Maxim Dounin announces the freenginx project.

As such, starting from today, I will no longer participate in nginx development as run by F5. Instead, I’m starting an alternative project, which is going to be run by developers, and not corporate entities:

  • BreakDecks@lemmy.ml
    link
    fedilink
    English
    arrow-up
    82
    arrow-down
    2
    ·
    9 months ago

    The name of this project is a death sentence. F5 owns the NGINX trademark. A successful fork of this will need to have a new name.

    When Oracle ruined Hudson, the community forked it and renamed it to Jenkins, and Oracle lost their investment. The same should be possible with NGINX (BSD vs. MIT, IANAL).

      • Anarch157a@lemmy.world
        link
        fedilink
        arrow-up
        26
        ·
        9 months ago

        That might be true inside Russia, but not in the rest of the world. F5 could sue in the US and force the registrar responsible for the .org TLD to hand the domain to them.

        In his place, I would chosen something related but different enough to avoid trademark infringement, like “Freeginx”. IANAL, but I believe sometimes all it takes is one letter to keep lawyers away.

    • electricprism@lemmy.ml
      link
      fedilink
      arrow-up
      2
      ·
      9 months ago

      IMO he would have been better off reversing the letters to something like XNGIN2 or some other clever play on the old theme.

      Besides the new name being problematic it’s plain aweful.

      Feels like Gentoo ==> Funtoo – Gentoo is a infinitely better name IMO.

  • fmstrat@lemmy.nowsci.com
    link
    fedilink
    English
    arrow-up
    64
    arrow-down
    4
    ·
    edit-2
    9 months ago

    TLDR; F5 owns Nginx. Making corporate over security decisions. New community fork from one of the core devs at http://freenginx.org/. Too new to know if it will be adopted by other mainstream projects that currently leverage/embed nginx.

    Note: If you use nginx and are concerned about security, consider a look at projects such as owasp/modsecurity-crs which include security layers on top of nginx.

    • xinayder@infosec.pub
      link
      fedilink
      arrow-up
      48
      ·
      9 months ago

      That doesn’t seem to be the case. From what I read on HN, the dev quit because he thought it didn’t make sense to submit CVEs for temporary/wip solutions, and F5 thought otherwise.

      So as I see it, the developer quit because he didn’t agree that a CVE should be opened for a work-in-progress solution that was live on Nginx.

    • MangoPenguin@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      25
      ·
      9 months ago

      Making corporate over security decisions.

      I read the opposite essentially, that F5 is publishing CVEs and the dev did not want them to.

      • towerful@programming.dev
        link
        fedilink
        arrow-up
        14
        ·
        9 months ago

        Yeh, seems like the CVEs were against an alpha branch.
        So, perhaps its a good reminder not to use alpha in production… But I feel it warranted a bug report instead of a “Common Vulnerabilities and Exploits” notice, normally something used to notify potentially production deployed systems of an issue.

        That would be like Pepsi issuing a product recall to all retail outlers for a product that has only been tested internally (kinda)

        • Kushan@lemmy.world
          link
          fedilink
          English
          arrow-up
          11
          ·
          9 months ago

          I think it’s more like pepsi issuing a product recall for something that has been accidentally left on the side of the road. You know you should not be drinking it anyway, but you also know someone would try it.

          • Bene7rddso@feddit.de
            link
            fedilink
            arrow-up
            3
            ·
            9 months ago

            It was on purpose on the side of the road so people could gice feedback. But the issue wasn’t a health issue (privilege escalation, etc), it just wasn’t tasty (DoS). Something you really don’t want to sell in the store, but in an alpha/beta version it’s no big deal

  • NotSteve_@lemmy.ca
    link
    fedilink
    arrow-up
    23
    ·
    edit-2
    9 months ago

    Does it actually make sense to call it free nginx? It seems like that’d just cause confusion, especially if the projects diverge. Most of the time when this happens they choose a new name (like MariaDB vs MySQL)

    That being said, I wish the project all the best. I use nginx both professionally and personally so I’ll be keeping an eye on this.

  • just another dev@lemmy.my-box.dev
    link
    fedilink
    English
    arrow-up
    15
    arrow-down
    1
    ·
    9 months ago

    A few years ago some other nginx devs also split off to create the fork Angie. I wonder why they didn’t join forces. My guess would be egos.

  • Klara@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    7
    arrow-down
    1
    ·
    9 months ago

    Does nginx give me anything over apache httpd in the year of our lord 2024? I’ve used both for hosting servers but never really understood the difference, as apache seems to have incorporated the important improvements that nginx made iirc.

    • wolf@lemmy.zip
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 months ago

      Using both, too.

      Supposedly NGINX gives you better peak performance and the configuration file format is more popular.

      I would guess that peak performance is only a concern when being google/netflix/amazon, otherwise I would bet the bottleneck is somewhere else.

      Further, NGINX seems to have become the default reverse proxy for all start ups, companies etc. around 10 years ago and thanks to group thinking by now one has to explain when using something else than NGINX.

      What I really miss from Apache is Apaches awesome letsencrypt module w/o the need for certbot. (If somebody knows about a module for NGINX which takes care of letsencrypt w/o certbot, please enlighten me.)

      In summary: Technical Apache and NGINX are IMHO mostly interchangeable (outside of peek performance demands), but the market/herd/group think prefers NGINX.

      • Slotos@feddit.nl
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        Sorry, but you don’t get to claim groupthink while ignoring state of Apache when Nginx got released.

        Apache was a mess of modules with confusing documentation, an arsenal of foot guns, and generally a PITA to deal with. Nginx was simpler, more performant, and didn’t have the extra complexity that Apache was failing to manage.

        My personal first encounter was about hosting PHP applications in a multiuser environment, and god damn was nginx a better tool.

        Apache caught up in a few years, but by then people were already solving different problems. Would nginx arrive merely a year later, it would get lost to history, but it arrived exactly when everyone was fed up with Apache just the right amount.

        Nowadays, when people choose a web server, they choose one they are comfortable with. With both httpds being mature, that’s the strongest objective factor to influence the choice. It’s not groupthink, it’s a consequence of concrete events.

        • matcha_addict@lemy.lol
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          9 months ago

          It looks to be similar. I’m not sure how trivial it is to add this. For nginx it’s basically built in. You just give it the Lua code. It’s also pretty capable. You can basically write a whole API back-end in it, which is pretty good for small APIs or functionalities, like an image resizing API.

  • baatliwala@lemmy.world
    link
    fedilink
    arrow-up
    5
    arrow-down
    1
    ·
    edit-2
    9 months ago

    It’s weird but I’m siding with the company on this one. With what little context we’ve been given the dev sounds like a stereotypical reddit moderator.

      • baatliwala@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        9 months ago

        From what I understood the company who owns Nginx decided to give CVE ratings to experimental features, but those were for the stable branch. The dev disagreed because they were “experimental” but the company wanted to give them anyway because it was the stable branch used in production.

        I don’t understand what was so bad about this direction that the company wanted to take that the dev threw a hissy fit about corpos bad, decided to leave, and start his own fork. It’s an insane overreaction IMO, maybe I’ve misunderstood something so IDK which is why my opinion is that the dev is a moron.

  • merthyr1831@lemmy.world
    link
    fedilink
    arrow-up
    1
    ·
    9 months ago

    I sympathise with the dude dev but corporate loves corporate; I dont think the project is going to attract much funding if it’s purely a ‘libre’ fork.