Last week, Greg Kroah-Hartman, the maintainer of the stable branch of the Linux kernel, made a significant announcement on the Linux code maintainers mailing list. He stated that some developers would be removed due to compliance requirements. He mentioned that they could come back if they provide adequate documentation.
This message reached a group that includes Linus Torvalds, the original creator of Linux. In his response to the mailing list, Torvalds openly expressed his worries about potential Russian trolls trying to infiltrate the kernel. He asserted, “It’s entirely clear why the change was done. It’s not getting reverted.” Torvalds made it clear that using anonymous accounts to challenge this decision wouldn’t work.
However, not everyone agreed with the decision to remove Russian developers. One maintainer raised concerns about transparency, questioning whether anyone really reviewed patches before they got approved. This maintainer pointed out that patches often slipped through unnoticed, sometimes getting approved without any comment from Torvalds.
This situation sparked worries about future implications for the Linux community, especially if hypothetical regulations ever required introducing a backdoor in the kernel. Amanda Brock, the CEO of OpenUK, called the decision “alarming.” On LinkedIn, she emphasized that open source thrives on participation. She noted that as open source software sees widespread adoption—accounting for over 90% of active codebases—governments have grown increasingly concerned about associated risks.
The strength of open source lies in the dedicated efforts of thousands of developers who fix bugs and enhance the Linux kernel. Code reviews are critical for compliance, ensuring that the kernel and related software don’t introduce malware or security vulnerabilities. A notable incident from 2021 exemplifies this. The University of Minnesota faced backlash after a cybersecurity researcher attempted to submit flawed patches to the kernel. When their involvement was uncovered, they lost their maintainer status.
Following the incident, the University of Minnesota issued an apology, clarifying that the patches were part of a poorly thought-out study called the “hypocrite commit.” The university emphasized that these were the only flawed patches it had submitted and that they were halted before passing the review process.