Core member leaves Nginx project over security concerns

Báo Thanh niên, 19/02/2024


According to Ars Technica, Maxim Dounin, one of the core developers, has left Nginx because he believes that it is no longer a free and open source project for the benefit of the community. Dounin founded freenginx and said it will be run by developers, not corporate organizations.

Dounin was one of the first and still most active developers of the Nginx open source project, and was one of the first employees of Nginx Inc., a company founded in 2011 to commercially support the web server software. According to W3Techs, Nginx is now used in about a third of the world's web servers, followed by Apache.

Nginx Inc. was acquired by Seattle-based F5 in 2019. However, in late 2019, two of Nginx's executives, Maxim Konovalov and Igor Sysoev, were detained and questioned by Russian agents at their homes. Internet company Rambler has claimed ownership of the Nginx source code because it was developed at the time Sysoev worked there (Dounin also worked there). While criminal charges do not appear to have materialized, the fact that a Russian company has tapped into a popular open source part of the web's infrastructure has raised some concerns.

Sysoev left F5 and the Nginx project in early 2022. Later that year, due to Russia's military campaign in Ukraine, F5 ceased all operations in that country. Several Nginx developers formed Angie to support Nginx users in Russia. Dounin also left F5 at that time, but maintained his role in the Nginx project as a volunteer.

Nginx is the open source web server software with the largest market share today.

Dounin said that the new non-technical management at F5 recently assumed they knew how to run open source projects. In particular, the group decided to tamper with the security policy that Nginx had been using for years, bypassing the developers. He said this meant he no longer had control over what changes were made to Nginx, so he decided to leave.

Comments on The Hacker News, including one from an employee believed to be from F5, show that Dounin objects to the assignment of published CVE vulnerabilities to QUIC. While it is not enabled in Nginx's default setup, according to Nginx documentation, QUIC is included in the main version of the application, which contains the latest features and bug fixes and is always kept up to date.

Speaking to The Hacker News, Dounin said the F5 team ignored both project policy and the views of the general developers without any discussion. While the specific actions weren't necessarily bad, the overall approach was problematic.

F5 said it regrets Dounin's departure, and said successful open source projects like Nginx require a large and diverse community of contributors and strict industry standards for assigning and scoring known vulnerabilities. The company believes this is the right approach to developing highly secure software for its customers and the community.


