[personal profile] mjg59
The Linux Foundation is an industry organisation dedicated to promoting, protecting and standardising Linux and open source software[1]. The majority of its board is chosen by the member companies - 10 by platinum members (platinum membership costs $500,000 a year), 3 by gold members (gold membership costs $100,000 a year) and 1 by silver members (silver membership costs between $5,000 and $20,000 a year, depending on company size). Up until recently individual members ($99 a year) could also elect two board members, allowing for community perspectives to be represented at the board level.

As of last Friday, this is no longer true. The by-laws were amended to drop the clause that permitted individual members to elect any directors. Section 3.3(a) now says that no affiliate members may be involved in the election of directors, and section 5.3(d) still permits at-large directors but does not require them[2]. The old version of the bylaws are here - the only non-whitespace differences are in sections 3.3(a) and 5.3(d).

These changes all happened shortly after Karen Sandler announced that she planned to stand for the Linux Foundation board during a presentation last September. A short time later, the "Individual membership" program was quietly renamed to the "Individual supporter" program and the promised benefit of being allowed to stand for and participate in board elections was dropped (compare the old page to the new one). Karen is the executive director of the Software Freedom Conservancy, an organisation involved in the vitally important work of GPL enforcement. The Linux Foundation has historically been less than enthusiastic about GPL enforcement, and the SFC is funding a lawsuit against one of the Foundation's members for violating the terms of the GPL. The timing may be coincidental, but it certainly looks like the Linux Foundation was willing to throw out any semblance of community representation just to ensure that there was no risk of someone in favour of GPL enforcement ending up on their board.

Much of the code in Linux is written by employees paid to do this work, but significant parts of both Linux and the huge range of software that it depends on are written by community members who now have no representation in the Linux Foundation. Ignoring them makes it look like the Linux Foundation is interested only in promoting, protecting and standardising Linux and open source software if doing so benefits their corporate membership rather than the community as a whole. This isn't a positive step.

[1] Article II of the bylaws
[2] Other than in the case of the TAB representative, an individual chosen by a board elected via in-person voting at a conference

Not surprising

Date: 2016-01-25 02:50 pm (UTC)
From: (Anonymous)
The fact that the LF caters to their corporate donors isn't at all surprising for those of us who have known the LF since its inception.

I used to be employed by the LF. I actually came over during the merger between the ODSL and FSG, so I was there at the very beginning. The entire tone, internally, of the LF was centered around pleasing our corporate overlords from the very start. Those of us who didn't fall in line with that sentiment, didn't last long at the new organization.

Let me share the story about how I butted up against this new corporate-driven focus early on in the LF's lifetime. I was tasked to try and salvage a project to provide a unified, cross-platform, installation tool. Something that would allow third parties write a single installer that would, in turn, be able to register itself with whatever underlying package management system in use (though, our focus was deb and rpm at the time). It was a good goal, and something both corporations and community alike would have been able to get behind if done right. I even came up with a lovely little proof of concept to demonstrate how we hoped to accomplish this. My work was well received by the package management communities at the time.

Unfortunately, one of our major donors (either a platinum or gold, it's been too long, and I, frankly, can't remember which) didn't like it. What this company really wanted was essentially a back-door into RPM (they only cared about RPM-based systems). They wanted to allow non-privileged users (e.g., not admins) to install their software on systems. They developed a major *nix desktop application (used primarily by researchers and scientists) and their primary friction-point for their customers was that they'd buy the application suite and then have to have some admin/IT guy actually install it for them because they lacked root access to their systems. They wanted a way to bypass this. They wanted to be able to write an installer that normal, non-root users, could use to install their software system-wide.

I knew such a patch would NEVER be accepted by upstream distributions and package manager developers, and their requests were shot down constantly by the other community members on the mailing-list where we were discussing this, so I chose to ignore them and, basically, let others in the community "talk sense" into them (I remember a Google employee being very vocal about how bad this idea was, and I pretty much let him act as the big detractor to such a backdoor in RPM).

They were livid that the LF employee (me) wasn't backing them up in the mailing list traffic. They felt that the money they were paying to the LF meant that the LF would basically be a "lobbying firm" for them to the Open Source community: That whatever crazy thing they (or other platinum/gold members wanted) should be promoted by the LF and it was the LF's responsibility to convince the Open Source community to accept edicts from these corporate sponsors. They complained to higher ups (very higher ups) at the LF, and I lost my job.

I wasn't the first that this happened to at the LF, and I wouldn't be the last.

So, yeah, as early as 2008-2010 companies were using the LF as a glorified "lobbying firm", and this obviously hasn't changed.

Now, of course, there are LF employees who are immune to these sorts of things. For example, I can't imagine this sort of stuff flying with the various kernel developers they employ. But for the myriad of ancillary projects they have employees working on, I'm certain they have felt the corporate influence at some point during their time at the LF.

Re: Not surprising

Date: 2016-01-26 10:37 pm (UTC)
From: [identity profile] yuhong.wordpress.com
The funny thing is that Windows Installer supported something like this, of course with the program only usable by the user that installed it.

Re: Not surprising

Date: 2016-04-23 01:31 am (UTC)
From: (Anonymous)
You know the things you say make a lot of sense. You are writing it as a criticism, and I'm like "hey not a bad idea at all".

I think you misinterpret people wanting a "back-door". They don't want a back-door, they want a user to be able to install his own software, mostly. Or, they want there to be an intermediate between administrator (root) and regular user, but in Linux land this is a deep schism. This is a wide gap, and enormous split.

You should for fun write a little small script to list all files owned by the various users/groups in your system. You will find that 99% of all files not created by or for a user (ie. user home directory) are all owned by root and virtually nothing else. The files not owned by root, you can count them on about 2 hands.

Unless you have something specific such as www-data or something of the kind.

Just loop through /etc/passwd or /etc/group and do a find for that user or group across the filesystem ex. boundaries (normally) using -xdev.

It might surprise you, just like seeing earth from space (they way they report that).

The thing you mention here is a very valid concern. A true backdoor, of course, would not be. I bicker about constantly about being able to do stuff without being root. I hate having to be root as much as I do. You cannot even normally specify the target for some logging (using syslog) without being root. Doing something as non-root is so unusual that you rather avoid having to choose that. And I can understand that someone might want that.

But that's not, that's nothing like the idiocy that we see today in mostly systemd. That rhymes.


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Page Summary

Expand Cut Tags

No cut tags