projects are left without maintainers

Posted Oct 23, 2024 4:39 UTC (Wed) by alison (subscriber, #63752)
Parent article: Several Russian developers lose kernel maintainership status

The fact that the patch removes the sole maintainer of various drivers is disturbing. One is left to wonder, "Why not go all the way and remove the drivers too?"

No one will mistake me for an attorney, but it's hard to see why sanctions on individuals would motivate this step. Assuredly the removed maintainers are SW engineers, not arms traders or military personnel. Perhaps their employers are sanctioned.

Chinese developers make major contributions to so many subsystems on such a regular basis that removing any number of them would cripple the kernel. It has only been a year or two since I thought, "My employer should try to hire the author of new feature X", only to figure out that she/he worked for Huawei in PRC.

projects are left without maintainers

Posted Oct 23, 2024 4:52 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (28 responses)

It's indeed not the nationality, but the employers that are sanctioned. Developers can get unbanned if they document that they are not employed by sanctioned entities (and don't have some kind of interest in them).

projects are left without maintainers

Posted Oct 23, 2024 7:05 UTC (Wed) by comio (subscriber, #115526) [Link]

this is the point.

projects are left without maintainers

Posted Oct 23, 2024 8:20 UTC (Wed) by npws (subscriber, #168248) [Link] (9 responses)

And who is required to "comply"? Linus, Greg, the LF, some Linux distributors?

People required to comply

Posted Oct 23, 2024 8:35 UTC (Wed) by farnz (subscriber, #17727) [Link] (8 responses)

Per this notice from the Department of Commerce, all US citizens and people with permanent US residency, regardless of location, everyone located in the US, and all companies with a US legal entity face criminal penalties for breaking sanctions. Additionally, the US reserves the right to fine foreign entities that enable covered people to break US sanctions, and to prohibit them from trading with anyone in the USA until the fine is paid; so a Swedish bank that breaches sanctions can't then transfer money to, from, or through a US correspondent bank.

People required to comply

Posted Oct 23, 2024 12:33 UTC (Wed) by Kamiccolo (subscriber, #95159) [Link] (1 responses)

And similar sanctions are not limited to US only.

People required to comply

Posted Oct 23, 2024 12:54 UTC (Wed) by farnz (subscriber, #17727) [Link]

I know for a fact (having been subject to them) that Russian sanctions work exactly the same way as USA sanctions do. The only difference between the two of note is the relative economic power of the two countries - I would be annoyed if I could never visit the USA again or be paid by a company that does business in the USA as well as my local country, but it doesn't hugely bother me that I'd have problems visiting Russia or being paid by a Russian business.

And that ends up being the core problem with where you locate an open-source foundation; international politics means that unless the world is at peace, you're really choosing the place whose sanctions decisions are least impactful on you, not a place from where you can ignore sanctions.

People required to comply

Posted Oct 23, 2024 14:13 UTC (Wed) by npws (subscriber, #168248) [Link] (5 responses)

Thanks for the link. That answers who is subject to these sanctions. However I also wonder which specific sanctions might be applicable to someone holding a maintainer role. Its not really a formalized position, there is no money or goods exchanged, any idea what these sanctions prohibiting these people from keeping their position might be?

People required to comply

Posted Oct 23, 2024 15:18 UTC (Wed) by Wol (subscriber, #4433) [Link]

Just a guess, but are they being paid, by a sanctioned entity, to work on the kernel? Or does it at least look like that?

Cheers,
Wol

People required to comply

Posted Oct 23, 2024 18:34 UTC (Wed) by MarcB (guest, #101804) [Link] (1 responses)

> However I also wonder which specific sanctions might be applicable to someone holding a maintainer role.

That really is the question. At least for EU sanctions, I do not see anything obvious. You could maybe interpret providing authenticated GIT access as "making available an economic resource". The only exemption here is for registered telecommunication providers.

But maybe US sanctions are broader.

People required to comply

Posted Oct 24, 2024 18:22 UTC (Thu) by MarcB (guest, #101804) [Link]

To answer myself:

US sanctions indeed appear to be broader and explicitly go both ways:
"These prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person."

The last part would obviously cover maintainers, but really all contributors.

People required to comply

Posted Oct 24, 2024 23:48 UTC (Thu) by Paf (subscriber, #91811) [Link] (1 responses)

I think this specific part - Maintainer vs some other role - seems really, really fuzzy and probably comes from lawyers trying to figure out what sort of line to draw, possibly after consultation with relevant authorities. It is definitely a slightly arbitrary line that falls well short of no interaction.

People required to comply

Posted Oct 25, 2024 3:34 UTC (Fri) by olof (subscriber, #11729) [Link]

I am not a lawyer, and I am not in any way involved in any of this, but I don't see the differentiation as arbitrary myself:

A developer (or other maintainers) need to reach out and make contact with a maintainer when they are sending them code (or bug reports, etc). A developer submitting patches is posting on a public mailing list.

The direction of who is contacting who (and/or who is contacted in private vs on a public list) is possibly more relevant than whether a person is technically labeled a maintainer or contributor.

projects are left without maintainers

Posted Oct 23, 2024 15:37 UTC (Wed) by xinitrc (subscriber, #126452) [Link] (1 responses)

Maybe not the best correlation but still. In the one of the European countries in 1938 they haven't started to pursue and oppress one of the nations straight away(i think you understand which i am referring to).
It was started with a small thing, by forcing them to wear a yellow star.
And what happens next we all know.

projects are left without maintainers

Posted Oct 23, 2024 15:47 UTC (Wed) by corbet (editor, #1) [Link]

I think we have quickly reached the Godwin point here; this doesn't seem like a good direction to pursue.

projects are left without maintainers

Posted Oct 23, 2024 18:39 UTC (Wed) by turistu (guest, #164830) [Link] (9 responses)

How would you "document" that you're not employed by some entity? Get some kind of statement from the said entity that they're not employing you? Does that seem reasonable to you?

projects are left without maintainers

Posted Oct 23, 2024 18:54 UTC (Wed) by bluca (subscriber, #118303) [Link] (5 responses)

By proving that you are working for a different, non-sanctioned entity for example

projects are left without maintainers

Posted Oct 23, 2024 19:04 UTC (Wed) by MarcB (guest, #101804) [Link] (4 responses)

> By proving that you are working for a different, non-sanctioned entity for example

After which you would, of course, be harassed online; maybe even loose your job or get harassed offline. After all, it is documented in a public changelog, that you disavowed your country.

I really hope that there was non-public communication beforehand and the people affected now are just those who did not provide any documentation.

projects are left without maintainers

Posted Oct 23, 2024 20:54 UTC (Wed) by bluca (subscriber, #118303) [Link] (3 responses)

Uh? Why would you be "harassed online" for showing that you have a job? There's literally several websites dedicated to it, like Linkedin...

projects are left without maintainers

Posted Oct 24, 2024 18:04 UTC (Thu) by MarcB (guest, #101804) [Link] (2 responses)

Note that I even mentioned "harassed online" as the most harmless possible outcome. Worse is possible.

Russian, domestic propaganda is very much based on a "true patriots versus corrupted individuals" narrative, where "corrupted" can get defined *very* broadly and arbitrarily. It utilizes thugs, online and offline, as helpers. Police and prosecutors look away when those thugs cross the line of acceptable - and even legal - behaviour.

You can be absolutely certain that a bunch "of true Russian patriots" is now watching the maintainers file and will challenge anyone who gets re-added. This might even escalate offline, by contacting employers, neighbors and so on.

projects are left without maintainers

Posted Oct 24, 2024 18:51 UTC (Thu) by atnot (subscriber, #124910) [Link]

> Russian, domestic propaganda is very much based on a "true patriots versus corrupted individuals" narrative, where "corrupted" can get defined *very* broadly and arbitrarily.

Oh, so it's just like nationalism everywhere else too :)

showing proof of employment ≠ disavowing Russia

Posted Oct 26, 2024 1:32 UTC (Sat) by hackerb9 (guest, #21928) [Link]

MarcB, are you thinking that the sanctions are by nationality? I do not think that is the case as it looks like the US sanctions actually target 500 specific entities[1] in Russia. A maintainer doesn't need to show that they work for a foreign corporation, which I could imagine might appear to some like disavowing Russia, they can show they work for some other Russian business.

[1]: https://sanctionslist.ofac.treas.gov/Home/static/sdn.html

projects are left without maintainers

Posted Oct 23, 2024 19:30 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link]

There is no straight answer.

Fortunately, these were not personal sanctions. So for Linux, it's probably enough to submit documentation to the LF that proves that you're working for a different entity. It doesn't even have to be an entity outside of Russia, an unsanctioned company should be sufficient.

projects are left without maintainers

Posted Oct 24, 2024 23:32 UTC (Thu) by timrichardson (subscriber, #72836) [Link] (1 responses)

I don't know how it works in Russia, but in Common Law countries, copyright of work done by an employee belongs to the employer. When you submit code, you make a statement of whose copyright it is, I believe. You need permission from the copyright owner to submit. You not actually submitting your code, you submit code belonging to the copyright owner.

If someone was to contribute code they wrote outside of their employment with a sanctioned firm, the copyright of the submission would vest with the contributor, not the employee (depending on the employment contract and the nature of the submission). The changed ownership of copyright is a significant difference, and probably significant regarding sanctions. Likewise if employment changes.

projects are left without maintainers

Posted Oct 24, 2024 23:33 UTC (Thu) by timrichardson (subscriber, #72836) [Link]

"not the employer"

projects are left without maintainers

Posted Oct 23, 2024 20:18 UTC (Wed) by JoeBuck (subscriber, #2330) [Link] (2 responses)

It seems apparent that many commenters on this thread incorrectly think that all Russian developers have been banned. Hopefully we can get clarification soon about exactly which people or companies are banned due to sanctions, but it seems most likely that Cyberax is correct. The US has been sanctioning specific Russian companies and individuals, not Russia as a whole.

the search pattern seems to be different

Posted Oct 24, 2024 11:22 UTC (Thu) by alexsv (guest, #174216) [Link] (1 responses)

If it was only about sanctioned entities, some .ru domains would have remained in the MAINTAINERS. But there are none left.

the search pattern seems to be different

Posted Oct 24, 2024 21:41 UTC (Thu) by HenrikH (subscriber, #31152) [Link]

All 11 of them works for companies currently on the sanctions list

projects are left without maintainers

Posted Oct 25, 2024 11:08 UTC (Fri) by nix (subscriber, #2304) [Link] (1 responses)

How do you document that you're *not* employed by someone? You can provide a contract of employment for someone else, but that proves nothing (you could have left). You'd almost have to ask your employers' lawyers to talk to the LF's lawyers. What you can do if you're currently unemployed (as is likely if, say, you *left* your ex-employer's employ because you disagreed with their helping the war, but didn't go public with that disagreement because you don't much like the idea of a very long prison term) I'm not sure.

Documenting that you don't work for a sanctioned entity

Posted Oct 25, 2024 12:17 UTC (Fri) by farnz (subscriber, #17727) [Link]

The usually accepted route is to get your tax documents from your government, along with either proof of employment elsewhere or a statement from your old employer that they no longer employ you.

The tax documents show that you're not being taxed on income from your old employer; the proof of employment elsewhere, or confirmation that your old employer no longer employs you, shows that you're not being paid "under the table" by your old employer, either. And if your new employer is cover for your old employer, you can expect them to be covered by sanctions fairly shortly thereafter, in a game of whack-a-mole.

Ultimately, this comes down to the point of sanctions; they're meant to be the last step before an out-and-out trade blockade, where targeted industries in a country you wish to make suffer lose their ability to trade with you, but other industries don't. That way, you can still get the benefits of (e.g.) buying raw materials like oil or metal ores from the country you're trying to make suffer, but they can't sell refined metals or consumer products on the global market.