Subscribe

One of those little sticks holding everything up —

Nginx core developer quits project in security dispute, starts “freenginx” fork

Disagreement over security disclosures and bug-fixing priorities led to split.

- Updated

Multiple forks being held by hands
Enlarge
Getty Images

A core developer of Nginx, currently the world's most popular web server, has quit the project, stating that he no longer sees it as "a free and open source project… for the public good." His fork, freenginx, is "going to be run by developers, and not corporate entities," writes Maxim Dounin, and will be "free from arbitrary corporate actions."

Dounin is one of the earliest and still most active coders on the open source Nginx project and one of the first employees of Nginx, Inc., a company created in 2011 to commercially support the steadily growing web server. Nginx is now used on roughly one-third of the world's web servers, ahead of Apache.

A tricky history of creation and ownership

Nginx Inc. was acquired by Seattle-based networking firm F5 in 2019. Later that year, two of Nginx's leaders, Maxim Konovalov and Igor Sysoev, were detained and interrogated in their homes by armed Russian state agents. Sysoev's former employer, Internet firm Rambler, claimed that it owned the rights to Nginx's source code, as it was developed during Sysoev's tenure at Rambler (where Dounin also worked). While the criminal charges and rights do not appear to have materialized, the implications of a Russian company's intrusion into a popular open source piece of the web's infrastructure caused some alarm.

Sysoev left F5 and the Nginx project in early 2022. Later that year, due to the Russian invasion of Ukraine, F5 discontinued all operations in Russia. Some Nginx developers still in Russia formed Angie, developed in large part to support Nginx users in Russia. Dounin technically stopped working for F5 at that point, too, but maintained his role in Nginx "as a volunteer," according to Dounin's mailing list post.

Dounin writes in his announcement that "new non-technical management" at F5 "recently decided that they know better how to run open source projects. In particular, they decided to interfere with security policy nginx uses for years, ignoring both the policy and developers' position." While it was "quite understandable," given their ownership, Dounin wrote that it means he was "no longer able to control which changes are made in nginx," hence his departure and fork.

The CVEs at the center of the split

Comments on Hacker News, including one by a purported employee of F5, suggest Dounin opposed the assigning of published CVEs (Common Vulnerabilities and Exposures) to bugs in aspects of QUIC. While QUIC is not enabled in the most default Nginx setup, it is included in the application's "mainline" version, which, according to the Nginx documentation, contains "the latest features and bug fixes and is always up to date."

The commenter from F5, MZMegaZone, seemingly the principal security engineer at F5, notes that "a number of customers/users have the code in production, experimental or not" and adds that F5 is a CVE Numbering Authority (CNA).

Dounin expanded on F5's actions in a later mail response.

The most recent "security advisory" was released despite the fact that the particular bug in the experimental HTTP/3 code is expected to be fixed as a normal bug as per the existing security policy, and all the developers, including me, agree on this.

And, while the particular action isn't exactly very bad, the approach in general is quite problematic.

Asked about the potential for name confusion and trademark issues, Dounin wrote in another response about trademark concerns: "I believe [they] do not apply here, but IANAL [I am not a lawyer]," and "the name aligns well with project goals."

MZMegaZone confirmed the relationship between security disclosures and Dounin's departure. "All I know is he objected to our decision to assign CVEs, was not happy that we did, and the timing does not appear coincidental," MZMegaZone wrote on Hacker News. He later added, "I don't think having the CVEs should reflect poorly on NGINX or Maxim. I'm sorry he feels the way he does, but I hold no ill will toward him and wish him success, seriously."

Dounin, reached by email, pointed to his mailing list responses for clarification. He added, "Essentially, F5 ignored both the project policy and joint developers' position, without any discussion."

MegaZone wrote to Ars (noting that he only spoke for himself and not F5), stating, "It's an unfortunate situation, but I think we did the right thing for the users in assigning CVEs and following public disclosure practices. Rational people can disagree and I respect Maxim has his own view on the matter, and hold no ill will toward him or the fork. I wish it hadn't come to this, but I respect the choice was his to make."

A representative for F5 wrote to Ars that:

F5 is committed to delivering successful open source projects that require a large and diverse community of contributors, as well as applying rigorous industry standards forassigning and scoring identified vulnerabilities. We believe this is the right approach for developing highly secure software for our customers and community, and we encourage the open source community to join us in this effort.

This post was updated at 8:15 p.m. ET on Feb. 15 to include a statement from F5.

Kevin Purdy Kevin is a senior technology reporter at Ars Technica, covering a variety of technology topics and reviewing products. He started his writing career as a newspaper reporter, covering business, crime, and other topics. He has written about technology and computing for more than 15 years.

Promoted Comments

Background: started and ran a CNA at a prior employer.

It seems that the developer in question does not understand how the CVE program operates or what a CNA's responsibilities are. CVEs are not demerits. They are identifiers used to refer to specific vulnerabilities for the purpose of identification and communication. It does not matter if the vulnerability exists in the default configuration or not. There is also no obligation to fix CVEs in any particular way. A vendor is perfectly within its rights to say that the vulnerability exists in experimental code and that its security lifecycle policy does not cover this, while still assigning a CVE to refer to the vulnerability.

The important part is that as long as the vendor CNA (F5 in this case) assigns the CVE, they control the details of the CVE record and can specify in the description that the vulnerability exists in experimental code. If the vendor refuses to assign a CVE, another CNA can do so, and the vendor loses control over the CVE record. This is likely a big part of why F5 insisted on assigning the CVEs in question.

Open source projects may or may not work with a CNA to assign CVEs. A lot of times CVEs are assigned by independent researchers, and sometimes there's heated discussion (read: flaming) between the developers and the researchers. This might "work" in some sense, but most people in the security community would prefer not to have that sort of dispute happen.

Channel Ars Technica

Related Stories

    Today on Ars