Slashdot Mirror


End Of Development For Grsecurity Announced?

vrtk writes "I received this minutes ago, from the grsecurity mailing list, also displayed on the official site for the open-source security project: 'Beginning today, May 31, 2004, development of grsecurity will cease. On June 7, the website, forums, mailing list, and CVS will be shut down. Due to a sponsor unexpectedly dropping sponsorship of grsecurity while continually promising payment, I began the summer in debt and had to borrow money from family to pay for food. If none of the companies that depend on grsecurity, some of them being very large, are able to sponsor the project, grsecurity will cease to exist. I am not looking for paypal donations at this point, unless those that donate do so with the recognition that despite their donation, grsecurity may still never be returning.'"

7 of 306 comments

  1. Smells like a lawsuit by Anonymous Coward · · Score: 3, Interesting

    Sounds a lot like material breach of contract with them not coming through with the money. Or else they deliberately sabotaged it in order to own that dev space.

    1. Re:Smells like a lawsuit by YU+Nicks+NE+Way · · Score: 3, Interesting

      Nope -- there's no contract in a gift. A contract requires an exchange of value; a promise of a gift is never a contract.

  2. Re:the decision not to pay him was no doubt made b by kunudo · · Score: 4, Interesting

    I think someone should disclose the name of the sponsor that pulled out, not to flame them (well, maybe...) but so that others that might be depending on them get to re-evaluate the economics of their projects. Anyone know who it was?

  3. Re:Brad Spender Developer of GRSecurity is a Hero by Anonymous Coward · · Score: 4, Interesting

    Unfortunately you are correct and at the same time incorrect.

    1. The kernel developers have no real security experience at all. They are also stubborn and have a certain authority that simply does not get challenged. They actually simply refuse to see the points in being proactive and fixing security flaws with better architectures - they just want to fix individual tiny flaws.

    2. The kernels are developing. Even the "stable" branches. It's FEATURES that are frozen, not implementations. Grsecurity is very implementation-centric.

    3. There is internal politics in the kernel development team (the inferior exec_shield by RedHat, SELinux, kernel security model architecture, ..).

    4. Grsecurity's contents will be outdated very fast. A couple of small version numbers will make it take someone a bit more knowing to port the patches. Soon just the theories will remain and most likely in the current atmosphere no one will really pick the project back up on the tracks.

    5. Security is a hard thing to measure. Trying to convince pointy haired managers to pay for something that is FREE (hey, it's open source!) is nearly impossible.

    6. Grsecurity is the first package to really fix some fundamental security flaws widely in Linux systems. Spender IS a genuine hero. An unknown hero after a while since the mainstream development is so far off from the secure tracks.

    Sorry.. But it looks bad. Really like the dark ages for Linux security.

  4. Gentoo Hardened? by djcapelis · · Score: 5, Interesting

    I wonder if the Gentoo Hardened project will continue grsecurity development, they've done a bit of work with it anyways. Gentoo could certainly supply grsecurity with the needed webspace/cvs hosting etc...

    I wonder if that option was looked at before spender decided to give up. Does anyone have ideas on why this couldn't be done? Seems fairly simple to me..

    --
    I touch computers in naughty places

  5. Re:Grsecurity vs. Openwall by D_Gr8_BoB · · Score: 3, Interesting

    Solar Designer released the Openwall patch to kernel 2.4.26 on April 17th, three days after the kernel itself was released. That's pretty active maintenance if not development of new features. I like it because it tends to be more conservative than many other security patches out there.

  6. Let's sum up... by stienman · · Score: 3, Interesting

    So far my understanding is that

    GRSecurity:
    * Fixes the problems in Linux that normally make Linux hard to secure
    * Is very kernel version specific (ie, maintenance intensive)
    * Easy to use
    * Roughly equivalent to, or slightly better than, many other existing hardening 'patches'

    The author backs some of this up by saying: "Though grsecurity is licensed under the GPL, I am the sole developer and originator of ideas for the project. Though it would be possible for others to handle maintenance of the project, the quality won't be held to the same standards and will not progress with the same goals I have set for the project."

    So - it's either badly designed or grossly incomplete. Or both.

    If it is maintenance intensive then the system needs a redesign from the bottom up, or deeper - draw up new specifications keeping in mind the limitations of the system you are modifying.

    If it's grossly incomplete then there is little loss to the community. It may have been a great personal loss, but you should never, ever do what this developer did - float a loan for someone else which they could not personally handle. You don't have to be a business wizard in order to feed yourself.

    From Michael Gerber's book "E-Myth Revisited":
    Poor businesspeople work "in" the business - they're technicians who daily make the product or service. The business can't succeed without the individual, who may be a genius at providing a product or service but spends every day firefighting.
    Brilliant company owners work "on" the business. They build systems, processes, and techniques so the business runs smoothly. These awesome managers don't just solve problems, they invent solutions that eliminate problems forever, or that automatically deal with the issue when it comes up again. (emphasis mine)

    If this project requires constant maintenance, or cannot survive without this particular programmer, then it is firmly in the 'poor firefighting technician' category.

    Poor guy. I hope he gets on his feet and successfully finds something that fulfills his need to create. This obviously is not the kind of work he's cut out for, though, and I hope, for his sake, that he chooses not to allow further sponsorship of his work on this project.

    -Adam