In an email to the Nginx development mailing list on 14 February, core Nginx maintainer and former F5 employee Maxim Dounin announced that he will “no longer participate in Nginx development as run by F5” and instead work on a new aptly named fork called Freenginx, which will be “free from arbitrary corporate actions.”

He also shares his reasons behind the decision:

  1. Non-technical managers from F5 (“who think they know better”) are attempting to run the project.
  2. These managers decided to interfere with Nginx’s security policy, ignoring his interest (he is the core maintainer).
  3. They are driven by marketing and do not consider the developers and the community.
  4. This situation contradicts his agreement with F5 to continue his role as a core Nginx maintainer after he left F5 (F5 closed its Moscow office after Russia invaded Ukraine).
  5. He no longer controls the changes made in Nginx and no longer sees Nginx as a “free and open source project maintained for the public good” (ahem, the chart).
[Chart: Usage Statistics of Web Servers. Data source: Web Servers Historical Usage Trends Report]

Reading just this email can tilt our biases in favor of Maxim—something about the term “corporate” instantly flicks the hate switch (strong, but you get the idea).

But the problem is a bit more nuanced.

Security Policy Interference

In early February, two security vulnerabilities were discovered in Nginx’s HTTP/3 implementation. Per policy, the Nginx developers at F5 disclosed these vulnerabilities and issued two CVEs, CVE-2024-24989 and CVE-2024-24990.

Maxim wasn’t happy. He wanted to treat these issues as normal bugs, because Nginx’s HTTP/3 implementation was still considered experimental.

When a CVE is issued, downstream users of Nginx take on the additional burden of tracking and patching it. So, users generally appreciate vendors who try to minimize CVEs. Maxim’s stance addresses this concern.

However, F5’s decision to issue CVEs and report the vulnerabilities to their users was made with a similar intent. As one F5 employee comments on Hacker News (paraphrased for clarity):

We know many users have the feature in production, experimental or not, which was part of the decision-making process. The security advisories we published state that this feature is experimental.

When in doubt, do right by your users.

When in doubt, do right by your users. But who decides what’s right?

For-Profit Open Source

Maxim’s second concern was F5’s “corporate control” over Nginx.

This could explain why he made a new fork instead of joining Angie, an earlier Nginx fork created by Russian F5 employees when they moved out of Moscow. Angie is now owned by Web Server LLC, a for-profit company.

It is easy to point fingers at a company for “making money off of open source,” but it is also a bit naive.

Sustaining open source projects at scale solely through reciprocal acts of altruism is difficult, if not impossible. It often ends with the maintainer unable to make money.

Money buys food, shelter, and medicine (and the occasional life-size poster of Ryan Gosling and happiness).

The open core model, followed by F5 and previously Nginx (the commercial company), is a good middle ground between pure altruism and corporate selfishness. While F5 makes profits, Nginx remains free and open source.

Who’s Right?

Both Maxim and F5 want what’s best for their users.

As F5, you are obligated to report security issues to your users, but as Maxim, your obligation is to reduce the burden on your downstream users.

Regardless of who’s right, there is a Freenginx fork, and it is maintained by one of the most significant contributors to Nginx.

So, wait and watch how it unfolds?