Nginx split: Developer unhappy with "Corporate Interference", creates Free fork

Maxim Dounin, one of the creators of Nginx, is leaving the project due to disagreements with F5.

One of the key developers of Nginx, the most popular web server in the world, announced his departure from the project. He stated that he no longer perceives it as "a free and open project... for the benefit of the public." The developer, Maxim Dounin, created a fork called freenginx, which, according to him, "will be managed by developers, not corporate structures" and will be "free from arbitrary corporate actions."

Dounin is one of the first and most active participants in the Nginx project and was one of the first employees of Nginx, Inc., which was created in 2011 to provide commercial support for this web server. Nginx is currently used on about a third of the world's web servers, ahead of Apache.

Nginx Inc. was acquired by Seattle-based F5 in 2019. In the same year, two Nginx leaders, Maxim Konovalov and Igor Sysoev, were detained and interrogated in their homes by FSB agents. Sysoev's former employer, the Internet company Rambler, claimed to own the rights to the Nginx source code, as it was developed while Sysoev was working at Rambler (where Dounin also worked). Although the criminal charges and rights claims did not appear to have materialized, the Russian company's intrusion into popular open source web infrastructure caused some concern.

Sysoev left F5 and the Nginx project in early 2022. Later that year, F5 ceased all operations in Russia. Some Nginx developers who stayed in Russia created Angie, largely to support Nginx users in Russia. Dounin technically also stopped working at F5, but continued to participate in the Nginx project "as a volunteer," according to his mailing list post.

Dounin wrote in a statement that "the new non-technical leadership" at F5 "recently decided that they know better how to manage open source projects. In particular, they decided to interfere with the security policy that Nginx has been using for years, ignoring both the policy and the opinion of developers." Although this was "quite understandable" in terms of their ownership, Dounin wrote that it meant that he "can no longer control what changes are made to Nginx", which was the reason for his departure and the creation of the fork.

At the center of the controversy were CVEs related to bugs in aspects of QUIC. While QUIC is not included in the most common Nginx default setup, it is included in the "main" version of the app, which, according to the Nginx documentation, contains "the latest features and bug fixes and is always up to date."

Dounin explained more about F5's actions in a subsequent email:

The latest security bulletin was published despite the fact that a certain bug in the experimental implementation of HTTP/3 should have been treated and fixed as a standard issue, in full compliance with the current security principles, to which all developers, including myself, unanimously agreed.

Although this particular decision is not critical in itself, in the general context such a strategy raises significant concerns.

MZMegaZone, F5's chief security engineer, confirmed that the security disclosure was a turning point for Dounin's departure. "He was against our decision to allocate a CVE and did not approve of this step, and the coincidence of time does not look random," MZMegaZone noted on the Hacker News platform. In addition, he expressed the opinion: "I am convinced that assigning a CVE should not tarnish the reputation of NGINX or Maxim. It is a pity that he shares this view, but I respect him and sincerely wish him success."

An F5 spokesperson wrote the following to Ars:

F5 strives to implement successful open source projects that require a large and diverse community of participants, and apply strict industry standards to identify and evaluate identified vulnerabilities. We believe this is the right approach to develop highly secure software for our customers and the community, and we encourage the open source community to join us in this effort.
 