Cliff Saran's Enterprise blog

Linux enters the cold war

Cliff Saran
Cliff Saran
Managing Editor

The news that the Linux Foundation has removed Russian software developers from the Linux kernel maintainers mailing list is something that is sending shockwaves through the LInux community.

While the on-going war in Ukraine and growing geopolitical tension, particularly the US, UK and European sanctions against “countries of interest” has impacted technology firms, the open source community has largely been buffered from their effects.

Not anymore. Presumably after seeking legal advice, the Linux Foundation has attempted to avert a clash with the US administration, by removing 11 Russian software developers. It is believed the maintainers worked for organisations sanctioned by the US government due to their close links to the Kremlin, although, at the time of writing, no further clarification has been given.

The open source community is a global church of people who devote their time to writing and maintaining software for free. As OpenUK CEO, Amanda Brock puts it, a can of worms is being opened when those who manage this community try to second guess the sometimes ill-conceived plans of policymakers trying to exert pressure and influence on certain countries.

Now, open source has become the latest front in a 21st century cold war.

Linus Torvalds, the father of Linux, who developed the first kernel, said the decision to drop the Russian maintainers was a compliance issue. He also referred to Russian troll factories, implying that these could be used to infiltrate the Linux kernel with malware.

Greg Kroah-Hartman, the current maintainer of the stable branch of the open source Linux kernel, said: “They can come back in the future if sufficient documentation is provided.”

One can understand that the Linux Foundation’s actions are in response to
the XY Utils incident earlier this year, where social engineering was used to pressurise the maintainer of an open source library to accept a rogue maintainer. The attacker successfully injected malware into the XY Utils code.

Clearly, the open source community needs to ensure this can never happen again. But is banning these Russian developers the right approach? Compliance means adhering to rules and regulations set by the government of the country an organisation resides in. By its very nature, open source is global, but the Linux Foundation is a US organisation and its legal team have clearly looked into US sanctions against countries like Russia. But what of China; it is the second biggest contributor of open source software and the biggest threat to US economic dominance?

The US, UK and several EU countries have put restrictions on Chinese telco equipment provider Huawei. It would be a very sad day for the global open source community if US policies dictate who can and cannot contribute and maintain code.