Slashdot Mirror
End Of Development For Grsecurity Announced?
vrtk writes "I received this minutes ago, from the grsecurity mailing list, also displayed on the official site for the open-source security project: 'Beginning today, May 31, 2004, development of grsecurity will cease. On
June 7, the website, forums, mailing list, and CVS will be shut down. Due to a sponsor unexpectedly dropping sponsorship of grsecurity while
continually promising payment, I began the summer in debt and had to borrow money from family to pay for food. If none of the companies that
depend on grsecurity, some of them being very large, are able to sponsor the project, grsecurity will cease to exist. I am not looking for paypal
donations at this point, unless those that donate do so with the recognition that despite their donation, grsecurity may still never be
returning.'"
Sound a lot like material breach of contract with them not coming through with the money. Or else the deliberatly sabatoged it in order to own that dev space.
Chalk up another boot to the nuts for the little guy. Good luck to them in the future :(
Too bad! It was only last week that I heard that Grsecurity was so promising and more actively delevoped than, for example, Openwall
Since when is corporate monetary sponsorship necessary for an individual to develop open-source software?
I also submitted this story (rejected) and provided various informational links on this issue:
i nuxCaseStudy.pdf
l
t y.xml
For a comparison between Grsecurity and SELinux:
http://www.cs.virginia.edu/~jcg8f/GrsecuritySEL
They also document and explain many of the issues facing the LSM project as well:
http://www.grsecurity.org/lsm.php
It will be interesting to see how the Gentoo Hardened Project will respond to this as well as they have done a great deal of work with grsecurity and provided some exceptional Grsecurity documentation (for the 1.9.x series).
http://www.gentoo.org/proj/en/hardened/index.xm
http://www.gentoo.org/proj/en/hardened/grsecuri
It will be sad to see this project fade away, especially for those needing an expressive security RBAC/MAC/PAX system. Grsecurity, combined with PAX, provided a well rounded security system that was sensible, somewhat easy to learn, and easier to administrate thanks to the powerful gradm Learning capability.
Just wait some days till many firms and thousand of users will step up and offer support for such a usefull product. We'll talk again then, about the open source business model, my friend.
the sort of bastards that make $2500/hour being driven to country clubs to shake hands and joke about 'damned hippies'.
"What, we don't need to pay him?"
"Heh, yeah. Damn fool fell for that Open Source crap. He gets what he deserves."
"Well, Damn Dirty Hippies, etc. Oh, and pass the caviar."
Brad Spender is truly an Internet hero, a pioneer who made us all safer. He went about his work selflessly, with precision and excellence.
If ever there was a time to band together to save one of our own this is it. Brad has gone into debt while helping to make multi-billion dollar corporations safer. Perhaps at the end of the day they will come through for Brad, perhaps they will not. There must be some way that we can all help him regardless of what his corporate sponsors do.
how can it cease to exist? isnt open source software forever? (well in some form or another) it may not be regularly updated (or updated at all by the looks of the article) but could still prove useful in the future...
Is SourceForge not an option for this guy? That should relieve present/future hosting costs
I also looked around on the site for the license... is grsecurity released under the GPL? If so, how will it "cease to exist?" I thought the whole point of GPL/OSS was to prevent that sort of thing from happening.
If he didn't release it under the GPL/OSS license, then I have as much pity for the man as I would for MS losing its "sponsors."
My karma really hurts.
Is grsecurity GPL'ed or not? I always thought it was, which just means that the guy's involvement and leadership will be shut off, not those of others... it's a pain when the CVS tree and mailing list archives are gone but usually resuming development from a late snapshot isn't too bad. Maybe others had mirrored the CVS tree?
I have never heard of this project till today, but I would not be suprised if this is an all too often occurence in the OSS world.
Hopefully he finds a new sponser so that he can carry on. It really sucks when you put a lot of time and effort into something, then to have someone just pull the plug on you (completly out of your control) and to be then left with nothing.
Good luck.
does anybody know who is that sponsor that quit?
Support yourself by selling grsecurity tshirts and coffee mugs.
n:t:
somebody is going to take it "closed source" and then use the DMCA to prohibit anyone from looking for the GPL code inside.
What?
Gee, this whole "capitalism" thing doesn't seem to be working out for a lot of people either
-Laxitive
It would be nice to know what it is.
It's those pirates from the music industry. They steal software and never pay for it.
Karma: -2147483648 (Mostly affected by integer overflow)
I think someone should disclose the name of the sponsor that pulled out, not to flame them (well, maybe...) but so that others that might be depending on them get to re-evaluate the economics of their projects. Anyone know who it was?
Can't. He's not Indian.
I read it was Red Hat. Can't really believe that though; I mean why just Red Hat?!
I first heard baout it when it showed up in the kernel config menu. i wasn't sure what it was so I left it alone. To this day I've never quite understood what it did. I gather it was for hardening the kernel? I can't say I'm going to miss it since I never saw any use for it.
WURD!!
FOSS advocates love to talk about how "one day" there will be "thousands" of sponsors for these things (see sibling reply). But look at plain old art. It has been around a lot longer than sofware, and the artists still barely scrape by. I can't grasp how people think that the "software as art" model is going to be any different than the "art as art" model.
Karma: -2147483648 (Mostly affected by integer overflow)
I wonder if the Gentoo Hardened project will continue grsecurity development, they've done a bit of work with it anyways. Gentoo could certainly supply grsecurity with the needed webspace/cvs hosting etc...
I wonder if that option was looked at before spender decided to give up. Does anyone have ideas on why this couldn't be done? Seems fairly simple to me..
I touch computers in naughty places
Apparently you have not learned all the steps of OSS development.
You have successfully completed two stages:
1. Develop free software.
2. Run out of money.
And you quit at this point forgetting about the third step.
3. Launch a massive copyright-infringement patent-violation lawsuit against IBM and pay lawyers with stock.
Linux Gold Corporation that is. Sleezy metals company that hires people to push their stick. Could be the next Bre-X (I hope).
For those who don't know, grsecurity is a security oriented patch for the Linux kernel. It provides mandatory access controls, strengthens the chroot system call, adds /proc and filesystem protections, allows for kernel level auditing of almost everything, and includes the PaX patch to provide non-executable memory pages and address space layout randomization.
The MAC part, called RBAC for Role Based Access Controls, is very well done and the best I've seen. Configuration is very easy through a flat file interface. The system enforces that you have certain intelligent configurations set so you can't make simple mistakes destroying your security. It has a learning mode which will automatically give a least access ruleset for the whole system. Amazingly it actually works quite well. Also the learning mode can be turned on for individual roles or subjects making it easy to add a new program to a system with RBAC already running.
In my opinion grsecurity was the best hope for real security on linux for most people as it provides a comprehensive solution, is easy to set up, and it well engineered.
Sorry to say this, but I feel that sponsorship is ultimately not a good way to run an OSS project.
:-)
If you rely on sponsorships, you have to expect this kind of thing to happen. It does. All the time.
If there are businesses which are using your software, then there should be a market for you in consulting. Consulting is a proven business model for OSS development. (Not that it is much more of a guarantee, but at least you have a contract.)
Not to mention that many big businesses view consulting and sponsorship as two very, very different things. It has to do with bookmaking. Money paid as consulting makes it more evident that you are providing a service than money marked down as 'sponsorship'.
Now, if your project is not commercially interesting, and you still want to get paid for doing it, perhaps you should be looking for a research position instead, if it's innovative enough.
And if it's not innovative nor commercially interesting.. Well then it's a hobby, goddamnit!
Don't understand why would any company pay for open source project. If money is needed for the development, it is better having the competitors to pay for it. If the project ran out of funding, well, as long as the source code is there, no worry.
WTF slashdot??? When I pasted this in, there were no spaces in the links!
:(
There seems to be a bug with posting in links where a space is inserted at column 49. I've also seen this phenomenon happening at column 54 when previewing as 'Plain Old Text'.
Sorry about that, just remove any spaces in the links and they will work fine - at least until slashdotted into submission.
1) Open Source doesn't have viruses 'cause it isn't popular. /. is just a a colossal groupthink.
2) (some arbitrary version of windows) hasn't crashed on me, its rock-solid.
3) Aw,
and many more.....
This is the same guy that has threatened many competing projects. He goes to their development channels and claims to have found vulnerabilities in their software. He offers nothign useful, doesn't offer to disclose the bugs. If he isn't willing to disclose what he has found why bother making these claims...
This, I think is the single-most important problem Open-Source software is facing. Sponsors - Money. Since most of the software is free(both as in free-beer and freedom of speech), financially supporting the developers is a bit difficult. What can be done about this? All the big corporations using the open-software can be forced to pay a nominal amount - by nominal, I mean something very less than what a typical prorietary software owner charges. It should be a one-time nominal amount, with upgrades and patches available free of cost. Will it work? We sure can't afford to lose good software due to the lack of sponsors.
I took the time to respond to your post because I'm still waiting for K5 to load the front page. I type real slow.
</hat>
<hat type="tin-foil">
Microsoft, Baystar and SCO are connected, if we assume the grapevine is correct about Red Hat being the sponsor. It's no secret that those have played a big role in RH's latest endeavours.
</hat>
Marxist evolution is just N generations away!
I have used GR Security for quite some time, and its not that great loss.
/tmp race prevention
OpenWall was mentioned, but I preffer LIDS as a replacement to GRSecurity. The itens below where taken from GRSecurity site. All listed features are at LIDS either:
# Change root (chroot) hardening
#
# Extensive auditing
# Prevention of entire classes of exploits related to address space bugs (from the PaX project)
# Additional randomness in the TCP/IP stack
# A restriction that allows a user to only view his/her processes
# Every security alert or audit contains the IP address of the person that caused the event
Besides, LIDS has a clever ACL schema for file protection and a master password, that if an attacker gets root privileges, it could not exploit the machine completly.
Not only does he run out of money, he gets a slashdotting too. :(
It's the lameness filter preventing page widening. Just post real (tagged) links, mmkay?
Sorry, but that's not how OSS development gets funded; you can't just put up some software on a web site and wait for donations.
Grsecurity looks like something you might be able to fund as part of a security consulting business. Or, if dealing with people is not your thing, you might be able to make a living writing books about security and how to use grsecurity. Or you might be able to do it on the side while working for a large company.
If grsecurity is as useful as you think, if there was a lively community around it, and if the code is usable, there is a good chance someone else will pick it up and actually build a successful business around it. If nobody continues development of grsecurity at this point, then it wasn't really a good, live open source project anyway--it was just some useful code released under the GPL.
Please don't complain about it: while your desire to create open source software is admirable, it is still your problem if you fail because you picked a naive business model.
It would make it possible (maybe not popular) to license the use of the brand to registered corporations
... and then we'd have a tax on operating systems, just like in the one from Redmond. Why would we bother with it, then? I'd as soon switch to FreeBSD and stick with it. We can't have a double standard.
As for the grsecurity developer, it's unfortunate, but FOSS developers really do need a day-job. I understand him being angry at a sponsor who fell through on a contract, but holding the project hostage isn't really the decent thing to do.
Or perhaps capitalism IS working, and this is the way for people to choose the projects they think are worth supporting.
Based on the quality (sic) of the grandparent, the only response should be with "hat, ass".
It's not a bug, it's a feature. Really, it's intentional. I once wrote CmdrTaco about it and while he didn't say why he mentioned it was intentional.
From the link given in the story:
And:
How fucking hard was that? And this guy gets a +5 insightful. [shakes head in disbelief]
SteveM
PDF] SELinux and grsecurity: A Case Study Comparing Linux Security ... ... can allow or deny access to an object [1]). Both grsecurity and SELinux will respect ...
File Format: PDF/Adobe Acrobat - View as HTML
DAC if DAC permits less access than the respective MAC implementation.
www.cs.virginia.edu/ ~jcg8f/GrsecuritySELinuxCaseStudy.pdf - Similar pages
/* l'Intellect, Stupide ! " */
Here, I'll fix it. Your post with clickable links:
You might want to use HTML next time. Or you might not.Show me on the doll where his noodly appendage touched you.
I don't want to sound too much like a troll, but is it possible that this is a method to induce payment by the unmentioned sponsor? If the sponsorship was so crucial to the development of the project (which, as stated was done by a single individual for the most part) and the sponsor already has made use of the project, a change to another project, or relying on the OSS community to take over would be too costly or disruptive, that it may be in the best interest of the developer to come to this decision. I feel bad for Brad, grsecurity obviously is/was something he put a lot of time and effort into, and if matters have come up that prevent him from continuing, so be it. I don't, however like the fact that "no one else is good enough to produce the quality work he has" or "lack the vision for the poject", it seems to lack sincerity for some reason, and I wonder if his motives lie somewhere else.
I suppose finding support from other Linux organisations like Gentoo, SuSe(Novell) or RedHat could be a smart thing.
SIGN A FUCKING CONTRACT then instead of relying on their promises, pisso!
Results 1 - 10 of about 581 for files for bankruptcy
Hmm. Only 581 results? Capitalism seems to be working for more people than not
-Laxitive
Bad companies must be allowed to fail. Else you wind up with Soviet Union-style state supported industries where the industry pretends to pay the workers who pretend to work.
I think you are browsing at +1 moderation, and not seeing the context in which I made my post. Your point is the one I was trying to make, although I didn't state it explicitly.
:)
The subtler strains of sarcasm don't really come across well in text
-Laxitive
What amazes me is that it's automagically assumed that a code-cutter also has business sense to run a successful business.
:[
:(
Remember at the end of the day he's a code-cutter... not a suit... if he was a suit.. he wouldn't be a code-cutter now would he!
I must admit as a code-cutter I'm sick of many businesses idea of 'yeah... lets' get it under the GPL... we can use, abuse and not pay for it'.
Bad Karma to this idea of thinking...
These fat-cats still drive home to a nice warm bed, big meal and watch their TV.
How about flipping some $$'s towards the smuck that did all your hard work and ensure he's still around next year when you have a real question abuot the software.
At the end of the day... nothing is FREE... someone pays... unfortunately with a lot of GPL.. it's normally the developer and his family.
Prevent email address forgery. Publish SPF records for y
It took you 20 minutes to debug that?
I was in reality just trying to keep it simple by not using HTML.
Thanks for reworking it, I did not realize the issue with links and 'Plain Old Text'. I will definitely keep that in mind for next time!
Perhaps. But this one example isn't sufficient evidence for claims that the free software model fails.
About the 'software as art' mode. There is one crucial difference between art and software. Art has no implicit notion of providing functional value - it is inherently aesthetic in nature. Software is all about functional value. Code is not art. Code may be written artfully, but that's just a turn of phrase, and it's incorrect to read too much into it.
The code is art claim is usually made by people trying to tie it in to freedom of speech arguments. However, there's an easier way to go about that: code is speech.
I don't think people use the 'software as art' argument as a tie-in to economic models much.
-Laxitive
sourceforge! Or is there some reason why this project can't be hosted there?
Maybe this person should get funded the way that one bsd developer got.: http://bsd.slashdot.org/article.pl?sid=04/04/12/13 50249&mode=thread&tid=122&tid=185&tid=190&tid=98&t id=99
In addition i once had an idea: create a site where people can list "features" that should be implemented in a program and the person who implements that feature gets a certain amount of money - lets say 800$. However not one person pays the entire 800$ instead anyone who also really wants that feature implemented donates for example 50$.
Something like that could be useful for creating an entire exchange replacement. The person(s) wich adds the features to an existing leading oss collaboration program gets x amount of $.
How about that? Any ideas or thoughts?
Software is also based on iteration. Buying the 1.0 product of somebody isn't a reason to conclude the deal.
I'd like to see art use that model. Hey, this painting you are buying is 1.0. I have plans to improve it, I'll stop by and work on it some more while it's on your wall.
Gah, this is the first time I've responded to my own post. But seeing the responses, I think I must clarify:
My parent post was intended as a sarcastic quip at the post that it was responding to. Because the post I was responding to was moderated -1, my response shows up as a top-level post if you're browsing at +1 moderation. I'm not some bitter socialist.
I should have quoted the original post I was responding to. Sorry.
-Laxitive
"A verbal contract isn't worth the paper it's printed on."
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Sure, no problem. Now you know - and knowing is half the battle. G.I. Joe!
Show me on the doll where his noodly appendage touched you.
If someone does disclose the name of the sponsor, you would hope they disclose all the details of the agreement as well. There might have been certain clauses in there that allow the sponsor to back out whenever they feel necessary.
somebody is going to take it "closed source" and then use the DMCA to prohibit anyone from looking for the GPL code inside.
People would look for signature strings in suspiciously similar closed source products anyway, and if anything was found they'd be pretty much unable to whine. If you are found to be infringing on copyright yourself I think you have little right to try to invoke the DMCA as a defense.
I would think an outdated security system is much worse than no security system at all. In this respect not updating something really means to kill it.
Somebody should take a collection. This guy got screwed and, even though he is taking down the effort, and will not pursue further development. Somebody should help him to recover the funds that he's sacrificed as part of this effort.
IRC log excerpt for you people. The fact is, there will be NO grsecurity without Spender getting some money. Stop hammering his site. No one else is qualified to really carry on developing the Grsecurity. Maintaining (porting to next slightly modified kernels and stuff) perhaps but not truly keeping the development going.
e r.pdf
;) ;)
Look at also this:
http://grsecurity.net/~spender/researchpap
The guy is a genious. A real gem. He can't be replaced. It's not money or death for the project.
23:55 bleh, i wish a million people weren't doing cvs checkouts right now
23:55 haha
23:55 what i see it, that there will be few projects from it and most of it will die after one month
23:55 i agree
23:55 not to be arrogant or anything
23:55 no, but it is live
23:55 spender : i did it earlier...
23:55 but honestly i don't know of anyone that will take it to what i would have taken it to
23:55 and that's how it works
23:56 maybe because you're the only one that knows the code well
23:56 yes
23:56 well, it could be possible for someone to take it, but without RBAC
23:56 someone else would first need to read all of it a few times
23:56 and the people on slashdot don't get that
23:56 and where do you find someone with such security and kernel internals knowledge?
23:56 i don't think anyone could ever figure out gradm_newlearn.c
23:56 ms: lkml?
23:56 sleight : security?
23:56 lol
There is a truth here that points to the fundamental long-term problem for many free software projects.
/. since when do I need to know anything to have an opinion!), and I feel sorry for the guy whos brainchild this is, we can all learn from this tale of woe.
... everyone I knew who was in a band has gone on to get a 'proper' job - that doesn't mean they have all given up music, just that those who really believed in it are doing other things as well. Those who were only playing at being a rock star gave up years ago.
Whilst I know nothing of grsecurity (but heck this is
Very few of us have the privilege of sponsorship, or the luxury of independant funding (stand up Mr Stallman), and lets face it, most of our projects aren't as essential as the GNU system, the Kernel, XFree or Apache all of whom have some fairly serious backing in one form or another.
So what does this tell us?
It tells me that if you want free software to succeed, then you can't rely on your free software to provide you with an income. You CAN rely on your knowledge and skills as a consultant, or you can get another job, but if you go out there expecting patronage then you are bound to fail - in the same way that expecting to make it big in your garage band is a fairly uncertain way of earning a living
Giving up your pet project because it hasn't paid your way shows the same lack of principle - or maybe it shows that the project didn't have that much importance to the author.
Imagine where we would be if Linus had got bored, and got a proper job at Burger King 'cos his kernel idea was not going anywhere and he needed to eat. I can't imagine he would have given up on it. Why haven't the Hurd team given up yet?
Principle.
But let's remember, principles aren't about cash.
Just another reason not to use the GPL. Creative Commons has a license which allows for only non-commercial use (commercial users would have to pay for it), and there is always shareware, although Shareware is not applicable to this case.
Though it's difficult convincing linus that the linux security api sucks. If grsecurity dies, he'll have essentially little choice, as rsbac will be the only viable option.
It's to stop people writing really longs words and screwing up the table widths.
Make them actual links and you won't have that problem.
That's been my life for the last few years.
Whether with public projects or with private... it seems hard to get support of any kind from anyone in any community.
I've scraped through the last two years working for a company due to go out any minute because it beat dealing with creditors from the last time folks abandoned a project I was on left me holding all the cards.
I hope things work out better for this project. One thing I can say for certain is it sounds a whole pile more useful than just about anything I've worked on *wry grin*
Holy shit, it really is true after all: /. is at least ten times more interesting to read if you adjust your preferences to give "Flamebait" a +6 bonus.
I began the summer in debt and had to borrow money from family to pay for food. If none of the companies that depend on grsecurity, some of them being very large, are able to sponsor the project, grsecurity will cease to exist.
Another fine example of the open source business model.
Economics 101: Paying for something that your competitors get for free puts you at an economic disadvantage. Therefore, almost all companies will take open source software and not pay for it.
If General Motors gave away cars and asked for donations to cover R&D, production, etc., do you think that Hertz, Avis, Dollar, Enterprise, or any of the car rental firms would donate money to GM? Of course not. They would all take free cars for as long as GM was able and willing to give them away, though.
I will never understand why many professional software developers are proponents of open source. Buy a big-rig truck and start delivering goods for free. See how many Teamsters rally round you and cheer you on. You'll be lucky if you just get your knees broken.
it's as easy as looking @ the page's mirrors to see who the sponsor was, because the mirrors only display one sponsor:
Hypersec http://www.hypersec.co.uk/ hrm.
That's a sad story. Perhaps he can sell his story to Hollywood to make some money. Let this be a lesson for other young programmers: Unlike Richard Stallman wants you to believe, you really cannot make a living writing free software.
End of story. Sometimes you can actually make a bit of money doing. Sometimes you can make some damn good money doing it.
But in the end, open source == philanthropy and it's just a question of who is donating what. (time, money, advocacy, etc)
Just in case everyone forgot, open source was meant to satisfy a programing itch, not necessarily provide a living. The fact that so many coders are able to use it to maintain a standard of living is an unintended side effect.
Though it would be possible for others to handle maintenance of the project, the quality won't be held to the same standards and will not progress with the same goals I have set for the project.
Without a signed, insured contract what guarantee did the sponsor(s) have that the maintainer(s) was doing a competent job anyway? I guess they had the same guarantee the main dev had in getting paid, i.e. none.
No offense meant to the dev, but come the hell on. This is one of the weirdest cases of sour grapes I've read in the OS department.
One of the wonderful things about the legal system is that you have no money, you have little chance to get any justice. I guess the guy took Red Hat to be an honorable company whose word could be trusted.
Shame on Red Hat for promising to sponsor the project and then reneging. At this point I'm glad that I switched to SuSE
Wow, you have just created a place where software _truly_ will be written according to capitalist rules. It will be like an auction, where the programmer that asks the least will snatch the bid, and it is absolutely location independent.
Then how will you compete with India?
Maybe that is the future. We will have to get used to that none of that development will be done in the U.S. At least not by anyone that doesn't live with his parents.
The Internet is full. Go Away!!!
If you develop open source software with any expectations of making money from it, you're in for a big letdown.
I doubt it is Red Hat, they don't use GRSecurity, they use SELinux (which is IMNHO a better long term solution).
As far as willingness to pay goes, I am a thousand times more likely to give money to a programmer that makes something I use and just asks for it, as opposed to nagware or crippleware, which I will either do without or find another alternative for every time.
The big BIG problem for the FOSS business model for the little guy is some large company running off with the product and either offering it themselves, or in this case not bothering to contribute anything back.
And yes, software costs money to develop. Even if you do it in your spare time, that is time that could be spent on a profit earning venture. For better or worse, we live in a capitalistic society. You go to the supermarket, they will expect you to pay cash for what you buy.
And the FOSS zealots ARE partially responsible for poor young students / software developers spending huge amounts of their valuable time for free. All over slashdot the zealots will flame anyone who dares to suggest that to run a business you have to think past just simply offering FOSS software / services. It is always suggested that FOSS is the way of the future, all large companies are shifting to FOSS etc etc etc. Why do you think IBM loves Linux? Not because they have a love for their fellow human being - they can get it for free! They can undercut the opposition. If they are true believers in FOSS philosophy, wheres the source code for DB2? Yeahh...suuure..they have fully embraced open source havent they?
Yes, FOSS is a noble cause, but please PLEASE stop trying to convince kids that they will make money from their efforts. Consulting makes money for the little guy, developing FOSS doesnt.
A man walks into a bar, and takes a seat up at the end. The regular patrons are all sitting around, and occasionally in their conversations, one of them will call out a number and be greated by uproarious laughter from the multitude.
After a while, the man asks the bartender, "What's the scoop? That guy just called out '26', and everyone thought it was the funniest thing since Steve Martin - I don't understand."
The bartender replied, "Well, all my regulars have been here so long, they know all of each others jokes. To save time, we just drew up a chart, and now we refer to them by number."
"Oh," thought the man, "I see. Mind if I give it a go?"
"Be my guest." said the bartender. So the man walked down to the crowded part of the bar and said, "Hey guys... #43!"
The crowd went absolutely nuts, people falling off their barstools laughing, holding their sides, spilling their drinks. The man somewhat worriedly asked the bartender, who was himself leaning up against the back of the bar and wheezing with laughter, "What did I just do?!" The bartender replied, "Haha! We've never heard that one before!"
I read through the comments and it's all the same. People think it's a shame that this guy got shafted. Everyone agrees that what he did for Linux security was worthwhile and good work. Everyone also recognizes that large corporations are happily taking everything they want from open source without feeling obligated to support it.
While this guy paid "the ultimate price" by facing bankruptcy, or homelessness, and joblessness, this is not a new problem the US economic society. People who give 120% at their jobs have typically been seen as little more than rubes by middle and upper management. There's something to be taken from all of this.
If you are a true geek/nerd you will remember back to school days when you were busy acing tests and pushing the class. You will remember the disgusted looks from your average classmates when you were solving complex physics/math/political problems in your head and they were busy looking out the window wondering when the bell would ring. As it turns out, it is those average classmates who now sit in positions of middle and upper management. They never needed to overachieve. Their family was comfortable and there was no pressure to excel. Now that they are no longer in the same class as the overachievers, but rather sitting in a positon of control, they are ready to exact their revenge for years of intellectual humbling.
Middle managers and upper managers have no conscience. They see the world as something that they can milk dry without ever giving back. The system has become so skewed and top-heavy that, for the most part, they're right. Look at the average productivity of American workers. They've got us horse-whipped and scared sh_tless that we'll be the next ones scrambling to vacate before the bank forcloses on the mortgage and sends the repo man for the car. It would take years of happily firing overachievers before the actual impact of not getting any real productive work done begins to take any noticeable toll on them.
One previous poster pointed out,"At the end of the golfing day these guys still drive home in their Jags and BMWs to a $5 million dollar house on 30 acres of land and eat more caviar". It's the plain, unadultered, grim truth. Unless Society, in general, grows a conscience and begins to fairly compensate people like Spender and the Grsecurity team then they (the management and the government officials that they're sleeping with) will work us all over until every last vein is dry. This isn't up to the government to legislate or the universities to come up with research funding. This is about the social responsibility of big corporations to start giving back. For all the limos, and private planes, and tax deductions, and stock investments which are artificially inflated by the retirement investments of the workers, you'd think that someone could cough up $75k/year to fund this guy.
+++ATHZ 99:5:80
just take a look at OpenPaX for a version of GrSecurity that also aims for modularity so that parts of it may get merged into mainline. Right now OpenPaX is GrSecurity minus RBAC. How bad/good SELinux might be we already have it in mainline and should use/replace/extend it.
First of all we need to get the randomization/restriction features of OpenPaX into mainline and can thereafter think about exec-shield vs PaX and which RBAC is best...
linux is fast as hell but it should be safe/secure too
Open source at it's best...blame THIS one on MS...
Somebody should take a collection
Why don't you take up a collection for the guy? Personally, I see this as a hard lesson that the guy just learned. If a company is promising you money then you should get it in a contract! If a company won't put it in a contract, you have two choices:
1. Tell them that you need the funds up front so you can afford to dedicate yourself to the project. If they won't do that, then you work on the project as time and money allow from your personal schedule and budget. You don't go into debt on the promise that a company is going to give you money. If it is important enough to the company they will give him the money or put it in a contract.
2. Don't do the work. If you do, don't complain about the losses you incur. It's your own bad choices that create the debt.
While the company might have done something sleazy, they have no legal obligation to pay him anything. He should not have sacrificed those funds on something so flimsy as a copmany's promise.
While I agree that capitalism is "the nuts", that is possibly one of the worst formed arguments I have ever heard on slashdot, and I've been reading at -1 for about seven ( seven?! could it be seven? ) years. Congratulations.
They want e-mails about donations to be sent at spender@grsecurity.com .... :-)
Nandz.
I may be being naive, but if it's as good as people say it is. Why won't the kernel team commit it?
What are the disadvantages to having more security in the kernel to begin with? If it were unstable I could understand (but.. I'm gathering that because it's secure it's also stable). There's also the little bit of then not having 1 developer handling it. As the new patches break it, it will slowly be updated before the next release and so on. I'm sure some kernel maintainer out there is interested in security.
They can make it optional, even if it's automatically off by default, it'd make things a lot simpler.
I read the 'comparative to LSM/SEL' links posted above, they are hardly complete, and while they may be arguably correct pont for point I couldn't agree with them.
If GRSEC is so good why have I never heard of any fully developed policy models? SE-Linux can run pretty much out of the box on a fully-featured server. I've run it without undue difficulty on 3 different distributions.
Spender and the RSBAC people both like to get up and say tbat LSM is no good. Lots of reasons are given e.g. "it doesn't provide full Bell-LaPadula security assurance" or "parts are patented".
I would counter:
Both grsec and rsbac are piecemeal solutions, pretty much a hodgepodge of admittedly good ideas patching the kernel to implement 'security'. By comparison LSM/SEL are integrated into the mainline kernel now, and the chosen perimiter is a pretty good one for practically improving Unix (Linux) security issues.
The 'Bell-La Padula' argument basically is complaining that SEL isn't setup for MLS (Multi-level-secure) so it must be no fscking good (TM). This of course is neglecting that the *target* audience for MLS computing (CIA, NSA, DOD ...) have given up on it, my understading is that most MLS implementations have been replaced with air-gapped systems to deal with the levels.
Now if the intended users if MLS (class B and A TCSEC evaluated systems) who have very deep pockets indeed have scrapped them who the hell are the targetted users?
As an amusing side story the founder of a distribution based on RSBAC not only had no idea about this when he started the project, he also had no idea what MLS was and had never read word one of the TCSEC. And when he did he was suddenly wondering how to get evaluated (for a certification that's no longer even available).
So basically I think Spender is interested in being *right*, not interested in doing collaborative work and when something better (in the sense of *practical and useful* came along he had little more to do than poke technical holes in it.
So I'm not in the least surprised that he's losing his funding. LSM/SEL is available, works now and is cost-effective to actually use on production servers.
It's the easiest thing in the world to point out that someone else's system design is not perfectly secure. However practical security is more a matter of practice and process than design anyway. And in the final analysis if you're not willing to make something that actually works (and to work with others to achieve that) then you're gonna have a hard time finding customers.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
Keep in mind this company was charitable enough to sponsor and open source project - something which probably never brought them much money.
If a former sponsor is hated for no longer giving their hard-earned money, who the hell would want to sponsor a bunch of ungreatful hippies er... people in the future?
Patent: from Latin patere, to be open
So far my understanding is that
GRSecurity:
* Fixes the problems in Linux that normally make Linux hard to secure
* Is very kernel version specific (ie, maintenance intensive)
* Easy to use
* Roughly equivilant to, or slightly better than, many other existing hardening 'patches'
The author backs some of this up by saying: "Though grsecurity is licensed under the GPL, I am the sole developer and originator of ideas for the project. Though it would be possible for others to handle maintenance of the project, the quality won't be held to the same standards and will not progress with the same goals I have set for the project."
So - it's either badly designed or grossly incomplete. Or both.
If it is maintenance intensive then the system needs a redesign from the bottom up, or deeper - draw up new specifications keeping in mind the limitations of the system you are modifying.
If it's grossly incomplete then there is little loss to the community. It may have been a great personal loss, but you should never, ever do what this devloper did - float a loan for someone else which they could not personally handle. You don't have to be a business wizard in order to feed yourself.
From Michael Gerber's book "E-Myth Revisited":
Poor businesspeople work "in" the business - they're technicians who daily make the product or service. The business can't succeed without the individual, who may be a genius at providing a product or service but spends every day firefighting.
Brilliant company owners work "on" the business. They build systems, processes, and techniques so the business runs smoothly. These awsome managers don't just solve problems, they invent solutions that eliminate problems forever, or that automatically deal with the issue when it comes up again.(emphasis mine)
If this project requires constant maintenance, or cannot survive without this particular programmer, then it is firmly in the 'poor firefighting technician' category.
Poor guy. I hope he gets on his feet and succesfully finds something that fulfills his need to create. This obviously is not the kind of work he's cut out for, though, and I hope, for his sake, that he chooses not to allow further sponsership of his work on this project.
-Adam
...I'm all pissy because no one will pay me for the 'free' software that I decided to develop.
grsecurity by Brad Spengler
gewg_
Yep, without a company backing things up, open source is as vulnerable or maybe more vulnerable to closed source, but don't mention that around the fucking zealots here.
He worked full time and a few $BIG_COMPANIES promised him $XYZ in payment if he delivered $ABC.
He delivered $ABC, and those $BIG_COMPANIES did not deliver $XYZ in payment.
If he has an agreement in hand (and it's for a sufficient amount of $$), you would think a lawyer will take the case.
If so, Brad will eventually get at least partial payment (minus lawyer's fees), but the **project** gets (irretrievably?) stalled.
gewg_
see here for an example of his adolescent attitude.
He is a person sits on exploits so he can release them at opportune times to make his project look good and other projects look bad, rather than taking the correct path: reporting the bugs to the developers so they can be fixed. I.e he is simply a blackhat, pretending to be something he is not. I wouldn't trust my security to someone who behaves like this.So, in theory, the community at large gets to use MySQL "for free" (thus giving MySQL a large user, test and debugging base), while commercial clients that desire accountability and support can get the commercial license (thus paying for all the developers and, I guess, millions of free users). It sounds cockeyed, but apparently it's working for them. Isn't this a good possibility for Open Source projects to make money while still remaining true to the spirit of the GPL?
Promises are well - promises. If was supposed to get money for developing feature XYZ, put it in a contract. Kinda like one of those "bounty" contracts, you could have multiple bounties from different companies for the same feature.
Companies don't like to pay for what their competitors get for free. But if you can round them up and say "For X$ from each of you, I will develop feature Y" they're much more likely to agree. If they don't really want to pay that, you'll know up front, before you are in debt and before doing free work for them.
If this sounds too business-like, well he was trying to make a business writing code. So he should have acted a bit more like a business too. No, hobby coders don't need this. But if this had just been his hobby, we wouldn't be having this discussion...
Kjella
Live today, because you never know what tomorrow brings
OpenBSD provides the same main features as GRsecurity :
- Non-executable stack
- Non-executable heap (W^X)
- mmap() and malloc() randomization
- Source port randomization
- per-user firewall using pf and the "user" directive
There has been only one person on #adamantix ever who insisted on discussing MLS, BLP, TCSEC, LSM and SELinux. It's nice to see that this person has found a much more appropriate outlet for ranting about these subjects.
Groetjes,
Peter Busser (founder of an RSBAC based distribution called Adamantix)
Well well...
You can not develop free software in a world where no baker bakes free bread. That's called capitalism you know.
Feel free to move to North Corea or sth. They will give you free bread for free sw.
http://www.marxists.org/
J
This post by Marius Amodt Eriksen is most insightful.
You have never heard of any fully developed policy models? You are supposed to run the automatic learning that is the biggest part of Spender's work. It makes you what you need, the really least working set of rights for your individual setup.
The rules generated with the newest versions are accurate and extremely tight. It is a painless and very working system. That is why no one is distributing ready policies.
it's not redhat, but a company from a country south to the US (err, trying to be politically correct here and not implicate the entire nation down there).
Though it would be possible for others to handle maintenance of the project, the quality won't be held to the same standards and will not progress with the same goals I have set for the project.
Anyone else think that's kind of a load?
tinfoilmedia
Understandable reaction, and might even be an accurate description of what happened. But there's a lesson in there, too - if you need money in exchange for what you do, your first jobs should be sales and accounts receivables, followed possibly by legal and marketing, then development or whatever else it is you do.
Clients will wait to the last possible moment to give you any money, 'forgetting' they were supposed to. How much worse will donations be?
It's unfortunate, but true, and not at all a poor reflection on developers like this one. When people are willing to copy software, music and movies illegally, just think how little insentive they have for giving money when they don't have to to something they can freely use.
I would guess that it is in some ways much harder. You are giving away all of your unique IP, so some of those that might be your paying customers in a conventional model are simply using your software for free.
Of course you could argue that it is easier because you have access to tools, libraries, a community of debuggers and testers, and other advantages of open source. But none of those advantages actually brings in the cash, they just cut down on your expenses.
Besides, it doesn't sound like this guy was running a business, just asking for large donations. There is a difference.
Lasers Controlled Games!
Fuck you.
That was fun, and it didn't cost a thing!
You could use the Schneier's Street Performer protocol with Open Source software. The idea is simply this: release the next version of the software only after a certain amount of money has been received. Repeat.
Of course this doesn't work if the entire development is in a publicly readable place e.g. a CVS repository, so the access to that should be restricted. The released version would be Open Source, of course. Some would not pay and still copy it, but who cares, it's Open Source! If nobody pays, there will be no further versions.
Also, there's nothing wrong in writing Open Source software, but you would be crazy to do it as your day job without funding. Write it as a hobby, the way it should be. Fund it with something else, if need be. Also, don't get involved with companies without a good lawyer and written contracts.
When you are inside a system which is built on the concept of money, you have to take that into account. If the world was Open Source, everything for free to everyone, and you'd have the idea of Money brought into it, the idea would probably not live long, since it's alien to that system. Likewise in reality... Don't start playing with money unless you want to play by the rules that powerful idea requires.
Or, you could write a new license which demands all corporations and other for-profit entities to pay for using that software, but non-profits and individuals would get away for free like it is now. Kind of like the Qt license.
I do not moderate.
That was an insightful and informative post but some of the open source fanatics modded it down so people would not see it. Why the ____ don't I have mod points when I need them?
SEL's permissive mode can be used the same way and the same for OpenBSD's systrace.
The problem is that for this to work in a production environment, you may well need to exercise all branches of the code you're running.
What are you planning to tell the boss when your Oracle or Mysql db throw an exception that you didn't happen to hit during trial runs? How are you going to roll out linux+grsec+mozilla to secure an enterprises desktops and expect that all legitimate behaviors have been covered?
I believe you when you say grsec's tool is better than the others, however *designing* a policy (and having an environment that facilitates design e.g. Type/Domain in Flask) is a different and arguably better approach.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
- Unlike GRsecurity, it is available under a free license
- It won't wither on the vine if one person (even Theo) goes away
- Most importantly, it doesn't suck.
nobody A slashdot link to the Donations Page convinced me. 1-2 donations a week is TERRIBLE!
Well, guess we know what #2 is:
Assume I was drunk when I posted this.