Official statement regarding recent Greg’ commit 6e90b675cf942e from Serge Semin
Hello Linux-kernel community,
I am sure you have already heard the news caused by the recent Greg’ commit 6e90b675cf942e (“MAINTAINERS: Remove some entries due to various compliance requirements.”). As you may have noticed the change concerned some of the Ru-related developers removal from the list of the official kernel maintainers, including me.
The community members rightly noted that the quite short commit log contained very vague terms with no explicit change justification. No matter how hard I tried to get more details about the reason, alas the senior maintainer I was discussing the matter with haven’t given an explanation to what compliance requirements that was. I won’t cite the exact emails text since it was a private messaging, but the key words are “sanctions”, “sorry”, “nothing I can do”, “talk to your (company) lawyer”… I can’t say for all the guys affected by the change, but my work for the community has been purely volunteer for more than a year now (and less than half of it had been payable before that). For that reason I have no any (company) lawyer to talk to, and honestly after the way the patch has been merged in I don’t really want to now. Silently, behind everyone’s back, bypassing the standard patch-review process, with no affected developers/subsystem notified - it’s indeed the worse way to do what has been done. No gratitude, no credits to the developers for all these years of the devoted work for the community. No matter the reason of the situation but haven’t we deserved more than that? Adding to the GREDITS file at least, no?..
I can’t believe the kernel senior maintainers didn’t consider that the patch wouldn’t go unnoticed, and the situation might get out of control with unpredictable results for the community, if not straight away then in the middle or long term perspective. I am sure there have been plenty ways to solve the problem less harmfully, but they decided to take the easiest path. Alas what’s done is done. A bifurcation point slightly initiated a year ago has just been fully implemented. The reason of the situation is obviously in the political ground which in this case surely shatters a basement the community has been built on in the first place. If so then God knows what might be next (who else might be sanctioned…), but the implemented move clearly sends a bad signal to the Linux community new comers, to the already working volunteers and hobbyists like me.
Thus even if it was still possible for me to send patches or perform some reviews, after what has been done my motivation to do that as a volunteer has simply vanished. (I might be doing a commercial upstreaming in future though). But before saying goodbye I’d like to express my gratitude to all the community members I have been lucky to work with during all these years.
I understand the sanctions part and wanting to head off any potential state interference with projects like this, but “infosec reasons” feels very hand wavy.
I think I’d be a lot more comfortable if we had seen malicious/bad faith actions/communications or maybe some more specific and tangible reasons to suspect them being compromised on the part of the Russian maintainers before they were just removed.
Your understanding of the sanctions is a good start, but dismissing “infosec reasons” as merely “hand-wavy” shows a serious lack of awareness about the global security threats that Russia, and by extension, its citizens, pose—especially when it comes to technology and infrastructure. To suggest that we need to “see malicious or bad faith actions” first before taking precautionary steps demonstrates a complete misunderstanding of how cybersecurity and threat prevention work.
Let’s get real: Russia has been systematically involved in espionage operations for decades. This isn’t speculation—it’s fact. They have a proven track record of conducting cyber warfare, engaging in disinformation campaigns, and launching full-on hybrid attacks across Europe and the U.S. From burning down munition factories to assassinating journalists with polonium, to paying off right-wing influencers and politicians in the West, the Russian state and its network of operatives have relentlessly undermined democratic societies. And you think we should wait for more tangible evidence before removing people from sensitive projects? That’s beyond naïve—it’s reckless.
Cybersecurity doesn’t work by waiting until something catastrophic happens. You don’t wait for a hacker to exploit a vulnerability before patching it, just as you don’t wait for a spy to steal sensitive information before tightening your security protocols. Russia is actively involved in cyber warfare, and pretending that this doesn’t extend to individuals who might seem disconnected from their government is dangerously shortsighted. Espionage is embedded into Russian statecraft—it operates through layers of deception, often utilizing individuals who appear innocent or disconnected.
And we’re not talking about abstract threats. Russian actors have been implicated in numerous high-profile cyberattacks, including those that targeted Western infrastructure, democratic processes, and industrial sectors. If anything, the decision to remove Russian maintainers from the Linux project for “infosec reasons” is prudent. It’s not hand-wavy—it’s a necessary step to protect the integrity of a globally important project from potential compromise by a nation that has shown no qualms about leveraging technology for malicious purposes.
Moreover, the idea that you would need to see overt acts of bad faith from these maintainers before taking action completely ignores the covert nature of cyber espionage. Russia’s hybrid warfare tactics often operate in the shadows—by the time you see the problem, it’s far too late. You’re essentially asking to see the explosion before you start investigating the bomb, which is absurd in any cybersecurity context.
Your dismissal of these concerns as “hand-wavy” highlights a disturbing lack of understanding about the real and present threats posed by Russian actors, whether state-sponsored or not. Pretending otherwise is not just foolish, it’s an invitation for disaster. Ignorance is not an excuse in matters of national security, and being “comfortable” with this situation is exactly what Russia counts on when it comes to exploiting vulnerabilities.
Infosec reasons are not some vague excuse—they are at the heart of protecting projects like the Linux kernel, which are critical to global infrastructure. If you don’t understand that, you’re either blissfully unaware of the reality of cyber threats or willfully ignorant of the risks. Either way, it’s a dangerous position to take.
I really like your way of explaining that.
It still feels dirty, but when is war and geopolitics ever actually clean? I feel a lot more heartened that this was the right choice after reading your response.