Last week, Greg Kroah-Hartman, the current maintainer of the stable branch of the open source Linux kernel, sent a message to the Linux kernel maintainers mailing list announcing that some developers were being removed due to compliance requirements.
“They can come back in the future if sufficient documentation is provided,” he wrote in the message, which went to the Linux kernel patch mailing list whose recipients help maintain the kernel code.
This mailing list includes Linus Torvalds, the developer of the original Linux kernel. In a post to the same Linux patch maintainers mailing list, Torvalds spoke about his concerns that there were lots of Russian trolls who could potentially infiltrate the Linux kernel. “It’s entirely clear why the change was done. It’s not getting reverted, and using multiple random anonymous accounts to try to ‘grass root’ it by Russian troll factories isn’t going to change anything,” wrote Torvalds.
However, some argue that the decision to remove the Russian developers was not transparent.
One maintainer questioned whether the compliance process applied to the Linux kernel was open to public scrutiny: “No one ever reviewed patches. The patch just slipped into an unrelated subsystem pull request and got pulled by Torvalds, with not even a comment.”
Looking at the implications for the future of Linux, the maintainer asked what would happen if, to comply with some hypothetical regulation, a backdoor were required in the Linux kernel.
Amanda Brock, CEO of OpenUK, described the decision to remove Russian developers from patching the Linux kernel as “alarming”. In a LinkedIn post, she said: “At its heart, open source allows anyone to participate for any purpose. But as we have seen adoption of open source at scale in recent years, to the point where over 90% of the active codebases used by companies have dependencies on open source software, it’s understandable that concerns about risk have been raised by governments.”
Open source relies on the work of thousands of software developers, who spend their time fixing bugs and creating improvements to Linux and the software that runs on top of the operating system kernel. Reviewing code submissions is a key compliance step to ensure that the Linux kernel, or any other open source code, does not introduce malware or open up deliberate security holes.
One such case occurred in 2021, when a cyber security researcher at the University of Minnesota attempted to push flawed patches into the kernel; once the university was identified as the source of the bugs, it was removed as a maintainer.
Minnesota later issued an apology, stating: “The four patches submitted between August 9, 2020 and August 21, 2020 were part of our ill-conceived ‘hypocrite commit’ case study. They are the only patches of this nature ever submitted from Minnesota and they were stopped before making it past the review stage.”