Maxim Dounin mdounin at
Wed Feb 14 22:21:10 UTC 2024


On Wed, Feb 14, 2024 at 10:45:37PM +0100, Sergey Brester wrote:

> Hi Maxim,
> it is pity to hear such news...
> I have few comments and questions about, which I enclosed inline below...
> Regards,
> Serg.
> 14.02.2024 19:03, Maxim Dounin wrote:
> > Hello!
> > 
> > As you probably know, F5 closed Moscow office in 2022, and I no
> > longer work for F5 since then. Still, we've reached an agreement
> > that I will maintain my role in nginx development as a volunteer.
> > And for almost two years I was working on improving nginx and
> > making it better for everyone, for free.
> And you did a very good job!


> > Unfortunately, some new non-technical management at F5 recently
> > decided that they know better how to run open source projects. In
> > particular, they decided to interfere with security policy nginx
> > uses for years, ignoring both the policy and developers' position.
> Can you explain a bit more about that (or provide some examples
> or a link to a public discussion about, if it exists)?

I've already provided some details here:

: The most recent "security advisory" was released despite the fact 
: that the particular bug in the experimental HTTP/3 code is 
: expected to be fixed as a normal bug as per the existing security 
: policy, and all the developers, including me, agree on this.
: And, while the particular action isn't exactly very bad, the 
: approach in general is quite problematic.

There was no public discussion.  The only discussion I'm aware of 
happened on the security-alert@ list, and the consensus was that 
the bug should be fixed as a normal bug.  Still, I was reached 
several days ago with the information that some unnamed management 
requested an advisory and security release anyway, regardless of 
the policy and developers position.

> > That's quite understandable: they own the project, and can do
> > anything with it, including doing marketing-motivated actions,
> > ignoring developers position and community. Still, this
> > contradicts our agreement. And, more importantly, I no longer able
> > to control which changes are made in nginx within F5, and no longer
> > see nginx as a free and open source project developed and
> > maintained for the public good.
> Do you speak only about you?.. Or are there also other developers which
> share your point of view? Just for the record...
> What is about R. Arutyunyan, V. Bartenev and others?
> Could one expect any statement from Igor (Sysoev) about the subject?

I speak only about me.  Others, if they are interested in, are 
welcome to join.

> > As such, starting from today, I will no longer participate in nginx
> > development as run by F5. Instead, I'm starting an alternative
> > project, which is going to be run by developers, and not corporate
> > entities:
> > 
> > [1]
> Why yet another fork? I mean why just not "angie", for instance?

The "angie" fork shares the same problem as nginx run by F5: it's 
run by a for-profit corporate entity.  Even if it's good enough 
now, things might change unexpectedly, like it happened with F5.

> Additionally I'd like to ask whether the name "freenginx" is really well
> thought-out?
> I mean:
>   - it can be easy confused with free nginx (compared to nginx plus)
>   - the search for that will be horrible (if you would try to search for
> freenginx,
>     even as exact (within quotes, with plus etc), many internet search
> engine
>     would definitely include free nginx in the result.
>   - possibly copyright or trademark problems, etc

Apart from potential trademark concerns (which I believe do not 
apply here, but IANAL), these does not seem to be significant (and 
search results are already good enough).  Still, the name aligns 
well with project goals.

> > The goal is to keep nginx development free from arbitrary corporate
> > actions. Help and contributions are welcome. Hope it will be
> > beneficial for everyone.
> Just as an idea: switch the primary dev to GH (github)... (and commonly from
> hg to git).
> I'm sure it would boost the development drastically, as well as bring many
> new
> developers and let grow the community.

While I understand the suggestion and potential benefits, I'm not 
a fun of git and github, and prefer Mercurial.

Maxim Dounin

More information about the nginx-devel mailing list