Despite the abundance of warm-fuzzy articles focused on open source’s achievements throughout 2024, a cold wind blows over its future. Few winds are colder than the Siberian, and this Russian blast will have a chilling effect few genuinely comprehend.
Writing an end-of-year piece for the New Stack on the morning of Dec. 19, I focused on what I consider to be the most essential thing to happen to open source in 2024. To me, this is not the “Open Source AI Definition” — no matter how badly the open source community has received its existence or content; nor is it the EU’s Cyber Resilience Act and its potential liability for open source; nor the exclusions of “free and open source”; nor even the allegations of “open washing in AI,” which brought the words “open source” to the mainstream press, including the Economist and New York Times; or the meaning of “free and open source” in the EU’s AI Act.
For me, the most critical event in open source in 2024 occurred on Oct. 28. This event involved Russian Linux Kernel maintainers who were excluded due to U.S. sanctions law. One of the excluded maintainers was reinstated after it was determined that he was no longer employed by his sanctioned former employer. This suggests that the decision was based on the potential contributions made during his employment with the U.S.-sanctioned Russian company.
Before I explain why this is such an important event to open source, I should share that I took a break during my writing process. Tempted by the scroll of doom, I stumbled on Dan Lorenc’s LinkedIn post:
“This one got a lot of heat, but projects supported by mainly U.S./western companies should *not* be spending time worrying or thinking about helping users based in Russia. Just delete them and remove any maintainers based there.
Yeah, it sucks for individuals, but geopolitics and sanctions are complicated, and there’s a literal war in Europe right now. They can always fork. The community isn’t losing anything by deleting and moving forward.”
The Second Branch
Lorenc wasn’t referring to the Linux Kernel exclusions but to OpenTofu’s pull request 817 in August 2024, which consequently banned Russian IP addresses from accessing the project’s repository and also blanket-banned Russian devs from contributing to it. This is a more sweeping exclusion of individuals based on nationality from open source contribution than the Kernel maintainer ban.
For the record, I do not agree with Lorenc’s viewpoint, but Dan, I, and others will discuss this topic in London in the plenaries at State of Open Con, bringing these critical conversations to the open on Feb. 4 as part of the discussion of the future of open source.
You Can Pick Your Nose, but Not Your Family
Dan’s post immediately made me think of the book “Diary of a Wimpy Kid — Hot Mess.” It has nothing to do with Dan or anyone else in open source. It’s a book I bought as a Christmas gift that I couldn’t help but read. Very early, it reads, “My dad’s always saying that you can pick your nose but not your family… you’re born into this group of people you don’t know, and you didn’t ask to be part of”. That doesn’t only apply to family but to nationality. Some are privileged enough to change their nationality, but for most, their place of birth will determine their nationality for all of their lives, for better or worse. That’s very different from open source, which is a choice — a choice to open source your code and participate in communities of practice and collaborate.
I have often referred to our relationships across projects and the broader open source community as “family-like.” There is a relatively small core group of folks who lead broadly and who participate in individual projects. Understandably, it’s the norm for them to know each other. Not only is this frequently family-like in understanding each other, but also in the fallings-in and fallings-out with each other. But being a part of that family has always been a choice, primarily based on our having common values around the collaborative creation of code and its benefits. We desire to solve a universal challenge commonly or scratch the same itch wherever in the world we are.
Unlike a family, you can participate in open source projects if you want to, so long as you have the skills to contribute what you wish to contribute, you comply with the code of conduct or contribution rules, and your behavior and proposed contribution are acceptable to the project. Whether your contribution is accepted is about quality and need, not who you are.
A lot of work has gone into making sure that who you are doesn’t matter in open source and opening up the possibility of contribution from a diverse group. Moving from contribution to commit — when your contribution is accepted — may take time and learning, but it has not been blocked by where you were born or live. I have used the phrase “open source is not local source” to say that it should not be restricted to or ring-fenced by local or national boundaries.
Open Source, not Local Source
In my case, I have used the phrase “open source is not local source” to explain the importance of open source’s globally collaborative nature to others and to emphasize its not being compromised due to geopolitics. Those of us representing the UK were excluded from collaboration in open source communities within the EU post-Brexit. Note that the UK left the EU, not Europe, and although this is none of your business, I did not vote for Brexit.
I have been told not to be offended by this exclusion and not to take it personally. It is not about me as an individual but the fact that the European Commission funds collaboration in the EU and does not want anyone from the UK to participate in EU activities on open source — whether this is engaging in policy, speaking at events, or being part of misnamed European activities. These activities are, therefore, not open source, as they are misnamed and effectively EU-only activities.
Brexit was an act of geopolitical shift. It was specific to an exact moment in time and a political redrawing of boundaries. Post this moment in time, in some instances, UK representatives, despite their past contribution to EU open source, cannot speak at events, and instead, “token Brits” speak on behalf of global projects, making the exclusion less apparent. Sadly, this has been my first experience of geopolitics in open source.
I am speaking from a place of potential personal bias when I say that, in my experience, geopolitics is destructive and counter-intuitive to open source principles. I believe in global collaboration in technology, including AI. Without a future that transcends borders and boundaries, we will fail to achieve the potential of our digital and AI future.
The Linux Kernel Maintainers
When we look at the Linux Maintainers excluded, the Linux Foundation has no formal explanation for the ban, and various threads share confused messages. It was undertaken as a consequence of sanctions regulation. The trigger of the timing of the decision is unclear, and their website continues to host an export control section that states, “One of the greatest strengths of open source development is how it enables collaboration across the entire world.” I could not agree more.
The page then explains that export control regulations from the U.S. Export Administration Regulations, or EAR (the page’s link now leads to a 404 message), do not apply to open source software because “releasing technology to someone other than a US citizen or lawful permanent resident within the United States is deemed to be an export, as is making available software for electronic transmission that individuals outside the US can receive… but the good news is open source technologies that are published and made publicly available to the world are not subject to the” EAR. Therefore, open source remains one of the most accessible models for global collaboration.
In this instance, unlike the OpenTofu pull request, the Russian group was not removed as contributors but as maintainers only.
A Blanket Ban
OpenTofu pull request 817 removes some providers due to a new policy, dated 27 August 2024, that “all providers affiliated with or based in Russia were removed from the project’s repository.” The readme file says, “To comply with applicable sanctions, we block access from specific countries of origin.” Whilst the minutes are intentionally simplified, both the readme and TSC_SUMMARY.md mention restricting access from Russian IPs to the registry in Cloudflare, not the removal of Russian providers from the registry, and there is no explanation of what instigated the discussion or whether any legal advice has been taken.
In both projects, the Russians were not removed from their roles because of personal behavior but apparently because of regulation. The impact of this decision is far-reaching. If this applies to these two projects and is a requirement, then it must apply to many, if not all, other open source projects subject to the U.S.’s regulation. Sanctions are a political tool, a trade instrument, and a subset of export control regulations with an extra-territorial or long-arm reach that could extend to any project, including U.S.-based contributors.
The Russian response to the Linux Kernel exclusion was unsurprising. The Russian digital ministry announced that it would bifurcate the kernel (as Dan suggested, creating a fork) and seek other international collaborators.
This brings me full circle to the desire to continue to be globally collaborative around open source and to leverage the fact that “One of the greatest strengths of open source development is how it enables collaboration across the entire world.”
Laws and Open Source
Now and then, I see an “and where does the license say that” response to a legal requirement. Our licenses express the intellectual property wishes of the code creators, sharing their copyright on the license terms and meeting the 10 definitions of the Open Source Definition, including that there is no discrimination amongst people or fields of use. This deals with sharing the code in an open source project and, in many projects, will also govern the acceptance of code in a license-equals-license-out model.
However, laws trump licensing. Open source is subject to the law of the country where it is used and must comply with all applicable laws and regulations. The same is true of any laws that apply to distributors, including sanctions legislation, should it apply. The question is what is applicable and how this can be met.
We are currently awaiting the Linux Foundation’s update on the need to exclude the Russian Kernel maintainers as maintainers but not contributors.
The far-reaching impact on other open source projects is clearly causing concern. The Software Freedom Conservancy, which hosts many projects and is, like the Linux Foundation, US-based, has also expressed concern about the lack of clarity on why the Russian maintainers were excluded in its Dec. 12 blog post by Rick Sanders.
The blog post explains that, based on the best assumption that they are able to make on the applicable legislation, “In my view, none of the Russian sanctions prevents Russians from contributing to American-based software projects governed by the GPL. While the approach taken by the Linux project is reasonable and understandable, I do not believe SFC’s projects should take similar actions at this time.”
However, the lack of clarity leaves an air of confusion, and the Linux Foundation white paper cannot come too quickly.
A New Year’s Wish for Our Digital and AI Futures
France will host the next global AI Summit, their “AI Action Summit,” on 10 February. Their invitation letter acknowledges the need for a Global Approach. One of the Summit’s key focuses will be “Global AI governance.” There is no doubt that for governance and our AI future to be successful and to meet its potential, this must be global.
However, it is not only AI that requires a global, joined-up approach to regulation and collaboration. Our policymakers must understand that technology will be a globally collaborative phenomenon in 2025 and that this will benefit all of us. As a consequence, any acts of geopolitics that might fracture or fragment AI or Digital must be carefully considered, as must the consequences of any fracture it might cause.
For open source, we must call on our leadership to take great care in any actions that might risk fragmenting our collaboration. Any such actions must happen only where there is absolutely no doubt of this being required and with as much pushback as is feasible to support ongoing global collaboration.
As the new U.S. President takes office in January, I wonder if we in the UK should be concerned that tariffs will apply to our sharing of open source. Should we be concerned that other countries will find themselves subject to similar restrictions as those we have seen applied to Russians? Perhaps more importantly, can we rely on a collaborative response from open source leadership and a united front to keep open source global… not local?
State of Open Con is a conference covering open technology, including the future of open and technical open source software and security tracks. The event will be on Feb. 4-5 in London and will include plenaries on the future of open source, where geopolitical shifts and their impact on open source collaboration will be discussed.
Alex Williams of The New Stack will co-host a track on the future of open source at the event.
The post Open Source Is Not Local Source, and the Case for Global Cooperation appeared first on The New Stack.