In my recent trip to PgConf Russia, a friend brought up the reaction of a Linux kernel maintainer to a patch submission by Baikal Electronics. The reaction has apparently shocked open source developers throughout Russia and I think perfectly encapsulates the dangers open source projects, including PostgreSQL, have to navigate today in the changing geopolitical context. I decided to write a longer piece on this controversy and the issues surrounding it because I don't want to see PostgreSQL, LedgerSMB, or other open source projects I work with go down a similar path.
I believe that we are entering into a new era in open source development and I hope we move forward with our eyes open rather than sleepwalk into disaster. Particularly as we move forward with dual-use technologies in Postgres, such as Transparent Data Encryption, we will face similar pressures and temptations. I hope we don't go down the same road.
Background: Baikal Electronics, Weapons, and Sanctions
The email occurs in the course of the Russo-Ukraine war and the purported efforts by Western powers to deprive Russia of dual-use computer chips, of a sort that could be useful for cruise missile guidance systems and other efforts. I say "purported" because today computer chips are found in virtually everything and therefore this motivation doesn't make much sense. Western countries have imposed a number of sanctions which attempt to restrict access to microchips and other sophisticated electronics. This has included both export bans to Russia of microchips but also sanctions on Russian microchip manufacturers.
Modern weapons by most major powers are heavily computerized and rely on such components. The stated hope by Western powers was to degrade Russia's military manufacturing and repair capabilities and thus end the war on terms favorable to Western interests. It is also possible that the goal of sanctions was to destroy civilian life in the vain hope of a regime change (though there are no cases of Western sanctions achieving this in history, particularly when used against an adversary).
However, most aspects of modern life rely on these same microchips. Banking systems, traffic lights, water treatment facilities, electrical generation, washing machines, refrigerators, and many more pieces of civilian equipment and infrastructure well outside the conflict zone depend on such technologies. For this reason, companies like Baikal Electronics represent an important part of an effort at import substitution and sanction-resilience, not just for military uses but for civilian uses as well. The Linux kernel maintainers have no problem accepting patches from US military and national security agencies (for example, SE-Linux was contributed by the NSA), but suddenly allowing civilian uses of Linux in Russia has become a problem. It's hard to see this as a conscious decision rather than a product of unconscious bias and human error. However, it could also be a conscious decision to weaponize open source software for geopolitical reasons.
Different Interpretations of Motivation: Weapons vs Civilian Use, or Geopolitical Enforcement
The email here could be interpreted in a number of ways. The most likely two are that this is a deliberate effort to extend sanctions to open source development or that it is a deep concern with what might be mistaken to be primarily a weapons contractor. The first is genuinely scary, while the second could be expected to be resolved with a bit of dialogue.
It is possible that the decision was made due to US/EU sanctions or the desire to take a strong stance in favor of US interests (as portrayed by US media) and I understand this is the sense that people have taken this in Russia. In this view, open source becomes just another weapon of geopolitics, and a way to punish countries we don't like. After Russia, the same fate will surely befall China, and then any other country that dares to get in the way of American ambitions throughout the world. Of course this would be rationalized as the argument that Russia is invading and occupying another country illegally and we ought not to support that, but the fact that the US has illegally invaded and is occupying half of Syria doesn't get the same treatment, so again we are dealing with a "rules-based" international order where the rules don't apply to the West. As I will show below, any open source project that goes down this path will be superseded by more inclusive, international projects which may fork from them.
A more charitable view is based on the misunderstanding that Baikal Electronics' chips are primarily used for military applications and have limited civilian use. This may have been true before the war, though even then the company was making inroads into civilian applications. Today, the company has many civilian uses and, as import substitution becomes more important, these civilian uses are growing. In this particular case, dialog ought to be able to resolve the issue and the patches ought to be able to be reviewed. I think the fact that the Linux kernel maintainers have not decided to directly discriminate against Russians as a whole, or even residents of Russia, is evidence that this is a misunderstanding rather than a genuine effort at removing the political neutrality that defines open source. However, if server vendors or even banks would be barred from making contributions for fixes affecting Baikal chips used in civilian applications, this would be quite troubling, and that seems to be the policy specified in the email.
I think the comments about refusing hardware support for Baikal's chips indicates that this is not merely about mistrust of Baikal as an organization technically, but rather something directed at them and their motivations for contribution.
After all, the Open Source Initiative's
Open Source Definition does not allow licenses to discriminate against endeavors or groups of people, whether by citizenship, residency, or employment. While this does not apply to accepting patches, it does apply to distribution so contributions by the NSA become available for use by the Russian armed forces. The kernel maintainers don't have to accept patches from Russian nationals or corporations, but they have to let such people and corporations take advantage of improvements made by US allies. As I will show below, this leads to problems for open source communities trying to cut themselves off from countries they don't like.
The Open Source as Infrastructure from the Unipolar Moment
In order to understand the current situation clearly enough to see what options other countries and corporations have, a bit of history into the current situation is helpful.
Open Source is generally understood to trace back to Cold-War-era academic development practices where academics would write software and share it for purposes of research. This was confined to academia for a number of reasons but particularly due to difficulties with distribution. At the time, the internet was not well developed, and so distribution and collaboration across significant distances, and with significant numbers of people, were difficult.
With the end of the Cold War, the situation dramatically changed. The Unipolar Moment was accompanied by a move to hyper-globalism and this lead to increasing exports of computers, and the rise of a global internet. This in turn lead to increasing investments in telecommunications infrastructure and the rise of a high-speed internet. As computers became faster and storage became denser, and as internet speeds increased, many of the large open source projects we know today either began their lives or moved out from academia into the mainstream.
Open source development practices today are a product of this hyper-connected, globalized world. Globalism, however, has not equally benefited all and has
proved to be demonstrably unstable. US efforts to remake the world in its image are now failing, and workers at home are increasingly unhappy with stagnant wages, lost jobs, and other consequences of a globalized labor market. As a result we began to see largely unsuccessful efforts to disconnect the US economy from the Chinese economy beginning in 2016, and more successful efforts to disconnect from the Russian economy starting in 2022. The efforts at severing economic ties with China have furthermore been picked up by the Biden Administration, and there is a general understanding in both the US and China that similar sanctions are coming to China whenever practical and convenient.
The Global South, often weary of being threatened with US, UK, and EU sanctions, has steadfastly refused to support this effort. Indeed, not a single country from the Global South has sanctioned Russia in the last year. They are therefore at risk of being considered unfriendly countries and arbitrarily sanctioned via secondary sanctions. What has developed is then what Rutgers University Political Science Professor Michael Rossi has called
"The West vs The Rest." This leads to a dangerous dynamic where efforts to isolate one country risks alienating people in a large number of other countries.
Open source, however, remains as infrastructure. Software products cannot consider themselves open source while enforcing geographic boundaries in distribution or preventing individuals, organizations, agencies, or nations one doesn't like from accessing, using, or modifying the source code. This then means that this infrastructure remains no matter what we would like, and further that efforts at excluding those we don't like will generally backfire and eventually kill the projects that we want to protect.
Possible Responses from Non-Western Powers
Of course the best option for everyone would be to work together to address misunderstandings and make sure that geopolitics does not get in the way of accepting code contributions. However, if that is not possible, then other options might be necessary. There are several possible reactions that can be taken from within non-Western powers to such exclusion. These range from maintained patch sets to forking or even switching open source projects.
The simplest approach for people who are excluded from a major open source project is just to maintain a patch set of existing work for use within their countries. The advantage of this is that it is quick and easy. You can maintain the patch set as a git branch, and perhaps even build or release from that branch. This makes it quick and (usually) easy to keep up to date with git rebase, and if the patch set is small, is quite reasonable to do.
If the patch set becomes too large, then maintenance in this will be difficult, in which case forking and merging in changes from the mainline kernel may be an option. This would allow, for example, a "Rinux" (contraction of Russian Linux) to develop. The mainline kernel would still not take on further improvements from the Rinux fork, but Rinux could take all improvements from Linux. If the developers are competent this would leave Rinux as a better, more capable project, and also very attractive to Chinese and other non-Western companies and governments as a project which would would be less likely to be weaponized. If Rinux were particularly successful, it might even make inroads back into Western countries, leaving Linux increasingly used purely by Western governments and military organizations, and increasingly lagging behind until it wouldn't even be worth following anymore.
A final option would be to switch to a different kernel such as OpenBSD, which has a track record of a global outlook, particularly in areas of
cryptography. The particular track record of recruiting cryptographers not bound by US export restrictions may indicate they may be safer partners of collaboration than the Linux kernel at this point.
Of course the best option for everyone would be to work together to address misunderstandings and make sure that geopolitics does not get in the way of accepting code contributions.
Our Choice: To Be Global or To Be Western
Gone now are the days when geopolitics could be safely ignored, but open source software projects today still have to decide how closely to tie themselves to Western geopolitical efforts at maintaining global power. Emerging development communities, raised on open source, in much of the world will dramatically privilege those projects that don't tie themselves to the agendas of any country or group of countries but seek to create commons that all can participate in, well beyond borders.
LedgerSMB was born of a need to maintain software while I was excluded from the SQL-Ledger community. What we found was that more inclusive communities always beat less inclusive ones, and that inclusive forks often kill non-inclusive parent projects.
I hope that the Linux community comes to its senses before it is too late. And I hope the PostgreSQL community never experiences such insanity, because this can be fatal. Of curse the projects that make this error will live on by other names, with other maintainers, and different committers, but the original projects are likely to die. And I don't want this.