emailed RMS about this and I’m genuinely curious what he says. If anyone else is interested, I’ll ask if he’s fine with me sharing some of the response.
Oh yes, an update would be really interesting! (Even though I agree with @sugar_in_your_tea@sh.itjust.works in all points.)
My opinion on this whole topic: I don’t like the decision, a Free Software project should only prevent people from contributing in very rare occasions (e.g. having actively tried to sabotage the project). I don’t think this was the case, because I presume that the Linux Foundation was forced by the U.S. government to kick the maintainers out. They should’ve also communicated more clearly to prevent the confusion. (Russian trolls will cry out no matter how they phrased that.)
Edit: Depending on their power as a maintainer, they might be hired by intelligence and forced to just wave a backdoor through. With the Russian government waging a hybrid war against the U.S. and Europe, this poses a real problem.
Another Edit: @Allero@lemmy.today mentioned that apart from Russia, the U.S., Israel and China also have a very well funded intelligence service. So banning Russian maintainers because of a potential backdoor when there are American maintainers (which could be agents) as well? I don’t think it makes sense, but unfortunately the Linux Foundation won’t be able to resist the “compliance requirements”.
Because there are both US and EU laws preventing code from countries deemed a threat. Torvalds is paid by the American Linux Foundation, which has to work under US law and he himself is an EU citizen. Also a lot of other developers are from those countries and if they do not comply, they could get into some pretty bad legal trouble.
So it pretty much boils down to kick out the Russians or kick out all US and EU citizens and well we see Linus’s choice.
RISC-V saw this coming a while ago and moved to Switzerland to avoid it.
Switzerland is being routinely strong-armed these days.
😯🤔 maybe I should look that up, where exactly 😂would be fun to work on RISC-V
You can work on RISC-V wherever you are, just post your patches publicly so anyone can get them, regardless of their jurisdiction.
Yea, just checked their job board, most is remote anyway 😂
And it’s also FOSS, so there’s nothing stopping you from working on it w/o officially working for them.
That’s the start, of course. One could always play good cop, bad cop: “I have to do this to comply with the law, sorry, there’s nothing else I can do.” What Linus has done here is play bad cop, bad cop: “the law says I have to obey sanctions, and by the way I support the sanctions and this move anyway.”
He didn’t ban the Russians when the war started, he could, and probably wanted, but didn’t, so what’s your point?
It’s not that hard of a choice either ofc, given one is essentially required.
altlinux devs:
oh come on we are not trolls
SELinux from NSA is evil. Got it.
I don’t think that’s what they were saying, but I don’t think you’re making that point in good faith either.