Nginx Core Developer Quits, Says Nginx Is No Longer A Free And Open Source Project

A core developer of Nginx, the leading web server globally, has recently left the project, expressing dissatisfaction with its direction.

Maxim Dounin, a key figure in Nginx’s development since its early days and a founding member of Nginx, Inc., has departed, citing concerns about the project’s commitment to being a truly open and free platform for public benefit.

Dounin has launched a fork of Nginx called freenginx, intending to maintain it as a project driven solely by developers rather than corporate interests.

The primary goal of freenginx is to ensure that the web server remains independent of any arbitrary corporate influence, focusing instead on community-driven development and openness.

Nginx, originally an open source project, gained commercial support with the establishment of Nginx, Inc. in 2011, where Dounin was among the first employees.

Over the years, Nginx has surged in popularity and is currently utilized by approximately one-third of the world’s web servers, surpassing even Apache in usage statistics.

Who Created And Owns Nginx Matters In This Story

In 2019, Seattle-based networking firm F5 acquired Nginx Inc.

Later that year, Maxim Konovalov and Igor Sysoev, leaders at Nginx, were detained and questioned by armed Russian state agents in their homes.

Rambler, Sysoev’s former employer, claimed ownership of Nginx’s source code, arguing it was developed during Sysoev’s tenure at Rambler.

No criminal charges or rights issues materialized, but the incident raised concerns about Russian intrusion into a vital open source web infrastructure.

Sysoev departed from F5 and the Nginx project in early 2022.

F5 ceased operations in Russia later that year due to the invasion of Ukraine.

Some Nginx developers in Russia formed Angie to support Nginx users in the region.

Igor Sysoev technically stopped working for F5 but continued his involvement in Nginx on a voluntary basis.

According to Sysoev’s mailing list post, F5’s new management wanted to dictate open source project operations, including security policies, prompting Sysoev’s departure and fork of the project.

The CVEs At The Center Of The Split

Dounin, as indicated by comments on Hacker News, appeared to disagree with assigning published CVEs to bugs related to QUIC within Nginx.

Although QUIC isn’t typically activated in the default Nginx configuration, it’s integrated into the “mainline” version of the application, which Nginx documentation describes as continuously updated with the latest features and fixes.

MZMegaZone, identified as a principal security engineer at F5 in one of the Hacker News comments, mentioned that numerous customers and users have implemented the code, whether in production or experimental environments. Furthermore, it’s noted that F5 operates as a CVE Numbering Authority (CNA).

Dounin further addressed F5’s actions in a subsequent email response.

The most recent “security advisory” was released despite the fact that the particular bug in the experimental HTTP/3 code is expected to be fixed as a normal bug as per the existing security policy, and all the developers, including me, agree on this.

And, while the particular action isn’t exactly very bad, the approach in general is quite problematic.

Dmitry Dounin addressed concerns regarding potential name confusion and trademark issues, mentioning that he didn’t believe these issues were applicable but clarified that he wasn’t a lawyer. He expressed that the chosen name aligned well with the goals of the project.

MZMegaZone confirmed a connection between security disclosures and Dounin’s departure. He explained that Dounin objected to the decision to assign CVEs and seemed unhappy about it. He emphasized that the timing of Dounin’s departure didn’t appear coincidental. Despite the disagreement, MZMegaZone maintained a respectful stance, expressing no ill will towards Dounin and wishing him success.

In an email response, Dounin referred to his previous statements on the mailing list to provide clarification. He highlighted that F5 disregarded the project policy and the position of joint developers without engaging in any discussion.

MegaZone, speaking for himself and not on behalf of F5, communicated to the reporter that while the situation was unfortunate, he believed assigning CVEs and adhering to public disclosure practices was the right decision for users.

He acknowledged the differing viewpoints and expressed respect for Maxim’s perspective. Despite the disagreement, he held no animosity towards Dounin or the fork, wishing that the situation could have been resolved differently.

F5 further said:

F5 is committed to delivering successful open source projects that require a large and diverse community of contributors, as well as applying rigorous industry standards for assigning and scoring identified vulnerabilities. We believe this is the right approach for developing highly secure software for our customers and community, and we encourage the open source community to join us in this effort.
