End Of Development For Grsecurity Announced?

vrtk writes "I received this minutes ago, from the grsecurity mailing list, also displayed on the official site for the open-source security project: 'Beginning today, May 31, 2004, development of grsecurity will cease. On June 7, the website, forums, mailing list, and CVS will be shut down. Due to a sponsor unexpectedly dropping sponsorship of grsecurity while continually promising payment, I began the summer in debt and had to borrow money from family to pay for food. If none of the companies that depend on grsecurity, some of them being very large, are able to sponsor the project, grsecurity will cease to exist. I am not looking for paypal donations at this point, unless those that donate do so with the recognition that despite their donation, grsecurity may still never be returning.'"

Smells like a lawsuit

Sound a lot like material breach of contract with them not coming through with the money. Or else the deliberatly sabatoged it in order to own that dev space.

Re:Smells like a lawsuit

[frisket]

Promises of sponsorship from corporations should be treated as theory, not fact. The only thing that matters is the cash or the credit in your bank account: even a certified check isn't worth a wet fart until it's lodged and cleared.

Corporations are inherently risky to deal with: after all, the reason they incorporated in the first place was to shelter behind the protection of the joint stock limited liability company where their identity can be anonymous and their liability limited.

Re:Smells like a lawsuit

[ttsalo]

Yea, but you need piles of money to go to court to get money. Catch 22.

Re:Smells like a lawsuit

[ron_ivi]

Sounds like an easy lawsuit.

A large corporate sponsor vs. someone broke, in debt, and borrowing money from his family.

I can see it now. "Hey mom, I just got a letter saying if I continue my suit I'm being countersued for $47,000,000, can you loan me $250,000 for a good lawyer?"

Re:Smells like a lawsuit

[YU+Nicks+NE+Way]

Nope -- there's no contract in a gift. A contract requires an exchange of value; a promise of a gift is never a contract.

Re:Smells like a lawsuit

[passthecrackpipe]

Yeah - exactly my thoughts. How does this work?

1.) Do open source project in spare time
2.) Realise people like my stuff and use it
3.) get sacked/quit/start business based on project
4.) ????
5.) Don't profit
6.) Shut down project

While I must confess to not knowing all the sordid details, I see this kind of stuff all the time - people start a business based on an open source model, without realising that it really is pretty hard - just as hard as running a business on a conventional model. They then act as if the whole world owes them a living.....

Re:Smells like a lawsuit

[ibbey]

It's almost blackmail. "Support me else I shut it down."

That's hardly in the spirit of Free Software.

Since when is the spirit of Free Software doing work that benefits others and expecting nothing in return? What any given author expects in return may vary, but expecting money isn't out of line. The author presumably has expenses related to the project and is well within his rights to state that he will not continue development if he can't find someone to offset those expenses.

Remember, though, that since the project is GPL'd, there's nothing stopping you or anyone else from downloading the source & taking over the maintenance & development for him. That's the spirit of open source.

Re:Smells like a lawsuit

[sydb]

I don't think anyone "in free software" thinks development has no cost. I think they are keenly aware what the cost is - usually their time.

It's only a few idiots who equate Free with free.

However I think your charaterisation of open source development is either naive or trollish.

Re:Smells like a lawsuit

[ron_ivi]

"It's almost blackmail. ... That's hardly in the spirit of Free Software."

C'mon guys. It's nothing like blackmail. In fact it demonstrates one of the great strengths of the spirit of free software.

One of the key benefits of open source is that if the originator of the product can't continue the project for any reason (bought by a competitor, switched to a closed-source model, got kicked out of parents basement, got bored) - anyone's free to fork it and continue on.

He's just letting the community know that he's likely to move on and if people depend on it to fork the software now. It's still far more courtious than a commercial company going under _without_ any options for continued support for their customers.

Re:Smells like a lawsuit

[Crashmarik]

On the flipside if your employers (giving you the benefit of the doubt there) checks to you started bouncing would you be in work on monday or would you be at your lawyers ?

Writing software is work. You may enjoy it, it may be like the worlds greatest crossword puzzle, and seeing everything actually do what it should can be better than sex. So what, I don't see any "Enjoyable profession", handing back paychecks en masse. This man has bills to pay, He has been forced to the point where he is tapping his family for cash and you call his not going forward Blackmail ???

Open Source programming is an act by and large of good samaritanism. Its important it helps everyone lead a richer life, but it sure as hell isnt an obligation for those doing the good deed.

As for the bit of "Support Me Or I Shutdown", thats true of everything and everyone its called starving to death and its implicit.

Re:Smells like a lawsuit

[David+Jensen]

"If you do \foo\, I will do \bar\" can be enforced because of reliance on the offer.

If your require performance of some sort to qualify for the 'gift' it is no longer just a gift.

Re:Smells like a lawsuit

[O0o0Oblubb!O0o0O]

This is not necessarily true. In Germany, for example, a gift is a binding contract which is formed when the beneficiary accepts the offer. It has to be in written form though. Oral promises are not binding unless the gift has already changed hands, which makes it non-revokeable.

Re:Smells like a lawsuit

[m1kesm1th]

It's almost blackmail. "Support me else I shut it down."

blackmail ( P ) Pronunciation Key (blkml)
n.

Extortion of money or something else of value from a person by the threat of exposing a criminal act or discreditable information.
Something of value extorted in this manner.
Tribute formerly paid to freebooters along the Scottish border for protection from pillage.

Nope, its not blackmail or even almost blackmail or remotely blackmail.

You're incorrectly quoting the guy also, its less "Support me else I shut it down." and more "Though grsecurity is licensed under the GPL, I am the sole developer and originator of ideas for the project." He is and even if you disagree with him ending the project, you should at least respect him for the work he has done. Its far easier for a larger community to share costs and work amongst themselves and berate others for not having the time/money to continue.

The guy said he's not looking for paypal donations, which means he isn't looking for handouts. What he is looking for is the support that was promised to him.

Since its GPL'd if it needs to continue, then the companies, if they really need the Free Software to be developed, can create a fork of their own.

The spirit of Free Software does encompass support from the community, particular in the form of both Work, Time and Finance. Software isn't Free. It costs time and money to continue, considering he is asking Family for food, I seriously doubt he is able to continue. Additionally just because he started the project, doesn't mean he is compelled to continue it indefinitely.

Or, on the flip side, sounds more like a child throwing toys out of the preverbial pram.

I don't think its like throwing toys out of a proverbial pram, its more like telling it the way it is. I don't know looking at the comments made, they seem less like an argument and more like thrown insults themselves.

Re:Smells like a lawsuit

[Billly+Gates]

Agreed.

Also the main developers does it "for a living" so money is important.

I suppose he could just hand the code to the FSF or Linus to maintain.

But if that is the case he needs developers to donate their time. He could still donate his time of course but will be quite limited if he has another job.

Time for others to step up to the plate to help work on it.

Damn shame

[darth_MALL]

Chalk up another boot to the nuts for the little guy. Good luck to them in the future :(

Grsecurity vs. Openwall

[JuliusRV]

Too bad! It was only last week that I heard that Grsecurity was so promising and more actively delevoped than, for example, Openwall

Re:Grsecurity vs. Openwall

[D_Gr8_BoB]

Solar Designer released the Openwall patch to kernel 2.4.26 on April 17th, three days after the kernel itself was released. That's pretty active maintainance if not development of new features. I like it because it tends to be more conservative than many other security patches out there.

Additional information

[ccTech]

I also submitted this story (rejected) and provided various informational links on this issue:

For a comparison between Grsecurity and SELinux:
http://www.cs.virginia.edu/~jcg8f/GrsecuritySELi nuxCaseStudy.pdf

They also document and explain many of the issues facing the LSM project as well:
http://www.grsecurity.org/lsm.php

It will be interesting to see how the Gentoo Hardened Project will respond to this as well as they have done a great deal of work with grsecurity and provided some exceptional Grsecurity documentation (for the 1.9.x series).
http://www.gentoo.org/proj/en/hardened/index.xml
http://www.gentoo.org/proj/en/hardened/grsecurit y.xml

It will be sad to see this project fade away, especially for those needing an expressive security RBAC/MAC/PAX system. Grsecurity, combined with PAX, provided a well rounded security system that was sensible, somewhat easy to learn, and easier to administrate thanks to the powerful gradm Learning capability.

Re:Additional information

[Elendur]

Openbsd does not have mandatory access controls grsecurity's RBAC. Also, other systems which do provide them don't have the ease of configuration of RBAC or the excellent learning mode.

the decision not to pay him was no doubt made by..

the sort of bastards that make $2500/hour being driven to country clubs to shake hands and joke about 'damned hippies'.

"What, we don't need to pay him?"

"Heh, yeah. Damn fool fell for that Open Source crap. He gets what he deserves."

"Well, Damn Dirty Hippies, etc. Oh, and pass the caviar."

Brad Spender Developer of GRSecurity is a Hero

[phunster]

Brad Spender is truly an Internet hero, a pioneer who made us all safer. He went about his work selflessly, with precision and excellence.

If ever there was a time to band together to save one of our own this is it. Brad has gone into debt while helping to make multi-billion dollar corporations safer. Perhaps at the end of the day they will come through for Brad, perhaps they will not. There must be some way that we can all help him regardless of what his corporate sponsors do.

Re:Brad Spender Developer of GRSecurity is a Hero

Unfortunately you are correct and at the same time incorrect.

1. The kernel developers have no real security experience at all. They are also stubborn and have a certain authority that simply does not get challenged. They actually simply refure to see the points in being proactive and fixing security flaws with better architectures - they just want to fix individual tiny flaws.

2. The kernels are developing. Even the "stable" branches. It's FEATURES that are frozen, not implementations. Grsecurity is a lot implementation centric.

3. There is internal politics in the kernel development team (the inferior exec_shield by RedHat, SELinux, kernel security model architecture, ..).

4. Grsecurity's contents will be outdated very fast. Couple small version numbers will make it take someone a bit more knowing to port the pathes. Soon just the theories will remain and most likely in the current athmosphere no one will really pick the project back up on the tracks.

5. Security is a hard thing to measure. Trying to convince pointy haired managers to pay for something that is FREE (hey, it's open source!) is nearly impossible.

6. Grsecurity is the first package to really fix some fundamental security flaws widely in Linux systems. Spender IS a genuine hero. An unknown hero after a while since the mainstream development is so far off from the secure tracks.

Sorry.. But it looks bad. Really like the dark ages for Linux security.

Re:Brad Spender Developer of GRSecurity is a Hero

[keesh]

No, Brad Spender is an arrogant fucktard who cared more about screwing over people who disagreed with him (for example, he tried to deliberately withold information on a RedHat security flaw until after Fedora Core 2 was released, just to bring them around to his way of thinking) than fixing things.

Re:Brad Spender Developer of GRSecurity is a Hero

[bmcmurphy]

Care to provide some supporting facts?

cease to exist?

[lawngnome]

how can it cease to exist? isnt open source software forever? (well in some form or another) it may not be regularly updated (or updated at all by the looks of the article) but could still prove useful in the future...

Re:cease to exist?

[TWX]

If the main project site is gone and all of the continuing development notes are no longer available, it's much harder for it to continue. Remember, the code itself is just the end product of a process that involves designing, coding, testing, revising, re-testing, etc, etc, etc. While someone who has the GPLed source could continue to work on it, such a person wouldn't have the experience or results from this process that the original developer had.

If the project is fairly mature, like the Linux Kernel, KDE, FVWM, or any other number of projects with lots of developers then it's easier to lose the top guy or gal and continue development. Linus' turning over the previous stable kernel trees to other big Linux guys like Alan Cox or any of the others is an example. One guy or even a very small number of people on a specific, niche utility or patch might not be able to achieve the same.

The space and organization required to keep the project internet-accessible is also a problem, as this case directly shows. He can't afford the space and bandwidth. I feel his pain, it's hard enough just keeping a personal domain with a mild amount of traffic up for almost no money. Trying to run something with backend CGI for forums and CVS isn't free.

I hope that people are able to reorganize this project, but if that doesn't work then it doesn't.

Re:cease to exist?

[westlake]

how can it cease to exist? isnt open source software forever?

how long does an project have to lie dormant before you admit that it is dead?

Re:cease to exist?

[pseudochaotic]

If i understand correctly, it's tied to a specific version of the kernel, so it'll be outdated pretty quickly, and all but useless.

Re:cease to exist?

[Phragmen-Lindelof]

An example of this is maxima. (Quotes from this link.)
"Maxima is a full symbolic computation program. ... Maxima is based on the original Macsyma developed at MIT in the 1970's. It is quite reliable, and has good garbage collection, and no memory leaks."
Maxima was maintained by Professor Schelter at the University of Texas:
"This particular variant of Macsyma was maintained by William Schelter from 1982 until he passed away in 2001. In 1998 he obtained permission to release the source code under GPL."
"Since William Schelter's passing a group of users and developers has formed to keep Maxima alive and kicking. We are currently in a transitional state, deciding what directions to go in next and seeing what our abilities and resources are. Maxima itself is reasonably feature complete at this stage, with abilities such as symbolic integration, 3D plotting, and an ODE solver, but there is a lot of work yet to be done in terms of bug fixing, cleanup, and documentation. This is not to say there will be no new features, but there is much work to be done before that stage will be reached, and for now new features are not likely to be our focus."
There is more history on this project (e.g. here)

Re:cease to exist?

[ameoba]

Why not just move everything over to Sourceforge and not worry about hosting costs?

Re:cease to exist?

[aminorex]

Well, Latin pretty well died in 454 A.D., but they
still speak it in Vatican City in 2004 A.D., and
I recall the film "Rushmore" posing the question
"is Latin really dead?" almost as recently, so we
can put a firm lower bound of 1550 years...

Re:cease to exist?

[jmt9581]

If you read the announcement on his website, he points out that he's received free hosting over the last year and a half, that's not the issue. The issue is buying food for himself.

Isn't it GPL'ed?

[shoppa]

Is grsecurity GPL'ed or not? I always thought it was, which just means that the guy's involvement and leadership will be shut off, not those of others... it's a pain when the CVS tree and mailing list archives are gone but usually resuming development from a late snapshot isn't too bad. Maybe others had mirrored the CVS tree?

Re:Isn't it GPL'ed?

[mcc]

The problem isn't the code itself, which will remain GPLed. But the problem is the code by itself isn't as useful since this is the kind of project that requires constant maintenance. Who's going to host the code? More crucially, who's going to maintain it and ensure it remains compatible with new kernel versions and modules? You? Didn't think so.

The fact anyone could host the project doesn't help unless someone actually does...

Re:Isn't it GPL'ed?

[0x0d0a]

If (at least chunks of it) were merged into the manstream kernel, people wouldn't have to keep manually dealing with breaks that other people introduce with kernel changes.

Re:So what?

[Atzanteol]

Since the developers went and got all selfish about things like 'eating' and 'clothes'?

Poor bastard

[HeLLLight]

Really feel sorry for this guy (or girl). It must really suck when someone promises to fund your project, of which you earn your livley hood from; then the person just dissapears and cuts funding with no explanation (as of yet).

I have never heard of this project till today, but I would not be suprised if this is an all too often occurence in the OSS world.

Hopefully he finds a new sponser so that he can carry on. It really sucks when you put a lot of time and effort into something, then to have someone just pull the plug on you (completly out of your control) and to be then left with nothing.

Good luck.

Do what all FOSS developers do.

Support yourself by selling grsecurity tshirts and coffee mugs.

Re:Do what all FOSS developers do.

[nkh]

I tried to live
off OSS development
and all I got was this
lousy T-shirt!

Re:Do what all FOSS developers do.

[YU+Nicks+NE+Way]

And the back says:

Will trade it for food.

Re:So what?

[skraps]

Since when is corporate monetary sponsorship necessary for an individual to develop open-source software?

Monetary sponsorship isn't a *necessary* ingredient of anything. Sure is nice to have food, though. I guess we could plant gardens or something.

Re:So what?

[Timesprout]

I'll tell IBM to shut down their Linux sponsorship and investment so in that case.

Re:So what?

[benh999]

Because if IBM ceased to be interested in Linux, development on it would suddenly halt?

Re:Open source

[Laxitive]

Gee, this whole "capitalism" thing doesn't seem to be working out for a lot of people either

-Laxitive

What is grsecurity?

[haluness]

It would be nice to know what it is.

Re:What is grsecurity?

[Richard_L_James]

Security focus provided the following good explanation:

"...Grsecurity is a suite of patches (distributed as a single patch file) for the Linux kernel that are an attempt to improve the security of a Linux system. Grsecurity is based on a port of some previous patches for the Linux 2.2 kernel, including Openwall and PaX, which have never been ported to the 2.4 kernel. Grsecurity provides some updates to these patches and has been ported to the Linux 2.4 kernel..." continue reading SecurityFocus's review.

Re:Open source

[skraps]

Just wait some days till many firms and thousand of users will step up and offer support for such a usefull product. We'll talk again then, about the open source business model, my friend.

Seriously, you guys should just collect your arguments into a list and then refer to them by number. It would save typing, and my time re-reading the same old re-hashed arguments.

Re:the decision not to pay him was no doubt made b

[kunudo]

I think someone should disclose the name of the sponsor that pulled out, not to flame them (well, maybe...) but so that others that might be depending on them get to re-evaluate the economics of their projects. Anyone know who it was?

Re:Maybe he should just GET A JOB then!

Can't. He's not Indian.

Re:Open source

[skraps]

Gee, this whole "capitalism" thing doesn't seem to be working out for a lot of people either.

Agreed. But I think we could come up with a better alternative than "starving artist for everyone" syndrome.
FOSS advocates love to talk about how "one day" there will be "thousands" of sponsors for these things (see sibling reply). But look at plain old art. It has been around a lot longer than sofware, and the artists still barely scrape by. I can't grasp how people think that the "software as art" model is going to be any different than the "art as art" model.

Gentoo Hardened?

[djcapelis]

I wonder if the Gentoo Hardened project will continue grsecurity development, they've done a bit of work with it anyways. Gentoo could certainly supply grsecurity with the needed webspace/cvs hosting etc...

I wonder if that option was looked at before spender decided to give up. Does anyone have ideas on why this couldn't be done? Seems fairly simple to me..

Re:Gentoo Hardened?

[Technonotice_Dom]

I don't think it's the actual web hosting that's the problem - I'm sure many people could lend a hand with that. As the home page of grsecurity says, it's having a leader for the project - to think of the ideas and implementations.

I am the sole developer and originator of ideas for the project. Though it would be possible for others to handle maintenance of the project, the quality won't be held to the same standards and will not progress with the same goals I have set for the project.

Which isn't "fairly simple" unfortunately - there's a lot of time and effort involved. And money.

Re:Gentoo Hardened?

[Calibax]

Apparantly you seem to think that all an open source project needs is access to the internet for the website and CVS.

You must be living with your parents still... Unfortunately, it costs money to live by yourself, you know, food, somewhere to sleep, electricity for the computer, toilet paper, weird stuff like that. Some are lucky and can do their Open Source projects at work and be paid for it, some are not.

If you are developing a project in your spare time you are lucky to spend 20 to 30 hours a week on it. If you are full time on that project, that's an additional 40 to 50 hours hours right there.

In this case the guy was working full time on his project based on a promise from a company (rumors are it was Red Hat) that they would sponser the project with money - which in this case really means sponser the lone developer. No money means no project, unless the guy wants to do it in his spare time, which it seems he doesn't. I can't blame him for that.

Re:Gentoo Hardened?

[wolf31o2]

The parent apparently doesn't know everything about how the Gentoo Hardened project and spender got along. To put it kindly, they didn't get along. The manager of the Hardened project did not agree with spender on much and they got into several outright flame wars in public. It got so bad a few weeks back, that solar, the person who maintains grsecurity for Gentoo, was trying to get the Hardened project broken out, simply to remove the Hardened manager from the equasion.

I prefer the grsecurity patches to the other forms of additional kernel security and will be quite sad to see the project die. At the same time, I can't help but think that anyone who expects to make a living from their pet OSS project really needs to take a dose or two of reality. There's a reason that most OSS projects are someone's pet project and manned by volunteers. Company's want our software, and they don't want to pay for it. If they wanted to pay for it, they'd hire someone to write it and patent the hell out of it.

A previous poster had mentioned that consulting is the way to go for an OSS developer, and I can't help but agree with him. It is so much easier for companies to swallow and also it gives more legitimacy to your work, since you're being paid for what you do, rather than taking a handout simply for running a project that the sponsor has no control over.

Re:Gentoo Hardened?

[Tony+Hoyle]

*Never* go full time based on a promise.

I'm currently in the process of finding sponsorship. Sure, I've got promises, but there's no way in hell I'm handing in my notice until there's a contract signed by both parties for at least 12 months.

You also have to be prepared to do some crap just to give value for money outside the project... even if it's a couple of days a week doing something else you've still got 3 days (+weekends depending on your motivation) to do the interesting stuff. So the sponsor wants you to do tech support/sales.. so what? He's giving you a bundle of cash...

Re:Gentoo Hardened?

[djcapelis]

>Apparantly you seem to think that all an open
>source project needs is access to the internet for
>the website and CVS.

Yes, that's exactly what I think. Linus doesn't didn't need a full-time position to work on linux, he happens to have one now but worked at transmeta a bit back and did several other things, he certainly didn't when he was a university student in Helsinki.

Give the project CVS and a website, people will help it, there's people who need this code, this isn't a pet project. If you need the code, you write it. GrSecurity is a project which people will work on, so long as the code remains. If spender isn't willing to work on it, Gentoo Hardened or a similar person should just give whoever wants to step into his position the resources to do so.

My advice to the developer

Apparently you have not learned all the steps of OSS development.

You have successfully completed two stages:
1. Develop free software.
2. Run out of money.

And you quit at this point forgetting about the third step.

3. Launch a massive copyright-infringement patent-violation lawsuit against IBM and pay lawyers with stock.

Re:My advice to the developer

[soulhuntre]

Alternately...

3) Launch a hugely public lawesuit against MS claiming anti-competative practices and get a settlement.

Re:My advice to the developer

[Fuzzums]

4. PROFIT!!! Ehm. no.

background on grsecurity

[Elendur]

For those who don't know, grsecurity is a security oriented patch for the Linux kernel. It provides mandatory access controls, strengthens the chroot system call, adds /proc and filesystem protections, allows for kernel level auditing of almost everything, and includes the PaX patch to provide non-executable memory pages and address space layout randomization.

The MAC part, called RBAC for Role Based Access Controls, is very well done and the best I've seen. Configuration is very easy through a flat file interface. The system enforces that you have certain intelligent configurations set so you can't make simple mistakes destroying your security. It has a learning mode which will automatically give a least access ruleset for the whole system. Amazingly it actually works quite well. Also the learning mode can be turned on for individual roles or subjects making it easy to add a new program to a system with RBAC already running.

In my opinion grsecurity was the best hope for real security on linux for most people as it provides a comprehensive solution, is easy to set up, and it well engineered.

Re:background on grsecurity

[0x0d0a]

Restricted /proc was particularly nice, as the mainstream kernel is still missing it.

Re:So what?

[op00to]

A large portion of linux development would suddenly halt, yes.

Sponsorship is a bad model.

[k98sven]

Sorry to say this, but I feel that sponsorship is ultimately not a good way to run an OSS project.

If you rely on sponsorships, you have to expect this kind of thing to happen. It does. All the time.

If there are businesses which are using your software, then there should be a market for you in consulting. Consulting is a proven business model for OSS development. (Not that it is much more of a guarantee, but at least you have a contract.)

Not to mention that many big businesses view consulting and sponsorship as two very, very different things. It has to do with bookmaking. Money paid as consulting makes it more evident that you are providing a service than money marked down as 'sponsorship'.

Now, if your project is not commercially interesting, and you still want to get paid for doing it, perhaps you should be looking for a research position instead, if it's innovative enough.

And if it's not innovative nor commercially interesting.. Well then it's a hobby, goddamnit! :-)

Re:Sponsorship is a bad model.

[raduf]

And still there is a fact that a single programmer with a hobby is sometimes more productive then a team of hired people, and sponsoryng this guy to do what he wants full time is best for consumers of the software.

Any other activity like consulting would take too much time from him especially if he's not inclined to such things.

What would probably help is more awareness towards this kind of sponsorship. Also getting some value for your money, except the free software, would help too. Maybe preferrencial feature development/bug fixing? there could be a market for this kind of thins with open projects. Maybe even feature auctioning ;)

Re:Sponsorship is a bad model.

[gl4ss]

yeah..

Like mountain climbers.. happened to bump into a lecture by one guy who regularly climbs to the tallest mountains in the world.

what sucks most in his 'job', and what is 'hardest'?
getting sponsorships. he ends up doing pitiful seminars(about mountain climbing) and visiting grocery stores regularly as part of the sponsorship agreements.

Re:So what?

[WaterBottle]

This is where it would be nice to have an entity that "owned" the brand Linux. It would make it possible (maybe not popular) to license the use of the brand to registered corporations (who are doing nicely from it) and feed that money into traditional community projects. Of course there is nothing quite as interesting as a community agreeing on something, but what the hey.

Re:Additional information (broken links)

[ccTech]

WTF slashdot??? When I pasted this in, there were no spaces in the links!

There seems to be a bug with posting in links where a space is inserted at column 49. I've also seen this phenomenon happening at column 54 when previewing as 'Plain Old Text'.

Sorry about that, just remove any spaces in the links and they will work fine - at least until slashdotted into submission. :(

Sponsors for Open-source

[KrisCowboy]

This, I think is the single-most important problem Open-Source software is facing. Sponsors - Money. Since most of the software is free(both as in free-beer and freedom of speech), financially supporting the developers is a bit difficult. What can be done about this? All the big corporations using the open-software can be forced to pay a nominal amount - by nominal, I mean something very less than what a typical prorietary software owner charges. It should be a one-time nominal amount, with upgrades and patches available free of cost. Will it work? We sure can't afford to lose good software due to the lack of sponsors.

Re:Sponsors for Open-source

If you forced users into paying - even if it's just a little bit - it wouldn't be free anymore.

Re:Sponsors for Open-source

[WorldRimWalker]

"big corporations" can be "forced to pay" for free software? How?

Re:Sponsors for Open-source

[mslinux]

Here are some real-world lessons that I learned the hard way:

1. When it comes to business, it's every man for himself... you *really* have to see it that way or some other guy will eat your lunch.

2. Nothing personal, but fuck you. (you being anyone asking for money that isn't compelled by law or contractual obligation). It's simple really, you want people to give *you* their money... not the other way around, got that?

3. Never give anyone a break... that's not how rich men become rich. Do you think that they'd give you a break? Does your landlord give you a break on a month's back rent? How bout the cell phone company... sure, they'll let you skip the early opt-out penality on your 2-year contract ;)

4. Work for yourself... put yourself first 100% of the time. You're in business for you, no one else.

5. It's just business, nothing personal, but fuck you.

With point number 5 constantly in mind, go get 'em tiger. Enough of this cry-baby OSS/Free Software crap. This guy gave grsecurity away for free. No one made him do it. Let's all hope he learned a lesson, I sure as hell did.

Kudos to RMS and Torvalds for giving away top-notch software *and* for not expecting anything in return other than recognition... that's all I've ever given them, and all I ever will.

Re:Sponsors for Open-source

[rastos1]

Sounds like a summary of What They Don't Teach You At Harvard Business School

Re:Sponsors for Open-source

[0x0d0a]

True, and yet it does make me depressed that nobody has proposed a stable, efficient system in which these (obviously significant) limitations of always being out to stab anyone in the back for more resources is present.

Re:So what?

[JohnFluxx]

Jeez. Trusting a company that promises to pay is lofty and unrealistic.

LIDS: a natural alternative

[ospirata]

I have used GR Security for quite some time, and its not that great loss.

OpenWall was mentioned, but I preffer LIDS as a replacement to GRSecurity. The itens below where taken from GRSecurity site. All listed features are at LIDS either:
# Change root (chroot) hardening
# /tmp race prevention
# Extensive auditing
# Prevention of entire classes of exploits related to address space bugs (from the PaX project)
# Additional randomness in the TCP/IP stack
# A restriction that allows a user to only view his/her processes
# Every security alert or audit contains the IP address of the person that caused the event
Besides, LIDS has a clever ACL schema for file protection and a master password, that if an attacker gets root privileges, it could not exploit the machine completly.

Re:LIDS: a natural alternative

[Elendur]

Besides, LIDS has a clever ACL schema for file protection and a master password, that if an attacker gets root privileges, it could not exploit the machine completly.

You claim to have used GRSecurity for some time and yet you claim this as a feature unique to LIDS? The basic protections afforded by a default setup of grsecurity are neat, but the real accomplishment is in RBAC, which is as you say, "a clever ACL schema for file protection..." I'd dare to say it's more clever than what LIDS has actually, with the learning mode which is not at all a trivial thing to write.

Re:LIDS: a natural alternative

[Mind+Booster+Noori]

As a matter of fact, the best alternative I know (IMHO) is WOLK.

The WOLKs are stable and development kernels, containing many useful patches from many projects. Goal: Stability, Scalability, Performance and most important: Security. If you can, use 2.2-WOLK/2.6-WOLK. Kernel 2.4.* is braindamaged and can't be fix.

The only think I dislike about the project is that they don't have faith in 2.4 anymore (which is good) but they still have faith in 2.2 (useless waste of time...)

Re:So what?

[benh999]

He still could have done the rational/mature thing and used sourceforge for CVS and web hosting, then gotten a normal job and worked on grsecurity in his spare time. Intead, he chose to take the position that he was entitled to payment for something he gave away for free. That the corporation broke their promise is beside the point.

Insult to injury

[PsychoKiller]

Not only does he run out of money, he gets a slashdotting too. :(

Re:Question

[ealex292]

Read the website - both questions are answered in a short, 1 paragraph bit of text. GPL: >Though grsecurity is licensed under the GPL, I am >the sole developer and originator of ideas for the >project. Though it would be possible for others to >handle maintenance of the project, the quality >won't be held to the same standards and will not >progress with the same goals I have set for the >project. It is GPL licensed, but he doesn't think that it will keep being developed without him. Hosting: >I am not looking for help with hosting, as the >hosting for grsecurity has been provided for free >for over a year and a half and will continue to >be provided unless the project has to end. Sourceforge isn't useful since he already has free hosting.

Re:So what?

[Timesprout]

Eating!, Eating!! you selfish selfish bastard. I remember when I was a developer there was no eating for us. No, we would suck rocks for days to extract a few minerals and salts. Obviously though a developer cannot live on rocks alone so we would rectally insert small pieces of lumber and the occasional shrub into our colons to make sure we had a balanced diet and plenty of roughage. Ah those were the days !!

Re:Additional information (broken links)

It's the lameness filter preventing page widening. Just post real (tagged) links, mmkay?

that's not how it works

[dekeji]

Sorry, but that's not how OSS development gets funded; you can't just put up some software on a web site and wait for donations.

Grsecurity looks like something you might be able to fund as part of a security consulting business. Or, if dealing with people is not your thing, you might be able to make a living writing books about security and how to use grsecurity. Or you might be able to do it on the side while working for a large company.

If grsecurity is as useful as you think, if there was a lively community around it, and if the code is usable, there is a good chance someone else will pick it up and actually build a successful business around it. If nobody continues development of grsecurity at this point, then it wasn't really a good, live open source project anyway--it was just some useful code released under the GPL.

Please don't complain about it: while your desire to create open source software is admirable, it is still your problem if you fail because you picked a naive business model.

Re:that's not how it works

[theM_xl]

RTFA. He didn't do that. His sponsor PROMISED to pay him, and didn't deliver on that promise.

Re:that's not how it works

[dekeji]

He is doing it now, apparently.

And even if he had had a solid customer rather than merely a promise, for an independent business, developing a single product for a single paying customer is no way to run a business.

People like him give OSS business models a bad name and give companies like Microsoft ammunition against OSS. Lots of proprietary software companies fail in the same way, of course, but failed OSS businesses often blame lack of community support or lack of sponsorship for their failure, even though they actually just made the same business mistakes any of the failed proprietary businesses made.

Re:that's not how it works

[martingunnarsson]

Unless they had a contract, that's not worth anything. Trust noone.

Re:So what?

[AstroDrabb]

You must have the brains of a rat and those who modded this "Insightful" must have equal brain power. Please tell me, what is "Insightful" in

It sounds like what he wanted was employment. Being able to make a living off of a hobby is a lofty and unrealistic goal.

Where is the "Insightful" knowledge that I should have gained from this comment? What it comes down to is this was _not_ a hobby for this guy. He worked full time and a few $BIG_COMPANIES promised him $XYZ in payment if he delivered $ABC. He delivered $ABC, and those $BIG_COMPANIES did not deliver $XYZ in payment. Most likely becuase his code was under the GPL and they could use it without his consent or their payments.

This is what...

[wtrmute]

It would make it possible (maybe not popular) to license the use of the brand to registered corporations

... and then we'd have a tax on operating systems, just like in the one from Redmond. Why would we bother with it, then? I'd as soon switch to FreeBSD and stick with it. We can't have a double standard.

As for the grsecurity developer, it's unfortunate, but FOSS developers really do need a day-job. I understand him being angry at a sponsor who fell through on a contract, but holding the project hostage isn't really the decent thing to do.

Re:Open source

[kawika]

Or perhaps capitalism IS working, and this is the way for people to choose the projects they think are worth supporting.

Does Anybody RTFA's?

[SteveM]

From the link given in the story:

... I am not looking for help with hosting, as the hosting for grsecurity has been provided for free for over a year and a half and will continue to be provided unless the project has to end. ...

And:

... Though grsecurity is licensed under the GPL, ...

How fucking hard was that? And this guy gets a +5 insightful. [shakes head in disbelief]

SteveM

Re:Additional information (broken links)

[pyrrhonist]

WTF slashdot??? When I pasted this in, there were no spaces in the links!

Here, I'll fix it. Your post with clickable links:

For a comparison between Grsecurity and SELinux: click here

They also document and explain many of the issues facing the LSM project as well: here

It will be interesting to see how the Gentoo Hardened Project will respond to this as well as they have done a great deal of work with grsecurity and provided some exceptional Grsecurity documentation (for the 1.9.x series).
Hardened Gentoo
Gentoo Grsecurity Guide

It will be sad to see this project fade away, especially for those needing an expressive security RBAC/MAC/PAX system. Grsecurity, combined with PAX, provided a well rounded security system that was sensible, somewhat easy to learn, and easier to administrate thanks to the powerful gradm Learning capability.

You might want to use HTML next time. Or you might not.

Re:So what?

[WaterBottle]

Thanks for that. Has he made any noises on exercising any rights around this?

Ulterior motives?

[redphive]

I don't want to sound too much like a troll, but is it possible that this is a method to induce payment by the unmentioned sponsor? If the sponsorship was so crucial to the development of the project (which, as stated was done by a single individual for the most part) and the sponsor already has made use of the project, a change to another project, or relying on the OSS community to take over would be too costly or disruptive, that it may be in the best interest of the developer to come to this decision. I feel bad for Brad, grsecurity obviously is/was something he put a lot of time and effort into, and if matters have come up that prevent him from continuing, so be it. I don't, however like the fact that "no one else is good enough to produce the quality work he has" or "lack the vision for the poject", it seems to lack sincerity for some reason, and I wonder if his motives lie somewhere else.

Re:Ulterior motives?

[redphive]

Agreed, I have not looked at his code, and, there is a lot to take in when looking at any new project, coding or not. My point is that I doubt there isn't one person out there that could handle it. It could be a lengthy search, but I don't think it is impossible.

Finding support.

I suppose finding support from other Linux organisations like Gentoo, SuSe(Novell) or RedHat could be a smart thing.

Re:Question

[pavon]

Source and documentation is not what keeps software alive. It is the working knowledge and contributions of the developers that keeps a project alive. You can release all the code you want, but until that code exists in someone else's head it is dead and stagnant.

That is one of the main difference between Linux and the Hurd (the other being iterative programming vs design everything first, code latter). Linus actively facilitated contributions from others and as a result he ended up with a community of developers and a kernal far better than he could have done by himself, while Hurd limped along.

Re:Open source

[Laxitive]

I think you are browsing at +1 moderation, and not seeing the context in which I made my post. Your point is the one I was trying to make, although I didn't state it explicitly.

The subtler strains of sarcasm don't really come across well in text :)

-Laxitive

Since when...

[mbottrell]

What amazes me is that it's automagically assumed that a code-cutter also has business sense to run a successful business.

Remember at the end of the day he's a code-cutter... not a suit... if he was a suit.. he wouldn't be a code-cutter now would he! :[

I must admit as a code-cutter I'm sick of many businesses idea of 'yeah... lets' get it under the GPL... we can use, abuse and not pay for it'.

Bad Karma to this idea of thinking...
These fat-cats still drive home to a nice warm bed, big meal and watch their TV.

How about flipping some $$'s towards the smuck that did all your hard work and ensure he's still around next year when you have a real question abuot the software.

At the end of the day... nothing is FREE... someone pays... unfortunately with a lot of GPL.. it's normally the developer and his family. :(

Re:Since when...

[Unordained]

... that would be why OSS is partially volunteer work. you agree to do it knowing this can happen to you, and that you're okay with it. if you're not, don't take the risk.

the rest of the world operates around "we want this, we'll pay you to do it." around here, we seem to assume that "i want this, you'll pay me to do it" is going to work. it's not, except if, by sheer luck, you happen to want to do something, and get paid to do it, that someone else is willing to pay for already. and then they're using you again.

we're happy to see stuff released as OSS. the more, the better. just don't take the risk if it's not worth it to you, personally. the programmer is the one liable here, it's up to each programmer to decide how much value there is in a particular project/feature.

Promised payment?

[FattMattP]

Due to a sponsor unexpectedly dropping sponsorship of grsecurity while continually promising payment

They promised? You didn't have a contract? Sorry to say it but welcome to the real world. People can be ruthless.

Re:I wonder if

[1lus10n]

the GPL prevents things like that from happening. You should read the GPL to avoid making common misconceptions more prevelant.

GPL

Re:Additional information (broken links)

[ccTech]

I was in reality just trying to keep it simple by not using HTML.

Thanks for reworking it, I did not realize the issue with links and 'Plain Old Text'. I will definitely keep that in mind for next time!

Re:Open source

[Laxitive]

Perhaps. But this one example isn't sufficient evidence for claims that the free software model fails.

About the 'software as art' mode. There is one crucial difference between art and software. Art has no implicit notion of providing functional value - it is inherently aesthetic in nature. Software is all about functional value. Code is not art. Code may be written artfully, but that's just a turn of phrase, and it's incorrect to read too much into it.

The code is art claim is usually made by people trying to tie it in to freedom of speech arguments. However, there's an easier way to go about that: code is speech.

I don't think people use the 'software as art' argument as a tie-in to economic models much.

-Laxitive

Re:Open source

[GPLDAN]

Software is also based on iteration. Buying the 1.0 product of somebody isn't a reason to conclude the deal.

I'd like to see art use that model. Hey, this painting you are buying is 1.0. I have plans to improve it, I'll stop by and work on it some more while it's on your wall.

Re:So what?

[AstroDrabb]

A large portion? Please give us links to this "large" portion of Linux development. Most of IBM's development is focused around the _Linux Kernel_. Linux will go on with or without IBM. IBM's generosity helps a lot and is much appreciated, espcially by me. However, if IBM dropped Linux, it would be just a blip on the radar of Linux development. And development would continue as normal.

Re:Open source

[Laxitive]

Gah, this is the first time I've responded to my own post. But seeing the responses, I think I must clarify:

My parent post was intended as a sarcastic quip at the post that it was responding to. Because the post I was responding to was moderated -1, my response shows up as a top-level post if you're browsing at +1 moderation. I'm not some bitter socialist.

I should have quoted the original post I was responding to. Sorry.

-Laxitive

To quote the immortal Sam Goldwyn:

[mcc]

"A verbal contract isn't worth the paper it's printed on."

Re:Additional information (broken links)

[pyrrhonist]

Thanks for reworking it, I did not realize the issue with links and 'Plain Old Text'.

Sure, no problem. Now you know - and knowing is half the battle. G.I. Joe!

Re:I wonder if

[iminplaya]

Let me put another way. How do you know that Windows or Photoshop, etc. has no "unauthorized" GPL code in it? Don't you need to see the source? If you were to disassemble the program to see the source, are you not violating the DMCA, or some other thing(EULA) that prohibits disassembly or reverse engineering? If you need to violate law in order to enforce the contract, can you use the "illegally" found evidence, no matter how true, in court?

Re:cease to exist? - Security?

[2.246.1010.78]

I would think an outdated security system is much worse than no security system at all. In this respect not updating something really means to kill it.

Help the guy make ends meet

[NitsujTPU]

Somebody should take a collection. This guy got screwed and, even though he is taking down the effort, and will not pursue further development. Somebody should help him to recover the funds that he's sacrificed as part of this effort.

What you people don't understand

IRC log excerpt for you people. The fact is, there will be NO grsecurity without Spender getting some money. Stop hammering his site. No one else is qualified to really carry on developing the Grsecurity. Maintaining (porting to next slightly modified kernels and stuff) perhaps but not truly keeping the development going.

Look at also this:
http://grsecurity.net/~spender/researchpape r.pdf
The guy is a genious. A real gem. He can't be replaced. It's not money or death for the project.

23:55 bleh, i wish a million people weren't doing cvs checkouts right now
23:55 haha
23:55 what i see it, that there will be few projects from it and most of it will die after one month
23:55 i agree
23:55 not to be arrogant or anything
23:55 no, but it is live
23:55 spender : i did it earlier... ;)
23:55 but honestly i don't know of anyone that will take it to what i would have taken it to
23:55 and that's how it works
23:56 maybe because you're the only one that knows the code well
23:56 yes
23:56 well, it could be possible for someone to take it, but without RBAC
23:56 someone else would first need to read all of it a few times
23:56 and the people on slashdot don't get that
23:56 and where do you find someone with such security and kernel internals knowledge?
23:56 i don't think anyone could ever figure out gradm_newlearn.c
23:56 ms: lkml? ;)
23:56 sleight : security?
23:56 lol

The truth about funding.

[thenumberofthebeast]

There is a truth here that points to the fundamental long-term problem for many free software projects.

Whilst I know nothing of grsecurity (but heck this is /. since when do I need to know anything to have an opinion!), and I feel sorry for the guy whos brainchild this is, we can all learn from this tale of woe.

Very few of us have the privilege of sponsorship, or the luxury of independant funding (stand up Mr Stallman), and lets face it, most of our projects aren't as essential as the GNU system, the Kernel, XFree or Apache all of whom have some fairly serious backing in one form or another.

So what does this tell us?

It tells me that if you want free software to succeed, then you can't rely on your free software to provide you with an income. You CAN rely on your knowledge and skills as a consultant, or you can get another job, but if you go out there expecting patronage then you are bound to fail - in the same way that expecting to make it big in your garage band is a fairly uncertain way of earning a living ... everyone I knew who was in a band has gone on to get a 'proper' job - that doesn't mean they have all given up music, just that those who really believed in it are doing other things as well. Those who were only playing at being a rock star gave up years ago.

Giving up your pet project because it hasn't paid your way shows the same lack of principle - or maybe it shows that the project didn't have that much importance to the author.

Imagine where we would be if Linus had got bored, and got a proper job at Burger King 'cos his kernel idea was not going anywhere and he needed to eat. I can't imagine he would have given up on it. Why haven't the Hurd team given up yet?

Principle.

But let's remember, principles aren't about cash.

Re:The truth about funding.

[mmss]

> Imagine where we would be if Linus had got bored, and got a proper job at Burger King 'cos his kernel idea was not going anywhere and he needed to eat. I can't imagine he would have given up on it. Hmmm... If Linus can code without eating some food he must be some kind of god. What is he waiting to smash Microsoft? ;)

Re:Bankruptcy is the bedrock of capitalism

[Too+Much+Noise]

Bad companies must be allowed to fail. Else you wind up with Soviet Union-style state supported industries where the industry pretends to pay the workers who pretend to work.

Only it's not just the communists that do something like this. The western countries call that 'subventions' and 'protectionist trade policies'. Sometimes it actually makes sense (strategic products/industries and so on), sometimes it's just to keep the jobs within the country.

Good. RSBAC is much better

Though it's difficult convincing linus that the linux security api sucks. If grsecurity dies, he'll have essentially little choice, as rsbac will be the only viable option.

Re:Additional information (broken links)

[JohnFluxx]

It's to stop people writing really longs words and screwing up the table widths.

Make them actual links and you won't have that problem.

Been there done that

[Teunis]

That's been my life for the last few years.
Whether with public projects or with private... it seems hard to get support of any kind from anyone in any community.
I've scraped through the last two years working for a company due to go out any minute because it beat dealing with creditors from the last time folks abandoned a project I was on left me holding all the cards.
I hope things work out better for this project. One thing I can say for certain is it sounds a whole pile more useful than just about anything I've worked on *wry grin*

Love that Open Source business model.

[fmaxwell]

I began the summer in debt and had to borrow money from family to pay for food. If none of the companies that depend on grsecurity, some of them being very large, are able to sponsor the project, grsecurity will cease to exist.

Another fine example of the open source business model.

Economics 101: Paying for something that your competitors get for free puts you at an economic disadvantage. Therefore, almost all companies will take open source software and not pay for it.

If General Motors gave away cars and asked for donations to cover R&D, production, etc., do you think that Hertz, Avis, Dollar, Enterprise, or any of the car rental firms would donate money to GM? Of course not. They would all take free cars for as long as GM was able and willing to give them away, though.

I will never understand why many professional software developers are proponents of open source. Buy a big-rig truck and start delivering goods for free. See how many Teamsters rally round you and cheer you on. You'll be lucky if you just get your knees broken.

Re:Love that Open Source business model.

[scrytch]

> Another fine example of the open source business model.

A few companies can make it work as a business model. Not many. Perhaps you're not grasping that to many, it's simply not a model, it's a hobby, and that they do it simply because they love to. Some truly fine work comes from hobbyists in all areas; ARRL and HAM nuts design antennas, recreationists gather comprehensive research, and so on. Could you back an industry with it? Maybe. As reliably as with a paid model? Probably not. But it doesn't keep the OSS model from being the credo of many a computer hobbyist.

Still, if you can't manage to pay people to do better than people will willingly do for free, you're seriously behind the productivity curve buddy. OSS hardly undercuts existing industry, it simply raises the bar. Your produced band for example had better have a more catchy sound than the bar band down the street, and if you want to sell a web server, it had better at least be as good as Apache.

Re:Love that Open Source business model.

[fmaxwell]

Perhaps you're not grasping that to many, it's simply not a model, it's a hobby, and that they do it simply because they love to.

My hobbies include motorcycling, fishing, boating, and RC airplanes (among many others). You don't see me threatening to take down web pages because companies aren't paying me to ride my motorcycle, to fish, boat, or fly model airplanes. If it's a hobby, then fine; treat it like one. Don't give away software for free and then complain that for-profit businesses aren't voluntarily sending you money.

Still, if you can't manage to pay people to do better than people will willingly do for free, you're seriously behind the productivity curve buddy. OSS hardly undercuts existing industry, it simply raises the bar. Your produced band for example had better have a more catchy sound than the bar band down the street, and if you want to sell a web server, it had better at least be as good as Apache.

Show me companies that are not "behind the productivity curve" when compared with Apache, Linux, *BSD, etc. Show me a better commercial browser than Mozilla. Show me a better web server than Apache. Show me better audio extraction software than Exact Audio Copy. Show me better Windows PC hardware monitoring software than Motherboard Monitor.

As you said earlier, to many, it's a hobby. The highest quality telescopes regularly come from the workshops of hobbyists. The best model train structures (houses, buildings, etc.) aren't the pre-assembled ones at hobby stores. They are the ones crafted by hobbyists. Hobbyists don't have deadlines, stockholders, etc. They can spend as much or as little time as they want.

Re:Love that Open Source business model.

[scrytch]

> Show me a better commercial browser than Mozilla.

People are willing to pay money for Opera. I personally cannot understand why, but their money is talking -- for them, it is better. Browsers do have a steep barrier to entry however (Mozilla simply ignores it for the most part, it does not really have to market itself)

> Show me a better web server than Apache

How's Zeus grab you? Runs circles around Apache -- the apache developers themselves will be the first to tell you it's not a speed demon.

Examples, counterexamples: databases. Show me serious OSS competition with Oracle 10g or DB2.

Back on topic, this guy's behavior doesn't impugn the OSS development model or even the business model. It's nothing more than a payment dispute -- they promised to pay him to work on something, they didn't, the guy stops working on it. Sounds reasonable to me. Perhaps they have their reasons, but no one should be made to work for free.

Re:Love that Open Source business model.

[maximilln]

-----
If it's a hobby, then fine; treat it like one
-----
This is an ages old argument and stinks like so much COW DUNG.

Just because someone enjoys what they do does not give big businesses a free pass to leave them in the cold when it comes time to have a home and eat. Should a farmer provide his crops for free just because he enjoys working with the earth? Why don't CEOs work for free? They seem to be enjoying themselves on the golf course often enough. How about politicians? Why don't they work for free? And the policemen... shouldn't they take pride and enjoy helping the community? Shouldn't they be working for free?

The fact of the matter is that the business community is more than happy to charge the population for every piece of crap that they want to cram onto store shelves, but when someone who's not in the select ordained inner circle of business networks puts together a superior product then it's all "best wishes on your hobby! When you go bankrupt, lose your family, and commit suicide because you don't feel like living in the sewer we'll happily pick it up and make money off of it."

Opportunistic b__tards.

If you were half as good at fishing as this guy was at writing security implementation maybe someone would pay you to do it. It remains that you use your mediocrity to justify taking a sick pleasure in watching someone else's efforts leave them penniless and at the end of their rope.

Re:Love that Open Source business model.

[CloudWarrior]

Ah, yes. Zeus. The webserver built to serve porn fast.

Re:Love that Open Source business model.

[fmaxwell]

This is an ages old argument and stinks like so much COW DUNG.

It's an ages old argument that's based on good, solid reasoning. What is so damned confusing to you about the term "hobby"?

Just because someone enjoys what they do does not give big businesses a free pass to leave them in the cold when it comes time to have a home and eat.

He gave them the free pass when he put the code under GPL. He made the choice to let them take his work and give him nothing in return. Now that they have done just that, he's shocked, hurt, and upset.

Should a farmer provide his crops for free just because he enjoys working with the earth?

No, but if he puts his whole crop out by the side of the road with a big sign that says "free fruits and vegetables", then he shouldn't complain that he can't make a living as a farmer.

Shouldn't they be working for free?

I don't think anyone should be working for free. If you want to be paid to write software, then get a job as a software engineer or sell copyrighted software that you have written. Don't give away your work and then hope that some business wants to give you money out of charity. Act like a grown-up and enter into a legally-binding relationship if you want to be paid for your work.

The fact of the matter is that the business community is more than happy to charge the population for every piece of crap that they want to cram onto store shelves, but when someone who's not in the select ordained inner circle of business networks puts together a superior product then it's all "best wishes on your hobby! When you go bankrupt, lose your family, and commit suicide because you don't feel like living in the sewer we'll happily pick it up and make money off of it."

It has nothing to do with being "in the select ordained inner circle of business networks" and everything to do with how he chose to distribute his intellectual property. Did "the business community" force him to put his work under the GPL? Did they prevent him from getting a traditional copyright on the work? Did they prevent him from selling licenses to the product? No. Those choices were his and his alone.

If you were half as good at fishing as this guy was at writing security implementation maybe someone would pay you to do it.

If I was half as good at fishing as you are at being an ass, the oceans would be devoid of life. And if I wanted to be paid to fish, I would not show up at the dock every night giving away my catch to anyone who walked by. If you want to be paid to write software, then don't give it away and then expect for-profit businesses to donate money to you. This may come as a shock, but corporate officers have fiduciary responsibilities to their stockholders and can't just give away money to individuals to whom they have no legal obligations.

It remains that you use your mediocrity to justify taking a sick pleasure in watching someone else's efforts leave them penniless and at the end of their rope.

"Mediocrity"? How dare you!? You know nothing about me or my abilities.

I get no pleasure from knowing that he is in this situation and I resent your claim that I do. I'm sorry that he screwed up his life this way, but I'm not going to blame some business for his woes. I just hope someone reads what I wrote and that it helps them make better decisions than he did.

Re:Love that Open Source business model.

[fmaxwell]

People are willing to pay money for Opera. I personally cannot understand why, but their money is talking -- for them, it is better.

People make all kinds of bad purchase decisions and the products that they choose are not always the best -- even for them.

How's Zeus grab you? Runs circles around Apache -- the apache developers themselves will be the first to tell you it's not a speed demon.

I've never used Zeus, but I'll take your word for it that it is faster than Apache. But there is more to "better" than simply "faster." If it was truly better for most corporations, why would so many run Apache? It's not like the $1700 (U.S.) is a big hurdle for a major corporation.

Show me serious OSS competition with Oracle 10g or DB2.

MySQL. I know a company right now that dropped their Oracle license and is switching to MySQL -- and they do databases as their primary business.

Back on topic, this guy's behavior doesn't impugn the OSS development model or even the business model. It's nothing more than a payment dispute -- they promised to pay him to work on something, they didn't, the guy stops working on it.

It does impugn it. It's not a payment dispute. He wrote "Due to a sponsor unexpectedly dropping sponsorship of grsecurity..." They are within their right and he has no legal recourse. No one was contractually obligated to pay him for his work, and that's the problem with open source.

I recommend that you look at the web page. Instead of asking for money (with which he could have bought food), he has created an Amazon.com: Wish List filled with CDs, DVDs, video games, and gaming video cards. If I were his family, I'd tell him to eat the DVDs and CDs that people sent him in response to his request for donations of same.

Re:Love that Open Source business model.

[donnz]

Just because this particular OSS "business" is failing doesn't impunge on whole model. Many people do very well selling services based on OSS producats *and* contributing to the projects they use.

Strangely, I don't see many posts decrying the "proprietory" business model every time a company fails (which a large number do).

I suggest you actually take an Economics 101 paper some day, the results may surprise you.

Re:Love that Open Source business model.

[fmaxwell]

Just because this particular OSS "business" is failing doesn't impunge on whole model. Many people do very well selling services based on OSS producats *and* contributing to the projects they use.

That's like saying that giving to charity is a great way to generate profits because Microsoft does very well selling software and donating to charities. The failure of this "business" doesn't discredit the whole open source development -- the reasons for the failure do.

Strangely, I don't see many posts decrying the "proprietory" business model every time a company fails (which a large number do).

What's so strange? The proprietary source business model is a proven success, with companies like Microsoft, Oracle, IBM, Symantec, Adobe, etc. all sucessfully employing it. The open source business model is new, largely unproven, and companies developing open source software profitably are few and far between.

I suggest you actually take an Economics 101 paper some day, the results may surprise you.

I already know more about economics than you ever will. That's why I don't develop software under the GPL, publish it on the Internet, and then expect money to come rolling in.

Re:Love that Open Source business model.

[donnz]

Now you are trolling. But here goes, IBM gets most of its revenues from services. It is not alone. This is a model of doing business that works for millions of companies round the world. OSS supports that model. Many (some would say most) service organisations that use OSS to support their services also contribute in some way to the betterment of those products.

See, it's simple, it's all about good service - unlike certain commercial telescope manufacturers I could mention.

Glad to hear you are so knowledgeable about economics - try applying that knowledge.

Re:Love that Open Source business model.

[fmaxwell]

Now you are trolling.

No, I am not.

But here goes, IBM gets most of its revenues from services. It is not alone. This is a model of doing business that works for millions of companies round the world. OSS supports that model.

If I raise vegetables and give them away, I'm sure that businesses would be happy to take the vegetables from me (by the truckload) and sell them. Thus, my labor and investment would support their business model. But that doesn't mean that "open source farming" is a viable way for me to earn a living. Sure, if you give something away, businesses will find a way to profit from it -- but you probably won't see a dime.

Many (some would say most) service organisations that use OSS to support their services also contribute in some way to the betterment of those products.

Fine. grsecurity is a better product because of those businesses. But it's author is still having to borrow money to put food on the table.

Glad to hear you are so knowledgeable about economics - try applying that knowledge.

The article was so biased as to be practically unreadable, but I think that this quote is relevent to our discussion:

While it may well be true that no one can make money from Open Source, that should only serve to discourage suppliers of software. On the demand side, however, consumers are saving tons of money by using Open Source.

That's what I've been saying all along. The author goes on to talk about how open source benefits just about everyone economically except for the developers.

Re:Love that Open Source business model.

[Sj0]

My hobbies include motorcycling, fishing, boating, and RC airplanes (among many others). You don't see me threatening to take down web pages because companies aren't paying me to ride my motorcycle, to fish, boat, or fly model airplanes. If it's a hobby, then fine; treat it like one. Don't give away software for free and then complain that for-profit businesses aren't voluntarily sending you money.

Seems to me that if you were running in races under the impression that you'd be given some sponsorship money, then didn't and had to starve to death for the summer, you'd probably sell your bike. Seems to me this is the same sort of thing...

Anyway, chalk it up to another gulliable guy who forgot that he had to put food on the table. Someday the majority of geeks'll have this figured out, hopefully. :/

Re:Love that Open Source business model.

[0x0d0a]

Another fine example of the open source business model.

Economics 101: Paying for something that your competitors get for free puts you at an economic disadvantage. Therefore, almost all companies will take open source software and not pay for it.

Traditionally, this situation (in game-theoretic terms, the public good problem) is solved by the imposition of government, which compells people to take the choice that, if individually made, would be disadvantageous, but if universally made, would be advantageous.

The US highway system is a good example. Nobody will buy 10' of road; it's useless. On the other hand, if everyone is forced to chip in enough money to fund 10' of roadway, everyone ends up winning.

Open Source is quite arguably more efficient than closed source development. I'd like to see governments recompense companies that use open source in one way or another.

I will never understand why many professional software developers are proponents of open source. Buy a big-rig truck and start delivering goods for free. See how many Teamsters rally round you and cheer you on. You'll be lucky if you just get your knees broken.

That's because with trucking you can't continue to supply demand without bound. There are N packages to be shipped a year; doing work for free means that another person doesn't get the job. With software development, on the other hand, if one niche is filled (suppose we got a really great world class word processor and all the people at Microsoft that work on Word and at Corel that work on WordPerfect lost their jobs), there's *always* another to fill. My car doesn't drive itself, my computer doesn't have human-like intelligence, and I can't snap a couple pictures with a cell phone of an arbitrary room and have the room reconstructed in 3d. Until computers do every single desireable thing in the world that computers could do, software developers will have work.

Re:Love that Open Source business model.

[fmaxwell]

Traditionally, this situation (in game-theoretic terms, the public good problem) is solved by the imposition of government, which compells people to take the choice that, if individually made, would be disadvantageous, but if universally made, would be advantageous.

You are talking to a left-leaning, almost socialist some would say, person and even I'm a bit put off by this. Are you suggesting that government pay companies to use open source software (such as grsecurity) in lieu of commercial offerings? Talk about a double whammy! The authors still get no compensation and the government pays companies to not purchase commercial software. If you were talking about compensating authors, that would be a different matter, but paying companies to use free software?

With software development, on the other hand, if one niche is filled (suppose we got a really great world class word processor and all the people at Microsoft that work on Word and at Corel that work on WordPerfect lost their jobs), there's *always* another to fill.

I disagree. There aren't an infinite number of niches to fill. Even of those that do exist, only a small percentage of them could economically support commercial software developers. If there is an unending supply of profitable niches to fill, why are so many software engineers unemployed?

Re:Love that Open Source business model.

[fmaxwell]

Seems to me that if you were running in races under the impression that you'd be given some sponsorship money, then didn't and had to starve to death for the summer, you'd probably sell your bike. Seems to me this is the same sort of thing...

The difference is that I'd get a signed contract with the sponsor before I started racing. This guy was spending his life writing software based on the belief that some company was going to donate money to him.

Anyway, chalk it up to another gulliable guy who forgot that he had to put food on the table. Someday the majority of geeks'll have this figured out, hopefully. :/

I'm sorry for him, but if you go to the web page, you will find that his requested donations consists primarily of an Amazon.com "Wish List" of items like DVDs, video games, and CDs. If I were having to borrow money to buy food, I'd lose the Amazon.com Wish List and start pushing a PayPal account.

Re:Love that Open Source business model.

[0x0d0a]

If there is an unending supply of profitable niches to fill, why are so many software engineers unemployed?

Because there was just a huge shift in employment (outsourcing) and it takes the market a while to adjust.

Re:Love that Open Source business model.

[fmaxwell]

Proven success, if your aim is to keep churning out products which are basically shit and full of bugs (talking about Microsoft)...{snip}Microsoft is so very afraid right now. Spreading FUD everywhere, including web forums like Slashdot.

In mentioning Microsoft (and Oracle, IBM, Symantec, etc.), I was speaking about the viability of the closed source business model, not about whether it produces superior software. I really think that you latched onto the entire Microsoft thing way too much. You hate Microsoft. We get it. But let's stick to the topic at hand.

I don't need antivirus stuff as I'm running Linux, so I'm not familiar with Symantec.

I find Symantec's antivirus software to be substandard, but running Linux is only a protection against viruses so long as Linux remains a relatively unpopular OS. If the idiots who run any attachment sent to them move to Linux, the virus writers will follow.

Re:Love that Open Source business model.

[Sj0]

True, dat. To be honest though, if it's as popular as people say, why not just fork it, and since he seems to be the only one who can work on it, according to many posts here, stop development of the gpl version to focus on something you can walk up to a company and sell? Seems to me like creating a market then jumping right in. :)

Re:Love that Open Source business model.

[jcuervo]

Economics 101: Paying for something that your competitors get for free puts you at an economic disadvantage. Therefore, almost all companies will take open source software and not pay for it.

Letting the "something" go under puts you all at an economic disadvantage.

Re:Love that Open Source business model.

[fmaxwell]

Letting the "something" go under puts you all at an economic disadvantage.

No, it keeps you all on an even footing. If given the choice of financing something that will equally benefit my firm and all of its competitors, I would not finance that thing. Suppose I paid $100,000 and my competitors paid nothing. My costs would be $100,000 greater than theirs, yet they would enjoy the same benefits, giving them an economic advantage. That $100K could have been used to hire an additial employee, to take out additional ads, etc.

Re:Love that Open Source business model.

[jcuervo]

No, it keeps you all on an even footing.

I see what you're saying, but look at it this way: how much would you save later on? Take the patches this dude wrote. Is it worth $100k for better[0] security on your systems, or $500k later when your systems get cracked? (Maybe that's a bit exaggerated, but you get the idea.)

Even if you're paying for your competitors, you're still saving money. Maybe you could even come to some sort of agreement with them to chip in equally for the project.

[0] As far as I know.

Re:Love that Open Source business model.

[fmaxwell]

I see what you're saying, but look at it this way: how much would you save later on?

How much would your competitors save later on? Capitalism is about gaining a monetary advantage over your competition. That's why software for business has traditionally been closed source and commercial.

Maybe you could even come to some sort of agreement with them to chip in equally for the project.

Now you are talking. But that's where the open source model falls apart. Everyone who does not contribute gets a monetary reward: They get the advantages of the product at their competitors' expense.

Open Source == Philanthropy

[PureFiction]

End of story. Sometimes you can actually make a bit of money doing. Sometimes you can make some damn good money doing it.

But in the end, open source == philanthropy and it's just a question of who is donating what. (time, money, advocacy, etc)

Re:I wonder if

[1lus10n]

If you illegally use the source and it can be proven it negates all laws regarding the possible protection of it. A theif's stolen property is not his, therefor it is not subjected to legal protection. By stealing something you broke the law, and hence waived any rights you might have had regarding the stolen property.

Of course it still has to be proven. Which is where the problem lies (most of us dont feel like spending time reverse engineering proprietary products). However most companies that have their hand caught in the cookie jar will co-operate rather than risk losing millions in lawsuits. (there have been quite a few companies recently that have "given in")

Re:NO

[iminplaya]

People would look for signature strings in suspiciously similar closed source products anyway...

Well, I, for one, hope it's that easy. With all the restrictions that can be put on us, I would like to see a real enforceable way that we can do the same to them. That's why I put forth the question. Some people took it the wrong way. No, not those of you who actually responded, but the folks "behind the scenes".

WTF is Open Source anyway?

[im+a+fucking+coward]

Just in case everyone forgot, open source was meant to satisfy a programing itch, not necessarily provide a living. The fact that so many coders are able to use it to maintain a standard of living is an unintended side effect.

Though it would be possible for others to handle maintenance of the project, the quality won't be held to the same standards and will not progress with the same goals I have set for the project.

Without a signed, insured contract what guarantee did the sponsor(s) have that the maintainer(s) was doing a competent job anyway? I guess they had the same guarantee the main dev had in getting paid, i.e. none.

No offense meant to the dev, but come the hell on. This is one of the weirdest cases of sour grapes I've read in the OS department.

Re:WTF is Open Source anyway?

[soulhuntre]

Without a signed, insured contract what guarantee did the sponsor(s) have that the maintainer(s) was doing a competent job anyway? I guess they had the same guarantee the main dev had in getting paid, i.e. none.

I agree. We have no idea what happened behind the scenes here. Did he possibly miss a targeted delivery? Did he refuse to add a feature they needed? Did he prove unreliable?

Companies will rarely toss money at someone like this and not want something (at least performance) intreturn... for all we know they had a good reason to decide the money would be wasted.

Welcome to reality.

Perhaps because he's broke?

[Calibax]

One of the wonderful things about the legal system is that you have no money, you have little chance to get any justice. I guess the guy took Red Hat to be an honorable company whose word could be trusted.

Shame on Red Hat for promising to sponsor the project and then reneging. At this point I'm glad that I switched to SuSE

True capitalism

[3770]

Wow, you have just created a place where software _truly_ will be written according to capitalist rules. It will be like an auction, where the programmer that asks the least will snatch the bid, and it is absolutely location independent.

Then how will you compete with India?

Maybe that is the future. We will have to get used to that none of that development will be done in the U.S. At least not by anyone that doesn't live with his parents.

Re:I wonder if

[iminplaya]

Of course it still has to be proven. Which is where the problem lies...

Thanks for the info. That was reason I asked the question. How can we get proof?

However most companies that have their hand caught in the cookie jar will co-operate rather than risk losing millions in lawsuits (there have been quite a few companies recently that have "given in")

I'm sure the "smaller" companies will give in, but how can we deal with a certain company or companies that are big enough to just consider fines and lawsuits as "just part of doing business" and adjust their prices accordingly? Contrary to what the people behind the scenes are saying, I'm not flaimbaiting here. I'm just interested in finding a way to keep people honest. A perfectly legitimate concern, no?

Re:So what?

[SilentChris]

"He worked full time and a few $BIG_COMPANIES promised him $XYZ in payment if he delivered $ABC."

Which is kind of the reason some programmers (most?) shouldn't be involved with money-related matters and $BIG_COMPANIES. "Promised" means absolutely nothing in the business world.

He should've let someone else handle financial issues if he was having trouble making rent. Instead, like most programmers, he unfortunately felt that if he mastered one system, he's mastered them all. Not usually the case.

Voluntary contributions to OSS == non-starter

[whatthef*ck]

If you want to see how willing users are to financially support the OSS products they use, go to the main page of Sourceforge and look at the list of "Top Downloads". You'll notice that the 4th most downloaded program, Azureus - BitTorrent Client, has a little "$" icon next to it indicating that it's set up to accept Paypal donations. The list of all its donations, which can be viewed here, shows that on average they get maybe one donation a week, but two days ago they were downloaded over 22,000 times.

If you develop open source software with any expectations of making money from it, you're in for a big letdown.

Re:Voluntary contributions to OSS == non-starter

[ln+-sf+head+ass]

The page you linked up only shows donations by users registered on SourceForge. I donated, and do not show up there, not having so registered. There are probably others. While the donations not shown may not be enough to put his kids through college, they probably provide a bit of beer money.

As far as willingness to pay goes, I am a thousand times more likely to give money to a programmer that makes something I use and just asks for it, as opposed to nagware or crippleware, which I will either do without or find another alternative for every time.

The truth hurts

[Canberra+Bob]

The big BIG problem for the FOSS business model for the little guy is some large company running off with the product and either offering it themselves, or in this case not bothering to contribute anything back.

And yes, software costs money to develop. Even if you do it in your spare time, that is time that could be spent on a profit earning venture. For better or worse, we live in a capitalistic society. You go to the supermarket, they will expect you to pay cash for what you buy.

And the FOSS zealots ARE partially responsible for poor young students / software developers spending huge amounts of their valuable time for free. All over slashdot the zealots will flame anyone who dares to suggest that to run a business you have to think past just simply offering FOSS software / services. It is always suggested that FOSS is the way of the future, all large companies are shifting to FOSS etc etc etc. Why do you think IBM loves Linux? Not because they have a love for their fellow human being - they can get it for free! They can undercut the opposition. If they are true believers in FOSS philosophy, wheres the source code for DB2? Yeahh...suuure..they have fully embraced open source havent they?

Yes, FOSS is a noble cause, but please PLEASE stop trying to convince kids that they will make money from their efforts. Consulting makes money for the little guy, developing FOSS doesnt.

Re:The truth hurts

[maximilln]

-----
And the FOSS zealots ARE partially responsible
-----
No. You had it right the first time...

-----
The big BIG problem for the FOSS business model for the little guy is some large company running off with the product and either offering it themselves, or in this case not bothering to contribute anything back.
-----
This has been happening for years. Big companies produce crap which they charge way too much for. Some guy who makes a similar product in his free time produces something better and asks to be paid. The big company will either swamp him out of the business or leave him out to dry.

Big companies, since they've worked so closely with politicians to guarantee that they always have the upper hand, have a social responsibility to offer real paying jobs to these people. The people at the tops of the pyramids have never, not in ten thousand years, seen things from this point of view. The world is their circus and we are merely expendable entertainers. It's really nothing more than a carefully protected system of slavery.

Laying the blame on people who choose to advocate a full circle "play fair" policy is of the same mentality as destroying something you want if you can't own it.

Re:The truth hurts

[Canberra+Bob]

I will justify myself.

I am not blaming the zealots for the companies not playing fair. I hold the zealots responsible for not presenting the full story to young developers.

We know big business does not play fair. Young kids with no experience with business do not. If you are going to tell them that FOSS is great / the way of the future etc, you should also point out the problems that may be encounter. Many zealots do not.

Note that I am drawing a distinction between FOSS advocates and FOSS zealots. Advocates generally do accept that there are downsides and will let others know. The big problem in the FOSS community is the very high percentage of zealots running around that sometimes drown out the sensible advice of the more knowledgable advocates.

The point I am trying to get at is this:
If you know that big business does not play fair, but keep that fact from someone you are advising to take up FOSS development just so that you can "convert" them, then yes you are also partially responsible of they get screwed over. You did not do the screwing, but you knew there was a possibility of it happening and did not warn them.

Re:The truth hurts

[maximilln]

Alright. We agree.

I don't know what's the bigger travesty: The FOSS zealots that don't try to educate young kids about the real way the business world works or THE SCHOOL SYSTEMS which fill their heads full of all of this crap about the best product winning, and the fair opportunities in the business world, and all the same junk that the FOSS zealots are guilty of.

We should really just take the candy coating off of life and tell the kids as soon as they hit six years old,"Look, kid, unless your family is independently wealthy or you get lucky enough to win the lottery, expect to live a life which is boring and controlled by other people. You are nothing but a blowjob machine for whoever ends up being your manager. The sooner you accept that as the way the world works the easier life will be."

Re:The truth hurts

[Canberra+Bob]

I am getting a bit off-topic here, but what the heck

I agree with you up to a point. But, I disagree that life is so pointless. The problem lies with people going into a profession because they have been pressured into it - friends, family, society etc. And the source of the problem generally lies with people doing a job and then trying to base their lifestyle around their work. When you think about it, thats absurd! Employment is to make money to pay for you to lead the lifestyle you want to. And yet people find themselves giving up the things they love because it does not fit around their work!

In schools people should be encouraged to follow what they enjoy. Why are they not? Because that starts undermining capitalism. The almighty dollar is meant to be the driver behind everything. Schools tend to encourage students to persue the most highly paid career that they can with little regard for what they enjoy or what they want out of life. If making a million dollars means less to someone than a good family life, why are they encouraged into high stress positions when they will be much happier with a nice quiet 9-5 job? No, they wont make millions, but they will be much happier with their life.

If everyone just followed their dreams, life would be so much more enjoyable! Dont like your boss? Leave, do something else. No you may not work in IT for a while, but you can always do it in your spare time, and it will be far more enjoyable to you (been there done that). Get a less stressful job and just enjoy life!

So, to bring my rant to a point:
I would take the total opposite approach to what you suggest. Encourage kids that life is there to be enjoyed, and they should follow their dreams, and to hell with what anyone else thinks of them.

Re:The truth hurts

[maximilln]

-----
The almighty dollar is meant to be the driver behind everything.
-----
I blame the government bloat for this. We're so top heavy with individuals who are infused with greed in this world that it's only logical that the rest of us are pressured into constantly chasing the almighty dollar. Those in power have plenty but are complete misers while the rest of us get horse-whipped at work to barely pay the bills. It's outrageous but looking back across history I guess I can't ever see a time when society ever did play fair.

I agree that we need to pursue things that we enjoy and find enjoyment in the simpler aspects of life but, at the same time, no one lives in this world rent free.

-----
I would take the total opposite approach to what you suggest. Encourage kids that life is there to be enjoyed, and they should follow their dreams, and to hell with what anyone else thinks of them.
-----
I would love to agree with you. You have read all the other posts on this topic, though, haven't you? The moment we enjoy what we do then we open ourselves up to working for free because it's a "hobby". Corporate management has a monopoly on guilt trips and browbeatings "You should be lucky to have a job you enjoy!" "You act like you deserve a promotion/raise!" "If you don't get this done you're going to lose your job!"

Ideally, in ages past, a person would find something that they enjoyed doing and the community around them would find a use for their skills. Nowadays the large corporations have everything pigeonholed, and refined, and plotted out, and mechanized, that there's no room for individual creativity or pursuit of personal goals. It's like the money misers at the top of the system don't care that people will do best what they enjoy doing. They don't want a happy population. They want unhappy ditch diggers who are so busy biting at each others' throats that we never notice who's really causing the misery.

I dunno. I'd like to _not_ be a pessimist but I've seen first hand how nonchalant the world is to stand by and watch a person get used, beat up, and thrown away like so much worthless trash. Once again it seems like only those who are independently well off have a leg to stand on when it comes to sitting at the bargaining table with the corporate/political masters.

Re:The truth hurts

[Canberra+Bob]

This is rather strange. We think along very similar lines on this issue, but arrive at totally different conclusions.

I know where youre coming from, and I used to think along the same lines. Then I figured out it is all about trade-offs. Generally you trade money (or potential money) for enjoyment. If you love research, then you will not get a well paid job. If you want a well paid job, then chances are you will not really enjoy it. It comes down to what means more to you. The greater income or the job you prefer. If you want to spend a greater time with your kids, then you have to accept your income will suffer. Generally we expect our quality of life to be at a certain level, which requires money, so its a tough balancing act.

People in positions of power have never wanted thinking, happy populations. People who are content with their life have too much time to think about things and are less likely to accept orders from superiors. It is much easier to control a population if there is someone to blame for their problems. Whats my answer? To think and be happy. Sounds corny, but just imagine if the majority of the population had the same attitude what would happen.

On the subject of programming as a hobby, there is no way I would program for free for a company, no matter how much I enjoyed it. For myself I love playing around, my favourite being writing up simulations. If a company wants to make money off my work, then they can pay me for it. I give it to my friends for free, anyone else has to accept that my time and effort went into it and should compensate me for it.

The problem comes when you lose the distinction between work and fun. Your boss asks you to do something IT related outside your job description. Because you enjoy IT, you do it for fun, not realising that now you have done it, you will be expected to support what you have done, and it will be added to your current workload for no extra pay. For me, work is work. If they want me to do something, no matter whether I enjoy it or not, they pay for it. They are using it to fill their coffers, they can pass some of it my way too. Is this selfish? Probably, but I do not apologise for this attitude one bit. Its all about playing the game depending on what the rules are, and adjusting your strategy accordingly. At work you have to play the corporate game, but out of work there is no reason why your dickhead boss has to make the rest of your life miserable - thats your life to enjoy however you please.

Society needs a change in thought

[maximilln]

I read through the comments and it's all the same. People think it's a shame that this guy got shafted. Everyone agrees that what he did for Linux security was worthwhile and good work. Everyone also recognizes that large corporations are happily taking everything they want from open source without feeling obligated to support it.

While this guy paid "the ultimate price" by facing bankruptcy, or homelessness, and joblessness, this is not a new problem the US economic society. People who give 120% at their jobs have typically been seen as little more than rubes by middle and upper management. There's something to be taken from all of this.

If you are a true geek/nerd you will remember back to school days when you were busy acing tests and pushing the class. You will remember the disgusted looks from your average classmates when you were solving complex physics/math/political problems in your head and they were busy looking out the window wondering when the bell would ring. As it turns out, it is those average classmates who now sit in positions of middle and upper management. They never needed to overachieve. Their family was comfortable and there was no pressure to excel. Now that they are no longer in the same class as the overachievers, but rather sitting in a positon of control, they are ready to exact their revenge for years of intellectual humbling.

Middle managers and upper managers have no conscience. They see the world as something that they can milk dry without ever giving back. The system has become so skewed and top-heavy that, for the most part, they're right. Look at the average productivity of American workers. They've got us horse-whipped and scared sh_tless that we'll be the next ones scrambling to vacate before the bank forcloses on the mortgage and sends the repo man for the car. It would take years of happily firing overachievers before the actual impact of not getting any real productive work done begins to take any noticeable toll on them.

One previous poster pointed out,"At the end of the golfing day these guys still drive home in their Jags and BMWs to a $5 million dollar house on 30 acres of land and eat more caviar". It's the plain, unadultered, grim truth. Unless Society, in general, grows a conscience and begins to fairly compensate people like Spender and the Grsecurity team then they (the management and the government officials that they're sleeping with) will work us all over until every last vein is dry. This isn't up to the government to legislate or the universities to come up with research funding. This is about the social responsibility of big corporations to start giving back. For all the limos, and private planes, and tax deductions, and stock investments which are artificially inflated by the retirement investments of the workers, you'd think that someone could cough up $75k/year to fund this guy.

Re:Society needs a change in thought

[Lobo93]

Anarchism for dummies

1. Co-operate.

Even simpler.

Re:Society needs a change in thought

[HuguesT]

I wouldn't get fixed up on the revenge thing. I've seen with my own eyes highly intelligent, technically literate people take up management positions and little by little move from a situation where they understood the technical matters and paid attention to the plebs to one where they didn't care about anything or anyone, just because they could.

It's not revenge over the nerds, it's just plain, unadulterated power and human nature.

To help you understand, do you care about what the cleaners at your place of work do? What about the homeless people on your way home? do you care why people in Sudan are dying in drove right now? No, because you don't have to.

Everybody sucks.

Re:Society needs a change in thought

[skifreak87]

As was pointed out before it's basic economics. Let's say I run a business and benefit from this project. Let's also assume that I have $75k/yr disposable income to pay this guy with. Why should I? The stuff is GPL/OSS and all my competitors can use it. All it will do is fund something that makes the industry more efficient because if I really start benefiting from it, my competitors will starrt using it. As a business, I have no incentive to make the industry more efficient, only to improve my position relative to my competitors and thus profit more.

It's not about being selfish it's about spending my money more wisely (such as investing it and getting a return on it that benefits me not something that only benefits customers and doesn't help me). Let's not be naive here.

Why not you?

[FanaticalDesperado]

Somebody should take a collection

Why don't you take up a collection for the guy? Personally, I see this as a hard lesson that the guy just learned. If a company is promising you money then you should get it in a contract! If a company won't put it in a contract, you have two choices:
1. Tell them that you need the funds up front so you can afford to dedicate yourself to the project. If they won't do that, then you work on the project as time and money allow from your personal schedule and budget. You don't go into debt on the promise that a company is going to give you money. If it is important enough to the company they will give him the money or put it in a contract.
2. Don't do the work. If you do, don't complain about the losses you incur. It's your own bad choices that create the debt.

While the company might have done something sleazy, they have no legal obligation to pay him anything. He should not have sacrificed those funds on something so flimsy as a copmany's promise.

Re:So what?

[YOU+LIKEWISE+FAIL+IT]

If that's the case, is Linux really "free" afterall, or is it beholden to commercial, sponsor interests? I'd hate to think it was turning into Fox News.

Interesting....

[metalmaniac1759]

They want e-mails about donations to be sent at spender@grsecurity.com .... :-)

Nandz.

Why not commit it to the kernel?

[teval]

I may be being naive, but if it's as good as people say it is. Why won't the kernel team commit it?

What are the disadvantages to having more security in the kernel to begin with? If it were unstable I could understand (but.. I'm gathering that because it's secure it's also stable). There's also the little bit of then not having 1 developer handling it. As the new patches break it, it will slowly be updated before the next release and so on. I'm sure some kernel maintainer out there is interested in security.

They can make it optional, even if it's automatically off by default, it'd make things a lot simpler.

Re:Why not commit it to the kernel?

[finkployd]

Why won't the kernel team commit it?

Unfortunately the answer is pretty simple. I have a lot of respect for the kernel team but they know absolutely nothing when it comes to security. LKML can be a very eye opening and frightening list if you are a security geek.

Finkployd

Spender may or may not be a hero

[fw3]

But grsec being dead should be no surprise.

I read the 'comparative to LSM/SEL' links posted above, they are hardly complete, and while they may be arguably correct pont for point I couldn't agree with them.

If GRSEC is so good why have I never heard of any fully developed policy models? SE-Linux can run pretty much out of the box on a fully-featured server. I've run it without undue difficulty on 3 different distributions.

Spender and the RSBAC people both like to get up and say tbat LSM is no good. Lots of reasons are given e.g. "it doesn't provide full Bell-LaPadula security assurance" or "parts are patented".

I would counter:

Both grsec and rsbac are piecemeal solutions, pretty much a hodgepodge of admittedly good ideas patching the kernel to implement 'security'. By comparison LSM/SEL are integrated into the mainline kernel now, and the chosen perimiter is a pretty good one for practically improving Unix (Linux) security issues.

The 'Bell-La Padula' argument basically is complaining that SEL isn't setup for MLS (Multi-level-secure) so it must be no fscking good (TM). This of course is neglecting that the *target* audience for MLS computing (CIA, NSA, DOD ...) have given up on it, my understading is that most MLS implementations have been replaced with air-gapped systems to deal with the levels.

Now if the intended users if MLS (class B and A TCSEC evaluated systems) who have very deep pockets indeed have scrapped them who the hell are the targetted users?

As an amusing side story the founder of a distribution based on RSBAC not only had no idea about this when he started the project, he also had no idea what MLS was and had never read word one of the TCSEC. And when he did he was suddenly wondering how to get evaluated (for a certification that's no longer even available).

So basically I think Spender is interested in being *right*, not interested in doing collaborative work and when something better (in the sense of *practical and useful* came along he had little more to do than poke technical holes in it.

So I'm not in the least surprised that he's losing his funding. LSM/SEL is available, works now and is cost-effective to actually use on production servers.

It's the easiest thing in the world to point out that someone else's system design is not perfectly secure. However practical security is more a matter of practice and process than design anyway. And in the final analysis if you're not willing to make something that actually works (and to work with others to achieve that) then you're gonna have a hard time finding customers.

Re:Spender may or may not be a hero

[Elendur]

It's hard to follow your argument. Grsecurity is not an abstract "right" but impractical approach.

LSM/SEL is available, works now and is cost-effective to actually use on production servers.
Grsecurity is available, works now, and is cost-effective to use on production servers. It's also better for all the reasons mentioned in the argument against LSM. In the field of security being "right" is of much more value than being popular, and I fail to see any valid argument in your post beyond the fact that SELinux is more popular than grsecurity.

Re:Spender may or may not be a hero

[Mind+Booster+Noori]

LSM/SEL is on the main kernel branch. Am I the only to see the obvious advantages of this? Yes, GRsec had some cute stuff that LSM/SEL doesn't have... yet. Want to hurry things up? Help develop LSM/SEL and stop whining about the loss of GRSec. GRSec was important in many ways, now things must go on.

Re:Spender may or may not be a hero

[fw3]

s/popular/supported/.

I'll try to repeat what you're not following then.

LSM (and SEL) were done by teams formed from 'stakeholders' i.e. there was some interest within the kernel core team (principally ted t'so and greg K-H I think) and there were a half dozen or so groups who'd been independently patching the kernel and maintaining those patches.

Basically these people saw a strong reason to establish a baseline for improving the security of the kernel generally.

The people involved have considerable experience in security infrastructure (e.g. evaluated systems, TCSEC and Common Criteria). They know the requirements and they know particularly that the MLS systems have pretty much run their course.

In fact SEL has an MLS policy but no-one (to my knowlege) is using it or writing extensions.

LSM dropped the desire for audit early on because it was determined that 'correct' audit (complete and robust enough for evaluated-design) would inherently affect the performance of the kernel as well as being more invasive (needed 3x more hooks than the enforcement code is using). It was felt that Linus would in no way accept the changes needed to do audit *correctly*. And this pretty well cause SGI to drop out of the process.

Now *today* Redhat is implementing SEL security into RHEL and have hired a few people to work on it. Mitre and others have done extensive work on SEL policy.

In the field of security being "right" is of much more value than being popular

Err, no. 'right' in the absence of context easily becomes a matter of 'Platonic Ideals Forms'. Surely security systems ought to be theoretically well founded (see 'verified design' in TCSEC). In practice securing real-world systems involves both good design and real world compromises.

Anyhow if grsec is in fact all that useful then someone will pick it up and either fork or carry on the design work.

Sponsorship of Open Source

[s-orbital]

Keep in mind this company was charitable enough to sponsor and open source project - something which probably never brought them much money.

If a former sponsor is hated for no longer giving their hard-earned money, who the hell would want to sponsor a bunch of ungreatful hippies er... people in the future?

Re:Sponsorship of Open Source

[bluephone]

Apparently they WEREN'T charitable enough to actually cut the checks they promied with their sponsorship, hence the problem.

Let's sum up...

[stienman]

So far my understanding is that

GRSecurity:
* Fixes the problems in Linux that normally make Linux hard to secure
* Is very kernel version specific (ie, maintenance intensive)
* Easy to use
* Roughly equivilant to, or slightly better than, many other existing hardening 'patches'

The author backs some of this up by saying: "Though grsecurity is licensed under the GPL, I am the sole developer and originator of ideas for the project. Though it would be possible for others to handle maintenance of the project, the quality won't be held to the same standards and will not progress with the same goals I have set for the project."

So - it's either badly designed or grossly incomplete. Or both.

If it is maintenance intensive then the system needs a redesign from the bottom up, or deeper - draw up new specifications keeping in mind the limitations of the system you are modifying.

If it's grossly incomplete then there is little loss to the community. It may have been a great personal loss, but you should never, ever do what this devloper did - float a loan for someone else which they could not personally handle. You don't have to be a business wizard in order to feed yourself.

From Michael Gerber's book "E-Myth Revisited":
Poor businesspeople work "in" the business - they're technicians who daily make the product or service. The business can't succeed without the individual, who may be a genius at providing a product or service but spends every day firefighting.
Brilliant company owners work "on" the business. They build systems, processes, and techniques so the business runs smoothly. These awsome managers don't just solve problems, they invent solutions that eliminate problems forever, or that automatically deal with the issue when it comes up again.(emphasis mine)

If this project requires constant maintenance, or cannot survive without this particular programmer, then it is firmly in the 'poor firefighting technician' category.

Poor guy. I hope he gets on his feet and succesfully finds something that fulfills his need to create. This obviously is not the kind of work he's cut out for, though, and I hope, for his sake, that he chooses not to allow further sponsership of his work on this project.

-Adam

boo-freakin-hoo

[the-build-chicken]

...I'm all pissy because no one will pay me for the 'free' software that I decided to develop.

Hero my ass

see here for an example of his adolescent attitude.

He is a person sits on exploits so he can release them at opportune times to make his project look good and other projects look bad, rather than taking the correct path: reporting the bugs to the developers so they can be fixed. I.e he is simply a blackhat, pretending to be something he is not. I wouldn't trust my security to someone who behaves like this.

Re:Hero my ass

Wooow. No wonder this guy is unemployed. *No*one* should trust him about security. Take about a walking liability...

Re:Hero my ass

[brennz]

If they weren't providing his paycheck, how can he be obligated to provide exploits on someone else's timetable?

I don't blame him for releasing things when it is convenient to him.

The last time I told a developer about flaws in his commercial product, his website had him claiming "he himself had found some security flaws" and he gave me 0 credit, nor compensation for the hours I spent testing out other vulnerabilities on his commercial product, nor the time spent helping him realize what he was doing wrong.

What about the Dual-Licensing model?

[ngunton]

Does anyone have any insight on the Dual License model used by MySQL AB? They apparently make MySQL available under both a commercial license and GPL.

So, in theory, the community at large gets to use MySQL "for free" (thus giving MySQL a large user, test and debugging base), while commercial clients that desire accountability and support can get the commercial license (thus paying for all the developers and, I guess, millions of free users). It sounds cockeyed, but apparently it's working for them. Isn't this a good possibility for Open Source projects to make money while still remaining true to the spirit of the GPL?

Re:I wonder if

[1lus10n]

IIRC cisco (owner of linksys) was caught using modified GPL code in their wireless routers, they forked it over. They are a fairly large company. (although some people say they didnt fork everything/enough over)

Think of it this way, if a company is convicted in court of using code illegaly whats to prevent the plantiff (code owner) from demanding X money and a *FULL* source audit ? That would be such a PITA for most companies that its just not worth it, Although some will be dumb enough/stubborn enough to risk it.

I'm just interested in finding a way to keep people honest. A perfectly legitimate concern, no?

Right now its on of the biggest concerns from an open source developers POV. IMHO.

If you want it to be solid, get it in writing.

[Kjella]

Promises are well - promises. If was supposed to get money for developing feature XYZ, put it in a contract. Kinda like one of those "bounty" contracts, you could have multiple bounties from different companies for the same feature.

Companies don't like to pay for what their competitors get for free. But if you can round them up and say "For X$ from each of you, I will develop feature Y" they're much more likely to agree. If they don't really want to pay that, you'll know up front, before you are in debt and before doing free work for them.

If this sounds too business-like, well he was trying to make a business writing code. So he should have acted a bit more like a business too. No, hobby coders don't need this. But if this had just been his hobby, we wouldn't be having this discussion...

Kjella

Switch to OpenBSD

OpenBSD provides the same main features as GRsecurity :

- Non-executable stack
- Non-executable heap (W^X)
- mmap() and malloc() randomization
- Source port randomization
- per-user firewall using pf and the "user" directive

About Brad Spender being an asshole

[^BR]

This post by Marius Amodt Eriksen is most insightful.

Re:About Brad Spender being an asshole

[adric]

I thought this posting to debian-devel was fairly telling as well... especially the bit about withholding information on a known (to him only, apparently) vulnerability. I had a fairly high opinion of grsecurity up until that point, but these days I think that SE Linux is probably the way to go.

Rather inflated self worth?

[Tinfoil]

Though it would be possible for others to handle maintenance of the project, the quality won't be held to the same standards and will not progress with the same goals I have set for the project.

Anyone else think that's kind of a load?

Re:Rather inflated self worth?

[porkchop_d_clown]

Feel free to prove him wrong, then.

Re:Rather inflated self worth?

[Tinfoil]

Mm, point taken.

However, in the whole of the OS community, I am sure there is one person that is as equally qualified the gentleman who currently maintains the project?

Still, a damn shame that he's had to do this.

Re:the decision not to pay him was no doubt made b

[joshmccormack]

Understandable reaction, and might even be an accurate description of what happened. But there's a lesson in there, too - if you need money in exchange for what you do, your first jobs should be sales and accounts receivables, followed possibly by legal and marketing, then development or whatever else it is you do.

Clients will wait to the last possible moment to give you any money, 'forgetting' they were supposed to. How much worse will donations be?

It's unfortunate, but true, and not at all a poor reflection on developers like this one. When people are willing to copy software, music and movies illegally, just think how little insentive they have for giving money when they don't have to to something they can freely use.

Just as hard?

[John+Harrison]

just as hard as running a business on a conventional model.

I would guess that it is in some ways much harder. You are giving away all of your unique IP, so some of those that might be your paying customers in a conventional model are simply using your software for free.

Of course you could argue that it is easier because you have access to tools, libraries, a community of debuggers and testers, and other advantages of open source. But none of those advantages actually brings in the cash, they just cut down on your expenses.

Besides, it doesn't sound like this guy was running a business, just asking for large donations. There is a difference.

Why not use the Street Performer protocol

[Slinky+Saves+the+Wor]

You could use the Schneier's Street Performer protocol with Open Source software. The idea is simply this: release the next version of the software only after a certain amount of money has been received. Repeat.

Of course this doesn't work if the entire development is in a publicly readable place e.g. a CVS repository, so the access to that should be restricted. The released version would be Open Source, of course. Some would not pay and still copy it, but who cares, it's Open Source! If nobody pays, there will be no further versions.

Also, there's nothing wrong in writing Open Source software, but you would be crazy to do it as your day job without funding. Write it as a hobby, the way it should be. Fund it with something else, if need be. Also, don't get involved with companies without a good lawyer and written contracts.

When you are inside a system which is built on the concept of money, you have to take that into account. If the world was Open Source, everything for free to everyone, and you'd have the idea of Money brought into it, the idea would probably not live long, since it's alien to that system. Likewise in reality... Don't start playing with money unless you want to play by the rules that powerful idea requires.

Or, you could write a new license which demands all corporations and other for-profit entities to pay for using that software, but non-profits and individuals would get away for free like it is now. Kind of like the Qt license.

Re:Voluntary contributions to OSS == non-starter

[whatthef*ck]

While the donations not shown may not be enough to put his kids through college, they probably provide a bit of beer money.

Like I said, if you develop open source software with any expectations of making money from it, you're in for a big letdown.

Ac says wrong?

[fw3]

ok well I admit that I haven't worked extensively with this, however as a concept it's certainly not uniqe to grsec.

SEL's permissive mode can be used the same way and the same for OpenBSD's systrace.

The problem is that for this to work in a production environment, you may well need to exercise all branches of the code you're running.

What are you planning to tell the boss when your Oracle or Mysql db throw an exception that you didn't happen to hit during trial runs? How are you going to roll out linux+grsec+mozilla to secure an enterprises desktops and expect that all legitimate behaviors have been covered?

I believe you when you say grsec's tool is better than the others, however *designing* a policy (and having an environment that facilitates design e.g. Type/Domain in Flask) is a different and arguably better approach.

Re:So what?

[op00to]

Erm, when I refer to Linux, I mean the kernel. That's what Linux is, that nifty binary image that sits on your hardware and makes your SOFTWARE DISTRIBUTION work. Ok, let's set this semantics argument aside.

Here's your link, asshat.

We're arguing about degrees, which is pretty silly and definately pointless. I think the important theme to take away from this is that IBM is a fine example of why OSS kicks ass. I don't have the resources to get the stuff done that IBM gets done. Luckily, IBM does have the resources! It works out for everyone. If they did pull support, linux wouldn't break, but development would surely slow down.

Re:So what?

[AstroDrabb]

So just what was that link supposed to show asshat? Grab the change log for 2.6.6 (ChangeLog-2.6.6). Use grep and a regex to search for ibm change entries (not just the string ibm), there should be about 160 or so. No use grep and a regex to search for total changes, there should be about 1,696 or so changes. So that is what? About 9% of the changes to kernel 2.6.6 were from ibm. I wouldn't call that A large portion of linux development would suddenly halt as your original post tried to claim.

Is IBM's development important and appreciated? Yes. Would it really slow down the Linux kernel much? Nope. Someone else would pick up and run with the ball. That is one of the benefits of OSS.

Re:So what?

[rifter]

He still could have done the rational/mature thing and used sourceforge for CVS and web hosting, then gotten a normal job and worked on grsecurity in his spare time. Intead, he chose to take the position that he was entitled to payment for something he gave away for free. That the corporation broke their promise is beside the point.

The problem with this model is that there are serious legal questions involved. Most IT positions, even though they involve no design or coding at all, include a IP agreement as a requirement which states that anything you create, even in your spare time, even if it has nothing to do with your work, belongs to the company you work for. Granted these agreements are of questionable enforcability, but they have been used to quash open source development in the past.

This is besides the fact that as a developer it is much less likely that his work at a regular position will not be in some way related to his work on his open source project. This will of course weaken his legal defense should the hiring company decide to say they own his project now.

Re:So what?

[rifter]

I have before. I'm still owed close to $10k by web site advertising agencies. I continued to operate my web site in the red for two years. I was making money to do something I enjoyed.

Despite being upset by having to shell out $400/mo for hosting, I did not throw a fit like this guy.

I don't think announcing that you canot afford to host the grsecurity sites and work on it as much as you used to when that is clearly the case constitutes "throwing a fit." He stated the truth as it is. This is not a threat to take his ball and go home; it is a smple statement of the facts at hand. He gave his users and partners due warning. Thankfully because of open source the project will likely continue, but the original maintainer is going to be too busy with personal life issues for awhile to adequately maintain the project. Such is life. I think his approach was very mature; at least he was willing to admit he was licked and that his plan was not going to work.

Re:So what?

[sumdumass]

I'm wondering how much of his time this project consumed on a normal basis. it almost osunds like if he had a couple more, it might not have been that way.

But yea, I think he did the reasonable thing by informing those that were depening on him of the situation. He said he wasn't looking for pay pall donation or anythign like that so you know it isn't a "give me money or else" thing. It sounds like he is looking for corperate sponsor like they have in automobile racing or some other type of sports.

Re:Voluntary contributions to OSS == non-starter

[jcuervo]

Saw this on the donations page.

nobody A slashdot link to the Donations Page convinced me. 1-2 donations a week is TERRIBLE!

Well, guess we know what #2 is:

1) Develop open-source software
2) Slashdot!
3) Profit!