from Hacker News

Freenginx: Core Nginx developer announces fork

by bkallus on 2/14/24, 6:29 PM with 475 comments

  • by sevg on 2/14/24, 7:08 PM

    Worth noting that there are only two active "core" devs, Maxim Dounin (the OP) and Roman Arutyunyan. Maxim is the biggest contributor that is still active. Maxim and Roman account for basically 99% of current development.

    So this is a pretty impactful fork. It's not like one of 8 core devs or something. This is 50% of the team.

    Edit: Just noticed Sergey Kandaurov isn't listed on GitHub "contributors" because he doesn't have a GitHub account (my bad). So it's more like 33% of the team. Previous releases have been tagged by Maxim, but the latest (today's 1.25.4) was tagged by Sergey.

  • by ComputerGuru on 2/14/24, 7:12 PM

    This isn’t just “a core nginx dev” — this is Maxim Dounin! He is nginx. I would consider putting his name in the title. (And if I were F5, I’d have given him anything he asked for to not leave, including concessions on product vision.)

    That said, I’m not sure how much leg he has to stand on for using the word nginx itself in the new product’s name and domain…

  • by sschueller on 2/14/24, 7:10 PM

    Is this what the security disagreement is about https://mailman.nginx.org/pipermail/nginx-announce/2024/NW6M...?
  • by fl0ki on 2/14/24, 10:32 PM

    Given this fork still boasts a 2-clause BSD license, the corporate nginx can still make the effort to backport patches. It's certainly harder than requiring a single converged development branch, but how closely they track Maxim's work is ultimately up to them.

    If nginx continues to receive more attention from security researchers, I imagine Maxim will have good reasons to backport fixes the other way too, or at least benefit from the same disclosures even if he does prefer to write his own patches as things do diverge.

    Though history also shows that hostile forks rarely survive 6 months. They either get merged if they had enough marginal value, or abandoned outright if they didn't. Time will tell.

  • by arter4 on 2/14/24, 7:21 PM

    I admit I haven't followed this issue closely, but what is he talking about?

    >In particular, they decided to interfere with security policy nginx uses for years, ignoring both the policy and developers’ position.

  • by stefanos82 on 2/14/24, 7:02 PM

    I don't get it... doesn't he know about angie [1]? It was created by NGINX core devs after F5 acquisition if I'm not mistaken and it's a drop-in replacement for NGINX.

    [1] https://github.com/webserver-llc/angie

  • by karolist on 2/14/24, 6:51 PM

    > Unfortunately, some new non-technical management at F5 recently decided that they know better how to run open source projects. In particular, they decided to interfere with security policy nginx uses for years, ignoring both the policy and developers’ position.

    Ah, I completely forgot F5 was involved in this, probably most of everyone else and F5 gets no money from this. Shouldn't matter to them, do they even have competition in enterprise load balancer space? I spent 9 years of my career managing these devices, they're rock solid and I remember some anecdotes about MS buying them by the truckloads. They should be able to cover someone working on nginx, maybe advertise it more for some OSS goodwill.

  • by nginxforks2402 on 2/14/24, 7:04 PM

    There is another fork already from some "ex-devs from the original team" https://angie.software/en/ https://github.com/webserver-llc/angie
  • by resolutebat on 2/14/24, 10:07 PM

    Per the discussion at https://news.ycombinator.com/item?id=39374312, this cryptic shade:

    > Unfortunately, some new non-technical management at F5 recently decided that they know better how to run open source projects. In particular, they decided to interfere with security policy nginx uses for years, ignoring both the policy and developers’ position.

    Refers to F5's decision to publish two vulnerabilities as CVEs, when Maxim did not want them to be published.

  • by nimbius on 2/14/24, 10:01 PM

    >freenginx.org

    IANAL, but I strongly recommend reconsidering the name as the current one contains a trademark.

  • by notsosubtle on 2/14/24, 8:23 PM

    https://my.f5.com/manage/s/article/K59427339

    All F5 contributions to NGINX open source projects have been moved to other global locations. No code, either commercial or open source, is located in Russia.

    yeah, yeah

  • by larodi on 2/14/24, 6:57 PM

    Is called "rage-fork" perhaps this. So proposed title: nginx dev rage-forks over security disagreement with boss company

    But then perhaps he also has every right to do it, even though AFAIR the original author was somebody else.

  • by webprofusion on 2/15/24, 5:20 AM

    One of the most heavily used Russian software projects on the internet https://www.nginx.com/blog/do-svidaniya-igor-thank-you-for-n... but it's only marginally more modern than Apache httpd.

    In light of recently announced nginx memory-safety vulnerabilities I'd suggest migrating to Caddy https://caddyserver.com/

  • by petecooper on 2/14/24, 7:41 PM

  • by andrewstuart on 2/15/24, 5:32 AM

    After using Nginx for something like 15 years I dropped it a couple of years ago.

    Using Caddy instead.

    A point came where I realised I didn't enjoy Nginx. Configuring it was hard and it felt brittle.

    A particular pain point is certificates/ssl. I absolutely dreaded doing anything with certificates in Nginx.

    When I heard that Caddy automatically handles SSL/ certificates I jumped the nginx ship and swam as fast as I could to Caddy.

  • by pbaam on 2/14/24, 7:21 PM

    What a coincidence, some days ago I was reading some HN posts related to lighttpd and I found [1]. The link is dead and it has inappropriate content, so use archive.org. The author doesn't go too much in detail of why nginx being purchased is a problem, but in how to configure lighttpd. And the first comment predicts the hypothetical case of F5 being problematic.

    [1] https://news.ycombinator.com/item?id=19413901

  • by dmacvicar on 2/14/24, 9:23 PM

    It seems every time I read about a project being forked, they use the (probably) trademarked name in the project's fork, just to need a rename a few weeks after.
  • by someoneinworld on 2/15/24, 7:01 AM

    Just curious how do folks make a living with free contributions not associated to any company? Is it sponsorships or they do some contract work on the side? It feels these devs are so underappreciated for the tremendous work they do, so much in software is supported on so many of these projects and companies don't sponsor or do the right thing!
  • by pornel on 2/14/24, 6:53 PM

    I'm hoping the fork will allow having code comments.
  • by BadHumans on 2/14/24, 8:26 PM

    Tangent, but I got curious about contributing so I went to the Freenginx homepage, it looks like this project will be organized over mailing list. I would love if someone would create a product that gives mailing lists a tolerable UI.
  • by frikkie444 on 2/23/24, 10:12 AM

    F5 is spinning this to be about not disclosing CVEs when the truth is more that the experimental code that was flagged was not considered production ready and whoever is running it should know they are on their own. This CVE is an obvious bug, and when your KPI is CVEs per month every bug looks like a CVE

    F5 wants this feature prioritized over what Maxim planned, and Maxim doesn't have to comply, he is a volunteer.

  • by robgibbons on 2/15/24, 7:46 PM

    It was already mentioned in the other thread, but it looks like F5 owns the trademark for the Nginx name. Maxim should consider rebranding the project to avoid any legal blowback.
  • by seunosewa on 2/15/24, 12:35 PM

    I hope he implements the least connection load balancing option for free users.
  • by Reelix on 2/17/24, 12:34 AM

    So - The big question...

    Is the fork going to allow you to change the nginx Server response header (A PAID feature in the current fork...) without requiring you to mod it in and recompile it? :p

    Yes - You read that correctly. They refuse to accept PRs to add additional functionality because that functionality is restricted to the paid version :p

  • by illusive4080 on 2/14/24, 6:51 PM

    Anyone have more info about the changes nginx made?
  • by petecooper on 2/14/24, 7:38 PM

    Page won't load for me, Wayback Machine caught it:

    https://web.archive.org/web/20240214184151/https://mailman.n...

  • by aftbit on 2/15/24, 7:17 PM

    I dunno seems like a tempest in a teapot. Not sure why Maxim would not want CVEs to be assigned to something. Maybe it was just the final straw after a series of bad interactions. Every project has a lifespan, sometimes trying to keep them going forever is not the answer. I will miss nginx a lot if I need to migrate though.
  • by qwertox on 2/14/24, 7:31 PM

    Time for me to slowly start looking for an alternative.

    There was a time when I wanted to move away from it and was eyeing HAProxy, but the lack of the ability to serve static files didn't convince me. Then there was Traefik, but I never looked too much into it, because Nginx is working just fine for me.

    My biggest hope was Cloudflare's Rust-based Pingora pre-announcement, which was then never published as Open Source.

    Now that I googled for the Pingora name I found Oxy, which might be Pingora? Googling for this yields

    > Although Pingora, another proxy server developed by us in Rust, shares some similarities with Oxy, it was intentionally designed as a separate proxy server with a different objective.

    Any non-Apache recommendations? It should be able to serve static files.

  • by chrisweekly on 2/14/24, 9:38 PM

    Note for some reason Maxim chose to link to http://freenginx.org, instead of https://freenginx.org
  • by caycep on 2/14/24, 7:00 PM

    wondering also whether Igor and Maxim are ok, what w/ the geopolitical situation there.
  • by egberts1 on 2/17/24, 11:58 AM

    I stopped using Nginx when I needed the ability to assign an Ethernet port (IP address not yet available) and Nginx developers refused to do this.

    Before you ask why would I do that, I've got all Ethernet interfaces on dynamic IPs created on an on-demand basis and only wanted ONE specific interface (non-public) to host the HTTP/HTTPS protocol.

    And no, we do not want to jerry-rig some fancy nginx config file shell-script updater whenever an IP address gets assigned/reassigned.

    Here came lighttpd and Apache to the rescue.

  • by devosalain on 2/25/24, 11:59 AM

    Is F5 trying to kill the original nginx? [Cfr hostile take-overs of Microsoft]
  • by lyu07282 on 2/15/24, 12:23 AM

    seems like an annoying but necessary thing, so let's give the original a quick death and migrate to freenginx

    Infrastructure like that should not be run by for-profit corporations anyway, it will always end up like in this case sooner or later

  • by soupbowl on 2/15/24, 7:42 PM

    Did we find out why the dev of freenginx did not want the nginx CVE that caused this fork? Some context would be nice as it seems like a weird reason to fork.
  • by apatheticonion on 2/15/24, 9:49 AM

    My biggest gripe as an internet keyboard warrior with an opinion is not being able to understand the source control and build process of Nginx.

    Probably a skill issue but when I last tried to compile Nginx from the Github mirror I spent hours trying to figure it out. I wish there was a GitHub page with an easy to understand build process... and that I could just run "cargo build --release" lol

  • by davecheney on 2/14/24, 9:28 PM

    Oh snap, F5 just Hudson’d themselves.
  • by INTPenis on 2/14/24, 9:59 PM

    If I ever need nginx I'll use freenginx. But funny enough all my services run in Traefik these days. 15 years ago Apache httpd was the norm, and lately nginx has been, and now I can't even think of a reason to use it.
  • by web3-is-a-scam on 2/14/24, 9:26 PM

    Apache my beloved
  • by aaroninsf on 2/15/24, 7:10 PM

    Dissatisfaction, like water, will always find its level.
  • by rdl on 2/14/24, 8:59 PM

    Curious how to support Maxim despite Russia complications.
  • by schneems on 2/14/24, 7:00 PM

    Can it un-swap the behavior of SIGTERM and SIGKILL please?
  • by udev4096 on 2/15/24, 9:06 AM

    Judging from the comments of the guy from F5, it seems that Maxim didn't wanna assign a CVE to the latest vulns. I wonder why
  • by not_a_dane on 2/15/24, 8:30 PM

    Just looking at comments here makes me feel like this is pretty much underrated.
  • by lnxg33k1 on 2/15/24, 8:32 PM

    Innovation is being kept hostage by MBAs, marketing, PR and recruiters
  • by thomasjudge on 2/14/24, 10:38 PM

    How the heck am I supposed to pronounce that? "Free-en-gen-icks"?
  • by darylteo on 2/15/24, 3:16 AM

    F5 closing Moscow office: Is this a result of US sanctions?
  • by DeathArrow on 2/15/24, 7:29 PM

    I hope some people will find the time to help him.
  • by liveoneggs on 2/15/24, 7:29 PM

    This fork should use the Apache Foundation for its hosting and things.
  • by scrps on 2/15/24, 7:54 PM

    Bravo!
  • by Vosporos on 2/15/24, 8:53 AM

    Godspeed
  • by 687m786m78 on 2/14/24, 7:55 PM

    It is scary to think about how much of the web relies on projects maintained by 1 or 2 people.
  • by q2dg on 2/14/24, 7:58 PM

    Just use Apache
  • by SomeoneFromCA on 2/15/24, 9:27 AM

    NGINX are FSBs shills.
  • by darkhorn on 2/14/24, 8:56 PM

    I don't understand why some people use a Russian software! Especially in this age.
  • by nginxsjsjn on 2/15/24, 4:07 AM

    Well maybe this core dev can impact some better malware into it and update the defaults.

    Nginx loves to pretend it’s 1995. It barely has http3 support and does insanely stupid things by default.

    No wonder people move to haproxy, Traefik, caddy, etc. Cloudflare doesn’t use it anymore for good reason.

  • by system2 on 2/14/24, 6:58 PM

    There is no news other than this individual post. I wish he could describe it more. It says it is free but where is the github page for it?