How Nginx started. About the development of the famous web server.

As can be seen from the text of the resolution, the search was carried out in connection with the initiated criminal case under parts "B" and "C" of Article 146 of the Criminal Code of the Russian Federation ("Violation of copyright and related rights", items "on an especially large scale" and "by a group of persons by prior conspiracy or by an organized group"). As a result, the developers and founders of Nginx face not only the loss of the project, but also up to six years in prison.

The essence of Rambler's claim is that certain "unidentified persons", during working hours and by order of the company's management, not later than October 4, 2004, created "a program for the Enginix computer", and then, "with intent to violate copyright rights", published it on the Web and began to distribute, claiming that the rights to it belong exclusively to Igor Sysoev, the founder and developer of Nginx, a former employee of Rambler.

“We found that the exclusive right of Rambler Internet Holding to the Nginx web server was violated as a result of actions of third parties. In this regard, "Rambler Internet Holding" lost the right to lodge claims and claims related to infringement of Nginx, of Lynwood Investments CY Ltd, which possesses the necessary competence to bring justice to the question of ownership rights,” the Rambler Group press service reported.

The Kommersant publication notes that Lynwood Investments is associated with the co-owner of Rambler Group, Alexander Mamut - in particular, through this company, the businessman owned the British book chain Waterstones.

Rambler Group estimates its damage as of 2011 at 51.4 million rubles.

Let us recall that in 2011 Igor Sysoev left Rambler and founded the Nginx company, which, in addition to free software, began to offer commercial products. Nginx is currently one of the most popular web servers on the Internet, with almost a quarter of all sites running on it.

By 2018, Nginx had revenues of $26 million, and in March 2019, Nginx was acquired for $670 million by F5, one of the world leaders in multi-cloud services. The project development team, including its founders Igor Sysoev and Maxim Konovalov, continued to work on Nginx as part of F5.

What they say about it
The community and the Russian IT industry reacted very violently to what was happening with Nginx, and many considered these events to be an extremely bad sign for the Russian Internet business. We have collected some important reactions and comments.

Grigory Bakunov, aka Bobuk, Director of Technology Dissemination at Yandex, supported Sysoev and published an official statement on behalf of the company, entitled "Open source is our everything."

Igor Ashmanov, who served as the executive director of Rambler in the early 2000s, says he sees no prospects for this case. “There was no job assignment to design such a web server,” he says. Moreover, according to Ashmanov, when Sysoev was hired, it was specifically stipulated that he had his own project, which he had the right to work on. Therefore, he considers the version stated in the materials of the criminal case "nonsense".

Habr founder Denis Kryuchkov writes on Twitter that "by a strange coincidence, [this] story got out after Sber entered Rambler", meaning that this year the shareholder structure of Rambler Group underwent changes: in August Sberbank closed the deal to buy 46.5% of the company. Kryuchkov also reminds that the sites of the Ministry of Internal Affairs of the Russian Federation and kremlin.ru also use Nginx in their work.

The head of the provider Diphost and the owner of the Escher II telegram channel Philip Kulin writes: “A large amount of third-party code is embedded in nginx. If Rambler miraculously manages to nullify the free license, people will hypothetically be able to demand that their code be removed from nginx, since they did not transfer exclusive rights to Rambler. And there are such people. The very fact of litigation will make the product toxic. And the won disputes - will turn it into a brick of 15 years ago. Nothing will change in the world. Most likely, the decision of the local court will be recognized there as politically biased.”

The American company F5 Networks, which bought Nginx this year, confirmed the search in the company's Moscow office, but did not provide any details. “Earlier today, the Russian police came to the Moscow office of Nginx. We are still gathering facts on this matter, so we have no comments to give at this time,” F5 Networks said.

Back in 2011, the then editor-in-chief of "Hacker" Styopa Ilyin interviewed Igor Sysoev, and even then asked him if Rambler would have any questions regarding copyright and whether Igor managed to retain the rights to the package. Igor replied that everything is in order, he started developing Nginx even before working at Rambler, and from the very beginning the product was released under the BSD license as open source software.

- Igor, tell us how your education was built, how you came to programming and generally got carried away with computers.
- I was born in Kazakhstan in a small town. When I was about a year old, my father (he is a military man) was transferred to Alma-Ata, and I lived there until I was 18. In 1987, I graduated from school and went to enroll at the Bauman Moscow State Technical University, but I failed to enter the first time, and I returned back to Alma-Ata, where I got a job as a laboratory assistant at the branch of the Institute for Advanced Studies of the USSR Ministry of Geology. There were old computers "Iskra-226", on which I began to program something in BASIC.

And at that time in the magazine "Radio" a series of articles was published on how to assemble your own computer "Radio-86RK", and thanks to their reading I got a pretty good idea of how the computer works and how it works. And the first experience of working with computers was a little earlier: in high school I went to the Palace of Pioneers, and there they put computers Yamaha KUVT (MSX standard). I remember when I was typing the first program, I confused one with the letter I. In general, it did not work for me because of such things.

- Do you remember your first program that other people used?
- My first large and alienated program was AV antivirus, which I wrote in 1989-1990. It was written entirely in assembler, the amount of assembler code was somewhere on the order of 100 KB. The program was able to find several viruses, having a database hardwired into the program with several signatures of viruses known then in the USSR, of which there were at most ten: viruses "Marijuana", "Sofia", "Vienna" and a few more, I do not remember their names. This was my first program, which I distributed in binaries - I did not distribute the source code then. As a result, it spread throughout the country, and was even installed at several factories. There was also a feedback: people sent letters by mail with viruses recorded on floppy disks. For some time I supported this antivirus, but as a result, in 1992, I already lost interest in this topic, and the program died.

In 1994 I graduated from the institute, and a year before that I started working as a system administrator in a company that was involved in the trade of petroleum products. I worked there for almost seven years, after which in April 2000 I decided to leave. Then the NASDAQ blew away, the dot-com bubble burst, and just at that moment I decided to go online. For six months I worked in the XXL.RU online store, after which, as I remember now, on November 13, 2000, I came to work at Rambler.

- What did you do in Rambler?
- I worked as a system administrator. However, in addition to the direct work of the system administrator, I again began to write programs in my free time. It should be noted that programming was not part of my job duties, but since there was time and drive, the first thing I did was to adapt a patch to compress Apache responses. Unfortunately, at that time the name mod_gzip was already taken, so I called my version mod_deflate, it worked with Apache 1.3.

Then I was asked to deal with the mod_proxy module. I looked at it and decided that it is easier to write everything from scratch than to adapt some things there. Thus, the mod_accel module appeared - a module and a set of patches for Apache for reverse proxying. All this was also in the spring of 2001.

- That is, you did all these modules for Rambler, while uploading them to the public?
- Mostly yes. Mod_deflate actually came from a patch that Dmitry Khrustalev wrote while working at RBC. That is, this patch was taken as a basis, there is only half of my code there.

In the fall of 2001, I got the idea to write a lighter and more efficient web server than Apache. At that time, there were already other similar servers, but they all did not know how to proxy, they gave only static. They had one more common drawback - they worked in the same process, and, accordingly, it was unrealistic to scale them, for example, on a two-processor machine.

At that time, I already had quite good experience with Apache - both as a system administrator and as a programmer. Two modules written added to my knowledge: I had to look at the Apache source code and understand how everything works there. Therefore, a lot of things in Nginx migrated from Apache ideologically. Not the code, but the ideology, all the Nginx code was written from scratch.

However, I didn't like everything about Apache: for example, it is very easy to make a configuration there that would be extremely difficult to maintain. That is, the site grows, some new functionality is added, and in the end it becomes impossible to work with the site. You need to add something, and you sit and think: "What will break with me from what I add?" In Nginx, I tried to avoid these things. In general, around the spring of 2002, I started developing Nginx.

- Did people outside of Rambler quickly find out about your developments? How has the project evolved?
- In 2003, my development was discovered outside Rambler, and, moreover, Nginx began to be used on several sites. The first was the Estonian dating site Rate.ee, which still exists today. By the way, this is the most heavily loaded website in Estonia. Then Nginx began to be used on mamba.ru and on zvuki.ru, where it distributed MP3s.

In early 2004, Rambler launched the foto.rambler.ru service, and one of my colleagues, Oleg Bunin, asked me to complete the request proxying functionality in Nginx in order to start using it fully, including on the Rambler photo service. Up to this point, the project was quite academic, I gradually wrote it, but it could never end in anything, that is, it might not have been put into production anywhere. In general, it turned out that I urgently completed the proxying. And somewhere at the beginning of 2004, a version with proxying appeared, and the foto.rambler.ru service started working on the basis of Nginx.

On October 4, 2004, on the next anniversary of the launch of the first space satellite, I released the first public version: 0.1.0.

- Now the share of Nginx is growing very quickly, but how was it at the very beginning?
- Now it is really growing fast enough. In the beginning, everything was noticeably more modest. In the first year, Nginx was gaining most popularity in Russia for obvious reasons. In the future, people learned about Nginx outside of it, and individual enthusiasts began to use it at their own peril and risk. An English-language mailing list appeared, third-party resources describing Nginx began to appear, people sent me more and more wishes and comments, I made corrections, the product gradually gained popularity. Now the project is really growing very quickly, and this has become one of the reasons for the creation of the company. Alone, I just stopped coping.

- So, there was no promotion at all, it turns out that the product made itself?
- There was no special PR on my part. Although there is an opinion that the best PR is just a good product. That is, all the growth was due to the fact that Nginx "just worked" and people told their friends about their positive experience to the admins, those - to their friends, and so on the principle of word of mouth. The popularity of Nginx, in my opinion, is related to several things. Firstly, this is an effective and free software that allows you to significantly save hardware resources and money, and secondly, in principle, it works well.

- But there are analogs, lighttpd is the same for example.
- In fact, there are a couple more reasons: it turned out to be a rather interesting combination of vital features for creating an effective web infrastructure, which I added gradually and which made Nginx such an indispensable tool. At the same time, Nginx is not overloaded with unnecessary features and remains a very compact development. In addition, the modularity of Nginx has allowed many companies and third-party developers to build their extensions on top of the Nginx core. We can say that Nginx has long been a web platform of its kind.

About lighttpd (lighty). It was once more widespread than Nginx and better known in the world. Its author is the German Jan Kneschke. The difference in popularity was due to the fact that Russia is an incomprehensible country with a balalaika and a bear, snow, and here is Europe. Again, he did better with English, including English documentation.

By the way, thanks to lighttpd, the FastCGI protocol has found a second wind. Until 2000-2001, it was exotic, everyone used the interpreters that were inside Apache: PHP, Perl, Python. And since it is unrealistic to execute PHP code inside a process in lighttpd, FastCGI became the solution. And it is thanks to lighttpd that FastCGI has found a second life. Although back in 2000 people said: “Why, what is FastCGI? We have mod_php and everything works great there".

- What are the main use cases for Nginx that you see now?
- The main use on busy sites is proxying. At the same time, Nginx is installed as a frontend and proxies applications on the backends via HTTP or FastCGI or WSGI. At the same time, the standard approach is to use it in conjunction with Apache - for example, at my previous place of work, Nginx worked like this for a long time, only a couple of years ago they switched to using FastCGI. By the way, in this case, the statistics show that Nginx appears, Apache disappears. Although in fact both are used: it is just that Nginx is one of the components of the proxy system, visible from the outside.

- Explain clearly why proxying requests at all?
- Why do people actually use Apache with Nginx? It would seem, why is there an extra link that will interfere. Apache is good and easy to use wherever you need to run an application, for example using mod_php. Now imagine that this PHP is capable of generating 100 responses per second, and each response is, conventionally, 100 KB in size. Not all clients use fast connections: 10 years ago there were modem clients, now mobile Internet is very common, someone just has a bad provider or a slow tariff.

And so we have a 100KB answer and an effective speed to the client, for example 80Kbps (10Kbps). This means that this response will be transmitted to the client for 10 seconds. As a result, all this time, while the client is slowly downloading the response, Apache, along with PHP, "eats" 10-20 MB of memory per client. And instead of doing what Apache can do quickly, it waits for slow clients to download responses. All this consumes a lot of memory, and so does the processor.

When we put Nginx between clients and Apache, then everything starts to work more efficiently: Nginx takes over the entire response as quickly as possible, freeing Apache, and then slowly gives it to clients without spending a lot of memory. Nginx does not consume a lot of memory or processor, because it uses a different web server architecture - non-blocking, based on asynchronous event processing, which allows you to handle many thousands of connections within a single process (unlike Apache, where each connection is handled by a separate process or thread. - Ed.).

Well, plus to this, we can take out all static files from the backend, this is a simple thing that Nginx can handle very easily and as efficiently as possible - Nginx can simultaneously send tens of thousands of such static files per second, if memory allows and if the server's network connection allows.

- Let's get back to typical scenarios.
- So, the first scenario is when we are just doing acceleration, maybe even of one and only site. We had Apache, we put Nginx in front of it, and bang! - a miracle happened. People really put on and are surprised, and then write on "Habr" that "it must be the same, how cool." The second option is also proxying, but we have many backends, that is, we can efficiently scale the entire system horizontally, provided that the application itself allows it. Thus, Nginx acts as a load balancer.

One of the drawbacks of the current implementation is the absence of several balancing policies, but people use it, it works, and we will add functionality. What else? Another scenario, for example, is this: for some reason, many people do not like Apache. They want only Nginx on the server, they don't want to install Apache. In this case, all scripts for them work through FastCGI for PHP or WSGI for Python.

For example, WordPress.com - they started using Nginx a long time ago as a load balancer, and their web server was a commercial LiteSpeed. This year they have already completely migrated to Nginx, now they have PHP running in FastCGI mode.

Another standard use case is when Nginx simply sends all the statics, for example MP3, FLV, MPEG4 video, pictures.

- Let's talk a little about security. Have there been any serious vulnerabilities during the existence of Nginx?
- The vulnerabilities were different, but there were no problems with their help to get remote access, to execute the code. It was possible to drop workflows, but just execute the code - there were no such vulnerabilities. See, usually an exploit is designed for what? We wrote something to the server, and it fell onto the stack for him. The server works, makes a return and gets to this code.

Accordingly, for the exploit to work, you need to know where the stack will be for this process. As a rule, when there is a Debian / Ubuntu package, there is a binary, you can reproduce the crash, try to find where this stack is, and thus make an exploit. How did you start to deal with this? They began to randomize the address space - in modern Windows, for example, this is how it works.

- ASLR?
- Yes, that's right. This is randomization. We had a stack here, and now it's here. And, accordingly, we cannot predict, that is, we took a package, but it will not work to understand where it has a stack now. Nginx is simpler in this regard, because there is practically no data on the stack that is read from clients. You can count on one hand a few cases where this is used, but in these places the code is pretty robust. Data received from clients is allocated by Nginx "on the heap", allocating memory using malloc.

Accordingly, if we write there somewhere a little more, then we will not get to the stack pointer. This randomization in Nginx was present from the very beginning. In general, writing a working exploit, if possible, is very difficult. In addition, the processes that handle requests are not "rooted".

There were security advisories, they can be viewed on the website. I believe that all of these error messages should be responded to adequately, calmly and professionally. For example, to hide the fact of a bug, when everything is already published, to say like “What? Nothing happened, everything is fine” - it simply undermines the credibility of the project.

- How many people have worked before and are now engaged in the development, development of the project?
- For a long time I did it alone, I wrote almost all the code alone. About four years ago Maxim Dunin began to help me more and more. Besides the two of us, as the product developed, people sent in patches. Moreover, they often send just letters with a text description of problems or wishes. They say to me: "There is a mistake, you can solve it like this." Just in words. We do this to the best of our ability.

We also have a separate person now - Ruslan Yermilov, who is now involved in documentation. It performs several tasks: translation of the current Russian documentation into English, updating information and adapting the documentation so that it is understandable and unambiguous for people who read it for the first time. A common problem is when an author writes documentation, he has a certain context in his head, and he builds on it. Thinks this goes without saying, but ends up missing out on a lot of details. We are actively fighting against this: Ruslan looks at Nginx from the outside, with a fresh eye, so he is able to write in such a way that everyone understands everything. In addition, Ruslan has extensive experience in the development and documentation of complex software projects.

- I propose to move on to questions related to Nginx and how you came to create a business in general.
- I'll tell you everything now. So, probably, in 2008, I received the first letter from an investor, I no longer even remember who it was. In general, there have been about a dozen such letters over the past two years. People wanted to do something with Nginx, make a company. But I refused, because I am not particularly a businessman on the whole. But in the end I began to understand that something needed to be done, otherwise I simply would not be able to further develop the project alone, there was no longer enough strength for everything.

It took quite a long time to comprehend how and with whom I would like to make a company “around” Nginx. In general, I very rarely change the direction of my life: for example, before Rambler I worked for seven years in the same company, in Rambler I also worked for ten years. Change is hard for me. But nevertheless, by the spring of this year, I finally decided to found a company that would help the further development of the project. This step was partly inspired by Sergey Belousov, the founder of Parallels and the Runa Capital fund. We talked with him informally several times, and as a result, I gradually became much closer to the idea of creating a company.

- Sergei knows how to convince, right?
- Sergei is generally a very interesting person, it is always exciting to discuss business with him and not only, he is a very energetic person. Sergey is also a rather domineering leader - I think he influences a lot of decisions in his companies, he is an owner who likes to control what is happening, to directly participate in business.

In general, the process of negotiations with investors, signing the terms of the deal, a lot of everything is a difficult thing, because, firstly, there are a lot of boring details, a huge amount of paper in English, legal, it’s hard to read it in Russian, and in English even more so. Negotiating everything, again agreeing on all things: we want this, they want this. Psychologically, it's hard. But then, if investors understand your business, everything becomes much easier.

- Interesting: you worked in Rambler and worked on Nginx. Rambler didn't have any rights? This is such a delicate question. How did you manage to keep the rights to the project?
- Yes, this is a rather delicate question. He, of course, interests not only you, and we have worked it out quite thoroughly. In Russia, the legislation is arranged in such a way that the company owns what is done within the framework of labor duties or under a separate contract. That is, there must be a contract with a person, which would say: you need to develop a software product. In Rambler, I worked as a system administrator, I was engaged in development in my free time, the product from the very beginning was released under the BSD license, as open source software. In Rambler, Nginx began to be used when the main functionality was ready. Moreover, even the first application of Nginx was not in Rambler, but on the sites Rate.ee and zvuki.ru.

- Who else works for you at Nginx?
- We also have Sergey Budnevich, a system administrator, who is in charge of supporting the company's infrastructure. Our infrastructure is not very large, but it is there. We have mailing lists, we have a mail server, automatic assembly, testing packages, tracking errors, etc. Sergey helps us a lot with this. We are now going to prepare packages for several more Linux distributions: CentOS, Ubuntu. Sergey is busy automating various processes related to development, testing and maintenance. There are two more people: one person is engaged in marketing - Andrey Alekseev, and Maxim Konovalov is generally the head of everything, he makes the company work.

- What is the official title of your position in the company?
- Formally, I am the technical director. I do not know how to lead people, I focus more on the architecture of future products and the transfer of development "to the team". It is quite difficult to delegate work, but the company was created precisely with the aim of improving the development and product, so now I am trying to teach myself this. Colleagues deal with organizational issues, communication with clients, marketing, relations with partners, documentation, hiring staff, etc. We have many different difficulties, learning to communicate at different levels is not so easy. In fact, we are all involved in all the affairs of the company, since the company is not that big, and there are many things to do.

- It was difficult to delegate, because it seemed that everyone was doing badly, is it easier to do it yourself?
- Well, yes, the approach is that I would rather do it myself, because it will be better, or because it takes a long time to explain what needs to be done, or it is psychologically difficult to say: “Do this”. Personally, it was difficult for me to delegate authority for a number of reasons. Now, as CTO, I am mainly responsible for architecture and development quality.

- Igor, thank you very much for the interview! It can be seen that you still learned to delegate: with all our business questions, you sent us to Maxim Konovalov.
- By the way, this is the first interview I give. I only agreed because I had created a company. Literally in the spring, I was asked by people from another IT publication, I told them: "Sorry, I do not like, I do not want and I do not know how."

- Thanks again! Maxim, did you present any formalized business plan in negotiations with investors? What are you planning to make money on at all?
- Basically, funds have invested in Nginx as a very promising product. A detailed business plan, of course, was important, but American investors approach the issue of investments based not only and not so much on the business plan, where it will be written that we will earn so much in a year with an accuracy of tens of cents. It was important that Nginx is now very popular, it is a ready-made, existing product.

Regarding what we have for ideas for making money: we want, first of all, to achieve the right balance between free and paid functionality. We want to do what a number of companies did not quite succeed in the past. There are several examples of business based on open source development, where companies could not maintain the desired balance, they had to close some features in the product itself, ask for some ridiculous money for them, this upset everyone, and the products stopped developing.

- So you want to create a separate commercial product and find a balance between open source and commercial?
- We don't want to make a separate commercial product, we want to make commercial add-ons on top of the main open source product. It will evolve, features that are required by the community will appear. The money we received will help us take the entire production of the product to a new level. Now Igor is no longer working on the code alone, team development is being built. We are hiring people in Russia, the engineering team will remain in Moscow.

Accordingly, the focus on the open source product is very strong and will remain so.

At the same time, we know that there are clients, large companies, mid-sized companies, even small companies that have been using Nginx for a long time. They built a business on this and are grateful to us. When we meet, we hear something like: “Great, wonderful product - thank you very much! But we are missing this and that. Can you do it - are we ready to pay you?” From such conversations, we gradually develop a chain of what we could sell without upsetting the supporters of the free open source product and without undermining the trust in the project as a whole. That is, we collect such requests and compare them with the wishes that come from the user community. We look at where there are intersections and, if we understand that some functionality is actually necessary for everyone, and not for any particular company,

There are even companies that say, “Let us pay you for all these features so that they appear in the product faster. We want everything to go into open source, we don't want the feature to be exclusive and/or paid.” This is called sponsored development.

So far, we have formed ideas that commercial add-ons will be more related to large use cases of Nginx: for example, using commercial add-ons it will be easier to manage thousands of instances, there will be advanced performance monitoring, additional functionality designed for hosting, cloud and CDN infrastructures.

- That is, your focus is on the product. Will you sell services separately, for example, implementation, consulting?
- The fact is that the company is small, it will remain small - we do not want to grow to a company of several hundred people. We are actively working with partners, with system integrators, with software and hardware vendors, we are actively looking for channels to work through partners. The consultations will be carried out partly through partners, partly through us. Unfortunately, we ourselves cannot directly provide consulting and technical support services to all users.

- And what awaits ordinary users in the near future, are you planning any new features?
- From the history of changes in the code over the past three months, from the list of releases that we have released, it can be seen that since the formation of the company, we have seriously intensified the development and fixing process. We have integrated quite a lot of improvements and new options. They added, for example, MP4 streaming, which Igor was asked about for several years. The work is in progress, the functionality is developing.

- Do I understand correctly that Igor Sysoev is the main shareholder of the company, and the rest, a smaller share belongs to investors?
- Yes, Igor is the main shareholder, in total there are three founders of the company, and there are, of course, investors as owners, a group of investors - they jointly own some part. By the way, the very process of receiving money from investors is technically very simple - securities are issued in accordance with the relevant legislation, investors buy them for a certain amount. The amount goes to you, you use it to develop the company. This is exactly how everything is arranged with us.
 