Worth noting that there are only <i>two</i> active "core" devs, Maxim Dounin (the OP) and Roman Arutyunyan. Maxim is the biggest contributor that is still active. Maxim and Roman account for basically 99% of current development.<p>So this is a pretty impactful fork. It's not like one of 8 core devs or something. This is 50% of the team.<p>Edit: Just noticed Sergey Kandaurov isn't listed on GitHub "contributors" because he doesn't have a GitHub account (my bad). So it's more like 33% of the team. Previous releases have been tagged by Maxim, but the latest (today's 1.25.4) was tagged by Sergey.
This isn’t just “a core nginx dev” — this is Maxim Dounin! He <i>is</i> nginx. I would consider putting his name in the title. (And if I were F5, I’d have given him anything he asked for to not leave, including concessions on product vision.)<p>That said, I’m not sure how much leg he has to stand on for using the word nginx itself in the new product’s name and domain…
Is this what the security disagreement is about <a href="https://mailman.nginx.org/pipermail/nginx-announce/2024/NW6MNW34VZ6HDIHH5YFBIJYZJN7FGNAV.html" rel="nofollow">https://mailman.nginx.org/pipermail/nginx-announce/2024/NW6M...</a>?
Given this fork still boasts a 2-clause BSD license, the corporate nginx can still make the effort to backport patches. It's certainly harder than requiring a single converged development branch, but how closely they track Maxim's work is ultimately up to them.<p>If nginx continues to receive more attention from security researchers, I imagine Maxim will have good reasons to backport fixes the other way too, or at least benefit from the same disclosures even if he does prefer to write his own patches as things do diverge.<p>Though history also shows that hostile forks rarely survive 6 months. They either get merged if they had enough marginal value, or abandoned outright if they didn't. Time will tell.
I admit I haven't followed this issue closely, but what is he talking about?<p>>In particular, they decided to interfere with security policy nginx uses for years, ignoring both the policy and developers’ position.
I don't get it... does he not know about angie [1]? It was created by NGINX core devs after the F5 acquisition if I'm not mistaken, and it's a drop-in replacement for NGINX.<p>[1] <a href="https://github.com/webserver-llc/angie">https://github.com/webserver-llc/angie</a>
> Unfortunately, some new non-technical management at F5 recently decided that they know better how to run open source projects. In particular, they decided to interfere with security policy nginx uses for years, ignoring both the policy and developers’ position.<p>Ah, I completely forgot F5 was involved in this, probably most of everyone else did too, and F5 gets no money from this. It shouldn't matter to them; do they even have competition in the enterprise load balancer space? I spent 9 years of my career managing these devices, they're rock solid, and I remember some anecdotes about MS buying them by the truckload. They should be able to cover someone working on nginx, maybe advertise it more for some OSS goodwill.
There is another fork already from some "ex-devs from the original team"
<a href="https://angie.software/en/" rel="nofollow">https://angie.software/en/</a>
<a href="https://github.com/webserver-llc/angie">https://github.com/webserver-llc/angie</a>
Per the discussion at <a href="https://news.ycombinator.com/item?id=39374312">https://news.ycombinator.com/item?id=39374312</a>, this cryptic shade:<p>> <i>Unfortunately, some new non-technical management at F5 recently decided that they know better how to run open source projects. In particular, they decided to interfere with security policy nginx uses for years, ignoring both the policy and developers’ position.</i><p>Refers to F5's decision to publish two vulnerabilities as CVEs, when Maxim did not want them to be published.
<a href="https://my.f5.com/manage/s/article/K59427339" rel="nofollow">https://my.f5.com/manage/s/article/K59427339</a><p>All F5 contributions to NGINX open source projects have been moved to other global locations. No code, either commercial or open source, is located in Russia.<p>yeah, yeah
Perhaps this is what's called a "rage-fork". So, proposed title: nginx dev rage-forks over security disagreement with boss company<p>But then perhaps he also has every right to do it, even though AFAIR the original author was somebody else.
One of the most heavily used Russian software projects on the internet <a href="https://www.nginx.com/blog/do-svidaniya-igor-thank-you-for-nginx/" rel="nofollow">https://www.nginx.com/blog/do-svidaniya-igor-thank-you-for-n...</a> but it's only marginally more modern than Apache httpd.<p>In light of recently announced nginx memory-safety vulnerabilities I'd suggest migrating to Caddy <a href="https://caddyserver.com/" rel="nofollow">https://caddyserver.com/</a>
Mailing list discussion:<p><a href="https://forum.nginx.org/read.php?2,299130" rel="nofollow">https://forum.nginx.org/read.php?2,299130</a>
After using Nginx for something like 15 years I dropped it a couple of years ago.<p>Using Caddy instead.<p>A point came where I realised I didn't enjoy Nginx. Configuring it was hard and it felt brittle.<p>A particular pain point is certificates/SSL. I absolutely dreaded doing anything with certificates in Nginx.<p>When I heard that Caddy automatically handles SSL/certificates I jumped the nginx ship and swam as fast as I could to Caddy.
What a coincidence, some days ago I was reading some HN posts related to lighttpd and I found [1]. The link is dead and it now has inappropriate content, so use archive.org. The author doesn't go into much detail about why nginx being purchased is a problem, but rather into how to configure lighttpd. And the first comment predicts the hypothetical case of F5 being problematic.<p>[1] <a href="https://news.ycombinator.com/item?id=19413901">https://news.ycombinator.com/item?id=19413901</a>
It seems every time I read about a project being forked, they use the (probably) trademarked name in the project's fork, just to need a rename a few weeks after.
Just curious, how do folks make a living with free contributions not associated with any company? Is it sponsorships, or do they do some contract work on the side? It feels like these devs are so underappreciated for the tremendous work they do; so much in software is supported by so many of these projects, and companies don't sponsor or do the right thing!
Tangent, but I got curious about contributing so I went to the Freenginx homepage, and it looks like this project will be organized over a mailing list. I would love it if someone would create a product that gives mailing lists a tolerable UI.
F5 is spinning this to be about not disclosing CVEs when the truth is more that the experimental code that was flagged was not considered production ready, and whoever is running it should know they are on their own. This CVE is an obvious bug, and<p><i>when your KPI is CVEs per month every bug looks like a CVE</i><p>F5 wants this feature prioritized over what Maxim planned, and Maxim doesn't have to comply; he is a volunteer.
It was already mentioned in the other thread, but it looks like F5 owns the trademark for the Nginx name. Maxim should consider rebranding the project to avoid any legal blowback.
So - The big question...<p>Is the fork going to allow you to change the nginx Server response header (a PAID feature in the current fork...) without requiring you to mod it in and recompile it? :p<p>Yes - You read that correctly. They refuse to accept PRs to add additional functionality because that functionality is restricted to the paid version :p
I dunno seems like a tempest in a teapot. Not sure why Maxim would not want CVEs to be assigned to something. Maybe it was just the final straw after a series of bad interactions. Every project has a lifespan, sometimes trying to keep them going forever is not the answer. I will miss nginx a lot if I need to migrate though.
Time for me to slowly start looking for an alternative.<p>There was a time when I wanted to move away from it and was eyeing HAProxy, but the lack of the ability to serve static files didn't convince me. Then there was Traefik, but I never looked too much into it, because Nginx is working just fine for me.<p>My biggest hope was Cloudflare's Rust-based Pingora pre-announcement, which was then never published as Open Source.<p>Now that I googled for the Pingora name I found Oxy, which might be Pingora? Googling for this yields<p>> Although Pingora, another proxy server developed by us in Rust, shares some similarities with Oxy, it was intentionally designed as a separate proxy server with a different objective.<p>Any non-Apache recommendations? It should be able to serve static files.
Note for some reason Maxim chose to link to
<a href="http://freenginx.org" rel="nofollow">http://freenginx.org</a>,
instead of
<a href="https://freenginx.org" rel="nofollow">https://freenginx.org</a>
I stopped using Nginx when I needed the ability to assign an Ethernet port (IP address not yet available) and the Nginx developers refused to do this.<p>Before you ask why I would do that: I've got all Ethernet interfaces getting their IPs created dynamically on an on-demand basis, and only wanted ONE specific interface (non-public) to host the HTTP/HTTPS protocol.<p>And no, we do not want to jerry-rig some fancy nginx config file shell-script updater whenever an IP address gets assigned/reassigned.<p>Here came lighttpd and Apache to the rescue.
Seems like an annoying but necessary thing, so let's give the original a quick death and migrate to freenginx.<p>Infrastructure like that should not be run by for-profit corporations anyway; it will always end up like in this case sooner or later.
Did we find out why the dev of freenginx did not want the nginx CVE that caused this fork? Some context would be nice, as it seems like a weird reason to fork.
My biggest gripe, as an internet keyboard warrior with an opinion, is not being able to understand the source control and build process of Nginx.<p>Probably a skill issue, but when I last tried to compile Nginx from the GitHub mirror I spent hours trying to figure it out. I wish there was a GitHub page with an easy-to-understand build process... and that I could just run "cargo build --release" lol
If I ever need nginx I'll use freenginx. But funny enough all my services run in Traefik these days. 15 years ago Apache httpd was the norm, and lately nginx has been, and now I can't even think of a reason to use it.
Well maybe this core dev can impact some better malware into it and update the defaults.<p>Nginx loves to pretend it’s 1995. It barely has http3 support and does insanely stupid things by default.<p>No wonder people move to haproxy, Traefik, caddy, etc.
Cloudflare doesn’t use it anymore for good reason.