End Of Development For Grsecurity Announced?
vrtk writes "I received this minutes ago, from the grsecurity mailing list, also displayed on the official site for the open-source security project: 'Beginning today, May 31, 2004, development of grsecurity will cease. On June 7, the website, forums, mailing list, and CVS will be shut down. Due to a sponsor unexpectedly dropping sponsorship of grsecurity while continually promising payment, I began the summer in debt and had to borrow money from family to pay for food. If none of the companies that depend on grsecurity, some of them being very large, are able to sponsor the project, grsecurity will cease to exist. I am not looking for paypal donations at this point, unless those that donate do so with the recognition that despite their donation, grsecurity may still never be returning.'"
the sort of bastards that make $2500/hour being driven to country clubs to shake hands and joke about 'damned hippies'.
"What, we don't need to pay him?"
"Heh, yeah. Damn fool fell for that Open Source crap. He gets what he deserves."
"Well, Damn Dirty Hippies, etc. Oh, and pass the caviar."
Brad Spender is truly an Internet hero, a pioneer who made us all safer. He went about his work selflessly, with precision and excellence.
If ever there was a time to band together to save one of our own this is it. Brad has gone into debt while helping to make multi-billion dollar corporations safer. Perhaps at the end of the day they will come through for Brad, perhaps they will not. There must be some way that we can all help him regardless of what his corporate sponsors do.
How can it cease to exist? Isn't open source software forever? (well in some form or another) It may not be regularly updated (or updated at all by the looks of the article) but could still prove useful in the future...
Since the developers went and got all selfish about things like 'eating' and 'clothes'?
"Ignorance more frequently begets confidence than does knowledge"
- Charles Darwin
I have never heard of this project till today, but I would not be surprised if this is an all too often occurrence in the OSS world.
Hopefully he finds a new sponsor so that he can carry on. It really sucks when you put a lot of time and effort into something, then to have someone just pull the plug on you (completely out of your control) and to be then left with nothing.
Good luck.
Karma: -2147483648 (Mostly affected by integer overflow)
I'll tell IBM to shut down their Linux sponsorship and investment so in that case.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
Gee, this whole "capitalism" thing doesn't seem to be working out for a lot of people either
-Laxitive
It would be nice to know what it is.
Sorry to say this, but I feel that sponsorship is ultimately not a good way to run an OSS project.
:-)
If you rely on sponsorships, you have to expect this kind of thing to happen. It does. All the time.
If there are businesses which are using your software, then there should be a market for you in consulting. Consulting is a proven business model for OSS development. (Not that it is much more of a guarantee, but at least you have a contract.)
Not to mention that many big businesses view consulting and sponsorship as two very, very different things. It has to do with bookmaking. Money paid as consulting makes it more evident that you are providing a service than money marked down as 'sponsorship'.
Now, if your project is not commercially interesting, and you still want to get paid for doing it, perhaps you should be looking for a research position instead, if it's innovative enough.
And if it's not innovative nor commercially interesting.. Well then it's a hobby, goddamnit!
Sorry, but that's not how OSS development gets funded; you can't just put up some software on a web site and wait for donations.
Grsecurity looks like something you might be able to fund as part of a security consulting business. Or, if dealing with people is not your thing, you might be able to make a living writing books about security and how to use grsecurity. Or you might be able to do it on the side while working for a large company.
If grsecurity is as useful as you think, if there was a lively community around it, and if the code is usable, there is a good chance someone else will pick it up and actually build a successful business around it. If nobody continues development of grsecurity at this point, then it wasn't really a good, live open source project anyway--it was just some useful code released under the GPL.
Please don't complain about it: while your desire to create open source software is admirable, it is still your problem if you fail because you picked a naive business model.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
Or perhaps capitalism IS working, and this is the way for people to choose the projects they think are worth supporting.
If you forced users into paying - even if it's just a little bit - it wouldn't be free anymore.
I don't want to sound too much like a troll, but is it possible that this is a method to induce payment by the unmentioned sponsor? If the sponsorship was so crucial to the development of the project (which, as stated was done by a single individual for the most part) and the sponsor already has made use of the project, a change to another project, or relying on the OSS community to take over would be too costly or disruptive, that it may be in the best interest of the developer to come to this decision. I feel bad for Brad, grsecurity obviously is/was something he put a lot of time and effort into, and if matters have come up that prevent him from continuing, so be it. I don't, however, like the fact that "no one else is good enough to produce the quality work he has" or "lack the vision for the project", it seems to lack sincerity for some reason, and I wonder if his motives lie somewhere else.
I suppose finding support from other Linux organisations like Gentoo, SuSE (Novell) or RedHat could be a smart thing.
Source and documentation is not what keeps software alive. It is the working knowledge and contributions of the developers that keeps a project alive. You can release all the code you want, but until that code exists in someone else's head it is dead and stagnant.
That is one of the main differences between Linux and the Hurd (the other being iterative programming vs design everything first, code later). Linus actively facilitated contributions from others and as a result he ended up with a community of developers and a kernel far better than he could have done by himself, while Hurd limped along.
What amazes me is that it's automagically assumed that a code-cutter also has business sense to run a successful business.
:[
:(
Remember at the end of the day he's a code-cutter... not a suit... if he was a suit.. he wouldn't be a code-cutter now would he!
I must admit as a code-cutter I'm sick of many businesses' idea of 'yeah... let's get it under the GPL... we can use, abuse and not pay for it'.
Bad Karma to this idea of thinking...
These fat-cats still drive home to a nice warm bed, big meal and watch their TV.
How about flipping some $$'s towards the schmuck that did all your hard work and ensure he's still around next year when you have a real question about the software.
At the end of the day... nothing is FREE... someone pays... unfortunately with a lot of GPL.. it's normally the developer and his family.
The problem isn't the code itself, which will remain GPLed. But the problem is the code by itself isn't as useful since this is the kind of project that requires constant maintenance. Who's going to host the code? More crucially, who's going to maintain it and ensure it remains compatible with new kernel versions and modules? You? Didn't think so.
The fact anyone could host the project doesn't help unless someone actually does...
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
A large corporate sponsor vs. someone broke, in debt, and borrowing money from his family.
I can see it now. "Hey mom, I just got a letter saying if I continue my suit I'm being countersued for $47,000,000, can you loan me $250,000 for a good lawyer?"
I began the summer in debt and had to borrow money from family to pay for food. If none of the companies that depend on grsecurity, some of them being very large, are able to sponsor the project, grsecurity will cease to exist.
Another fine example of the open source business model.
Economics 101: Paying for something that your competitors get for free puts you at an economic disadvantage. Therefore, almost all companies will take open source software and not pay for it.
If General Motors gave away cars and asked for donations to cover R&D, production, etc., do you think that Hertz, Avis, Dollar, Enterprise, or any of the car rental firms would donate money to GM? Of course not. They would all take free cars for as long as GM was able and willing to give them away, though.
I will never understand why many professional software developers are proponents of open source. Buy a big-rig truck and start delivering goods for free. See how many Teamsters rally round you and cheer you on. You'll be lucky if you just get your knees broken.
End of story. Sometimes you can actually make a bit of money doing it. Sometimes you can make some damn good money doing it.
But in the end, open source == philanthropy and it's just a question of who is donating what. (time, money, advocacy, etc)
Just in case everyone forgot, open source was meant to satisfy a programming itch, not necessarily provide a living. The fact that so many coders are able to use it to maintain a standard of living is an unintended side effect.
Though it would be possible for others to handle maintenance of the project, the quality won't be held to the same standards and will not progress with the same goals I have set for the project.
Without a signed, insured contract what guarantee did the sponsor(s) have that the maintainer(s) was doing a competent job anyway? I guess they had the same guarantee the main dev had in getting paid, i.e. none.
No offense meant to the dev, but come the hell on. This is one of the weirdest cases of sour grapes I've read in the OS department.
It's almost blackmail. "Support me else I shut it down."
That's hardly in the spirit of Free Software.
Since when is the spirit of Free Software doing work that benefits others and expecting nothing in return? What any given author expects in return may vary, but expecting money isn't out of line. The author presumably has expenses related to the project and is well within his rights to state that he will not continue development if he can't find someone to offset those expenses.
Remember, though, that since the project is GPL'd, there's nothing stopping you or anyone else from downloading the source & taking over the maintenance & development for him. That's the spirit of open source.
The parent apparently doesn't know everything about how the Gentoo Hardened project and spender got along. To put it kindly, they didn't get along. The manager of the Hardened project did not agree with spender on much and they got into several outright flame wars in public. It got so bad a few weeks back, that solar, the person who maintains grsecurity for Gentoo, was trying to get the Hardened project broken out, simply to remove the Hardened manager from the equation.
I prefer the grsecurity patches to the other forms of additional kernel security and will be quite sad to see the project die. At the same time, I can't help but think that anyone who expects to make a living from their pet OSS project really needs to take a dose or two of reality. There's a reason that most OSS projects are someone's pet project and manned by volunteers. Companies want our software, and they don't want to pay for it. If they wanted to pay for it, they'd hire someone to write it and patent the hell out of it.
A previous poster had mentioned that consulting is the way to go for an OSS developer, and I can't help but agree with him. It is so much easier for companies to swallow and also it gives more legitimacy to your work, since you're being paid for what you do, rather than taking a handout simply for running a project that the sponsor has no control over.
If you develop open source software with any expectations of making money from it, you're in for a big letdown.
The big BIG problem for the FOSS business model for the little guy is some large company running off with the product and either offering it themselves, or in this case not bothering to contribute anything back.
And yes, software costs money to develop. Even if you do it in your spare time, that is time that could be spent on a profit earning venture. For better or worse, we live in a capitalistic society. You go to the supermarket, they will expect you to pay cash for what you buy.
And the FOSS zealots ARE partially responsible for poor young students / software developers spending huge amounts of their valuable time for free. All over slashdot the zealots will flame anyone who dares to suggest that to run a business you have to think past just simply offering FOSS software / services. It is always suggested that FOSS is the way of the future, all large companies are shifting to FOSS etc etc etc. Why do you think IBM loves Linux? Not because they have a love for their fellow human being - they can get it for free! They can undercut the opposition. If they are true believers in FOSS philosophy, where's the source code for DB2? Yeahh...suuure..they have fully embraced open source haven't they?
Yes, FOSS is a noble cause, but please PLEASE stop trying to convince kids that they will make money from their efforts. Consulting makes money for the little guy, developing FOSS doesn't.
I don't think anyone "in free software" thinks development has no cost. I think they are keenly aware what the cost is - usually their time.
It's only a few idiots who equate Free with free.
However I think your characterisation of open source development is either naive or trollish.
Yours Sincerely, Michael.
I read through the comments and it's all the same. People think it's a shame that this guy got shafted. Everyone agrees that what he did for Linux security was worthwhile and good work. Everyone also recognizes that large corporations are happily taking everything they want from open source without feeling obligated to support it.
While this guy paid "the ultimate price" by facing bankruptcy, or homelessness, and joblessness, this is not a new problem in the US economic society. People who give 120% at their jobs have typically been seen as little more than rubes by middle and upper management. There's something to be taken from all of this.
If you are a true geek/nerd you will remember back to school days when you were busy acing tests and pushing the class. You will remember the disgusted looks from your average classmates when you were solving complex physics/math/political problems in your head and they were busy looking out the window wondering when the bell would ring. As it turns out, it is those average classmates who now sit in positions of middle and upper management. They never needed to overachieve. Their family was comfortable and there was no pressure to excel. Now that they are no longer in the same class as the overachievers, but rather sitting in a position of control, they are ready to exact their revenge for years of intellectual humbling.
Middle managers and upper managers have no conscience. They see the world as something that they can milk dry without ever giving back. The system has become so skewed and top-heavy that, for the most part, they're right. Look at the average productivity of American workers. They've got us horse-whipped and scared sh_tless that we'll be the next ones scrambling to vacate before the bank forecloses on the mortgage and sends the repo man for the car. It would take years of happily firing overachievers before the actual impact of not getting any real productive work done begins to take any noticeable toll on them.
One previous poster pointed out, "At the end of the golfing day these guys still drive home in their Jags and BMWs to a $5 million dollar house on 30 acres of land and eat more caviar". It's the plain, unadulterated, grim truth. Unless Society, in general, grows a conscience and begins to fairly compensate people like Spender and the Grsecurity team then they (the management and the government officials that they're sleeping with) will work us all over until every last vein is dry. This isn't up to the government to legislate or the universities to come up with research funding. This is about the social responsibility of big corporations to start giving back. For all the limos, and private planes, and tax deductions, and stock investments which are artificially inflated by the retirement investments of the workers, you'd think that someone could cough up $75k/year to fund this guy.
+++ATHZ 99:5:80
C'mon guys. It's nothing like blackmail. In fact it demonstrates one of the great strengths of the spirit of free software.
One of the key benefits of open source is that if the originator of the product can't continue the project for any reason (bought by a competitor, switched to a closed-source model, got kicked out of parents' basement, got bored) - anyone's free to fork it and continue on.
He's just letting the community know that he's likely to move on and if people depend on it to fork the software now. It's still far more courteous than a commercial company going under _without_ any options for continued support for their customers.
Here are some real-world lessons that I learned the hard way:
;)
1. When it comes to business, it's every man for himself... you *really* have to see it that way or some other guy will eat your lunch.
2. Nothing personal, but fuck you. (you being anyone asking for money that isn't compelled by law or contractual obligation). It's simple really, you want people to give *you* their money... not the other way around, got that?
3. Never give anyone a break... that's not how rich men become rich. Do you think that they'd give you a break? Does your landlord give you a break on a month's back rent? How bout the cell phone company... sure, they'll let you skip the early opt-out penalty on your 2-year contract
4. Work for yourself... put yourself first 100% of the time. You're in business for you, no one else.
5. It's just business, nothing personal, but fuck you.
With point number 5 constantly in mind, go get 'em tiger. Enough of this cry-baby OSS/Free Software crap. This guy gave grsecurity away for free. No one made him do it. Let's all hope he learned a lesson, I sure as hell did.
Kudos to RMS and Torvalds for giving away top-notch software *and* for not expecting anything in return other than recognition... that's all I've ever given them, and all I ever will.
Somebody should take a collection
Why don't you take up a collection for the guy? Personally, I see this as a hard lesson that the guy just learned. If a company is promising you money then you should get it in a contract! If a company won't put it in a contract, you have two choices:
1. Tell them that you need the funds up front so you can afford to dedicate yourself to the project. If they won't do that, then you work on the project as time and money allow from your personal schedule and budget. You don't go into debt on the promise that a company is going to give you money. If it is important enough to the company they will give him the money or put it in a contract.
2. Don't do the work. If you do, don't complain about the losses you incur. It's your own bad choices that create the debt.
While the company might have done something sleazy, they have no legal obligation to pay him anything. He should not have sacrificed those funds on something so flimsy as a company's promise.
On the flipside if your employer's (giving you the benefit of the doubt there) checks to you started bouncing would you be in work on Monday or would you be at your lawyer's?
Writing software is work. You may enjoy it, it may be like the world's greatest crossword puzzle, and seeing everything actually do what it should can be better than sex. So what, I don't see any "Enjoyable profession", handing back paychecks en masse. This man has bills to pay, He has been forced to the point where he is tapping his family for cash and you call his not going forward Blackmail ???
Open Source programming is an act by and large of good samaritanism. It's important it helps everyone lead a richer life, but it sure as hell isn't an obligation for those doing the good deed.
As for the bit of "Support Me Or I Shutdown", that's true of everything and everyone, it's called starving to death and it's implicit.
LSM/SEL is on the main kernel branch. Am I the only one to see the obvious advantages of this? Yes, GRsec had some cute stuff that LSM/SEL doesn't have... yet. Want to hurry things up? Help develop LSM/SEL and stop whining about the loss of GRSec. GRSec was important in many ways, now things must go on.
Mind Booster Noori
Wooow. No wonder this guy is unemployed. *No*one* should trust him about security. Talk about a walking liability...
I thought this posting to debian-devel was fairly telling as well... especially the bit about withholding information on a known (to him only, apparently) vulnerability. I had a fairly high opinion of grsecurity up until that point, but these days I think that SE Linux is probably the way to go.
not plane, nor bird, nor even frog...
I would guess that it is in some ways much harder. You are giving away all of your unique IP, so some of those that might be your paying customers in a conventional model are simply using your software for free.
Of course you could argue that it is easier because you have access to tools, libraries, a community of debuggers and testers, and other advantages of open source. But none of those advantages actually brings in the cash, they just cut down on your expenses.
Besides, it doesn't sound like this guy was running a business, just asking for large donations. There is a difference.
Lasers Controlled Games!