Key Nginx Developer Leaves Project, Launches FreeNGINX Fork
One of the core developers of Nginx, the world’s most popular web server, has announced his departure from the project. He stated that he no longer sees Nginx as “a free and open project… for the public good.” Maxim Dounin, the developer, has created a fork called freenginx, which he says “will be managed by developers, not corporate entities” and will be “free from arbitrary corporate actions.”
Dounin is one of the earliest and most active contributors to the Nginx project and was among the first employees of Nginx, Inc., the company founded in 2011 to provide commercial support for the web server. Today, Nginx powers about a third of the world’s web servers, surpassing Apache in usage.
Nginx, Inc. was acquired by Seattle-based F5 in 2019. That same year, two Nginx leaders, Maxim Konovalov and Igor Sysoev, were detained and questioned at their homes by FSB agents. Sysoev’s former employer, the Russian internet company Rambler, claimed ownership of the Nginx source code, arguing it was developed while Sysoev worked at Rambler (where Dounin also worked). Although no criminal charges or rights claims were ultimately enforced, the incident raised concerns about a Russian company’s involvement in widely used open-source web infrastructure.
Sysoev left F5 and the Nginx project in early 2022. Later that year, F5 ceased all operations in Russia. Some Nginx developers who remained in Russia created Angie, largely to support Nginx users in Russia. Dounin also technically ended his employment with F5 but continued to contribute to Nginx “as a volunteer,” according to his message on the project’s mailing list.
Dispute Over Security Policy and Corporate Control
In his statement, Dounin wrote that “the new non-technical management” at F5 “recently decided they know better how to manage open-source projects. In particular, they chose to interfere with the security policy that Nginx has used for years, ignoring both the policy and the developers’ opinions.” While he acknowledged this was “understandable” from an ownership perspective, Dounin said it meant he “could no longer control what changes are made to Nginx,” prompting his departure and the creation of the fork.
The main point of contention was the handling of CVEs related to bugs in QUIC features. Although QUIC is not enabled in the most common default Nginx setup, it is included in the “mainline” version of the application, which, according to Nginx documentation, contains “the latest features and bug fixes and is always up to date.”
Dounin elaborated on F5’s actions in a follow-up message:
“The latest security bulletin was published even though a certain bug in the experimental HTTP/3 implementation should have been treated and fixed as a standard issue, fully in line with the existing security principles, as unanimously agreed by all developers, including myself.
“While this individual decision is not critical by itself, in the broader context, such a strategy raises significant concerns.”
MZMegaZone, F5’s principal security engineer, confirmed that the security disclosure was a turning point leading to Dounin’s departure. “He was against our decision to assign a CVE and did not approve of this step, and the timing is clearly not a coincidence,” MZMegaZone commented on Hacker News. He added, “I am convinced that assigning a CVE should not tarnish the reputation of NGINX or Maxim. It’s unfortunate he feels that way, but I continue to respect him and sincerely wish him success.”
An F5 spokesperson told Ars Technica:
“F5 is committed to running successful open-source projects that require a large and diverse contributor community, as well as applying strict industry standards to identify and assess discovered vulnerabilities. We believe this is the right approach to developing highly secure software for our customers and the community, and we encourage the open-source community to join us in these efforts.”