
Freenginx: A Fork of NGINX

The Freenginx Web server aims to recapture the spirit of open source development "for the public good," free from corporate control.
Feb 26th, 2024 10:34am by

A volunteer NGINX developer is forking NGINX, the world’s most popular web server, into Freenginx.

By Netcraft’s count, NGINX (pronounced EngineX) is the world’s most popular web server. So when a top NGINX developer, Maxim Dounin, announced he was forking NGINX, it was potentially a huge deal.

Dounin made this decision because of his grievances over what he perceives as overreach by NGINX’s corporate owner, F5, into the project’s management. In particular, he hates what management is doing with security policies and how they’re now assigning Common Vulnerabilities and Exposures (CVE) bugs in NGINX’s experimental HTTP/3 code.

As Dounin wrote, “Some new non-technical management at F5 recently decided that they know better how to run open source projects. In particular, they decided to interfere with security policy NGINX uses for years, ignoring both the policy and developers’ position.” Specifically, Dounin objected to these bugs being treated as security issues instead of as ordinary bugs, which didn’t warrant a security release.

It wasn’t so much the specific issue, though, as F5’s attitude, as he explained in another note. “There was no public discussion. The only discussion I’m aware of happened on the security-alert@ list, and the consensus was that the bug should be fixed as a normal bug. Still, I was reached several days ago with the information that some unnamed management requested an advisory and security release anyway, regardless of the policy and developers’ position.”

Ignored senior programmers are ticked-off programmers.

By his own account, Dounin has not been an F5 employee since the company left Russia in 2022 due to its invasion of Ukraine. Instead, he’s been a significant volunteer contributor for the past two years.

Now, while he feels that F5 has every right to do what it wants with the program, he’ll no longer work on NGINX, since he is “no longer able to control which changes are made in NGINX within F5, and no longer see nginx as a free and open source project developed and maintained for the public good.” Instead, he’ll work on Freenginx, “an alternative project, which is going to be run by developers, and not corporate entities.”

It’s for that reason that Dounin is not joining a previous open source NGINX fork, Angie. This program was created by Russian NGINX developers who were left high and dry when F5 moved out of Moscow. Angie is owned by the Russian company Web Server, and Dounin worries that any for-profit company may interfere with the proper development and maintenance of the code.

The backdrop to this development is complex, involving geopolitical tensions, corporate acquisitions, and the inherent challenges of balancing commercial interests with the open source ethos. NGINX’s history has been a tumultuous one. F5’s 2019 acquisition of NGINX was seen as a new chapter that would bring financial stability and growth. However, the subsequent raid on NGINX’s Moscow offices by Russian state agents on behalf of the Russian web company Rambler, which claimed it owned the NGINX code, left the company staggered. F5’s Moscow office closure only added more complexity to the narrative.

Dounin’s new venture, Freenginx, aims to recapture the spirit of open source development “for the public good,” free from corporate control. Freenginx’s first code release, freenginx-1.25.4, arrived on February 20. This is a clone of the old repo with only a few minor changes, one of which is a fix for the bugs that prompted the fork.

And, what does F5 make of all this? A company representative said, “F5 is committed to delivering successful open source projects that require a large and diverse community of contributors, as well as applying rigorous industry standards for assigning and scoring identified vulnerabilities. We believe this is the right approach for developing highly secure software for our customers and community, and we encourage the open source community to join us in this effort.” It doesn’t sound to me like they’re worried at all about this fork.

So, for now at least, Dounin appears to be free to make his attempt to gain web server mindshare without interference. Based on the low activity on the Freenginx mailing list, however, there appears to be little interest. Only time will tell whether the project will gain steam with users or developers.
