Where Does Open Source Fit into Russia’s War with Ukraine? – InApps Technology 2022

Earlier this week, open source gateway Scarf began limiting access to open source packages for Russian government and military entities, via its gateway. In the company’s announcement, Scarf CEO and founder Avi Press wrote that “Scarf will be blocking all package and container downloads originating from Russian Government sources until further notice.”

The company is not the only one to make such a move this week, with Oracle suspending all operations in the Russian Federation, Hashicorp prohibiting access to its products, and Apple stopping all sales in Russia. There were numerous others, but Scarf’s actions stand out — in that the restriction here applies to open source, not proprietary, software.

When it comes to open source software, the Open Source Initiative’s definition is quite clear: there must be “no discrimination against persons or groups” and “no discrimination against fields of endeavor.” Each of these criteria applies to the license of said open source software, while the distribution of that same software may be a different matter entirely, argues Press.

“There’s a difference between the code and the repositories where we collaborate on the code, versus the distribution channels where that code gets distributed,” said Press in an interview. “Just because you have the free permission to pull down the source code itself, versus, say, pull down a Dockerized application so that I can spin up an entire infrastructure ecosystem within my firewall and it all just works at the click of the button, those are two completely different things. Having more control over that distribution channel, that doesn’t really impact the nature of what the scope of these licenses are talking about.”

While Press agrees that bypassing such restrictions, at least when just one company is implementing them, can be somewhat trivial, he asserts that the open source community at large could make a difference by working together.

“If we cut off the software supply chain at all these different levels, it could quickly get quite untenable,” said Press. “I think that really just underlines the idea that if there’s a lot of different parties creating and maintaining this kind of software that are all working together, it actually could really make a difference over time.”

In the blog post, Press calls on other companies in the open source space to follow suit, further noting that “every package and container registry also needs to offer increased distribution observability, so that we can make these efforts effective across the OSS ecosystem.”

“I think that every package registry should join us. NPM, Docker Hub, I mean, pick your language — Sonatype, Maven Central, Hackage, all of these package registries should do this,” said Press. “You may have access to the raw repositories of all of the software, but if you don’t have a package manager, your software development just grinds to a halt.”

At least two companies that Press might cite — GitHub and GitLab — have both declined to limit access to users in Russia, though calls for doing so have been broader than limiting access to the Russian government and military organizations. This is another point of distinction for Scarf’s actions. While Press writes that “Traffic originating from other Russian sources such as businesses, civilian internet service providers, or otherwise, will be unaffected by this change,” the moves by other companies cited are blanket bans across Russia.

This idea of restricting access to open source software even came up in a thread on the libreplanet listserv, with Czech developer Jacob Hrbek asking Free Software Foundation (FSF) members “Should we and can we take steps to prevent/reduce Russia’s access to our software?”

While the responses varied, they tended toward the typically ironclad ideals of the FSF, which state that according to the “four freedoms” there should be no restrictions. Arch GNU creator Thomas Lord argues that “I would think we’d want free software to be thriving in Russian and every society because that gives *users* greater freedom to do what they think is best.”

Coraline Ada Ehmke, founder and executive director of the Organization for Ethical Source, disputed the FSF stance.

“We can’t simultaneously celebrate the growing adoption of free and open source technologies by governments and militaries around the world, and also absolve ourselves of any responsibility when our work is used or abused to cause harm at unprecedented scale,” wrote Ehmke. “The traditionalist FLOSS insistence on the neutrality of technology, enshrined in Freedom Zero, is increasingly out of step with the reality of its global impact. Of course, we can’t prevent all potential abuses of free and open source software, but is that really reason enough to throw up our hands and do nothing at all?”

Stefano Maffulli, executive director of the Open Source Initiative, also said that blanket restrictions on Russia would end up hurting Russian citizens far more than “the Russian military and powerful elites who certainly have the means to develop workarounds,” but also agreed that restricting access to open source distribution could be an effective means of protest.

“This is not the first time that the open source definition and OSI have been pushed to discuss the ethical implications of the freedom that the open source licenses grant. There was a time during the Trump administration when a few maintainers of open source projects removed access to their repositories once they found out that ICE was using their code. Which would have been fine if they did just that. But instead they changed their licenses adding restrictions, for example: you can’t use this code if you work for ICE, or you can’t use this code if you’re harming people… etc,” wrote Maffulli in an email.

“The licenses don’t say that individuals and corporations must continue doing business with a tyrant,” added Maffulli, noting that limiting distribution, rather than changing licensing, was “a fine distinction.”

InApps Technology is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: scarf.sh, Docker.

Photo by Katie Godowski from Pexels.