"I was under the naive assumption that it's individual developers who work together, and their employers do not really matter."
This assumption is not just naive but completely oblivious under normal circumstances, let alone in a discussion about sanctions regime compliance and risk management.
It looks like being oblivious from an outsider's perspective, but people living in Russia have a culture of being apolitical, because as long as you don't care about politics, politics (Russian Government) does not care about you.
That then leads to bizarre situations when Russia is waging full scale war and Russians are doing their best not to notice.
I find it sad that there are so many reductive comments here. The author of this article is very nuanced:
Should U.S. developers have been sanctioned over the Iraq war that was launched under false pretenses (non-existent WMD)?
Should company sanctions apply to individuals who happen to work for such a company?
Should the matter have been handled more gracefully than a stealthy removal from the MAINTAINERS file?
Has the culture of the Linux Kernel changed?
The culture has certainly changed, almost all big OSS projects have been captured and are essentially governed by corporations.
Perhaps Torvalds has been legally pressured, but 20 years ago he would have put up a fight at least. Back then everyone was proud that OSS could be used by anyone for anything. Now he attacks critics with the Russian troll meme. This is the worst of Torvalds I have seen so far.
So far, he does not seem to have any issues with exporting the Linux Kernel to Russia, which should also be prohibited by sanctions.
- "exporting the Linux Kernel to Russia, which should also be prohibited by sanctions."
There are no export controls of non-commercial, non-ITAR software; such a thing would quickly run into a First Amendment wall. As PGP's Phil Zimmermann observed thirty years ago, you can always just print out your source code on paper and bind it as a book. Can the US government outlaw a book? Of course not.
- "In 1995, Zimmermann published the book PGP Source Code and Internals as a way to bypass limitations on exporting digital code. Zimmermann's introduction says the book contains "all of the C source code to a software package called PGP" and that the unusual publication in book form of the complete source code for a computer program was a direct response to the U.S. government's criminal investigation of Zimmermann for violations of U.S. export restrictions as a result of the international spread of PGP's use.[7]"
No, you misunderstood the statement. That article on the Register I had abundantly read when it came out.
The poster should show that that one sentence from Torvalds could be dismissed - we do not know exactly what interventions he called "trolls". Maybe they were, maybe they were not.
I will still prefer to suspend judgement as it is not immediate what was in Linus' mind when he accused some of being trolls (on suspicion of being organized trolls). He is there and knows names and past - we the outsiders should get properly acquainted with all of that.
Surely, this outcome feels like better-if-avoided collateral damage.
At this point I kinda have to assume posts like these are just concern trolling and aren't really worth taking seriously
If it's genuinely naive, this is a great time to wake up to the fact that Russia is conducting a war of conquest against a European country, and this is why they, and a bunch of companies associated with that, are being sanctioned. Why would any reasonable project try to circumvent such sanctions?
> Why would any reasonable project try to circumvent such sanctions
Well, first they should be convinced that the sanction makes sense. It does not matter if it is the "law", an "order" or anything similar: you are responsible for what you do - including what you comply with.
Maybe it does make sense, maybe it does not: from the outside, with limited information about the original decree, it seems perplexing. Surely it raises questions.
As far as your post is concerned, the war and the contributions to the Kernel do not have solid links between them - the jump from "there is a war" to "some contractors are inhibited from contributing to the Linux kernel" is all to be justified. (The law is not a justification: the law requires justification.)
I guess Torvalds does not have much choice living in the US. But it is concerning.
> genuinely naive
I don't get this angle. My take is that 'naive' people believe they are the good guys. They emotionally rationalize when their tribe indirectly or directly drops bombs on children and get all worked up when a tribe their elders dislike does it. They are destabilizing and part of the problem picture.
You could argue US sanctions are counterproductive and are dividing.
A 'people should work out their differences and be friends' is not naive. It is a 'ye the US and Russia more or less arbitrarily invade other countries from time to time. That is bad. Let's not get in the way'.
Noam Chomsky or Henry Kissinger would like a word with all these mental shenanigans.
It's amazing that your comment talks about concern trolling while at the same time says: "it's time to wake up to the fact that Russia is conducting a war of conquest.."
Yes, everyone knows that. The issue is how you could assert guilt by mere ownership of a passport. No sanction that I'm aware of forbids any Russian national (even if say, living in Europe) from working on something. The cringy way Linus got the message out was also super weird. Trying to make the debate about something else is the concern trolling here.
The USA provoked a War with Russia via Ukraine. The USA sees it in their strategic interests to "Knock down" Russia's "strength" back to what it was in the 1990s i.e. on their knees. Provoking a War via a proxy such as Ukraine was seen as the best way to do this.
Mearsheimer argues that Russia is not an existential threat to American Hegemony so therefore expanding NATO into Ukraine to provoke a War is an unnecessary goal. He sees China as the real existential threat.
The USA is not "defending" Ukraine because it cares about Ukraine. The situation in Gaza proves that the USA does not "care" about people at all, only what it sees as its strategic interests. The USA is using Israel as a proxy against Iran and Iranian backed "terrorists". The USA regards Israel as having similar strategic interests. And it can use Israel to do the "dirty work" while pretending that they "care" about human rights.
The original comment doesn't show up so I'm not able to reread it but the relevancy of my bringing up Mearsheimer was purely in response to the mentioning of Russia invading a sovereign country, namely Ukraine, not to the Russian developers being removed by the Linux maintainers.
What makes his reasoning suspect? Genuinely curious. I accept that his reasoning that the Israel lobby is the main motive for US Foreign Policy in the Middle East is flawed or overstated. Anything else?
(1) He fails to read Putin's colonial attitude toward Ukraine, and is way too eager to accept the regime's stated NATO encroachment position at face value (rather than for the foil that it is).
(2) Dualism -- he's obsessed with the idea that the US has one real enemy, China, and that therefore Russia should be its friend, no matter what it does.
But mostly because he makes a lot of distorted (and in my view disingenuous) statements (or omits things he should be saying) about basic events.
Apparently people working on open source are just looking for an excuse to pontificate. Same as with Bitwarden, simply raising the issue and then waiting a little for an answer is enough.
> If your company is on the U.S. OFAC SDN lists, subject to an OFAC sanctions program, or owned/controlled by a company on the list, our ability to collaborate with you will be subject to restrictions, and you cannot be in the MAINTAINERS file.
That's all.
Both could've been handled better but there's no need to write ten thousand open source philosophy comments on the issue itself, bad articles and HN comments.
Try looking for NetUP in the sanction list, whose employees (including a former one who's actually working for Amazon) were removed. You won't find it. I'm surprised nobody called out James Bottomley on this bullshit answer.
Actually it is not, because the confusion shifts to OFAC and the question becomes "why should people employed by companies under those identified by etc. be barred from contributing to the Linux Kernel".
> All transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or blocked persons are prohibited unless authorized by a general or specific license issued by OFAC, or exempt. These prohibitions include the [...] receipt of any contribution or provision of funds, goods, or services from any such person.
Note: for both "U.S. persons" and "blocked person" also consider corporate personhood. It's not just individual people. And so the Linux Foundation, Linus himself and every Linux user in the U.S. can't receive anything at all from the sanctioned so it's no wonder they needed to be excluded.
You are welcome to lobby the OFAC to carve out an exemption for open source contributions. Or the White House or the Congress, what do I know who has the authority to write such.
> Because the OFAC literally prohibits a US person receiving anything at all from a sanctioned person
That does not answer the question - it is circular. "Why does the low forbid X?" // "Because it is the law". [I mistyped 'law' as 'low'. I'll keep it.]
Of course the doubts are about whether that action makes sense.
Are they though? Owning a mail.ru email doesn't mean anything, it's a public mail. Corporate email would be corp.mail.ru. They also banned a guy that has lived in the USA for 10+ years for netup.ru which is not even sanctioned. And a gmail guy, apparently for Baikal Electronics that went bankrupt a year ago (August 2023).
That's because the sanctioned entities are individual Russian companies on the OFAC list, not Russian citizens generally. All of the initial media reporting (speculation, really) turned out to be wrong (because of deliberate non-transparency on the part of Torvalds, in his public statements).
- "We finally got clearance to publish the actual advice: If your company is on the U.S. OFAC SDN lists, subject to an OFAC sanctions program, or owned/controlled by a company on the list, our ability to collaborate with you will be subject to restrictions, and you cannot be in the MAINTAINERS file."
I am pretty sure they just grep'd mail.ru, added a couple of other sus entries and pushed the commit. It's painfully obvious if you take a look at the file https://github.com/torvalds/linux/blob/master/MAINTAINERS, there are no mail.ru addresses left (it's a public email service akin to gmail). The next day someone woke up Linus and told him to answer the public and he came up with the usual FU. That's basically all.
If certain people cannot contribute to the Linux kernel because of a list maintained by the USG then perhaps it's time for Linux kernel development to no longer be dependent on US law.
We should realize this has nothing to do with Russia or the Russian government. This could happen with any country and any group of people. The USG is constantly expanding their sanctions regime. Thus, we need to ask ourselves the obvious question; Who will be next?
What I find perplexing and surprising are the people I see online cheering this on. The people who are happy that the USG is forcing Linux kernel devs to stop working with people. Why are some people so happy for Linus and crew to take orders from the USG's sanctions regime?
> If certain people cannot contribute to the Linux kernel because of a list maintained by the USG then perhaps it's time for Linux kernel development to no longer be dependent on US law.
It is not only US-based organizations, but also people living in the US (and US citizens even if they don't live in the US) that have to follow the US law. Even if you set up the coordinating foundation in e.g. Switzerland, many Linux kernel maintainers would still live in US, probably not wanting to move to Switzerland.
So you might have to find a different country than Switzerland. Brazil, Venezuela, Cuba? Of course, the most sure way to avoid needing to abide by sanctions against Russia, would be to set your headquarters in Russia.
First words of the post: «If certain people cannot contribute to the Linux kernel because of a list».
Issue is raised against the specifics (validity, effectiveness, sense) of possible sanctions.
John parks his car blocking your gate. Sanction A: you paint his car mauve. Sanction B: John's cousin is forbidden from providing voluntary work. Sanction A and B are very different and some raise debate more than others.
(If you want a more "actual" example - though besides official governmental actions - there have been pressing debates whether athletes holding some passport can compete in international games.)
Morality aside, there's about zero legal process behind it: it's just a unilateral power of the executive. Any sitting president can do this to any non-American entity they want.
> This could happen with any country and any group of people.
And that is why it is a good idea to keep people who want to start a war of conquest out of power. So it doesn’t happen to your country and your people.
To what extent can most people actually move the needle of their government's actions?
As a thought experiment, consider a world where all Americans are banned from contributing to software projects because of the long and dismal history of US foreign policy - which involves murdering people so far from US borders as to make such murder fundamentally questionable at a national security level. While Americans protested the Vietnam and Iraq wars, these wars took place regardless. So how do you establish collective responsibility?
Does the fact that the protests took place make Americans immune from consequences? Or should it only matter if citizen movements can stop a government? In either case, you would find most of the G-20 responsible for some atrocity or the other.
The tragedy of the Russia situation is that it is a wholly unjust war, which should be penalised, but the logic and apparatus that would penalise it would also penalise most major nations. It is beyond the scope of HN to create a world order that would repair things. But just because the UNSC is broken, need not mean that the open source ecosystem be left to rot as well.
> To what extent can most people actually move the needle of their government's actions?
I’m not unsympathetic to this argument. In wars innocent people get hurt. Sometimes that means your name is removed from a text file, sometimes it means that your family is blown up in a missile attack. Either way the solution is the same: stop the war and take the troops home.
I’m not going to address the textbook whataboutism line by line. Generally I’m easy to convince that a lot more negative consequences should have followed a lot of atrocities. If you think you caught me in some contradiction by selecting examples then you are wrong.
It matters because software projects are border-agnostic. There are people who benefit from code, and people who benefit from having people contribute to code.
You drew the line on who gets to be a part of this, geopoliticising something ostensibly unpolitical. If you want a rule of law in code, you’ll need more than a framework that only punishes Russia. Otherwise it’s no longer open source, it’s America-source.
For what it’s worth I’d favour a host of military and economic measures against Russia. I think the only way this war stops is with military aid, maybe even intervention. I’m not here to defend Russia. I just don’t see what you expect Russians to do by nuking them from a Linux maintainer list.
It’s a net loss for all of us to keep their coders out of open source. If we’re gonna do that with a logic that somehow spares America but punishes everyone else, then we just create a precedent that makes the whole ecosystem worse for a lot of people with nothing to do with this.
i agree that's not an unreasonable ask. but if code is to serve geopolitics, then we'll get a lot more (and tougher) situations like this to grapple with. perhaps it's just that I wish code was left neutral.
I think you're under the false impression that the removals were aimed at specific contributors from specific corporations. Which isn't the case by the way.
Ah yes, I'm waiting for the kernel to remove Israeli contributors any day now. Any contributor with an .il email is literally killing Lebanese children according to your logic.
> Any contributor with an .il email is literally killing Lebanese children according to your logic.
I did not claim that any kernel contributor is killing anyone. AndyMcConachie’s comment claimed that “This could happen with any country and any group of people.” As if the country in question was doing nothing and then suddenly bamm they were hit with sanctions. If you don’t see how ridiculous that is then there is nothing we can talk about.
I mean it literally could. Do you think that sanctions are only applied to countries that start wars? China is also under sanctions in some form or another from the US.
I guess the point could've been more precise; that anyone anywhere that isn't aligned with US foreign policy could be hit with a similar ban. I agree that it rules out most of the western hemisphere, but there's a world outside of that
When PGP couldn't be exported and OpenBSD had to set up camp in Canada, the same people who are upset now were silent then. The resistance back then was both clever and peaceful.
It's not just perception. Linus assertively decided to wrap this in his own Finnish identity and history. I don't think the developers removed from the MAINTAINERS file were personally involved in Stalin's invasion of Finland.
Aside from numerous ethical issues with this story, it doesn’t make a lot of practical sense. They are not a major threat to avoid, even taking into account the xz precedent - I don’t think it’s easy or even feasible to plant any backdoors in the Linux kernel this way.
This will not make any impact on Russian government or military operations or impair their OS development effort (Astra Linux will be just fine). It sounds pretty much like some legalese ass-covering met the unhinged personality of Torvalds with the scandal as the only outcome.
Email-based filtering of maintainers is not even close to what could be considered adequate security measures. In fact, when CISO or OSS starts caring about the optics, it’s a red flag.
You could just ask them to use an email address hosted outside of Russia for their kernel development work if visible compliance was the only issue. To not offer them a remedy and to exclude people on the basis of their first or last name is a bizarre overreaction to me. It stands no chance of damaging the Russian government and can only harm the project and open source in general, I'm not sure why a non-profit would involve themselves in this in any way.
> These people are employed by companies specifically called out on sanctions
I don't believe you know this for a fact. Are you able to point me where a list of each developer, their association, and the problem with that association is enumerated?
You should practice your trolling skills. You are being way too obvious. At least, I hope so, because if you actually believe this, then this is something only a professional can help you with.
Do you have any examples? Genuinely interested, because it sounds a bit too much for Russian government. Sometimes the code is bad without any malicious intent.