Bruce Perens Warns Grsecurity Breaches the Linux Kernel's GPL License (perens.com)
Bruce Perens co-founded the Open Source Initiative with Eric Raymond. Now he's sharing a "strong opinion" that companies should avoid the Grsecurity security patch for the Linux kernel "because it presents a contributory infringement and breach of contract risk." Slashdot reader NewGnu shared Bruce's comments:
[I]t would fail a fair-use test... Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2... My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition...
This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.
Perens advises companies to discuss his position with their attorneys, adding "In the public interest, I am willing to discuss this issue with companies and their legal counsel, under NDA, without charge."
This is yet another good example of why infectious software licenses like those in the GPL family should be completely avoided. Despite all of the talk about "freedom", the GPL licenses are some of the most onerous and restrictive. They are just too risky to deal with. It's best to avoid them, and to instead just stick with licenses that are truly free, like the MIT and BSD licenses.
Grsecurity is snakeoil dogshit.
Don't bother with grsecurity.
Their approach has always been "we don't care if we break anything, we'll just claim it's because we're extra secure".
The thing is a joke, and they are clowns. When they started talking about people taking advantage of them, I stopped trying to be polite about their bullshit.
Their patches are pure garbage.
Linus
What does Bruce Brackets have to say about all this? ;)
Anons need not reply. Questions end with a question mark.
It's one thing to require that modifications to source code remain open source. I think it's onerous, but at least it's not infecting anything it links to. However, the GPL requires that any derivative works that make use of any GPL code be released under the GPL if they're distributed at all. This means that merely linking your own original code with GPL code (that remains open source) and distributing it requires that you also release your own original code under the GPL. This is an asinine restriction on freedom, and precisely why the GPL is evil. If you actually care about freedom, require that the original code and direct modifications to it remain open source, but let linked code be released under any license. That's a completely reasonable compromise, but the asinine GPL doesn't allow for it.
My favorite Bruce Perens software is Electric Fence. He wrote that in the early days of Linux, originally writing it for SunOS and then porting it to Linux back at the beginning. Bruce knows his shit since way before Linux was even a gleam in Torvalds's eye. Thanks Bruce!
Look at the little monkey dancing to the tune of Red Hat's organ grinder.
I usually fall into the "GPL is less free than BSD" camp, but in this case I agree fully with Perens. The Linux kernel is GPL, and everyone who works on it agrees to and accepts that. If you don't like the GPL or the conditions it places on you, or how you (and others) can distribute your code, then go the fuck somewhere else.
https://trac.ffmpeg.org/query?...
read about them.
There are lots of situations where we violate the terms of GPL if we were to distribute the Linux kernel. The trick has always been to not distribute the kernel in that situation. For example, you don't find too many distros that ship with NVIDIA's proprietary drivers because there was always the question that it would be a GPL violation to do so (yes), but we still have the drivers and the end-user can install them herself if she chooses.
Look, I don't give a shit about violating copyright for the sake of violating copyright. The companies that are all-take-and-no-give, like cheap router manufacturers, that cause the community danger with their unpatched crap - the community tolerates the lawsuits against them.
But if Bruce or Eric decide to sue Debian or Canonical (or whomever) for shipping GRSecurity with the kernel, I'll watch while the community turns on them like a pack of fucking wolves and their reputation takes a perpetual hit.
It's bad enough people playing lawyer with the CDDL vs. GPL nonsense with ZFS - these licenses are intended to help the community, not harm it. People who get lost in the weeds of licenses instead of figuring out how to make the community better are our version of bureaucrats and frankly many of us don't have much use for them.
Any form of legal system that harms its society is immoral and ought to be, and will be, dismantled.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
You should read the entire statement, because there are things missing from the quote above that are important. The most important part is the legal theory:
Also, this is important to keep me in compliance with the law:
It's important to consider the goals of the GPL. You get great Free Software, but it's not a gift. It is sharing with rules that must be followed. You are required to keep it Free. And one of the implied purposes of the GPL is to cause more great Free Software to be made. This means that derivative works that are not shared really go against the purpose as well as the wording of the GPL.
Bruce Perens.
Dear AC,
If that's really their intent, they're confused. Or maybe you don't understand? The GPL doesn't have anything to do with trademarks. And Grsecurity did not bother to create a trademark for their product that was different from the versions with the old GPL-only terms, which are still in use. If trademark was the problem, they'd need to create a new one for their commercial product.
This, unfortunately, would not mitigate the GPL issue, which is copyright and contract related.
Bruce Perens.
Did you really ask this? Seriously. Did you?
Your opinion of GPL aside, are you remotely aware of law at all? Seriously. Are you?
I'd be curious to see if on your keyboard the "?" key is as worn down as the space bar.
lucm, indeed.
I've seen multiple pieces of software, including Paint.net and Classic Shell, change to proprietary licenses because of this exact issue; being able to effectively plagiarize a program just because it's open source and you can theoretically do anything to it, like change the name and claim it as your own, claim it's a "new version" that's littered with malware or add-ons that aren't open source, etc. Open source licenses do not give you a carte blanche to infringe on any other proprietary intellectual property associated with the software, such as trademarks and trade dress.
I think that argument sounds wrong.
Do they distribute anything that's under the GPL? The summary speaks of patches. That means they don't distribute the Linux kernel, which is GPL, but only their own code.
Since they don't distribute the kernel, they don't need a license for it, as there's no copying for which copyright applies. And their own software they can distribute under whatever terms they like.
As long as it's not bundled along with the kernel, they don't even touch the kernel's GPL. It's the customer that patches their code.
And also, since the GPL is not an EULA, their customers are free to do whatever they want. That includes linking the kernel with a GPL incompatible patch, as long as they do not themselves distribute the result. Only distributing it would violate the GPL.
Death to CNN! Long live the new flesh!
Linux should do like OpenBSD did with pf and just replace it. All this yelling and screaming just turns people away.
They don't have to distribute the kernel to violate the GPL in this case. Copyright also restricts the creation of derivative works. Grsecurity definitely is derivative of the kernel. The GPL would be their only permission to create and distribute a derivative work of the kernel. And one of the terms of the GPL is that you can't add any rules to your derivative that aren't in the GPL itself.
With respect, your understanding of copyright and licensing isn't quite complete. This is not a personal criticism, it's true for most people. But legal theories based on what you know so far might not be correct.
Bruce Perens.
Open source can be abused as well that's why you all had to come up with a GPLv-(everyone loves us)-3.0.
I scanned the comments looking for some explanation of what Grsecurity is and where it comes from but no luck. With too many Slashdot stories it's like trying to join a conversation half way through. I could go and look it up but thought I'd post this instead.
Grsecurity is definitely a derived work of the kernel, which I think grsecurity doesn't even doubt. After all, the patches they distribute are licensed under the GPL. They don't prevent you from using your rights under the GPL, they might not want to do further business with you if you do, but you can still use the rights and share the code legally.
To me it seems the legal question is whether or not they are using their influence to, indirectly, add a non-disclosure clause to the GPL. I am not a judge so I can't answer that, but it doesn't look that clear cut to me.
As sort-of blessed by Stallman? Well, at least before they made their peace with CentOS by eating them?
Hi Bruce,
Since you say that GRSecurity is 'definitely' a derivative work, and since you know about a million times more than I do, let's accept that claim as a fact for a moment.
GRSecurity is primarily distributed as a set of patches which modify the Linux kernel's operation in various ways. The end user takes those patches and combines them with the kernel to achieve the desired (or maybe not, doesn't matter). According to your claim, they are not permitted to do so without license from the original work (the kernel).
The implications of this claim seem to be very broad and, to me, undesirable. It would seem to indicate that people would not be free to build and share aftermarket enhancements for any commercial product that contains a creative element (that is eligible for copyright) without license from the company that produced it.
For instance, Subaru sells a car containing an ECU, and no doubt that Subaru retains copyright in the code that runs in that ECU. Joe and his friends develop a software patch for this ECU in order to improve the characteristics of their automobile or to make it compatible with some other usage or accessory. According to your claim, this is a derivative work (it patches the ECU software, the ECU software is copyright) and so if Joe distributes this patch without license from Subaru, he is liable for infringement.
Or for another example, a company sells an electronic microscope to Janice's school. Janice and her friends patch the software running on the microscope to improve the noise reduction algorithm or increase the maximum frame rate. Janice wishes to distribute this improvement to other students. Again, the same story.
So much for Janice and Joe's right to tinker with the software running on their devices, then.
[ For what it's worth, if I were writing the law instead of describing it, I would avoid this entire mess and make it clear that a patch or modification on an existing work that does not itself contain any part of the original is not derivative. It's just a set of instructions for how the rightful possessor of the original work can change it, nothing more. ]
This is a very large discussion and I'm not going to put in the hour necessary to explain it fully. One of the relevant cases is Galoob Games v. Nintendo. In that case, the Game Genie made by Galoob, which let you have infinite lifetime and ammo and thus cheat in Nintendo games, was thought to be a derivative work by Nintendo. Galoob won, because the Game Genie connected to a plug and only modified a few memory locations.
Unlike the modularity of the Game Genie and that of some of the other things you mention, Grsecurity does not limit itself to dealing with Linux through its APIs (like the plugs in the Nintendo console and game cartridge). Instead, Grsecurity gets dirty fingers all over the kernel internals. So, it's derivative.
I am very much a supporter of right to repair and to interoperate, and we should discuss that another time.
Bruce Perens.
You are more than welcome to make derivatives of the Linux kernel and sell them (see Android). You do however have to comply with the license and thus you should see GPLed release code on sites from Samsung etc (which you often but not always do).
The company is not required to release the code publicly either; only their customers can demand the code. However, this has to be under the same license (thus you cannot do like Amlogic does and claim NDA for the Linux kernel).
Custom electronics and digital signage for your business: www.evcircuits.com
All kernel work should be GPL. It's time that Linus steps up his act. Because of his stance that it's ok for GPU vendors to make non-GPL licensed kernel modules, we get into this shit. And while that position was defendable in the '90s when Linux was new, now it isn't.
It's because of this that Android phones are stuck at whatever kernel version the proprietary drivers enforce. E-waste galore...
GRSec might be flawed, but it cannot be considered more absurd than the original MySQL license, nor morally worse than proprietary kernel drivers.
Linus, wake up and create a timeline for proprietary drivers to phase out!
Linux will never take over the desktop. You spend more time on pedantic licensing arguments than MAKING SHIT WORK BETTER!
My contention is that the current state with Grsecurity is like releasing it under NDA. I just wanted to make sure you understood that part.
Bruce Perens.
It is a perfectly viable business model: they are not licensing the linux kernel, they are only licensing patches, and possibly some technical support. You don't get any right besides using the patches; whatever you do internally with the linux kernel and the patches is your own thing. If you distribute the kernel, you may have to make the patches available, but that is a liability for using linux anyway. Do they care about the community? NO, they are not forced by license to do it.
Don't like it? sue them. VMware got away with much more, so it is pretty likely a waste of time.
My company has purchased grsecurity patches in a fashion where it's possible for someone to buy a product and request source from us under the GPL. We have been told explicitly by OSS that we are to provide source and honor the GPL. There have been no caveats or asterisks associated with it either, it is very straightforward.
Are people just making this shit up for fun or something? What gives?
From GRSecurity's "Stable Patch Agreement":
"Notwithstanding these rights and obligations, the User acknowledges that redistribution of the provided stable patches or changelogs outside of the explicit obligations under the GPL to User's customers will result in termination of access to future updates of grsecurity stable patches and changelogs."
I.e.: if you choose to redistribute, other than in the case of a demand made by a user, retaliation will occur.
I think that above the bullshit there is actual legal issue here.
If I took GPLed code, made some changes and produced a patch, that patch is a list of instructions on how to replay my modifications on the original source to get to the same result I did. The original code is GPL, so the resulting code after applying the patches is too.
But is the patch itself under GPL? Are instructions on changing a GPLed software not a separately copyright-able content?
So what grsecurity does is sell patches. They technically do not distribute a piece of or a whole GPLed software. They can claim full rights over those patches.
Are the patches a derivative work of the kernel? They may be considered "Based on the Program", but "Based on..." is defined as a modified copy of the Program. And patches are nothing more than modification instructions.
Legally grsecurity can't prevent their customers from distributing the GPLed result of applications of their patches.
What they can do is ask nicely for their customers not to do it and be angry if their customers distribute the patched version.
What they can't do is sue anyone over copyright violation. Because the customer did not distribute grsecurity patch but the modified kernel itself.
Bruce has an annoying habit of reading legal documents to say what he wants them to say instead of what they actually say.
Call me when ESR or RMS chimes in.
Actually, all I see so far is that an intentional GPL violator's customers are not protected from that intentional violation. It's not at all clear that this is in any way different from the proprietary software licensing world, where a contributory infringement case brought on the customer rather than the vendor is a frequent strategy.
I check out the software licenses that are offered to my customers. Sometimes I red-light a proprietary software vendor because I don't believe they have the right to offer their own software. This is often obvious from their licensing. Similarly, a company should not accept a commercial issue of a GPL work if it's not sure the vendor has a right to offer the work.
I am sorry that due diligence is required, but of course the Free Software folks didn't invent this intellectual property mess.
Bruce Perens.
Just another attempt to steal income from unsuspecting open source users.
Capitalism at its WORST!
Self-importance and self-indulgence is the root of ALL evil.
Yes I do, many companies try to do this though and I'm not sure Linus has ever actively tried to stop them. Samsung, Amlogic, HP, Netgear, Minix have all done it some time in the past or are still actively refusing to release Linux source code they have modified or require some form of NDA before they will give it to you, companies in China are even worse than companies in the US.
I've contacted the FSF about it prior and they seem unwilling to pursue the case unless portions of GNU software are included in the distribution which makes it a bit of a chicken and egg problem, they won't give me the source and the binaries don't contain comments/licenses so it's unclear as to whom they are actually infringing against and FSF won't pursue it unless you can prove the source code contains GNU licensed material.
Given Linus is also more of a technical rather than legal mind, I doubt the GPLv2 on the Kernel is even enforceable at this point unless individual coders want to pursue cases against their more recent contributions.
How in the world can there be a right to repair/improve when anything that modifies the internals of a copyrighted work is a derivative work?
For instance, a modification to a car ECU would not "deal with it through its APIs" (there aren't any APIs, it's not meant to be accessed by developers!) and would "get its dirty fingers over the ECU internals" (since there is surely no nice external interface to modify the behavior). So there goes the right in that respect.
Similarly for any attempt to improve nearly any non-extensible closed system. In fact, now that I think about it, this means there is a very high incentive for a company that wishes to lock tinkerers out to design things to be as closed and rigid as possible. The lack of configurability will mean that anyone wishing to tinker will need to 'modify the internals', and the closed nature of the system means there will be no API to deal with. Both of those factors will increase the chance that any aftermarket modification is a derivative work and thus empower the company to bar its distribution without license.
It would be very unfortunate if our system incentivized this sort of engineering by conferring additional rights based on engineering details about API and configurability.
Some Legal Analysis:
--
The GRSecurity patch snakes through almost the entire kernel; it really touches everywhere (and Brad Spengler etc have publicly attested to this as a bullet point, as it doesn't only add features but fixes various in-place security errors); and not even as a monolithic block. It puts a paw here, and there, and there (so on and so on for 8MBs), with the deft agility of a cat, and the dexterity of a vine wrapped every which-way around the many branches of a bush: it is a non-separable derivative work.
A counter example would be the Nvidia GFX driver: a portion of that driver works across platforms. That portion which works on Linux, Windows, etc is a separable work and thus can be argued to be standalone before a court. Furthermore, in the Nvidia case, that portion was likely developed on another platform and the wrapper was then built to conform to it. The wrapper itself that interfaces with linux is licensed under the same terms as linux. Other drivers can be written in a similar way.
With GRSecurity, on the other hand, that is absolutely impossible. GRSecurity exists only to give the linux kernel "self protection" (their words IIRC). They do this by going in with a scalpel to thousands of areas in the kernel and making small but important* edits and additions, as well as by writing some new routines to then use throughout the kernel. Unlike a plug-in, their derivative work does not and cannot stand alone.
The Anime-Subs cases reaffirmed somewhat recently that a derivative work that cannot stand alone and is not authorized is an infringing work. (Ex: You're a fan, you listen to the Anime Girl cartoon in Japanese, you write down what they say, you distribute that: that text is a derivative work and not a standalone one: it required the existence of the cartoon to itself exist or have any meaning).
I think the situations are very different thusly and that a court would find GRSecurity to be infringing. If the GRSecurity patch is not a derivative work then nothing in the realm of source-code is.
To Brad Spengler I'm referred to as a "troll" (months, perhaps a year later, in a discussion I was not involved in), for engaging with RMS on the issue earlier (something which remains in Mr Spengler's mind:
http://www.openwall.com/lists/kernel-hardening/2017/06/04/24 ...
>... It has been nearly 4 months now and despite repeated follow-ups, I still
>haven't received anything back more than an automated reply. Likewise
>regarding some supposed claims by RMS which were published last year by
>internet troll mikeeusa -- I have been trying since June 3rd of last
>year to get any response from him, but have been unable to. So when you
(RMS' opinion can be seen here: (*7) https://lists.debian.org/debian-user/2016/06/msg00020.html )
As for making modifications: To create the patch Brad Spengler modified the linux-kernel over the course of 15 years, and to continue continually producing new patches he continually modifies the linux-kernel even more. Without permission of the license he has no right to modify the kernel. The mechanical modification that is done by patching is a red-herring in this case since it's not needed to argue infringement on Mr Spengler's part once he has been found to have added an additional term to the agreement between him and further distributees of the derivative work. Once he has done that, he has violated the license grant, and he no longer has a right to distribute the work, nor to distribute derivative works, nor to modify the work in order to create future derivative works.
--
Correction to a common programmer's misunderstanding
--
They don't have to add a term to the GPL per-se as the GPL is not a party to the agreement, it is "merely" the (not-fully integrated) writing describing the license that the rights-holders have granted GRSecurity et al
Nina committed adultery against Hans Reiser, she also divorced him.
Such is forbidden by the God of the book of the Law (Deuteronomy). (The man is the ba'al (master))
Hans Reiser did the correct thing in killing Nina Reiser, as commanded by the Overlord of the Armies.
Hans Reiser didn't obey the white man's false idol Jesus; but Jesus clearly isn't Hans Reiser's God.
Those who entice one to follow another judge/ruler/God are commanded to be killed immediately.
Which is why your Jesus was killed.
>To me it seems the legal question is whether or not they are using their influence to, indirectly, add a non-disclosure clause to the GPL.
They are forbidden by the terms from adding additional restrictions to an agreement between THEM and further distributees.
They are adding an additional term.
Open and shut. Blatant violation.
No, you programmers who scream "BUT THEY DIDN'T ADD THE ADDITIONAL TERM __TO_THE_GPL__!!!!": they added it to the agreement between them and the further distributee, which the terms under which linux is distributed explicitly forbid.
The license is NOT BETWEEN "The GPL" and GRSecurity but between THE LINUX RIGHTS-HOLDERS (linus et al) and GRSecurity. "The GPL" is the memorization of the license grant. It disallows additional restrictions placed by GRSecurity on people to whom it distributes a derivative work.
It is NOT saying (in that section) "oh you just can't pen your restriction in here, go write it on a napkin or something wink wink nod". (*cough codicil*)
No, you Programmers do NOT know what you're talking about when it comes to the Law. Yes I _DO_ know what I'm talking about.
Wrath0fb0b:
Copyright is alienable in the same way real and personal property is.
Complain to the legislature if you don't like it you fucking idiot.
I can place whatever restrictions I like on MY property. I can allow you to use it (license) and then rescind at will. That's what being alienable in the same way real and personal property is means. Go read the copyright statute you fucking self-sure retard.
Even if you possess my intellectual property, does not mean you OWN it (in the way you might own a physical object), unless I ASSIGN copyright TO YOU.
Fucking retards here.
And they think they know more than lawyers and law technicians.
The fire rises...