submitted 1 month ago by 0x4E4F@infosec.pub to c/linux@lemmy.world

Official statement regarding recent Greg's commit 6e90b675cf942e from Serge Semin

Hello Linux-kernel community,

I am sure you have already heard the news caused by the recent Greg's commit 6e90b675cf942e ("MAINTAINERS: Remove some entries due to various compliance requirements."). As you may have noticed, the change concerned the removal of some of the Ru-related developers from the list of the official kernel maintainers, including me.

The community members rightly noted that the quite short commit log contained very vague terms with no explicit change justification. No matter how hard I tried to get more details about the reason, alas the senior maintainer I was discussing the matter with hasn't given an explanation of what compliance requirements those were. I won't cite the exact emails text since it was private messaging, but the key words are "sanctions", "sorry", "nothing I can do", "talk to your (company) lawyer"... I can't say for all the guys affected by the change, but my work for the community has been purely volunteer for more than a year now (and less than half of it had been payable before that). For that reason I don't have any (company) lawyer to talk to, and honestly after the way the patch has been merged in I don't really want to now. Silently, behind everyone's back, bypassing the standard patch-review process, with no affected developers/subsystem notified - it's indeed the worst way to do what has been done. No gratitude, no credits to the developers for all these years of the devoted work for the community. No matter the reason of the situation but haven't we deserved more than that? Adding to the CREDITS file at least, no?..

I can't believe the kernel senior maintainers didn't consider that the patch wouldn't go unnoticed, and the situation might get out of control with unpredictable results for the community, if not straight away then in the middle or long term perspective. I am sure there have been plenty of ways to solve the problem less harmfully, but they decided to take the easiest path. Alas what's done is done. A bifurcation point slightly initiated a year ago has just been fully implemented. The reason of the situation is obviously in the political ground which in this case surely shatters a basement the community has been built on in the first place. If so then God knows what might be next (who else might be sanctioned...), but the implemented move clearly sends a bad signal to the Linux community newcomers, to the already working volunteers and hobbyists like me.

Thus even if it was still possible for me to send patches or perform some reviews, after what has been done my motivation to do that as a volunteer has simply vanished. (I might be doing a commercial upstreaming in future though). But before saying goodbye I'd like to express my gratitude to all the community members I have been lucky to work with during all these years.

top 31 comments
[-] goffy59@lemmy.world 29 points 1 month ago

While I understand that the manner in which your removal from the Linux kernel maintainer list was handled may feel frustrating, there are much larger issues at stake here. The fact that you would leave a project you claimed to have volunteered for "in good faith" as soon as your country’s role in a horrific war of aggression comes into question is deeply troubling.

Let’s be clear: Russia’s invasion of Ukraine is an unprovoked act of war, involving systematic atrocities and crimes against humanity. No matter how you frame your individual involvement as a contributor to open-source projects, by remaining silent and failing to stand against the actions of your government, you and others in Russia are complicit. You cannot separate your personal or professional activities from the larger geopolitical realities—especially not when your country is committing genocidal acts.

Furthermore, the issue of trust cannot be overstated. The Linux Foundation and broader open-source community depend on trust and collaboration. With Russian state-sponsored espionage, cyberattacks, and covert operations frequently targeting Western infrastructure, it’s impossible to ignore the risks associated with contributors from a country that has made subterfuge and disinformation a central part of its strategy. How can the community trust that your contributions are made in good faith when so many Russian actors have been implicated in espionage and manipulation efforts?

The Linux Foundation does not exist in a vacuum. It stands for more than just code—it represents the principles of openness, transparency, and ethical responsibility. Allowing contributions from individuals tied to a state engaging in war crimes sends the wrong message. It would compromise the integrity of the entire community.

As for the comparison to U.S. support for Israel, the situations are entirely different. The U.S. is not driving soldiers into Gaza to kill Palestinians. While we provide material and military support to Israel—largely aimed at combating Hamas, a recognized terrorist organization—that is not the same as directly engaging in the conflict. The idea that the U.S. is the sole proprietor of the war in Gaza is absurd and fueled by Iranian and other hostile propaganda. The U.S. government has not declared war on Gaza, and no congressional vote has sanctioned such an action.

It’s important to note that U.S. policy toward Israel has been consistent for decades, across multiple administrations. The complexities of this relationship go far beyond any single conflict or war. Furthermore, while atrocities committed by any state must be condemned, we are not responsible for every action taken by Israel, just as Russians like yourself should not dismiss your government's role in the atrocities being committed in Ukraine.

In the end, it's about accountability. You chose to walk away from the Linux community because of a necessary and justified action aimed at holding people accountable for their involvement, directly or indirectly, in a war of aggression. Your departure speaks volumes about where your priorities and loyalties truly lie.

[-] GBU_28@lemm.ee 11 points 1 month ago* (last edited 1 month ago)

Hmm in general this is an interesting comment, but claiming someone in Russia who doesn't stand against Putin is "complicit" in the war is rough. Putin's regime has a long track record of violence against political enemies. Including their family and associates. This is at a level most westerners can't comprehend, as we've never experienced it. For them to stand up as you hope they would could possibly be the last public thing they ever do. I've commented on this platform that I think what Israel is doing is genocide, and that it is disgusting that the US hasn't stopped arms shipments. But I can do that because I'm fortunate to live in a place where there isn't going to be a knock on my door for my opinion.

I do think it's fair to note the salt from OP, and that is unfortunate. Their direct line of argument between Russia and Israel is also jink. As you say they are widely different conflicts. But it would be better they didn't post at all, because I believe they can't truly provide a response that would satisfy...their safety is in question if they do so.

Be clear: I'm in no way apologizing for Russia. I also think sanctions against Russia, and the removal of Russian Linux contributors is a sound move.

Edit edit I just learned about the contributor's work at a Russian defense contractor. If that is true it significantly colors their position and may make my point about silence for safety more fraught.

[-] Agent_Karyo@lemmy.world 2 points 1 month ago* (last edited 1 month ago)

> but claiming someone in Russia who doesn’t stand against Putin is “complicit” in the war is rough.

An alternative viewpoint from someone who has lived in North America and russia for a decade (and speaks both russian and English).

Most Westerners have a pretty primitive and naive understanding of russian culture; you will note how even seemingly reputable analysts that consult senior US diplomatic figures speak in broken russian.

Westerners greatly underestimate the extent to which genocidal imperialism is supported within russian society. Not every single person of course. We are talking strong majority to overwhelming majority support that goes across multiple demographic segments (even ones you wouldn't think would have majority support like younger cohorts or highly educated cohorts).

Consider the annexation of Crimea, which if you live in Ukraine, was the beginning of the invasion of Ukraine. 80-85% support depending on methodology (just a few percentage point delta when using list experiments vs. direct questions).

And don't be naive in thinking that russian society does not recognize the genocidal intent. They most definitely know that Ukrainian is banned, Ukrainian churches are banned, you cannot do anything without getting a russian passport. Tens of thousands of Ukrainians who have the courage to openly oppose this regime are sent to torture dungeons where electrocution torture, cutting off genitals, cutting off fingers, rape, is all a standard procedure.

And russian society knows this, yet they continue to strongly support the invasion and occupation of Ukraine, Georgia (how many russians protested the 2008 invasion?) and Moldova.

Now one might say I am de-humanizing russians. To that I will answer that I am actually treating them as adults that make their own choices and should take responsibility for their actions. There is nothing inherent (in a biological or some sort of cultural essentialism sense) to russian culture that enables imperialism to makes propaganda "uniquely" effective. It's a conscious choice made unfortunately by at least a strong majority of russian society.

This is not directly aimed at you, more of a general comment regarding naive and honestly uneducated takes on the nature of russian society.

[-] GBU_28@lemm.ee 2 points 1 month ago

I understand your point.

I would highlight that part of mine was that until "you" live it, and are face to face with those consequences, it's ignorant to just assume "you" would stand up to the regime. Given that, it's a "rough" call to expect others to meet that very high bar of integrity and personal risk.

[-] Agent_Karyo@lemmy.world 3 points 1 month ago

I think you overestimate how many people in russia do not stand against putin because they are afraid of the consequences. It's definitely true that it happens, but it's not really relevant in the bigger scale of things.

Unfortunately, a strong majority (at the very least) do support putin specifically, his authoritarianism and genocidal imperialism. And this is not limited to specific demographic segments. They may not openly act as rabid chauvinists (although there are tens of millions who do), but they are fundamentally aligned with putin, his regime, his goals and his methods. For them it's a fair price for their own comfort (both material and existential).

And what further muddies the waters is that among those who oppose putin, many actually support his imperialist agenda (e.g. Navalniy and his team who supported the annexation of Crimea until 2022 when they were forced to change their position since they were kicked out of the country).

The whole framing of tens of millions of russians being stuck between a rock and a hard place is incorrect. Even those who claim they are for peace are really looking to consolidate their current occupational gains (with continued atrocities and eradication of Ukrainian identity).

[-] GBU_28@lemm.ee 3 points 1 month ago

Totally with you. I'm not discussing populations, only individuals. And specifically I'm discussing how it is hard for a westerner to realistically judge what is happening to the average Joe in Russia, especially with regard to their freedom to speak out without fear of harm.

I'm not apologizing for anything Russia has done, or condoning the seeming popularity you point out. It's certainly reprehensible.

[-] Agent_Karyo@lemmy.world 2 points 1 month ago

That's a fair point. It is also something that people in democratic countries don't fully appreciate.

[-] 0x4E4F@infosec.pub 4 points 1 month ago* (last edited 1 month ago)

> Allowing contributions from individuals tied to a state engaging in war crimes sends the wrong message.

So... letting Israeli maintainers still be on the maintainers list is a great message, got it 👍.

> ...just as Russians like yourself should not dismiss your government's role in the atrocities being committed in Ukraine.

Ah, yes, you're troubled by this drama, so you must be Russian 😉 👍.

[-] IndustryStandard@lemmy.world 1 points 1 month ago

What you think Americans are some kind of hypocrites who are all talk but really stand for nothing?

If your comment was true all true patriot Americans would be staging a revolution. And definitely not advocate to vote for the people perpetrating those brutal war crimes.

[-] mox@lemmy.sdf.org 21 points 1 month ago* (last edited 1 month ago)

Funny how neither Serge Semin nor OP bothered to mention Serge's employment history. Learn the details before jumping to conclusions, folks.

[-] stoly@lemmy.world 10 points 1 month ago

Please give us the juicy summary!

[-] 0x4E4F@infosec.pub 6 points 1 month ago
[-] possiblylinux127@lemmy.zip 6 points 1 month ago* (last edited 1 month ago)

I'm pretty sure we all know the reason. Hint: it has to do with a particular country invading Ukraine

You don't have to agree with it but that's the reason

[-] Voltage@lemmy.dbzer0.com 0 points 1 month ago

Why are Israelis allowed then?

[-] possiblylinux127@lemmy.zip 1 points 1 month ago

Because they are a US ally

[-] CaptainBasculin@lemmy.ml -3 points 1 month ago

Purging of contributors just because they originate from a country is not how leadership of an open source project should act. Really sad to see.

[-] goffy59@lemmy.world 17 points 1 month ago

> Purging of contributors just because they originate from a country is not how leadership of an open source project should act. Really sad to see.

This isn't about "purging contributors just because they originate from a country"—it's about addressing real security risks and complying with international sanctions. Open-source projects, especially something as critical as the Linux kernel, don’t exist in a vacuum. They are part of a global infrastructure that is deeply intertwined with national security and legal obligations.

Russia's actions on the global stage, from its involvement in cyber warfare to the invasion of Ukraine, have resulted in widespread sanctions for good reason. When individuals or organizations tied to sanctioned entities are involved, it becomes a matter of compliance and risk management, not arbitrary exclusion. The leadership of open-source projects has a responsibility to protect the project’s security and integrity, especially from potential threats that are well-documented.

It’s unfortunate that good contributors are caught in the crossfire, but that's a consequence of the political reality created by Russia's actions. The Linux Foundation, being U.S.-based, has to comply with these sanctions, and more importantly, must take steps to safeguard critical infrastructure from potential compromise. It’s not about nationality—it's about mitigating risks and ensuring compliance with international laws. That’s just how responsible leadership works.

[-] mellejwz@lemmy.world 4 points 1 month ago

That's not what happened. There are still Russian contributors. Just the ones that have in some way (maybe indirectly) ties with the Russian government have been removed.

[-] possiblylinux127@lemmy.zip 2 points 1 month ago

Then go elsewhere. At the end of the day you are empowered to act

[-] Peter1986C 2 points 1 month ago

Infosec reasons, allegedly.

[-] PetteriPano@lemmy.world 41 points 1 month ago

The contributor above works at Baikal Electronics, which are a defense supplier in/for Russia, and therefore sanctioned.

The Linux Foundation is based in the US and have to abide by those sanctions.

[-] goffy59@lemmy.world 17 points 1 month ago

> The contributor above works at Baikal Electronics, which are a defense supplier in/for Russia, and therefore sanctioned.
>
> The Linux Foundation is based in the US and have to abide by those sanctions.

Kudos to this guy for nailing it. The connection between Baikal Electronics, a sanctioned defense supplier for Russia, and the compliance the Linux Foundation must adhere to under U.S. sanctions makes perfect sense. It's not about personal vendettas—it's about following legal obligations and protecting the integrity of critical projects like the Linux kernel. Well said!

[-] lambalicious@lemmy.sdf.org 0 points 1 month ago

> The Linux Foundation is based in the US and have to abide by those sanctions.

I think the fact to deal with and fix is this one, and not the fact that a contributor from Linux can come from anywhere. Ratatouille life lessons, people!

[-] goffy59@lemmy.world 12 points 1 month ago

> Infosec reasons, allegedly.

Saying "Infosec reasons, allegedly" is not only dismissive but also incredibly irresponsible given the current global security climate. There’s nothing “alleged” about the cyber threats posed by Russia. The evidence is overwhelming, documented, and spans decades of hostile actions across Europe and the U.S.

Russia has engaged in full-scale cyber warfare against Western infrastructure, ranging from the NotPetya attacks that caused billions in damages, to election interference in multiple countries, and the continuous disinformation campaigns meant to destabilize democratic institutions. In the cybersecurity world, you don’t wait around for damage to occur before addressing vulnerabilities—prevention is key. It’s not "alleged" when we have mountains of evidence of Russian cyber operations targeting everything from defense industries to healthcare systems.

Your dismissal of the very real "infosec reasons" undermines a fundamental understanding of modern cybersecurity. Espionage, sabotage, and cyberattacks aren't just hypothetical scenarios; they are ongoing, constant threats. By brushing off legitimate concerns with a sarcastic "allegedly," you're either willfully ignoring these realities or grossly underestimating the scale of the issue. Russia has weaponized the digital space, and whether you like it or not, contributions to critical open-source projects like the Linux kernel are absolutely a potential vector for compromise.

When you throw around "allegedly" as if these are mere conspiracy theories, you demonstrate a lack of understanding about how covert operations work. They don’t come with red flags and announcements—they rely on subtlety, deception, and exploiting weaknesses in systems, both technological and human.

Infosec concerns are serious. They aren't alleged. They are proven, documented, and ongoing. If you don't see the logic in taking proactive steps to secure critical infrastructure projects from a country that has made espionage and cyber warfare a cornerstone of its foreign policy, then you're missing the bigger picture entirely. The Linux kernel is too important to global infrastructure to take any risks, and infosec reasons are very much real, not some "alleged" excuse.

[-] DahGangalang@infosec.pub 1 points 1 month ago

I understand the sanctions part and wanting to head off any potential state interference with projects like this, but "infosec reasons" feels very hand wavy.

I think I'd be a lot more comfortable if we had seen malicious/bad faith actions/communications or maybe some more specific and tangible reasons to suspect them being compromised on the part of the Russian maintainers before they were just removed.

[-] goffy59@lemmy.world 9 points 1 month ago

> I understand the sanctions part and wanting to head off any potential state interference with projects like this, but “infosec reasons” feels very hand wavy.
>
> I think I’d be a lot more comfortable if we had seen malicious/bad faith actions/communications or maybe some more specific and tangible reasons to suspect them being compromised on the part of the Russian maintainers before they were just removed.

Your understanding of the sanctions is a good start, but dismissing “infosec reasons” as merely "hand-wavy" shows a serious lack of awareness about the global security threats that Russia, and by extension, its citizens, pose—especially when it comes to technology and infrastructure. To suggest that we need to "see malicious or bad faith actions" first before taking precautionary steps demonstrates a complete misunderstanding of how cybersecurity and threat prevention work.

Let's get real: Russia has been systematically involved in espionage operations for decades. This isn't speculation—it's fact. They have a proven track record of conducting cyber warfare, engaging in disinformation campaigns, and launching full-on hybrid attacks across Europe and the U.S. From burning down munition factories to assassinating journalists with polonium, to paying off right-wing influencers and politicians in the West, the Russian state and its network of operatives have relentlessly undermined democratic societies. And you think we should wait for more tangible evidence before removing people from sensitive projects? That's beyond naïve—it’s reckless.

Cybersecurity doesn't work by waiting until something catastrophic happens. You don't wait for a hacker to exploit a vulnerability before patching it, just as you don’t wait for a spy to steal sensitive information before tightening your security protocols. Russia is actively involved in cyber warfare, and pretending that this doesn’t extend to individuals who might seem disconnected from their government is dangerously shortsighted. Espionage is embedded into Russian statecraft—it operates through layers of deception, often utilizing individuals who appear innocent or disconnected.

And we’re not talking about abstract threats. Russian actors have been implicated in numerous high-profile cyberattacks, including those that targeted Western infrastructure, democratic processes, and industrial sectors. If anything, the decision to remove Russian maintainers from the Linux project for "infosec reasons" is prudent. It’s not hand-wavy—it's a necessary step to protect the integrity of a globally important project from potential compromise by a nation that has shown no qualms about leveraging technology for malicious purposes.

Moreover, the idea that you would need to see overt acts of bad faith from these maintainers before taking action completely ignores the covert nature of cyber espionage. Russia's hybrid warfare tactics often operate in the shadows—by the time you see the problem, it's far too late. You're essentially asking to see the explosion before you start investigating the bomb, which is absurd in any cybersecurity context.

Your dismissal of these concerns as "hand-wavy" highlights a disturbing lack of understanding about the real and present threats posed by Russian actors, whether state-sponsored or not. Pretending otherwise is not just foolish, it’s an invitation for disaster. Ignorance is not an excuse in matters of national security, and being “comfortable” with this situation is exactly what Russia counts on when it comes to exploiting vulnerabilities.

Infosec reasons are not some vague excuse—they are at the heart of protecting projects like the Linux kernel, which are critical to global infrastructure. If you don’t understand that, you’re either blissfully unaware of the reality of cyber threats or willfully ignorant of the risks. Either way, it’s a dangerous position to take.

[-] DahGangalang@infosec.pub 6 points 1 month ago

I really like your way of explaining that.

It still feels dirty, but when is war and geopolitics ever actually clean? I feel a lot more heartened that this was the right choice after reading your response.

[-] goffy59@lemmy.world 5 points 1 month ago

I wish the world were more peaceful—truly. But as long as people keep prioritizing their lizard brain, greed, or whatever you want to call it, I don’t think that will ever happen. It's best to stay vigilant.

[-] lambalicious@lemmy.sdf.org 2 points 1 month ago

After all of that papyrus, what do you make that Israel is not being sanctioned like this? They do, after all, carry out operations such as espionage on smartphones internationally.

[-] TheGrandNagus@lemmy.world 1 points 1 month ago

Contributors in general were not "purged".

Maintainers (i.e. people who could push patches with very little oversight) from sanctioned Russian companies were removed from their roles.

They can still contribute.

Leave it to a lemmy.ml user to spread misinformation to make Russia look like the victim in this.

[-] GBU_28@lemm.ee 0 points 1 month ago

If they believe there are sanction and security concerns they have to act.

this post was submitted on 24 Oct 2024