Probably the best thing that can happen to the kernel... this type of measure generally backfires spectacularly by giving talent the opportunity to thrive, if anything as a way to fight back against injustice and arbitrary decisions, or for sanctioned opposition to invest in resilience by dumping more money in things otherwise not consider a priority. I always thought Argentine music from the 80's and early 90s was legendary, and this stems from a post-Falklands war, self-inflicted sanction against anglo music... regional bands thrived and created gems that even today can be appreciated as masterpieces...
I used to pirate a lot of random music in early 00’s and went through a Latin phase. Downloaded one album by Fabiana Cantilo full of covers by what seemed to be other Argentine artists and some names are Soda Stereo and Andres Calamaro.
They seem to have a lot of what kids today would call bangers.
Some of my favorite Argentine songs: Donde Manda Marinero, En La Ciudad De la Furia. Fabiana’s album that I torrented back in the day happens to be covers of the famous songs and I like a lot of them too
Disclaimer, I just happened to know some Argentine songs that are total ear worms, not necessarily an expert in Argentine music
The next time you hear "we don't have enough maintainers", you'll know why because Tsar Linus decided to play a political game instead of developing the kernel.
If Project P in Country A is identified by Country B as a potential target for planting cyber-attack-enabling backdoors, Country B has an incentive to find people to put a backdoor in P.
If Country B is a free country with rights and ethics, they will say "Help us put a backdoor in P. We'll pay you very well for services rendered," or try to get someone who already works for Country B intelligence into P's management structure.
If Country B is an "evil" country, they will do all of the above, but will also tell people of influence in P who live or have family in Country B or its allies, "Help us put a backdoor in P. If you refuse or if the backdoor doesn't work or if the legitimate workers of P find it and remove it before it helps us, you'll be arrested and/or tortured and/or killed and/or your family too."
Removing Russian based kernel maintainers from positions in which they could conceivably help insert a backdoor into the kernel hopefully removes the incentive for the Russian government to threaten (or carry out) horrific violence against these individuals and their families.
Really appreciate informative comments like this, basically explaining from first principles and not assuming people are idiots for not immediately understanding the implications.
It also made me realise what a cushy, insular world I live in not having to worry about those threats when I write software. Made me more aware of what others might face.
Either country can also say: "we have this law that requires people to help law enforcement agencies to implement backdoo^W special technical measures to advance national security interests, and also a gag order because it's a matter of national security".
I think Australia had something called Technical Capability Notices (TCNs) back in 2018? For legal entities for sure, not sure about hobbyists.
The last paragraph also makes the whole situation sound like someone cares for Russian developers' well-being. I highly doubt it was ever the intention.
While everything you mention is absolutely true, to the credit of the opinion of whimsicalism, any maintainer worldwide could get offered tons of bitcoins to integrate a backdoor / "bug".
Completely irrelevant. They are not the owner of the Linux kernel.
Linus holds the trademark. The copyright holders are the contributors to the source code. Nobody "owns" it, that's the point, it's an international project.
Linus, who since 2010 is an American citizen. Effectively, the US is probably the country closest to "owning" the Kernel, in that if the US wanted to put an abrupt cease to kernel development, they could, if only for a short period until the project re-organizes. I don't think any other country posses even the ability of doing so.
Removing US based kernel maintainers from positions in which they could conceivably help insert a backdoor into the kernel hopefully removes the incentive for the US government to threaten (or carry out) horrific violence against these individuals and their families.
So you are saying that any country can incentivize a developer to plant a backdoor and removing Russian maintainers is solely for their safety? Aww, that is so touching.
Such a blatant BS rationalization... The commit literally talks about "compliance". This is nothing more than an easy alternative to navigating the obscure sanctioning regime. It's like self-censorship, people/companies do this because of the fear that their activity may fall under sanctions, even though it highly likely does not.
If your system relies on people being in "a free country with rights and ethics", then you have a bad system widely open to abuse. After all, who decides which country is "free" and which is not? White house? Should you exclude people from all "non-free" countries?
> people/companies do this because of the fear that their activity may fall under sanctions, even though it highly likely does not.
People/companies do this because lawyers tell them that there is a risk that the activity may violate sanctions. And yes the lawyers are probably overly conservative, but that's because there often isn't a way to know for sure whether something is actually a violation until you end up in the courtroom.
To this casual bystander it seems like they usually hurt innocent citizens far more than the leaders of the usually authoritarion regime that it targets.
Would you oppose Germans having access to British and American systems during WW2?
Russians have been allowed to spread their propaganda, fund influencers, sell anti virus products, contribute to kernel code, etc… all the while they are at war with a western-backed nation.
What’s your logic here? That freedom means giving enemies unfettered access to our most sensitive systems?
Before you say something about peer review or shallow bugs, I would like to remind you of the recent XZ utils backdoor into SSH contributed by a less than friendly nation state.
The access Russia currently enjoys is the equivalent of Goebbels being allowed to anonymously publish front-page editorials in the Times, while simultaneously contributing code to Bletchley Park computers.
Whether we like to acknowledge it or not, the world has been split in two:
Russia, China, Iran, North Korea... and everybody else.
I can deploy an Azure or AWS cloud server right now in any one of several dozen nations, including Malaysia, Indonesia, Chile, Qatar, Israel, and Mexico.
I can't deploy VMs in Russia, China, Iran, or North Korea.
Not just because of sanctions, but because they don't allow me to. It's illegal for me -- I don't even need to specify which country I am in, it doesn't matter -- to deploy pretty much anything in those nations, by their own laws. (Similarly, I can't buy property, start a business, buy shares directly, etc, etc...)
>Russia, China, Iran, North Korea... and everybody else.
BRICS meeting is currently happening in Russia and the leaders who gathered there represent more than a half of world's population: "Putin returns to world stage hosting 36 leaders at Brics summit in Russia"[0].
>I can't deploy VMs in Russia
Really? You are welcome to click "Start your trial period" at Yandex Cloud. [1]
>Similarly, I can't buy property, start a business, buy shares directly
I invite readers to note the couching here of a technical/strategic point in a moral/historical comparison, and to consider whether the latter is warranted
which are based in countries that have Russia on a sanctions list. The main contributer employer based in a country that doesn't have Russia on some list is Huawei.
So given those folks contribute the most code to Linux, they may not want possible complications with regards to possible legal issues.
Not sure if you are joking or not, but BRICS certainly have enough developers for that effort, especially if it is encouraged and financed by the member states. I would not be surprised if this happens.
did banning plastic straws in a few US cities fix climate change and pollution?
>The access Russia currently enjoys is the equivalent of Goebbels being allowed to anonymously publish front-page editorials in the Times
there's absolutely nothing you can do about this to prevent this.
troll farms can afford residential VPNs and can network with the US/EU via neighboring neutral countries or their overseas agents.
>while simultaneously contributing code to Bletchley Park co
there's absolutely nothing you can do about this to prevent this.
how do you know that John Johnson contributing code to some widely-used library is not Ivan Ivanson, a KGB sleeper agent? do you know John Johnson in person? does anyone else in your anonymous, informal, nebulous developer clique know any other contributor personally? are you sure that jkldjsafj, qweqweqwe and all the random anonymous guys with anime girl profile pictures who contribute code to a myriad projects are not Russian plants?
>I would like to remind you of the recent XZ utils backdoor into SSH contributed by a less than friendly nation state.
case in point to the above: no one fucking knows who did it. it could be Russia, it could be China, it could be Israel, it could be NSA/CIA.
> there's absolutely nothing you can do about this to prevent this.
Fibre can be cut.
I know it's unpalatable, or somehow "an escalation", but when NATO started backing Ukraine and the US imposed sanctions on Russia, the logical move would have been to immediately sever all of their international network links. There's what, a few dozen fibre connections crossing their borders?
"an escalation" is a bit of an understatement if you try to cut the fiber connecting Russia and China. they also share a border with Georgia, Azerbaijan, Kazakhstan and Mongolia.
what the fuck are you going to do? do you people not understand how the Internet works? unless you isolate your network from all other networks, it is accessible from any other network.
That’s fixable too. If the rest of the world drops all packets to or from Russian CIDR blocks, it doesn’t matter how many fibre links they still have lit up.
Just a handful of public clouds and major CDNs dropping packets from Russian IPs would cut them off from almost all Internet services directly or indirectly. Good luck browsing web pages with cdnjs and the like just timing out for you!
Russia can route to the rest of the Internet because they’re being allowed to in the same sense that they can sell oil and gas to Europe because Europeans are allowing them to.
The Linux kernel will outlast any war and even many countries. It’s an institution, and in some ways it fosters more global collaboration and interdependence than even the UN. Bifurcating it along geopolitical lines is a short-sighted, lose/lose reaction to an inarticulable problem.
Well, I oppose the inclusion of OSS in those sanctions. I’m also generally skeptical of the theory of change - economic decoupling generally doesn’t make conflict less likely or protracted.
I don’t know a lot about that sanctions regime. If it was targeted stuff related to directly preventing the ongoing genocides, sure keep them - but in general, I would be opposed.
"we reserve the right to refuse to (i) delete any of the submissions, favorites, or comments you posted on the Hacker News site or linked in your profile and/or (ii) remove their association with your Hacker News ID."
In addition to GDPR (which is EU law but US companies have to respect it too), it may violate local state laws in the US too that you can't delete the account, if someone knows.
Best is somehow rather not to post if you don't want to have your messages recorded and linked to you.
It's not a geopolitical drama or melodrama, Linux Foundation needs to follow the laws of US where it's located. It's the same as any other American company
> The ban complies with the EU’s 12th sanctions package adopted in December, which ordered companies in and outside the bloc to stop exporting products and technology to Russia by March 20.
That would mean that either A) it's not what triggered this change or B) the kernel wasn't legally following compliance requirements for almost a year
But besides that, that sanction is between EU<>Russia, not sure if that would ultimately enforce the kernel to implement those compliance requirements, unless also agreed and followed by the US.
If you scroll down on the thread linked, someone mentions the reason isn't that the developers are Russian, but because their employers in Russia are sanctioned companies.
I don't know if that's accurate, but seems feasible. If so I'm 100% behind it.
It'd be nice to know the exact reasoning for this, rather than just see a commit without any context of why they're being removed. I'm pretty sure we'll know in due time.
I think it's more likely that everyone will forget in a few days and we will never know. Maybe there will be few more random bans.
I highly doubt anyone banned will even try to send "sufficient documentation". The wording is as vague and arbitrary as it gets, and the underlying tone sounds to me not like "we have such and such requirements", but like "some Russian-sounding names are banned, but we still have to demonstrate there is a due process".
Reminds me of banks. Banks are fined for not having processes for detecting money laundering. Not money laundering, mind it, just having "inadequate" processes. If such a process flags someone, that someone is blocked and they should provide "sufficient documents", but the bank is not allowed to tell them why or what, that would be "tipping off", which is illegal. And then it all comes down to bank's internal policies (that the bank is not allowed to disclose) or even a personal relationship with a branch manager.
> Banks are fined for not having processes for detecting money laundering. Not money laundering, mind it, just having "inadequate" processes. If such a process flags someone, that someone is blocked and they should provide "sufficient documents",
Isn't that how most compliance regulation works? You can't force companies to have a perfect record of preventing something, no matter how you structure things, so instead of trying to do so, you setup something that will at least preventing it somewhat. And then you fine the companies who don't do anything to prevent the issue.
I'm not a lawyer, but I don't think so. For example, there is no penalty for not having an accountant on payroll. But there are some for not keeping adequate records. I suspect it's irrelevant whether you have a full-time accountant so your records are always in order, or if you do nothing all year and hire someone for a big overhaul each December and also every time authorities need something.
Huawei is under same level of sanctions, but nobody with `xxx@huawei.com` is removed from Maintainers list. So, probably "sanctions" are not the reason.
Sounds like overreach by a company that is heavily invested in Linux as a base for its products, and is having a difficult time with US trade regulations.
Its pandering. I hope these developers petition to be added back.
This could get messy in other projects, depending where this rule came from.
I know there are .ru maintainers in at least one other ; and what about distros?
Not sure this is really what anyone had in mind when sanctioning Russia? The maintainers probably aren't pleased but can't see a direct route from there to Putin's opinion of the war in Ukraine.
Probably not sanctions, but national security concerns.
The former aims to punish and worsen the situation of the other country, the latter aims to reduce the attack vector and improve the situation of the US.
If I were a KGB (FSB) agent with a task to undermine US infrastructure with my commits in Linux kernel, using my real russian name and .ru TLD would be the last thing to do.
It’s pretty evident at this point that any Russian citizen in Russia or with family in Russia can be coerced, and it’s also pretty clear that Putin specifically does not have good intentions.
There are lots of good people there. It’s too bad there is a crazy person at the helm.
It is evident everyone CAN be coerced. Not that everyone WILL BE, because some people still think of themselves as people, not some “honest citizens” or “economic agents”.
It is also evident that someone quite far from Russia HAS ALREADY BEEN coerced to make that unannounced change, but you try really hard to look the other way. “Those Linux nerds” were shown who's the boss in the room when it comes to “important matters”. Don't you feel that the form of that change itself is a sign of silent disobedience, and you are expected to participate in public outcry forcing further developments instead of just bending over willingly?
It is totally possible that there was some direct intelligence that those accounts can be used in some clandestine operation in the future, probably without even asking some of the owners. After all, spies are #1 information source to other spies, they run the global spectacle together. Still, accepting “this is secret” as an excuse, you are already accepting defeat.
all you have to look at is the number of russian oligarchs being defenstrated since the invasion began to know that if it served russian aims to inject malware into the kernel somehow via their maintainers it would probably be tried. the maintainers are probably not oligarch level rich so imagine the pressure on them if needed.
And the solution so far has been to punish everyone you can get your hands on (i.e. everyone but Putin), tying people's future with his own and playing right into his narrative. Truly excellent diplomacy all around.
Well, what do you propose? We're obviously far past the point of diplomacy. The sanctions are not designed to change hearts and minds. They're designed to make Russia's war efforts more difficult. The sorry state of affairs is that Russia's government has made itself a huge problem and there are no good solutions.
Contrary to american adventures in the Vietnam, Iraq and other places, and by our best friend in the middle east, the civilian casualties are kept by a minimum by the russians. All the official numbers confirm that.
> the civilian casualties are kept by a minimum by the russians.
In every place where Russia has been that has been rescued there have been numerous torture chambers and mass graves.
Russia has been terror bombing civilians daily, specifically targeting civilians in order to kill as many as possible.
Hundreds of hospitals have been destroyed and Russia continually uses double-tap to target rescue workers.
They throw out masses of booby traps that looks like toys to kill and maim kids. Sometimes they even leave children alive on the booby trap.
It's a complete fabrication that Russia cares about civilian lives. They don't even care about the lives of their own soldiers as they're sent to the front without training, food, or ammo.
And I heard Iraqis were throwing out babies out of incubators in a Kuwait hospital.
"The Nayirah testimony was false testimony given before the United States Congressional Human Rights Caucus on October 10, 1990, by a 15-year-old Kuwaiti girl who was publicly identified only as Nayirah at the time. In her testimony, which took place two months after the Iraqi invasion of Kuwait, she claimed to have witnessed Iraqi soldiers taking babies out of incubators at a Kuwaiti hospital before looting the incubators and leaving the babies to die on the floor. Nayirah's statements were widely publicized and cited numerous times in the United States Senate and by American president George H. W. Bush to contribute to the rationale for pursuing military action against Iraq. Her portrayal of Iraqi war crimes was aimed at further increasing global support for Kuwait against the Iraqi occupation during the Gulf War, which resulted in the expulsion of Iraqi troops from Kuwait by a 42-country coalition led by the United States.
In 1992, it was revealed that Nayirah's last name was al-Ṣabaḥ (Arabic: نيرة الصباح) and that she was the daughter of Saud Nasser Al-Saud Al-Sabah, the erstwhile Kuwaiti ambassador to the United States. Furthermore, it was revealed that her testimony was organized as part of a wider public relations campaign conducted by the Kuwaiti government-in-exile's Citizens for a Free Kuwait, which sought to encourage American military involvement against Iraq's occupation of Kuwait through coordination with the American public relations firm Hill & Knowlton. In the aftermath of the Gulf War, the Nayirah testimony came to be regarded as a classic example of modern atrocity propaganda." [0]
It's already the case, if you are living in a country officially listed as "hostile to Russia" (or "enemy") it's very difficult to business there. That's why McDonald's left for example.
Wait ... Western countries killing in Russia? What?! As part of the Cold War, sure, but that's the nature spying; we do it, they do it, everybody does it. Seems like you're implying armed forces level killing in Russia, though. Care to explain that?
I think this is good. It’s a clear potential attack vector and we have plenty of people who can maintain Linux here. I don’t really see any downside to this.
Code is supposed to be free and all that, but this is an obvious security exploit waiting to happen. It’s not like Linux is somehow beyond countries; even Linus works for a US foundation.
How convoluted, insidious, and camouflaged can a hidden backdoor or exploitable intentional defect be?
If hacking or subversion is possible, it has been tried and will be again. If anyone is going to try it, chances are Putin's people will.
It's by far the sneakiest, most advanced cheating and infiltration apparatus humanity has ever known. It inherited a large "meddling war chest" from the Soviet Union, then invested heavily into it for 25 years. The Internet increased its opportunities a million-fold. Its semitransparent tentacles are now embedded into nearly every consequential organization on the planet.
Consider the xz episode as a baseline. It was fairly sneaky, but it was introduced by a newcomer to the project and affected mostly existing code. A more elaborate exploit might be submitted with a new feature by an established maintainer.
Probably the best thing that can happen to the kernel... this type of measure generally backfires spectacularly by giving talent the opportunity to thrive, if anything as a way to fight back against injustice and arbitrary decisions, or for sanctioned opposition to invest in resilience by dumping more money in things otherwise not consider a priority. I always thought Argentine music from the 80's and early 90s was legendary, and this stems from a post-Falklands war, self-inflicted sanction against anglo music... regional bands thrived and created gems that even today can be appreciated as masterpieces...
Regional bands thrived and created gems that even today can be appreciated as masterpieces...
Care to name a few?
I used to pirate a lot of random music in early 00’s and went through a Latin phase. Downloaded one album by Fabiana Cantilo full of covers by what seemed to be other Argentine artists and some names are Soda Stereo and Andres Calamaro.
They seem to have a lot of what kids today would call bangers.
Some of my favorite Argentine songs: Donde Manda Marinero, En La Ciudad De la Furia. Fabiana’s album that I torrented back in the day happens to be covers of the famous songs and I like a lot of them too
Disclaimer, I just happened to know some Argentine songs that are total ear worms, not necessarily an expert in Argentine music
The next time you hear "we don't have enough maintainers", you'll know why because Tsar Linus decided to play a political game instead of developing the kernel.
I thought I read that they had enough maintainers already and so don't need to write any guides on kernel development.
Strongly opposed to any sort of sanction regime that results in this.
Let me spell it out for you:
If Project P in Country A is identified by Country B as a potential target for planting cyber-attack-enabling backdoors, Country B has an incentive to find people to put a backdoor in P.
If Country B is a free country with rights and ethics, they will say "Help us put a backdoor in P. We'll pay you very well for services rendered," or try to get someone who already works for Country B intelligence into P's management structure.
If Country B is an "evil" country, they will do all of the above, but will also tell people of influence in P who live or have family in Country B or its allies, "Help us put a backdoor in P. If you refuse or if the backdoor doesn't work or if the legitimate workers of P find it and remove it before it helps us, you'll be arrested and/or tortured and/or killed and/or your family too."
Removing Russian based kernel maintainers from positions in which they could conceivably help insert a backdoor into the kernel hopefully removes the incentive for the Russian government to threaten (or carry out) horrific violence against these individuals and their families.
Really appreciate informative comments like this, basically explaining from first principles and not assuming people are idiots for not immediately understanding the implications.
It also made me realise what a cushy, insular world I live in not having to worry about those threats when I write software. Made me more aware of what others might face.
Either country can also say: "we have this law that requires people to help law enforcement agencies to implement backdoo^W special technical measures to advance national security interests, and also a gag order because it's a matter of national security".
I think Australia had something called Technical Capability Notices (TCNs) back in 2018? For legal entities for sure, not sure about hobbyists.
The last paragraph also makes the whole situation sound like someone cares for Russian developers' well-being. I highly doubt it was ever the intention.
While everything you mention is absolutely true, to the credit of the opinion of whimsicalism, any maintainer worldwide could get offered tons of bitcoins to integrate a backdoor / "bug".
True life-changing money, in all absolute sense.
Exactly. And that's how the west / america would approach it. Throw money at it until u get what u want
That’s generally how you incentivize humans, yes.
Cool. Which country owns the Linux kernel?
Not that I disagree with the move 100%, but I don't think it's that clear cut.
Linux foundation is 501(c)(6) organization based in US.of.A
Completely irrelevant. They are not the owner of the Linux kernel.
Linus holds the trademark. The copyright holders are the contributors to the source code. Nobody "owns" it, that's the point, it's an international project.
Linus, who since 2010 is an American citizen. Effectively, the US is probably the country closest to "owning" the Kernel, in that if the US wanted to put an abrupt cease to kernel development, they could, if only for a short period until the project re-organizes. I don't think any other country posses even the ability of doing so.
Removing US based kernel maintainers from positions in which they could conceivably help insert a backdoor into the kernel hopefully removes the incentive for the US government to threaten (or carry out) horrific violence against these individuals and their families.
cough xz cough
So you are saying that any country can incentivize a developer to plant a backdoor and removing Russian maintainers is solely for their safety? Aww, that is so touching.
Such a blatant BS rationalization... The commit literally talks about "compliance". This is nothing more than an easy alternative to navigating the obscure sanctioning regime. It's like self-censorship, people/companies do this because of the fear that their activity may fall under sanctions, even though it highly likely does not.
If your system relies on people being in "a free country with rights and ethics", then you have a bad system widely open to abuse. After all, who decides which country is "free" and which is not? White house? Should you exclude people from all "non-free" countries?
> people/companies do this because of the fear that their activity may fall under sanctions, even though it highly likely does not.
People/companies do this because lawyers tell them that there is a risk that the activity may violate sanctions. And yes the lawyers are probably overly conservative, but that's because there often isn't a way to know for sure whether something is actually a violation until you end up in the courtroom.
[dead]
[dead]
[dead]
Do sanctions ever actually work as intended?
To this casual bystander it seems like they usually hurt innocent citizens far more than the leaders of the usually authoritarion regime that it targets.
Would you oppose Germans having access to British and American systems during WW2?
Russians have been allowed to spread their propaganda, fund influencers, sell anti virus products, contribute to kernel code, etc… all the while they are at war with a western-backed nation.
What’s your logic here? That freedom means giving enemies unfettered access to our most sensitive systems?
Before you say something about peer review or shallow bugs, I would like to remind you of the recent XZ utils backdoor into SSH contributed by a less than friendly nation state.
The access Russia currently enjoys is the equivalent of Goebbels being allowed to anonymously publish front-page editorials in the Times, while simultaneously contributing code to Bletchley Park computers.
Don’t vote, reply.
> That freedom means giving enemies unfettered access to our most sensitive systems?
Do you imply that Linux is a technology controlled by Western state actors?
> I would like to remind you of the recent XZ utils backdoor into SSH contributed by a less than friendly nation state.
Would you support a backdoor contributed by a friendly nation state?
I didn't say "western"!
Whether we like to acknowledge it or not, the world has been split in two:
Russia, China, Iran, North Korea... and everybody else.
I can deploy an Azure or AWS cloud server right now in any one of several dozen nations, including Malaysia, Indonesia, Chile, Qatar, Israel, and Mexico.
I can't deploy VMs in Russia, China, Iran, or North Korea.
Not just because of sanctions, but because they don't allow me to. It's illegal for me -- I don't even need to specify which country I am in, it doesn't matter -- to deploy pretty much anything in those nations, by their own laws. (Similarly, I can't buy property, start a business, buy shares directly, etc, etc...)
Have a look at the requirements to deploy something into China: https://learn.microsoft.com/en-us/azure/china/overview-check... and https://learn.microsoft.com/en-us/azure/china/overview-sover...
Nothing like this is needed for any other cloud region. I can just pick "the rest of the planet" from a drop-down list at will.
So why should we let "the other side" of the planet gain benefits from our collective works, if they slam the door in our face in response?
> Whether we like to acknowledge it or not, the world has been split in two
Someone who is so dependent on media images that he declares them unquestionable truths in advance is probably unqualified to reason about propaganda.
> Not just because of sanctions, but because they don't allow me to. It's illegal for me
No it's because aws/azure failed to follow local Russian laws + sanctions imposed by US. If you need Russian vps, you can contact Russian providers.
Microsoft seems to have no trouble “following local laws” in every other country they’re present in.
What’s different about the local laws in Russia, China, Iran, and North Korea?
Sanctions. Complying with local law or operating in those countries might break sanctions.
China is not sanctioned.
>Russia, China, Iran, North Korea... and everybody else.
BRICS meeting is currently happening in Russia and the leaders who gathered there represent more than a half of world's population: "Putin returns to world stage hosting 36 leaders at Brics summit in Russia"[0].
>I can't deploy VMs in Russia
Really? You are welcome to click "Start your trial period" at Yandex Cloud. [1]
>Similarly, I can't buy property, start a business, buy shares directly
Of course you can.
[0] https://www.theguardian.com/business/2024/oct/22/putin-brics...
[1] https://yandex.cloud/en/
I invite readers to note the couching here of a technical/strategic point in a moral/historical comparison, and to consider whether the latter is warranted
Who is the “our” that owns Linux? It is a human project and any human should be able to be maintainer.
Liberalism is what makes our society great, not paranoia and securitization.
> Who is the “our” that owns Linux?
Well, the Linux Foundation which owns the Linux® trademark and employs the primary maintainer is based in the US:
* https://en.wikipedia.org/wiki/Linux_Foundation
Some of the most active contributer employers are Intel, Google, Linaro, AMD, Red Hat, SuSE, Meta, Oracle, Qualcomm, IBM, NVIDIA, TI, Arm, Microsoft:
* https://lwn.net/Articles/972605/
* https://kernelnewbies.org/DevelopmentStatistics
which are based in countries that have Russia on a sanctions list. The main contributer employer based in a country that doesn't have Russia on some list is Huawei.
So given those folks contribute the most code to Linux, they may not want possible complications with regards to possible legal issues.
So they can fork it and roll their own version of Linux. Russia-ux.
Not sure if you are joking or not, but BRICS certainly have enough developers for that effort, especially if it is encouraged and financed by the member states. I would not be surprised if this happens.
Even North Korea runs their own Linux Distribution ( https://en.wikipedia.org/wiki/Red_Star_OS )
[dead]
[flagged]
did banning plastic straws in a few US cities fix climate change and pollution?
>The access Russia currently enjoys is the equivalent of Goebbels being allowed to anonymously publish front-page editorials in the Times
there's absolutely nothing you can do about this to prevent this.
troll farms can afford residential VPNs and can network with the US/EU via neighboring neutral countries or their overseas agents.
>while simultaneously contributing code to Bletchley Park co
there's absolutely nothing you can do about this to prevent this.
how do you know that John Johnson contributing code to some widely-used library is not Ivan Ivanson, a KGB sleeper agent? do you know John Johnson in person? does anyone else in your anonymous, informal, nebulous developer clique know any other contributor personally? are you sure that jkldjsafj, qweqweqwe and all the random anonymous guys with anime girl profile pictures who contribute code to a myriad projects are not Russian plants?
>I would like to remind you of the recent XZ utils backdoor into SSH contributed by a less than friendly nation state.
case in point to the above: no one fucking knows who did it. it could be Russia, it could be China, it could be Israel, it could be NSA/CIA.
> there's absolutely nothing you can do about this to prevent this.
Fibre can be cut.
I know it's unpalatable, or somehow "an escalation", but when NATO started backing Ukraine and the US imposed sanctions on Russia, the logical move would have been to immediately sever all of their international network links. There's what, a few dozen fibre connections crossing their borders?
The alternative is this: https://edition.cnn.com/2024/09/13/media/right-wing-media-in...
"an escalation" is a bit of an understatement if you try to cut the fiber connecting Russia and China. they also share a border with Georgia, Azerbaijan, Kazakhstan and Mongolia.
what the fuck are you going to do? do you people not understand how the Internet works? unless you isolate your network from all other networks, it is accessible from any other network.
That’s fixable too. If the rest of the world drops all packets to or from Russian CIDR blocks, it doesn’t matter how many fibre links they still have lit up.
Just a handful of public clouds and major CDNs dropping packets from Russian IPs would cut them off from almost all Internet services directly or indirectly. Good luck browsing web pages with cdnjs and the like just timing out for you!
Russia can route to the rest of the Internet because they’re being allowed to in the same sense that they can sell oil and gas to Europe because Europeans are allowing them to.
> If the rest of the world drops all packets to or from Russian CIDR blocks
yes, okay, fine, go convince China to do just that
Don’t need to convince everybody, just the majority.
> how do you know that John Johnson contributing code to some widely-used library is not Ivan Ivanson, a KGB sleeper agent?
Because his name is "Jia Tan" so he must be chinese. /s
I'm strongly opposed to Russia's expansionist goals in Ukraine.
The Linux kernel will outlast any war and even many countries. It’s an institution, and in some ways it fosters more global collaboration and interdependence than even the UN. Bifurcating it along geopolitical lines is a short-sighted, lose/lose reaction to an inarticulable problem.
Frankly, that is completely irrelevant to the kernel maintainers list.
It's of the main reasons these sanctions exist. It's the biggest topic in Europe since WW2.
Well, I oppose the inclusion of OSS in those sanctions. I’m also generally skeptical of the theory of change - economic decoupling generally doesn’t make conflict less likely or protracted.
As far I understand software itself is not included in US sanctions, it's the infrastructure, websites, mailing lists etc
They are somewhat collateral victims of the war and of the bad political choices (both sides) sadly.
So you think in 1992 when FRY was sanctioned research and Internet links should not have been affected when flights were suspended for example?
I don’t know a lot about that sanctions regime. If it was targeted stuff related to directly preventing the ongoing genocides, sure keep them - but in general, I would be opposed.
[flagged]
You can try to ask dang but for technical reasons he is unlikely to fulfill your request.
Thanks for the info. Appreciated.
"we reserve the right to refuse to (i) delete any of the submissions, favorites, or comments you posted on the Hacker News site or linked in your profile and/or (ii) remove their association with your Hacker News ID."
In addition to GDPR (which is EU law but US companies have to respect it too), it may violate local state laws in the US too that you can't delete the account, if someone knows.
Best is somehow rather not to post if you don't want to have your messages recorded and linked to you.
imo its a violation of the CCPA but they don’t agree
You can just stop coming here. It's super easy.
Say some naughty words?
by that logic N.Korean subjugates should also get maintainer rights
if you really think so strongly about it maybe you should run "Red Star OS" instead
North Korean maintainers should be allowed, imo
Not a good idea for Linux to get involved in geopolitical drama.
Any self-respecting maintainer will not come back after this.
Linux might have a lot of developers, but has a hard time finding and retaining maintainers.
This is not a good development.
It's not a geopolitical drama or melodrama, Linux Foundation needs to follow the laws of US where it's located. It's the same as any other American company
Most of the developers are paid by US companies. I don’t think this will really affect anything at all.
Is there any new "compliance requirements" (sanctions I suppose?) that made this happen? Or is a delayed change since the sanctions started?
The latest change would be EU sanctions that disallow export of technology from March 2024: https://www.themoscowtimes.com/2024/05/17/microsoft-blocks-r...
But this change here feels like there was pressure from the DoD or White House. A lot of sanctions seems to be introduced and enforced informally.
That cited change is actually from December 2023:
> The ban complies with the EU’s 12th sanctions package adopted in December, which ordered companies in and outside the bloc to stop exporting products and technology to Russia by March 20.
That would mean that either A) it's not what triggered this change or B) the kernel wasn't legally following compliance requirements for almost a year
But besides that, that sanction is between EU<>Russia, not sure if that would ultimately enforce the kernel to implement those compliance requirements, unless also agreed and followed by the US.
It’s surprising to see that there are any compliance requirements Linux adheres to.
If it is because of national security concerns, will Israelis and Chinese lose kernel maintainership status as well?
> If it is because of national security concerns, will Israelis and Chinese lose kernel maintainership status as well?
Some of them, yes, some of them, no. /s
[dead]
I doubt anything would happen the next time US invades a country.
Earlier: https://news.ycombinator.com/item?id=41917357
If you scroll down on the thread linked, someone mentions the reason isn't that the developers are Russian, but because their employers in Russia are sanctioned companies.
I don't know if that's accurate, but seems feasible. If so I'm 100% behind it.
It'd be nice to know the exact reasoning for this, rather than just see a commit without any context of why they're being removed. I'm pretty sure we'll know in due time.
I think it's more likely that everyone will forget in a few days and we will never know. Maybe there will be few more random bans.
I highly doubt anyone banned will even try to send "sufficient documentation". The wording is as vague and arbitrary as it gets, and the underlying tone sounds to me not like "we have such and such requirements", but like "some Russian-sounding names are banned, but we still have to demonstrate there is a due process".
Reminds me of banks. Banks are fined for not having processes for detecting money laundering. Not money laundering, mind it, just having "inadequate" processes. If such a process flags someone, that someone is blocked and they should provide "sufficient documents", but the bank is not allowed to tell them why or what, that would be "tipping off", which is illegal. And then it all comes down to bank's internal policies (that the bank is not allowed to disclose) or even a personal relationship with a branch manager.
> Banks are fined for not having processes for detecting money laundering. Not money laundering, mind it, just having "inadequate" processes. If such a process flags someone, that someone is blocked and they should provide "sufficient documents",
Isn't that how most compliance regulation works? You can't force companies to have a perfect record of preventing something, no matter how you structure things, so instead of trying to do so, you setup something that will at least preventing it somewhat. And then you fine the companies who don't do anything to prevent the issue.
I'm not a lawyer, but I don't think so. For example, there is no penalty for not having an accountant on payroll. But there are some for not keeping adequate records. I suspect it's irrelevant whether you have a full-time accountant so your records are always in order, or if you do nothing all year and hire someone for a big overhaul each December and also every time authorities need something.
Huawei is under same level of sanctions, but nobody with `xxx@huawei.com` is removed from Maintainers list. So, probably "sanctions" are not the reason.
What about maintainers employed by huawei, they still on that file, any difference here?
Sounds like overreach by a company that is heavily invested in Linux as a base for its products, and is having a difficult time with US trade regulations.
Its pandering. I hope these developers petition to be added back.
Are US corporations going to be forced to fire their Russian coders?
They should have already based on the sanctions two years ago, Belarus also.
Some examples:
https://www.theverge.com/2022/6/8/23159656/microsoft-russia-...
https://www.reuters.com/business/russia-shrugs-off-jobs-impa...
https://www.hpe.com/us/en/newsroom/statement/2022/06/hpe-ann...
https://newsroom.ibm.com/Update-on-IBMs-Business-Operations-...
This could get messy in other projects, depending where this rule came from. I know there are .ru maintainers in at least one other ; and what about distros?
Russian government is cancer but this is pointless. It would be much easier to hide a backdoor in an npm or python package.
Which HOPEFULLY don't run at kernel privilege level (but I do know better).
Not sure this is really what anyone had in mind when sanctioning Russia? The maintainers probably aren't pleased but can't see a direct route from there to Putin's opinion of the war in Ukraine.
Probably not sanctions, but national security concerns.
The former aims to punish and worsen the situation of the other country, the latter aims to reduce the attack vector and improve the situation of the US.
If I were a KGB (FSB) agent with a task to undermine US infrastructure with my commits in Linux kernel, using my real russian name and .ru TLD would be the last thing to do.
It’s pretty evident at this point that any Russian citizen in Russia or with family in Russia can be coerced, and it’s also pretty clear that Putin specifically does not have good intentions.
There are lots of good people there. It’s too bad there is a crazy person at the helm.
It is evident everyone CAN be coerced. Not that everyone WILL BE, because some people still think of themselves as people, not some “honest citizens” or “economic agents”.
It is also evident that someone quite far from Russia HAS ALREADY BEEN coerced to make that unannounced change, but you try really hard to look the other way. “Those Linux nerds” were shown who's the boss in the room when it comes to “important matters”. Don't you feel that the form of that change itself is a sign of silent disobedience, and you are expected to participate in public outcry forcing further developments instead of just bending over willingly?
It is totally possible that there was some direct intelligence that those accounts can be used in some clandestine operation in the future, probably without even asking some of the owners. After all, spies are #1 information source to other spies, they run the global spectacle together. Still, accepting “this is secret” as an excuse, you are already accepting defeat.
all you have to look at is the number of russian oligarchs being defenstrated since the invasion began to know that if it served russian aims to inject malware into the kernel somehow via their maintainers it would probably be tried. the maintainers are probably not oligarch level rich so imagine the pressure on them if needed.
> The maintainers probably aren't pleased but can't see a direct route from there to Putin's opinion of the war in Ukraine.
Then they should be reminded that their military is actively using Linux to kill Ukrainian civilians https://en.wikipedia.org/wiki/Astra_Linux
"Putins opinion on the war he started" undersells the issue that Russia has actively been undermining, killing, and sabotaging in western countries.
And the solution so far has been to punish everyone you can get your hands on (i.e. everyone but Putin), tying people's future with his own and playing right into his narrative. Truly excellent diplomacy all around.
Well, what do you propose? We're obviously far past the point of diplomacy. The sanctions are not designed to change hearts and minds. They're designed to make Russia's war efforts more difficult. The sorry state of affairs is that Russia's government has made itself a huge problem and there are no good solutions.
[flagged]
If America isn’t perfect, does that mean its enemies must be? Surely you don’t live in so simple a world?
Anyway, us encroaching on Russian interests (debatable) is hardly an excuse for them to go blowing up a country full of innovent civilians.
Contrary to american adventures in the Vietnam, Iraq and other places, and by our best friend in the middle east, the civilian casualties are kept by a minimum by the russians. All the official numbers confirm that.
It was not them who invented shock and awe.
> the civilian casualties are kept by a minimum by the russians.
In every place where Russia has been that has been rescued there have been numerous torture chambers and mass graves.
Russia has been terror bombing civilians daily, specifically targeting civilians in order to kill as many as possible.
Hundreds of hospitals have been destroyed and Russia continually uses double-tap to target rescue workers.
They throw out masses of booby traps that looks like toys to kill and maim kids. Sometimes they even leave children alive on the booby trap.
It's a complete fabrication that Russia cares about civilian lives. They don't even care about the lives of their own soldiers as they're sent to the front without training, food, or ammo.
>They throw out masses of booby traps that looks like toys to kill and maim kids. Sometimes they even leave children alive on the booby trap.
You forgot infants raped with a teaspoon.
Seriously, nobody can be that gullible.
Is that a coping mechanism or something?
"The claims are so ridiculous that they can't be true!"
There's thousands of documented cases of Russian war crimes out there to educate yourself if you're tired of shoving your head into the sand.
Admittedly, I've luckily only heard of a single case of them booby trapping a dead mother who carried her still alive baby.
(And surprise surprise, the same usernames appear who defend the Russian horrors.)
And I heard Iraqis were throwing out babies out of incubators in a Kuwait hospital.
"The Nayirah testimony was false testimony given before the United States Congressional Human Rights Caucus on October 10, 1990, by a 15-year-old Kuwaiti girl who was publicly identified only as Nayirah at the time. In her testimony, which took place two months after the Iraqi invasion of Kuwait, she claimed to have witnessed Iraqi soldiers taking babies out of incubators at a Kuwaiti hospital before looting the incubators and leaving the babies to die on the floor. Nayirah's statements were widely publicized and cited numerous times in the United States Senate and by American president George H. W. Bush to contribute to the rationale for pursuing military action against Iraq. Her portrayal of Iraqi war crimes was aimed at further increasing global support for Kuwait against the Iraqi occupation during the Gulf War, which resulted in the expulsion of Iraqi troops from Kuwait by a 42-country coalition led by the United States.
In 1992, it was revealed that Nayirah's last name was al-Ṣabaḥ (Arabic: نيرة الصباح) and that she was the daughter of Saud Nasser Al-Saud Al-Sabah, the erstwhile Kuwaiti ambassador to the United States. Furthermore, it was revealed that her testimony was organized as part of a wider public relations campaign conducted by the Kuwaiti government-in-exile's Citizens for a Free Kuwait, which sought to encourage American military involvement against Iraq's occupation of Kuwait through coordination with the American public relations firm Hill & Knowlton. In the aftermath of the Gulf War, the Nayirah testimony came to be regarded as a classic example of modern atrocity propaganda." [0]
Looks familiar?
[0] https://en.wikipedia.org/wiki/Nayirah_testimony
[flagged]
Let the Russians banish western developers from working on Russian projects.
It's already the case, if you are living in a country officially listed as "hostile to Russia" (or "enemy") it's very difficult to business there. That's why McDonald's left for example.
Wait ... Western countries killing in Russia? What?! As part of the Cold War, sure, but that's the nature spying; we do it, they do it, everybody does it. Seems like you're implying armed forces level killing in Russia, though. Care to explain that?
So?
China next? And then they cry that Linux does not have enough maintainers...
[flagged]
[flagged]
Alternative title: Nobody with an email ending in .ru left in the MANTAINERS file.
That would be a nice explanation, but some people with @gmail.com were also removed from the list.
I think this is good. It’s a clear potential attack vector and we have plenty of people who can maintain Linux here. I don’t really see any downside to this.
Code is supposed to be free and all that, but this is an obvious security exploit waiting to happen. It’s not like Linux is somehow beyond countries; even Linus works for a US foundation.
My initial reaction reading the thread was just to shake my head. What's the point of open source?
How convoluted, insidious, and camouflaged can a hidden backdoor or exploitable intentional defect be?
If hacking or subversion is possible, it has been tried and will be again. If anyone is going to try it, chances are Putin's people will.
It's by far the sneakiest, most advanced cheating and infiltration apparatus humanity has ever known. It inherited a large "meddling war chest" from the Soviet Union, then invested heavily into it for 25 years. The Internet increased its opportunities a million-fold. Its semitransparent tentacles are now embedded into nearly every consequential organization on the planet.
Consider the xz episode as a baseline. It was fairly sneaky, but it was introduced by a newcomer to the project and affected mostly existing code. A more elaborate exploit might be submitted with a new feature by an established maintainer.
[dead]
[flagged]
[flagged]