Vivian Voss

The Kernel Question

Borrowed Land ■ Episode 01

“We use Linux. It is open source. Therefore, we are sovereign.”

This assumption underpins every European sovereign cloud strategy, every government migration plan, every Gaia-X white paper. Open source equals independence. The source code is available, ergo we control our destiny.

Quite reassuring. Until you look at the governance.

The Claim

Europe wants digital independence. The EU signed a declaration in November 2025. Germany launched sovereign cloud initiatives. Estonia called it “a matter of national survival.” All rather stirring. All built on the same unexamined foundation: Linux is open source, therefore it is ours.

The logic has a certain elegance. It also has a certain gap. Sovereignty is not a licence. It is governance: who decides what goes in, who decides what comes out, and whose laws apply when the two disagree.

The Deed

The Linux kernel had 11,089 active contributors in 2025, representing 1,780 organisations. That sounds rather democratic. The distribution of those contributions is rather less so: 84.3 per cent of commits came from corporate developers. The top contributors by volume: Intel, Google, Meta, Red Hat (IBM), Oracle, Microsoft, AMD. Overwhelmingly US-headquartered, US-jurisdiction companies.

Figure: Linux Kernel Contributions 2025. 11,089 contributors, 1,780 organisations, 84.3% corporate commits. Top contributors by commit volume: Intel (US), Google (US), Meta (US), Red Hat (IBM) (US), Oracle (US), Microsoft (US), AMD (US).

The Linux Foundation governs the ecosystem. Platinum membership costs $500,000 per year. Each Platinum member receives an individual board seat. All Gold members share three seats. All Silver members share one. Platinum members include Intel, Google, Microsoft, IBM, Oracle, Cisco, Qualcomm, Samsung, and Tencent. The Foundation pays Linus Torvalds’ salary.

Figure: Linux Foundation, Board Seat Allocation.
Platinum ($500,000/year): 9 individual seats (Intel, Google, Microsoft, IBM, Oracle, Cisco, Qualcomm, Samsung, Tencent)
Gold ($100,000/year): 3 shared seats
Silver ($5,000-$20,000/year): 1 shared seat

The GPL guarantees access to the code. It does not guarantee governance, direction, or independence from jurisdiction. Availability and sovereignty are not synonyms, however much the slide decks wish they were.

The Precedent

On 18 October 2024, Greg Kroah-Hartman, one of the most senior kernel maintainers, removed twelve Russian nationals from the kernel MAINTAINERS file. The stated reason: “various compliance requirements.” No community vote. No governance process. No appeal mechanism. US sanctions law, specifically OFAC regulations, required it.

Torvalds’ response was characteristically direct: “It’s entirely clear why the change was done, it’s not getting reverted.”

Figure: The Precedent, 18 October 2024. US OFAC sanctions law (Office of Foreign Assets Control, US Treasury): 12 Russian maintainers removed from MAINTAINERS. Community vote? None. Governance process? None. Appeal mechanism? None. Reverted? “No.”

The precedent is not that Russians were removed. Nations impose sanctions; one may agree or disagree with any particular set. The precedent is that US law determined who may contribute to the Linux kernel, and there was no mechanism within the project’s governance to challenge it. The kernel’s governance structure had no circuit breaker, no counter-authority, no process by which a non-US jurisdiction could have objected. The decision was made. The decision stood.

For a European government minister drafting a “digital sovereignty” strategy built on Linux, this should be the paragraph that keeps them awake. Not because the removal was wrong, but because it was possible, and nothing in the governance structure prevents it from happening again, to anyone, for any reason that US law deems sufficient.

The Governance Gap

Let us be precise about what the GPL does and does not guarantee.

The GPL guarantees that you can read the source code. It guarantees that you can modify it. It guarantees that you can distribute your modifications. These are substantial rights. They are also entirely beside the point when the question is governance.

Figure: Open Source ≠ Sovereignty.
GPL guarantees: read the source code; modify the source code; distribute modifications.
Sovereignty requires: governance influence; jurisdictional independence; development infrastructure; contributor independence.
One is a licence. The other is an architecture decision.

Governance means: who decides what features are added. Who determines the security model. Who chooses which hardware to support. Who sets the development roadmap. And, as October 2024 demonstrated, who determines which humans are permitted to contribute.

The development infrastructure tells its own story. The primary hosting platform is GitHub, owned by Microsoft. The kernel archives live on kernel.org, operated by the Linux Foundation, a US-incorporated entity. The toolchain, the CI systems, the mailing lists: all hosted on infrastructure subject to US law.

A European government building its “sovereign cloud” on Linux is building on land it does not own, governed by a foundation it does not control, subject to a jurisdiction it cannot influence. The deed is in someone else’s name. The source code is merely the view from the window.

The Fork Illusion

“But you can fork it!” The reflexive response to any governance concern in open source. And yes, technically, you can. The GPL expressly permits it.

Maintaining that fork is another matter entirely. The Linux kernel receives approximately 75,000 commits per year. 84.3 per cent of those come from the corporate pipeline: Intel engineers optimising for Intel hardware, Google engineers optimising for Google’s data centres, AMD engineers adding support for AMD chips. A European fork without that pipeline would need to replicate or replace that contribution volume independently. The French Gendarmerie runs 103,000 desktops on Linux. It took twenty years of sustained institutional commitment, and they still run upstream, not a fork.

Schleswig-Holstein is migrating 30,000 PCs to open-source desktops, saving an estimated 15 million euros per year. Admirable. But “migrating to Linux” is not “gaining sovereignty over Linux.” It is changing landlords (from Microsoft to the Linux Foundation) and hoping the new one is more agreeable.

The Alternative

Alternatives exist. They are not perfect, they are not turnkey, and they will not appear in a Gartner Magic Quadrant. But they demonstrate that a different governance model is possible.

Governance Comparison: Linux Foundation vs FreeBSD
Board: corporate seats ($500K) vs 9 elected members
Election: membership fee vs active committers vote
Funding: $273M revenue (2023) vs $2M donations (2024)
Jurisdiction: US (Delaware) vs US (Colorado)
Licence: GPL (copyleft) vs BSD (permissive)
Fork: requires GPL compliance vs no obligations to upstream
Note: the FreeBSD Foundation is also US-incorporated, but governance is not pay-to-play.

FreeBSD: an elected core team of nine members, chosen biennially by active committers, not by chequebook. A donation-funded foundation with a 2024 budget of $1.37 million for the OS and $673,000 for advocacy. No corporate board seats. No $500,000 entry fee. The BSD licence, permissive rather than copyleft, means a European entity can fork the entire system, maintain it independently, and owe nothing to the upstream project. No governance dependency. No jurisdictional strings.

This is not an advertisement for FreeBSD. It is an existence proof: that an operating system can be governed by its contributors rather than its sponsors, and that the licence can enable genuine independence rather than merely source access. Other projects with similar governance models exist. The point is not which one you choose. The point is that the choice exists, and Europe is not making it.

The Exit

Sovereignty is not a licence. It is not a press release. It is not a Gaia-X working group with a hundred-page PDF and no shipping code.

Sovereignty is governance. Who sits at the table. Whose laws apply when there is a dispute. Whose interests set the roadmap. And the first honest step is the simplest one: stop conflating “the source code is available” with “we are independent.”

One is a licence. The other is an architecture decision. Europe has optimised for the licence and neglected the architecture. The kernel question is not “can we read the code?” It is “who governs the machine?”

The answer, today, is a foundation in Delaware, funded by corporations in California, subject to sanctions law from Washington. The source code is open. The governance is not. And sovereignty built on borrowed land is not sovereignty at all.

The Numbers

For those who prefer their sovereignty with data:

Linux kernel contributors 2025: 11,089 developers, 1,780 organisations. Corporate commits: 84.3 per cent. Top contributors by volume: Intel, Google, Meta, Red Hat (IBM), Oracle.

Linux Foundation Platinum membership: $500,000 per year, individual board seat. Gold members: three shared seats. Silver members: one shared seat.

Russian maintainer removal: 18 October 2024, twelve developers, citing OFAC compliance. Torvalds: “It’s not getting reverted.”

FreeBSD Core Team: nine elected members, biennial election by active committers. FreeBSD Foundation 2024 budget: $1.37 million for the OS, $673,000 for advocacy. No corporate board seats. No pay-to-play governance.

French Gendarmerie (GendBuntu): 103,164 workstations, 97 per cent coverage, twenty years. Schleswig-Holstein: 30,000 PCs migrating, €15 million per year saved.