In a surprising turn of events, a core developer of Nginx, the world's most widely used web server, has quit the project and started a fork called Freenginx. Maxim Dounin, one of Nginx's earliest and most active coders, cited a dispute with its parent company, F5, as the reason for his departure. This rift has raised concerns about the future of Nginx and its impact on the open-source community.
A Troubled History of Creation and Ownership:
To understand the background of this dispute, it is essential to explore the complex history of Nginx's creation and ownership. Nginx Inc., the commercial entity supporting the web server, was acquired by F5 in 2019. However, in the same year, two of Nginx's leaders, Maxim Konovalov and Igor Sysoev, faced detainment and interrogation by armed Russian state agents. This incident sparked interest as Sysoev's former employer, Internet firm Rambler, claimed ownership of Nginx's source code. While the legal implications remain unclear, it highlighted the potential risks associated with a popular open-source project being subject to external control.
Dispute over Security Policy:
Maxim Dounin's departure from Nginx stems from a dispute concerning the web server's security policy. In a mailing list post, Dounin explained that "new non-technical management" at F5 interfered with Nginx's longstanding security practices. This interference included their decision to assign published Common Vulnerabilities and Exposures (CVEs) to bugs in certain aspects of QUIC, a protocol used for faster and more secure web communication. Dounin and other developers opposed this move, considering it a violation of Nginx's established security policy.
Enter Freenginx: A Fork for the Public Good:
Dounin's response to the dispute was the creation of Freenginx, a fork that aims to be a truly free and open-source project run by developers, free from arbitrary corporate actions. In his announcement, Dounin emphasized the importance of maintaining control over the changes made in Nginx and ensuring that it remains a project for the public good. While the success of Freenginx remains uncertain, the fork presents users with an alternative in the face of the ongoing dispute.
The Implications and Concerns:
Nginx's significance as a widely used web server cannot be overstated. With approximately one-third of the world's web servers relying on it, any dispute that affects its development and operation is a matter of concern. It raises questions about the governance of open-source projects and the influence that corporate entities may wield over them.
In Defense of Security Practice:
F5, Nginx's parent company, has responded to the dispute, emphasizing their commitment to applying rigorous industry standards for security practices. They have urged the open-source community to collaborate with them in this effort. F5's decision to assign CVEs, although contested, was made with the intent to ensure users' security and adhere to public disclosure practices. While a difference of opinion exists, it is important to recognize that both parties have the best interests of the users at heart.
Conclusion:
The recent dispute between Nginx's key developer and its parent company, F5, has resulted in Maxim Dounin's departure and the creation of the Freenginx fork. This development raises concerns about the future direction of Nginx and highlights the broader issues surrounding the governance of open-source projects. As the situation unfolds, users will need to evaluate the potential impact on their web server infrastructure and decide whether to stick with the original Nginx or explore the alternative offered by Freenginx. It is our hope that this dispute can be resolved in a way that upholds the principles of transparency, collaboration, and the public good that are at the core of open-source software.