It has been deeply troubling to watch the current situation in Ukraine, from the terrifying threats from Vladimir Putin to online footage of bombings, shootings, and resulting damage. I can only try to imagine what Ukrainians are going through and feeling right now.
Stewing on the bleakness of the situation, I got to wondering about what, if anything, I, my company, Scarf, and the open-source community broadly could collectively and concretely do to aid the victims of this reprehensible invasion. While Scarf is still a relatively new platform, we do facilitate the distribution of software to end-users all over the world, every day. And so I took a peek at Scarf’s analytics of OSS usage and here’s what I found:
My analysis showed that Scarf has fulfilled ongoing software download requests from at least 17 distinct sources that have been confirmed to originate from the Russian Government. This activity primarily comprises their downloading of containerized applications via Scarf Gateway, including internal communications & chat, IT service orchestration, and more. The traffic spans multiple government departments, including the Federal Guard Service, the Ministry of Finance, the Main Center of Information and Computing, the Ministry of Culture, and others.
Today, open-source software powers just about everything we touch. I’m constantly reminded of that as I work day in and day out building Scarf. That still doesn’t make it any less heartbreaking to see beautiful open technology being exploited by forces like the Russian government so they can more effectively invade Ukraine. It then begs the question of how else they might be leveraging OSS, today, and in the future. With the looming threat of Russian Intelligence organizations resorting to cyber attacks to get their way, it’s hard to imagine OSS not playing a key role.
The notion of Russian government cyber attack operations leveraging software downloaded through Scarf’s platform is unacceptable. The notion of facilitating the atrocious invasion we're witnessing in Ukraine is not acceptable. As a result, Scarf will be blocking all package and container downloads originating from Russian Government sources until further notice. Traffic originating from other Russian sources such as businesses, civilian internet service providers, or otherwise, will be unaffected by this change.
Scarf will not provide services to governments that are actively working to incite global-scale war. We stand for peace and open collaboration. Scarf stands with the people of Ukraine however we can.
Our ask for the open-source community
I’d like to call on other companies in the open-source space, large and small, to follow suit where possible. It’s time we pay more attention to the distribution channels of our software and have a better understanding of how our software is being used. This is precisely why every package and container registry also needs to offer increased distribution observability, so that we can make these efforts effective across the OSS ecosystem. If the ethos of open-source teaches us anything, it’s that when everyone chips in to help, everyone wins.