Developer Dounin officially left Nginx and created the free Nginx project after declaring disagreement over security disclosures and bug-fixing priorities.
According to Arstechnica, Maxim Dounin – one of the core developers – left Nginx because he believed it was no longer a free and open-source project for the benefit of the community. Dounin founded freenginx and said it would be run by developers, not corporate entities.
Dounin was one of the original and still most active programmers on the Nginx open source project, being one of the first employees of Nginx Inc., the company founded in 2011 to provide commercial support for the software. web server software. According to W3techs ‘s web servers, Nginx is currently used in about a third of the world, followed by Apache
Nginx Inc. was acquired by F5 (headquartered in Seattle, USA) in 2019. However, at the end of 2019, Nginx’s two leaders, Maxim Konovalov, and Igor Sysoev, were detained and interrogated at their home by Russian agents. Internet company Rambler has claimed ownership of the Nginx source code because it was developed at the time Sysoev worked (Dounin also worked there). While criminal charges do not appear to have materialized, the intrusion of a Russian company into a popular open-source part of the web infrastructure has raised some concerns.
Sysoev left F5 and the Nginx project in early 2022. Later this year, because Russia carried out a military campaign in Ukraine, F5 stopped all activities in this country. Some Nginx developers have created Angie to support Nginx users in Russia. Dounin also stopped working for F5 at that time but maintained his role on the Nginx project as a volunteer
Dounin said the new non-technical management at F5 recently assumed they knew how to run open-source projects. In particular, this group decided to interfere with the security policy that Nginx has used for many years, ignoring the developers. He figured this meant he could no longer control what changes were made in Nginx, so he decided to leave.
Comments on The Hacker News, including those by an alleged F5 employee, show that Dounin objected to QUIC’s assignment of published CVE vulnerabilities. Although it is not enabled in Nginx’s default setup, according to the Nginx documentation, QUIC is included in the main version of the application, contains the latest features and bug fixes, and is always updated.
Responding to The Hacker News, Dounin said the F5 team ignored both the project policy and the views of the general developers without any discussion. While the specific action isn’t necessarily bad, the approach is problematic.
According to Astechnica, the F5 side said they felt sorry for Dounin’s departure, and said that successful open-source projects like Nginx require a large and diverse community of collaborators, as well as the application of Strict industry standards for specifying and scoring identified vulnerabilities. The company believes this is a suitable approach to develop highly secure software for customers and the community
