Bruce Perens Warns Grsecurity Breaches the Linux Kernel's GPL License

Bruce Perens co-founded the Open Source Initiative with Eric Raymond. Now he's sharing a "strong opinion" that companies should avoid the Grsecurity security patch for the Linux kernel "because it presents a contributory infringement and breach of contract risk." Slashdot reader NewGnu shared Bruce's comments: [I]t would fail a fair-use test... Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2... My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition...

This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.
Perens advises companies to discuss his position with their attorneys, adding "In the public interest, I am willing to discuss this issue with companies and their legal counsel, under NDA, without charge."

Does Anyone Use That?

[segedunum]

Grsecurity is snakeoil dogshit.

Re: Does Anyone Use That?

Thanks for that well reasoned remark, way to contribute. The core kernel crowds utter unreasoning hostility toward grsecurity is well documented by now. Its made a laughing stock of the security of the stock kernel for decades, and nobody likes to be shown to be an idiot. Grsecurity recently changed its terms due to widespread abuse of its mark. I assume it has something to do with these new terms, and potentially these announcements were triggered by complaints made by way of retaliation.

Re: Does Anyone Use That?

Submit good patches and we'll merge them. Hell, report some bugs. But no, that's not how you guys operate. You work in an ivory tower for months and send us a massive patch that lacks any organization or any reasonable way to break it down for review. At this point, we think you should take your pile of "security" patches and go write your own kernel to go with it.

Re: Does Anyone Use That?

[segedunum]

Anonymous cowards protesting how Grsecurity have been so badly abused by everyone. Diddems. How predictable.

They chuck patches they *know* won't be accepted upstream, whinge that they are being exploited when someone tries to make them palatable and rinses and repeats the whole process because they know it would destroy their pointless value proposition otherwise. As Linus said, their patches are utter garbage. They can either put up or shut up.

Re: Does Anyone Use That?

[Desler]

Whinge means to whine. It is not a synonym of cringe.

Re: Does Anyone Use That?

[segedunum]

FFS, we really have brought out the fuckwits today. Mind you, I'm not on Slashdot much these days so it could be a regular occurrence. 'Whinge'. Google is your friend.

Re:Does Anyone Use That?

[volkerdi]

Linus, is that you?

Re: Does Anyone Use That?

[james_marsh]

Yep it's like someone is testing a bot designed to drown out reason, much like the comments on news sites seem to be these days. People are pushing BSD and no one has even mentioned netcraft. Not like the old days at all.

Re: Does Anyone Use That?

[Brockmire]

There's history between grsecurity and the kernel people going back years. Bitching about large patch and disagreeing on importance of various behaviour sums it up. It's super paranoid security people against defensive kernel programmers who feel attacked for their code and decisions. At no time did I get the impression it was as bad as dealing with someone like apk. But there was a lot of butt hurt to go around.

Re: Does Anyone Use That?

[Brockmire]

Alliterates. Is this irony?

Re: Does Anyone Use That?

[guruevi]

Seems like the Grsecurity guys have no idea how to work with others and instead of respecting the copyright of many of their past contributors, they simply steal it in the hopes of making a buck before it dies in obscurity.

Re: Does Anyone Use That?

[geoskd]

Fuck the good ideas and flaws that get fixed, submit pretty patches or fuck off

Patches can introduce bugs and security flaws as easily as they can fix them.

Every where I have worked has a had a strict policy of one issue per pull request for that very reason. Reviewing code is hard enough when its a single issue at a time.

Re: Does Anyone Use That?

[gnasher719]

What I hear: "wah, you should be spoonfeeding us this because it's over our heads. Fuck the good ideas and flaws that get fixed, submit pretty patches or fuck off."

What I hear from you is that you have no idea how software development works. Yes, absolutely, if you supply something that cannot be integrated, then fuck off.

Re: Does Anyone Use That?

[Zero__Kelvin]

You don't hear very well. The kernel is good because they follow a process. That process involves submitting code that can be readily reviewed before being accepted. "Trust us, it's great" gets a "go fick yourself", and that is exactly as it should be. If you think ANYTHING is over their head but not over the heads of the grsecurity devs you are clueless, but even if that were the case it is up to them to justify and explain their code or beat rocks.

Re: Does Anyone Use That?

Spoonfeeding? Over their heads? Bullshit. Rather that the submitters are way out of their league when it comes how to submit code.

The burden of work should be on those submitting the patch not those receiving it.

If you submit shitty patches or patches so massive it takes unreasonable amount of time to review them, I would be pissed off if they were accepted.

Also, if you submit a patch that addresses several issues, how should the review process be handled? If one part is not approved, then the entire patch is denied, right? Or do you always want someone else to do your work for you?

Re: Does Anyone Use That?

[Zero__Kelvin]

Great point. Linus should really consult someone who has written some quality code and has experience reviewing and accepting or rejecting patches ... oh, wait!

Re: Does Anyone Use That?

[rtb61]

I would be extremely suspect of any company that supplied blob patches, like M$ does to hide the individual elements of that patch. Straight up, I would suspect them of trying to put in a back door. So the question is to put all the effort into tearing down and completely dissecting that blob and only apply those elements of it that have been fully checked or just bin it and do the coding directly, which will likely be quicker.

Everyone knows exactly the reason why kernel patches at keep neat, specific and fully detailed and a security company should know better than others. This code blob probably a try it on and the next one, the attack blob. Lets be honest everyone knows the CIA/NSA would pay tens of millions in corrupt bribes to get a back door forced into Linux.

Re: Does Anyone Use That?

[Zero__Kelvin]

It doesn't sound right because you are the only one making such a ridiculous claim.

Linus on Grsecurity

Don't bother with grsecurity.

Their approach has always been "we don't care if we break anything, we'll just claim it's because we're extra secure".

The thing is a joke, and they are clowns. When they started talking about people taking advantage of them, I stopped trying to be polite about their bullshit.

Their patches are pure garbage.

Linus

Re: Linus on Grsecurity

[110010001000]

I'll take the judgement of the guy who actually wrote the kernel over a Grsecurity shill.

Re: Linus on Grsecurity

[110010001000]

All software has bugs. It is natural. He can be trusted because he has proven himself.

Re: Linus on Grsecurity

[mean+pun]

Linus is not a God, and often gets things spectacularly wrong (remember BitKeeper?) .

Uh, last I checked, Linus ended up writing an open source clone of BitKeeper that became immensely popular and is now used by just about every software company in the world, including Microsoft. You might have heard of it. What are you trying to say here?

In a sense that's spectacularly wrong, no? I mean, he was wrong (to trust the BitKeeper guy), and he took spectacular revenge. Of course in this sense we should then hope he gets hacked, because the result could be another spectacular piece of software, possibly upstaging grsecurity.

Re: Linus on Grsecurity

[nitehawk214]

Since you exist in 2006, can you warn us about the housing crisis and ISIS?

Re: Linus on Grsecurity

[guruevi]

How do you upstate grsecurity? Their patches add zero net worth of security, they just hope by calling something security it will sell to some large companies.

If they want to add to security, submit patches to the kernel where things are broken.

Re: Linus on Grsecurity

[guruevi]

You don't sound like a security expert either. If the kernels are so buggy, write patches and demonstrable exploit code.

Re: Linus on Grsecurity

[Zero__Kelvin]

You win the "Most Ridiculous Faux Reasoning on the Internet" award!

Re: Linus on Grsecurity

[Zero__Kelvin]

We know the whole story better than you. Those warning Linus didn't think, like I am sure Linus DID, "This works and saves time. If anything changes I will take a couple weeks and spin something up that is better when it is time." He also couldn't have predicted that another guy would violate the terms, reverse engineer the protocol, and try to implement a bikeeper clone. Blame that asshat.

Re: Linus on Grsecurity

[vux984]

"In a sense that's spectacularly wrong, no?"

Was Linus spectacularly wrong or were the BitKeeper people spectactularly wrong? I've always taken that sequence of events as a calculated risk... he didn't expect bitkeeper would revoke their use of bitkeeper; but he also know he could replace it quickly if they were boneheaded enough to do it.

They revoked the license. He wrote git over the weekend. And ... problem solved. Not really a big deal after all.

Re: Linus on Grsecurity

[Bruce+Perens]

This is hysterically funny if you actually understand what Tridge did.

Re: Linus on Grsecurity

[duke_cheetah2003]

The only people who like git are trend chasing hipsters (like JavaScript "programmers") who have never used other systems. Professionals, on the other hand, prefer Mercurial or one of the numerous other DVCS and VCS that exist.

If only this were true. But it's not. It's my perspective that most programmers who adopt the usage of any version control tend to stick with the first one they learn. After that, they become loyal to that package, even if it dies off, they cling to the known quantity. That's in my view, how people pick their version control. It's rare anyone switches from one to another, unless forced to do so by an external.

Some people might use one outside of their normal to work with another team, but for their own projects, they'll stick to their first/favorite.

Re: Linus on Grsecurity

[Bruce+Perens]

Tridge used telnet to get to the Bitkeeper server port, and typed "HELP". That was the great crime!

Most people who understand this believe that Larry over-reacted.

My personal conclusion was that Larry made things much worse for himself with his own behavior. I hope he learned something and is doing better now.

Re: Linus on Grsecurity

[Bruce+Perens]

Walter Tichy is our savior! :-)

The truth is that most people don't use 95% of the feature set of a version control system, and everything they wanted was there in RCS back in 1982.

Re: Linus on Grsecurity

[phantomfive]

Local branches are super-great, though.

Re: Linus on Grsecurity

[Zero__Kelvin]

So Tridgell ... the guy who reverse engineered Microsoft's SMB protocol and created SAMBA, was just curious about the protocol but had no intent of doing anything with the information then? Is that really what you believe?

Re: Linus on Grsecurity

[Zero__Kelvin]

So ... You DO know that EVERY version of the Linux kernel is freely available via git, thereby disproving your claim in its entirety, right? Also, your Stallmanesque/ idealistic version of "free" and Linus' pragmatic, free as in "open" version differ. He made a choice you didn't like, but time has shown that it wasn't a debilitating choice.

Re: Linus on Grsecurity

[jeremyp]

And now because of the Linus Worship, we are all stuck with having to use the pile of shit that is git.

Re: Linus on Grsecurity

[jeremyp]

My first was CVS, then I progressed to svn, after that to Mercurlal which is my favourite, but I grudgingly use git now because my dev tool only supports it and svn. Of the source code control tools I have used, git is without doubt not as bad as CVS. Other than that it would have been better if it had never existed.

Re: Linus on Grsecurity

[BadDreamer]

So where is the damage caused by Linus in all this? The whole point of bringing this up is to show how Linus is not to be trusted, and that means that the decision by Linus must have caused damage, or it would be pointless bringing it up.

So where is the damage? What bad thing does Linux carry with it from this decision? How are we crippled by Linus' decision?

Re: Linus on Grsecurity

[mean+pun]

The whole point of bringing this up is to show how Linus is not to be trusted, and that means that the decision by Linus must have caused damage, or it would be pointless bringing it up.

Wot? No. I have no idea where you get all this from.

Look, I like Linus. He knows what he's doing, both technically and with people management. I trust his evaluation of grsecurity.

My lighthearted point is simply that (arguably) Linus was wrong to use BitKeeper, but that he recovered from the issue in a spectacular way by writing his own software that has upstaged BitKeeper. Therefore, he was 'spectacularly wrong' about BitKeeper. See? It's a joke. No? I guess you had to be there then...

Re:Linus on Grsecurity

[martinfb]

Do you care to site where this can be verified?

Re: Linus on Grsecurity

[almitydave]

The only people who like git are trend chasing hipsters (like JavaScript "programmers") who have never used other systems. Professionals, on the other hand, prefer Mercurial or one of the numerous other DVCS and VCS that exist.

If only this were true. But it's not. It's my perspective that most programmers who adopt the usage of any version control tend to stick with the first one they learn. After that, they become loyal to that package, even if it dies off, they cling to the known quantity.

Well, I started with Rational ClearCase and use git now; in between I used (in no particular order) VSS, PVCS, CVSNT (+TortoiseCVS), and TFS. git is my preferred system of all of those, solving every shortcoming I personally experienced.

I doubt your assertion holds for programmers who moved from file-locking "checkout-and-edit" based systems to an "update-and-merge" paradigm. The latter is so much easier. By the end of my use of VSS, I was basically doing that anyway with one directory containing the source-controlled copy, and another directory containing the copy I actually worked on, and just merging back and forth as necessary.

Re: Linus on Grsecurity

[Zero__Kelvin]

Hopefully you realize I didn't waste my time reading your drivelous rant about nothing.

Re: Linus on Grsecurity

[duke_cheetah2003]

I doubt your assertion holds for programmers who moved from file-locking "checkout-and-edit" based systems to an "update-and-merge" paradigm. The latter is so much easier. By the end of my use of VSS, I was basically doing that anyway with one directory containing the source-controlled copy, and another directory containing the copy I actually worked on, and just merging back and forth as necessary.

I can only speak from my own experience. I've been using Perforce for far too long. I don't wanna migrate to anything else cuz it's a pain in the ass and I'll likely lose all the prior versions of my stuff if I resubmit to a new system. There's supposedly conversion tools for Perforce to around, but I'm wary. I stick to my known quantity. It's still old school 'checkout-and-edit.' Which is good in my book, cuz damn as I get older, I have trouble keeping track of what I was working on. Knowing what I have checked out is a pretty good indicator of what I need to be looking at.

I suppose my original post in my own experience, and from the people I've met in my life, most folks my age dislike learning new systems, so I guestimated most people think like I do, and those I've been in contact with.

Electric Fence

My favorite Bruce Perens software is Electric Fence. He wrote that in the early days of Linux, originally writing it for SunOS and then porting it to Linux back at the beginning. Bruce knows his shit since way before Linux was even a gleam in Torvalds's eye. Thanks Bruce!

Re:Good example of why to avoid the GPL.

[epyT-R]

Unless of course the goal is to keep the software open/modifiable by all while disallowing poaching by closed source developers. This frees the project from parasitic closed developers. They'll have to write their own code if they want to keep it closed.

sounds about right

[spongman]

i usually fall into the "GPL is less free than BSD" camp, but in this case I agree fully with Perens. the Linux kernel is GPL, everyone who works on it agrees accepts that. if you don't like the GPL or the conditions it places on you, or how you (and others) can distribute your code - then go the fuck somewhere else.

Re:sounds about right

[GerryGilmore]

Wait a danged minute here! How can a core kernel change be considered "externally linked code"? If it truly just links, there's no GPL issue. Methinks you've stretched too far trying to make your point and fell off the logic cliff.

Re:sounds about right

[segedunum]

On the contrary, a huge amount of innovation and development has happened with Linux because everyone knows where they stand. Take a look at the 'open source' competitors to Linux. They are nowhere to be seen.

Re:sounds about right

[Bruce+Perens]

Forcing the same license requirements on actual changes to the kernel versus imposing the same license restriction on any downstream externally linked code is not going to attract many competent developers or those who specifically employee developers who can extend and enhance the functionality running against the kernel.

Whoa! Aren't you talking about the most successful strategy for developing a kernel ever? There seem to be no shortage of developers of high competence working on the Linux kernel, including those supported by companies. Hey, we even got Microsoft to do it after their earlier and widely publicized GPL paranoia.

I seriously doubt any kernel team, no matter the budget, can come close to what has been done with Linux.

Re:sounds about right

[UnknowingFool]

What a marvelous way to stop innovation in it's tracks.

[sarcasm]How dare people who draw up a contract expect you to abide by the contract when you agree to it. How dare they, sir![/sarcasm]

Forcing the same license requirements on actual changes to the kernel versus imposing the same license restriction on any downstream externally linked code is not going to attract many competent developers or those who specifically employee developers who can extend and enhance the functionality running against the kernel.

Er what? The patches that grsecurity are to the kernel which they are bundling with their code and then enforce new conditions on the kernel.

It seems the only ones who are allowed to reap any monetary rewards from the Linux ecosystem are the GPL cheerleaders collecting their consultant fees for their efforts in spreading the Open Source gospel. And who really cares what Linus thinks? The man seems to have graduated with honors from the Donald Trump public speaking University.

Ad hominem attack. Who cares what the maintainer/developer of Linux says about Linux? Are you daft?

The man basically ported the Unix kernel to the x86 architecture.

Um, you don't know the history of Linux or Unix do you? By port, you mean "write from scratch?" If you knew anything about the history of either you'd know why that statement is woefully ignorant.

He wasn't even the first person to try before Windows swept them to the curb in the early years of the PC.

No one claims he was the first any more than anyone claims that Windows was the first GUI. At least anyone who knows the history of computing.

So while his achievement is impressive he did change water into wine. And he also belongs to the club of people who make a substantial amount of coin while simultaneously telling those lower in the food chain that they need to donate their work for the public good and if they want to make an actual living they should remain in the Republic of the Anonymous Cubicle and take solace in their monkey coding endeavors.

I'm sorry but did I miss the edict from Lord Linus about donating my time and programming skills to the public good, Comrade? I seem to think that any donation I made to Linux was of my own free will and that I wasn't chained to a computer slaving away at code for years while being shocked periodically.

Re:sounds about right

[epyT-R]

by 'innovation', you mean whatever snakeoil your company wants to sell using the work of others? You do know that the kernel license doesn't apply to userspace, right? Userspace libs and executables have their own licenses (GPL or otherwise).

If you think linux is a 'unix kernel' then you are seriously misinformed. It's a unix work-a-like.

Re:Good example of why to avoid the GPL.

[Dogtanian]

Clippy says, "It appears you're starting yet another GPL vs. BSD holy war discussion. Would You Like Help?"

* Yes, please link to one of the approximately 17,000 near-identical discussions of this nature we've already had on Slashdot over the years.

* No, I'd rather pointlessly go through the exact same longwinded to-ing and fro-ing and restatements of the same old facts purely to indulge my personal need, despite the fact I know the chances of any new insight coming out of the billionth tedious discussion of this long-established subject is next to nothing, despite the fact that those on both sides feel the need to repeat the same entrenched positions- which mostly come down to personal philosophy and not an incomplete understanding of the issues (which everyone knows full well by now) and will therefore be unlikely to change in the face of the discussion (not that this was the point anyway).

(Joking aside, I'm pretty sure the OP knows all this and is intentionally trolling; I'm also pretty sure the replying AC above isn't, which IMHO makes it worse).

Re:The GPL is asinine

[Eravnrekaree]

I completely disagree. Situations like Grsecurity make me glad it is written the way it is.

Please Read The Entire Statement

[Bruce+Perens]

You should read the entire statement, because there are things missing from the quote above that are important. The most important part is the legal theory:

By operating under their policy of terminating customer relations upon distribution of their GPL-licensed software, Open Source Security Inc., the owner of Grsecurity, creates an expectation that the customer's business will be damaged by losing access to support and later versions of the product, if that customer exercises their re-distribution right under the GPL license. This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.

Also, this is important to keep me in compliance with the law:

I am an intellectual property and technology specialist who advises attorneys, not an attorney. This is my opinion and is offered as advice to your attorney. Please show this to him or her. Under the law of most states, your attorney who is contracted to you is the only party who can provide you with legal advice.

It's important to consider the goals of the GPL. You get great Free Software, but it's not a gift. It is sharing with rules that must be followed. You are required to keep it Free. And one of the implied purposes of the GPL is to cause more great Free Software to be made. This means that derivative works that are not shared really go against the purpose as well as the wording of the GPL.

Re:Please Read The Entire Statement

[Teun]

It's important to consider the goals of the GPL. You get great Free Software, but it's not a gift. It is sharing with rules that must be followed. You are required to keep it Free. And one of the implied purposes of the GPL is to cause more great Free Software to be made. This means that derivative works that are not shared really go against the purpose as well as the wording of the GPL.

Amen, it's especially through the GPL that future developers are enabled to stand on the shoulders of the present.
Nothing gets lost, we all win.

Re: Please Read The Entire Statement

[110010001000]

Even if that were true, the GPL is open and free to read. You should have read it before you created Grsecurity.

Re:Please Read The Entire Statement

[Bruce+Perens]

They don't want to play well with others. They should base on BSD or make their own kernel. No legal issues if they did that.

Re:Please Read The Entire Statement

[Kjella]

To me this smells like a blurb written to create a PR stink even though it has no legal substance. Nobody has the right to future business, I can say stuff like "If you start selling real fur products I'll boycott your store" and it would be "tantamount to the addition of a term" for our business relationship but legally it doesn't exist. You're not obliged to listen, I'm not obliged to come back. That loss of business might be seen as a "penalty" but it's the flip side of voting with my wallet. I don't see that it's any different for suppliers, vendors and subcontractors - they don't have to do any more business than what's already agreed on. Any other interpretation would require Grsecurity to be forced to serve customers they don't want to, which is to read waaaaaay too much into the GPL.

Re:Please Read The Entire Statement

[Bruce+Perens]

It's the time sequence that is important in proving a legal theory of this sort. The customer has been warned before the act of distribution that their business would be damaged as a consequence of distribution. If they just coincidentally fired a customer without warning them first, it would be much harder to make a case.

Re: Please Read The Entire Statement

[guruevi]

Not really. If you have entered into a contract with a company that buy your products you cannot after the fact add terms such as those about your customer using real fur.

It is similar to what happens here, the company has entered into a contract with Linux (the real fur) and GRsecurity has entered into the same contract but now GRsecurity is saying you can't execute your contract with Linux and they won't either even though you have the contract with them that explicitly says otherwise.

GRSecurity cannot patch the kernel and sell their product, regardless how crappy it is without breaking their contract with Linux and/or violating the contract their customers have with Linux.

Re:Please Read The Entire Statement

[DRJlaw]

It's important to consider the goals of the GPL. You get great Free Software, but it's not a gift. It is sharing with rules that must be followed. You are required to keep it Free. And one of the implied purposes of the GPL is to cause more great Free Software to be made. This means that derivative works that are not shared really go against the purpose as well as the wording of the GPL.

Yes, and you don't get to change the rules either, Bruce.

What they're doing is not "tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution." The person to whom the code is distributed (for sake of argument, "you") remains free to distribute that code to anyone, and that anyone remains free to distribute the code to anyone else.

What they're doing is refusing to distribute a future version of the code to you -- which the GPL permits (e.g., limited availability). If they distribute the code under section 3a, they have no obligation to distribute the code to any other party, i.e., they cannot be compelled to distribute updated versions of the code to you.

Their only obligation to distribute a future version of the code to anyone in particular would arise under a support contract. But the GPL does not require that support even be provided, much less govern support contracts. If they want to condition further support upon non-disclosure of the code, they could do it stupidly -- by having long term support contracts, lump sum fees, and a termination provision (courts dislike forfeiture-like penalties) -- or wisely -- by having month to month terms, monthly fees, and simply refusing to renew at the end of the term. There's no mechanism, whether in copyright or contract, to force them to continue to accommodate a customer that they do not want to deal with after they've complied with GPLv2 section 3a and any support contract's current term has expired.

If they've done this wisely, they're within the letter of the license and this is another instance, like Tivoization, where the free software community is simply going to have to learn to adapt.

This means that derivative works that are not shared really go against the purpose as well as the wording of the GPL.

You haven't convinced me that this goes against the wording of the GPL. As to the purpose, since you've succeeded in having the GPL held to form a contract, you'll have to take the "four corners" doctrine, construction against the draftsperson, and all the rest of contract law along for the ride as well. Once a party can show literal compliance with a contract's terms, attempts to add "tantamount" obligations or argue "tantamount" violations become extremely difficult. In the end, both sides have to follow the rules of the document.

Re:Please Read The Entire Statement

[DRJlaw]

Bruce,

Your blog post states that "the contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached."

This is quite concerning. Please explain how you believe that the contract from the Linux kernel developers to the customer has been breached. What violation has the customer committed? More specifically, since the GPLv2 sec. 6 specifies that "[e]ach time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions," how do you contend that the customer is "subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity?" If the customer doesn't redistribute code to a third party, axiomatically they cannot be in breach of anything. I remind you that according to GPLv2 sec. 0, "Activities other than copying, distribution and modification are not covered by this License; they are outside its scope," and that only distribution, not modification alone, triggers secs. 2(b) and 3.

I think that you owe those customers something better than vague threats and an invitation to spend capital contacting their attorney.

Re:Please Read The Entire Statement

[Bruce+Perens]

A lot of people are not understanding the the importance of the time sequence. Because of the actions of Open Source Security Inc. to date, the customer already knows that there is a threat to cause them business damage if they exercise their right to distribution, before they perform the act of distribution. That's an additional term.

You are treating this as if the consequences of distribution are the only relevant element, and as if they only happen after distribution. This is not the case.

Re:Please Read The Entire Statement

[Bruce+Perens]

Let's look at what the magistrate said:

Defendant contends that Plaintiff's reliance on the unsigned GNU GPL fails to plausibly demonstrate mutual assent, that is, the existence of a contract. Not so. The GNU GPL, which is attached to the complaint, provides that the Ghostscript user agrees to its terms if the user does not obtain a commercial license. Plaintiff alleges that Defendant used Ghostscript, did not obtain a commercial license, and represented publicly that its use of Ghostscript was licensed under the GNL GPU. These allegations sufficiently plead the existence of a contract. See, e.g., MedioStream, Inc. v. Microsoft Corp., 749 F. Supp. 2d 507, 519 (E.D. Tex. 2010) (concluding that the software owner had adequately pled a claim for breach of a shrink-wrap license).

You are misinterpreting the GPL when you say this:

If the customer doesn't redistribute code to a third party, axiomatically they cannot be in breach of anything.

The GPL is Open Source Security Inc.'s only permission to create and distribute a derivative work of the Linux kernel. I don't believe that anyone is denying that Grsecurity was created and distributed, and is derivative. The customer is obtaining and making use of an infringing derivative work. The status of the kernel is "All Rights Reserved" because the GPL has terminated, and that very clearly makes the customer a contributory infringer.

You are taking a very simplistic view of the GPL that doesn't fit what you appear to be representing with your user name. Did you actually sit for the Bar? I know there are a lot of people with a J.D. who don't ever practice, it's a personal choice, but I would have expected a bit more depth in interpretation.

Re:Please Read The Entire Statement

[DRJlaw]

You are taking a very simplistic view of the GPL that doesn't fit what you appear to be representing with your user name. Did you actually sit for the Bar?

Why yes, Bruce, I have, and am licensed in multiple states. I actively practice intellectual property law as well.

The customer is obtaining and making use of an infringing derivative work. The status of the kernel is "All Rights Reserved" because the GPL has terminated, and that very clearly makes the customer a contributory infringer.

The license granted to the customer certainly has not terminated. Section 6 grants the customer that license separate and apart from Grsecurity, and the GPL does not provide any grounds for terminating the customer's license, as opposed to Grsecurity's license. You should also reread the termination provision of GPLv2 sec. 4: "However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance."

In addition, your alleged infringer has granted the customer a license to the infringer's modification under the GPLv2, and nobody else has standing to assert that the customer is allegedly infringing that "infringing derivative work."

Your argument is that if the license to an upstream distrubtor has been terminated, the downstream users are unlicensed and become liable for e.g., copyright infringement and breach of contract. In my view that directly contradicts GPLv2 secs. 4 and 6, and also raises a great big "red flag" for people like my clients.

I suppose I'll simply have to refer your argument to Eben....

Re:Please Read The Entire Statement

[Bruce+Perens]

OK, if you're a real lawyer, I have no problem arguing law with you. I've won against folks who were admitted to the supreme court before.

The license granted to the customer certainly has not terminated.

The customer has that license for the kernel. They do not have that license for Grsecurity, because Grsecurity's license to the kernel terminated, and Grsecurity did not have the right to grant the GPL to the customer for an infringing derivative work. If Grsecurity was an independent work rather than derivative, it would have been different.

This belongs to a class of arguments I see very frequently, in which the defendant has not complied with the GPL but repeatedly offers the language of the GPL in their defense as if they get to cherry-pick the terms they like.

Sure, refer it to Eben. He's already been copied and has so far not chosen to differ. Richard chose not to be involved because he felt Grsecurity would not listen to him, and he has bigger fish to fry.

Re:Please Read The Entire Statement

[Kjella]

It's the time sequence that is important in proving a legal theory of this sort. The customer has been warned before the act of distribution that their business would be damaged as a consequence of distribution. If they just coincidentally fired a customer without warning them first, it would be much harder to make a case.

What theory? It doesn't matter if they tell you why up front, after the fact or not at all. Tortuous interference with business is when a third party sabotages a business relationship, a company's own choice to stop doing business with you is not damage under any theory of liability I've heard of. You might have expected future business and its absence may cause all kinds of problems, but basic freedom of association says they don't have to if they don't want to. That they're specifically not doing business with you because you exercised your rights under the GPL is to me a bit like using your free speech. It might be legal, but it's not free from consequences and I really doubt any court will try to prescribe that it should be.

Re:Please Read The Entire Statement

[DRJlaw]

The customer has that license for the kernel.

Which means that the original developers cannot properly sue the customers for infringement or breach of contract concerning use of the Linux kernel. Check. You've now admitted that there's no basis for liability absent a customer's own violation of the GPL.

They do not have that license for Grsecurity, because Grsecurity's license to the kernel terminated...

But the original developers do not own Grsecurity's modifications. In addition, the original developers cannot sue a user licensed to use the Linux kernel for using Grsecurity's modifications, since users are expressly licensed to modify the original developers' code themselves by the GPL (sec. 2)! Nor can Grsecurity sue any user for using Grsecurity's modifications, since Grsecurity either licensed the modifications to customers (and all users via the GPLv2) or it will be estopped from claiming infringement due to the purported license.

and Grsecurity did not have the right to grant the GPL to the customer for an infringing derivative work.

Wrong. Grsecurity use a GPL license for its own code whenever it chooses. Whether Grsecurity remains licensed to use the Linux kernel or not, both the Linux kernel and Grsecurity's modifications are GPL licensed - the first sentence of GPLv2 sec. 6 expressly says so. Termination of the kernel license to Grsecurity does not affect the rights of their customers, or any other users, per GPLv2 secs. 4 and 6.

If Grsecurity was an independent work rather than derivative, it would have been different.

Denied. You have not explained how Grsecurity cannot license its own modifications under the GPL, nor how anyone other than Grsecurity could sue users for using those modifications. You have admitted that customers and users are licensed to use the Linux kernel even if Grsecurity is not. You will have to admit that users can modify the Linux kernel if they so choose, even using non-GPLv2 modifications, so long as they do not publish or distribute the result (GPLv2 secs. 2 and 3).

To reiterate, the customer has been licensed by the original developers for the original kernel and by Grsecurity for the modifications. If the customers comply with the GPL by, e.g., not publishing or distributing the combination of licensed code, there is no ground to terminate the license from the original developers to the customers and thus no infringement or breach of contract by those customers.

This belongs to a class of arguments I see very frequently, in which the defendant has not complied with the GPL but repeatedly offers the language of the GPL in their defense as if they get to cherry-pick the terms they like.

This is the sort of sloppy reasoning that I see very frequently. You are attempting to treat Grsecurity and the customers as one and the same, when I have been asking specifically about the customers in this instance. You now concede that the customers are licensed, and you cannot identify anything that the customers themselves have done in breach of the licenses, yet you contend that the customers are potentially liable for "contributory infringement" and breach of contract.

The mere fact that you accuse customers of potential "contributory infringement" shows how wrong you are. A contributory infringer is "[o]ne who knowingly induces, causes or materially contributes to copyright infringement, by another but who has not committed or participated in the infringing acts him or herself, may be held liable as a contributory infringer if he or she had knowledge, or reason to know, of the infringement."

How does the customer induce, cause, or contribute to copyright infringement by another by merely using Grsecurity's product? For that matter, how does a customer breach the GPL merely by using Grsecurity's product?

I'm not cherry picking terms. Identify the specific term of the GPLv2 that the customer, not Grsecurity, has not complied with.

Re:Please Read The Entire Statement

[Bruce+Perens]

Which means that the original developers cannot properly sue the customers for infringement or breach of contract concerning use of the Linux kernel. Check. You've now admitted that there's no basis for liability absent a customer's own violation of the GPL.

I admitted no such thing. And telling me what I admitted, when I haven't, is a rhetorical trick, not argument.

Grsecurity is an unlicensed derivative work and it's owned in part by the kernel developers because it necessarily includes portions of the original work. The GPL does not apply to it at all. The fact that the user has the GPL for some other copy of a Linux kernel does not license the infringing derivative work to the user. Nor does it grant Open Source Security Inc. the ability to convey the GPL for that work.

But the original developers do not own Grsecurity's modifications.

Actually, they do! Not the whole thing, but the derivative work necessarily incorporates a significant portion of the original work, and this is definitely true for the patch format used. The GPL doesn't apply to that copy as its terms were not honored, and OSS never had a right to convey the GPL originally on that copy. A GPL conveyed by someone else for another copy of Linux does not apply to the infringing derivative work. Grsecurity has no right to distribute it at all. The Linux kernel developers own the only remedy that will make its legal use possible.

Termination of the kernel license to Grsecurity does not affect the rights of their customers, or any other users, per GPLv2 secs. 4 and 6.

It does indeed if Grsecurity never had the right to convey the GPL on that work to the users in the first place. You can't convey it on a derivative work without a license from the owners of the work it was derived from. Grsecurity did not have that license because they did not comply with it.

Denied. You have not explained how Grsecurity cannot license its own modifications under the GPL, nor how anyone other than Grsecurity could sue users for using those modifications. You have admitted that customers and users are licensed to use the Linux kernel even if Grsecurity is not. You will have to admit that users can modify the Linux kernel if they so choose, even using non-GPLv2 modifications, so long as they do not publish or distribute the result (GPLv2 secs. 2 and 3).

OK, this one is too much. Look, I know that lawyers will try to fool the other side to win an argument. I've had it happen before. It's not going to make me accept your argument. I explained clearly where Grsecurity could not license its infringing derivative work. You're being silly to contend that anyone can license an infringing derivative work to someone else without a lot more permission than the GPL contains.

To reiterate, the customer has been licensed by the original developers for the original kernel and by Grsecurity for the modifications.

The infringing derivative work was never licensed to the customers, because Grsecurity never had a right to license it to anyone. The copies of the kernel that are under the GPL came to the customer another way, if they have any, and the fact that the user has the GPL from someone else on another copy does not automatically license the infringing derivative work to the customer.

A contributory infringer is "[o]ne who knowingly induces, causes or materially contributes to copyright infringement, by another but who has not committed or participated in the infringing acts him or herself, may be held liable as a contributory infringer if he or she had knowledge, or reason to know, of the infringement."

They have now been informed that there's a good chance of risk of contributory infringement and to check with their counsel. It's public knowledge now. They're paying for copies. That's how they become

Re: Please Read The Entire Statement

[Bruce+Perens]

What if they used an NDA instead? And how is the effect any different?

Re:Please Read The Entire Statement

[phantomfive]

Your analysis seems on point: if they've acted to prevent redistributing of their changes, then they've violated the GPL. However I am a little less clear on this paragraph:

As a customer, it’s my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity.

I feel like the customers will still get full rights to use the Linux kernel (as long as they don't redistribute the binaries). I'm not sure where the contributory infringement and breach of contract come from.

Re:Please Read The Entire Statement

[phantomfive]

ok, I've read your argument elsewhere regarding the contributory infringement. In a lot of ways, it's like the cleanflicks case.....you are not allowed to edit and sell the edited DVDs, but you are allowed to sell metadata indicating which parts of the original movie can be modified, even though such metadata is clearly a derivative work. That would be analogous to allowing an end-user to download the kernel elsewhere, then apply the patches to it separately.

DVDs are a little different because they fall under the Family Entertainment and Copyright Act. The Linux kernel does not. I can't think of any case that applies to this directly. Applying the abstraction, comparison, filtration test, it seems reasonable that if Grsecurity lost the right to redistribute the Linux Kernel, they would at least lose the right to those portions of the code which allow them to integrate directly with the kernel, or are directly related to Linux. IF that happens, of course the patch would be useless.

So the question is, if you have a license from Grsecurity to use the parts of code they own, and a license from Linux for parts of the code that they own, why can't you use them together? The real question is about the jointly-owned portion of the code (after the abstraction, comparison, filtration test). Are you able use that or not? If not, why not?

Re: Please Read The Entire Statement

[Cacadril]

...taking code written by other people...force it to also be released under the GPL. ...stealing other people's code

This resembles the rapist who thinks the girl forced him to do it by being so female and attractive.

The linux kernel was there first, GPL and all. Nobody was "forced" to write GRSecurity as a patch to Linux. Nobody wrote code innocently only to have it taken away from them afterwards. GRSecurity does not work without the Linux kernel, or, if you can make it work without, you are free to do so,

...that happens to link to GPL code

This is another distortion of the facts. The code does not "happen to link" totally by accident or by evil acts of the Linux crowd. First, I doubt it just links, without any patching of existing code. We are talking about applying patches, that is, creating a derivative work in the form of a modified compilation unit. Who is "taking" other people's code here? And who is applying the patches? Who is doing the linking?

Re:Please Read The Entire Statement

[DRJlaw]

Grsecurity is an unlicensed derivative work and it's owned in part by the kernel developers because it necessarily includes portions of the original work. The GPL does not apply to it at all.

Those portions of the original work have been licensed to the customers by the GPLv2 sec 6. The license to those portions of the original work cannot be terminated per GPLv2 sec 4. The customer is also expressly licensed to make such a combination by GPLv2 sec. 2 so long as they do not publish or distribute the combined work.

End of story.

They're paying for copies. That's how they become a contributory infringer.

No. Merely purchasing the existing combination of code does not provide the required right and ability to supervise or control the infringing activity. You are well outside the bounds of your expertise, and it shows.

Re:Please Read The Entire Statement

[DRJlaw]

Just to be clear Bruce,

The fact that the user has the GPL for some other copy of a Linux kernel does not license the infringing derivative work to the user.

This appears to be the crux of our differences. GPLv2 sec. 4 states:

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

That section says that the customer has a licence for that copy of the Linux kernel, not any other. Section 4 does not apply only to users who received copies from distributors who were completely in compliance with the GPL, because sec. 6 would make the emphasized language entirely superfluous under that interpretation:

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions.

The customer is not "sublicensed" by the distributor, and therefore does not have their license terminated by termination of the license to the distributor under sec. 6 alone. In short, GPL2 sec. 4 says that the user is not responsible for the sins of a distributor. Every user of GPL licensed code is independently licensed by every contributor to that GPL licensed code to use the copy of the code that they have received, regardless of the compliance of intermediaries, so long as that individual user complies with the GPL.

The argument to the contrary is the "great big 'red flag'" that I've referred to. I'm quite certain that you haven't run that argument by Eben or the FSF, because it necessarily means that anyone using GPL code must audit the person or entity that they received the code from, not only for the copy that they received, but all copies that that distributor has ever distributed, so ensure that they have a license to "that" copy of the GPL-ed code and not "some other copy" of the code.

If you wanted to stoke the perception that GPLed code is "toxic" in yet another unhelpful and nebulous way, you couldn't have picked a better way...

Re:Please Read The Entire Statement

[Bruce+Perens]

Because the GPL doesn't apply to the infringing derivative work, as it terminated when it was not complied with, and Open Source Security, Inc. doesn't have a right to license it to others or to apply the GPL to it. So, the customers have a work with no valid license and the kernel developers own the only remedy that would permit its legal use.

If the customers had the GPL on that work, distribution might be relevant. They don't. Also keep in mind that distribution is not the only thing you can do to violate the GPL. You can create a derivative work that is in violation even before distribution.

Re:Please Read The Entire Statement

[Bruce+Perens]

No. Merely purchasing the existing combination of code does not provide the required right and ability to supervise or control the infringing activity. You are well outside the bounds of your expertise, and it shows.

In this case, it's the reverse. I understand how the software is applied (this is why I'm an expert witness in demand) and you're out of your expertise, sorry. The customer applies the patch. That gives them control of the infringing activity.

Those portions of the original work have been licensed to the customers by the GPLv2 sec 6. The license to those portions of the original work cannot be terminated per GPLv2 sec 4. The customer is also expressly licensed to make such a combination by GPLv2 sec. 2 so long as they do not publish or distribute the combined work.

Weren't you going to ask Eben about this? Why don't you do so, and get back to me. I still don't believe they're licensed.

By the way, I got the Grsecurity agreement. They actually put down in writing how they restrict the customer's GPL rights.

Re:Please Read The Entire Statement

[Bruce+Perens]

I just copied Eben again this morning, as I'd received a copy of the Grsecurity Stable Patch Access Agreement, which I had not previously had in hand. I also included another link to my article. No word from Eben yet.

While the user may not be responsible for the sins of the distributor, this is only the case after the distributor successfully conveys the GPL to the user upon the work. I contend that the distributor never had the right to convey the GPL to the user at all upon an infringing derivative work, and that a direct grant by the kernel developers to the user is thus never triggered.

Also, keep in mind that if the user does successfully receive the GPL on a work, they must be fully in compliance (section 4) for the GPL to continue. If the "sins" of the distributor are repeated by the user, the user is not in compliance. The point here is that the user need not pay for a "sin" which they do not repeat, nor may the distributor perform a deliberate action which terminates the user's GPL rights unless the user repeats that action.

When the user receives the infringing derivative work, and when the user applies the patch, they inherit the previous infringement from the distributor. The GPL does not wash clean that infringing status for the user.

Re:Please Read The Entire Statement

[phantomfive]

Because the GPL doesn't apply to the infringing derivative work, as it terminated when it was not complied with, and Open Source Security, Inc. doesn't have a right to license it to others or to apply the GPL to it. So, the customers have a work with no valid license and the kernel developers own the only remedy that would permit its legal use.

The counter-argument here is that the customers already have a valid license to the Linux kernel, with the GPL already granted, and the GPL allows them to modify the kernel in almost any way. I see elsewhere that you've written to Eben Moglen on the topic, so I'll wait to see what he says.

You can create a derivative work that is in violation even before distribution.

How would you do that? The GPL allows essentially any kind of modification (as long as you make a 'prominent' note of the modifications in the source).

Re:Please Read The Entire Statement

[phantomfive]

I want to add some analysis here, following the appellate court's ruling in Oracle v Google (if you haven't read it already, I strongly recommend reading it, because it is clear-minded and I fully expect it to set the precedent for software copyright cases for a long, long time).

So, imagine the 'owner' of the Linux kernel sued the customer of Grsecurity. Following OvG, the courts would first apply the Abstraction, Filtration, and Comparison test to figure out what is infringing. So the question is, what is infringing? After running the AFC test, there is nothing left that the customer doesn't have a license to. The Linux kernel 'owner' has given the end-user the right to use all of his(her) code. There is nothing left that the 'owner' can say that the customer doesn't have a license to.

Now, if the user doesn't have the right to use the code remaining after the AFC test, I would be interested in hearing an argument as to why not.

Re:Please Read The Entire Statement

[DRJlaw]

While the user may not be responsible for the sins of the distributor, this is only the case after the distributor successfully conveys the GPL to the user upon the work. I contend that the distributor never had the right to convey the GPL to the user at all upon an infringing derivative work, and that a direct grant by the kernel developers to the user is thus never triggered.

And I contend that you're wrong. In the SFLC's own words:

Automatic Downstream Licensing

Each time you redistribute a GPLâ(TM)d program, the recipient automatically receives a license, under the terms of the GPL involved, from every upstream licensor whose copyrighted material is present in the work you redistribute. You can think of this as creating a three-dimensional rather than linear flow of license rights. Every recipient of the work is âoein privity,â or is directly receiving a license from every licensor.

This mechanism of automatic downstream licensing is central to the working of copyleft. Every licensor independently grants licenses, and every licensor independently terminates the license on violation. In the case of GPLv2, this termination is automatic, while under GPLv3 the party breaching the licenseâ(TM)s terms may be able to cure before termination. Parties further downstream from the infringing party remain licensed, so long as they donâ(TM)t themselves commit infringing actions. Their licenses come directly from all the upstream holders, and are not dependent on the license of the breaching party who distributed to them. For the same reason, an infringer who acquires another copy of the program has not thereby acquired any new license rights: once any upstream licensor of that program has terminated the license for breach of its terms, no new automatic license will issue to the recipient just by acquiring another copy.

It does not matter whether "the distributor []ever had the right to convey the GPL to the user." The user takes their license directly from every contributor, and cannot be liable for using a GPLed work unless they themselves directly violate the GPL.

I no longer need your clarification. It's eminently clear that you're in the wrong.

Re:Please Read The Entire Statement

[ale2011]

GPLv2 sec. 4 states:

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

That section says that the customer has a licence for that copy of the Linux kernel, not any other. Section 4 does not apply only to users who received copies from distributors who were completely in compliance with the GPL, because sec. 6 would make the emphasized language entirely superfluous under that interpretation:

That would seem to imply that a patch can be considered not to be derivative work. Is it so?

Some versions of the Grsecurity article seem to imply that Bruce is the only one who argues that's a violation. IANAL, and I think if that's not a violation then the GPL is badly written (perhaps thet's why there is v3.) RMS's statement is unusually laconic.

Re:Please Read The Entire Statement

[Bruce+Perens]

The infringing derivative work is not the software which the Linux developers license to people under the GPL. It is a separate work to which the GPL does not apply and to which the Linux developers hold a copyright interest and the only remedy which can permit its legal use. The Linux developers never intended to license that work, they still haven't, the GPL doesn't apply to it.

Re:Please Read The Entire Statement

[Bruce+Perens]

You are also ignoring the paragraph after the one you cited:

Protection Against Additional Restrictions Usersâ(TM) freedoms cannot be protected if parties can add restrictive terms to the copyleft. The âoeno additional restrictionsâ principle is therefore unwaivable if the GPL licenses are to achieve their primary objective. GPLv2 therefore requires that the only license terms available for works based on GPLv2 works are the terms of GPLv2. GPLv3, in Â7, enumerates a few classes of permissible additional terms, to allow very limited license variations in particular circumstances. But with these exceptions, the âoeno further restrictionsâ principle applies strictly. For these reasons, acceptance requirements or ceremonies, including âoeclick to acceptâ installation routines, violate the terms of GPL.

By this interpretation, both the distributor who offered an additional term and the customer who accepted it in breach.

I should also add that SFLC's interpretation of the GPL is not binding upon anyone but SFLC, and arguably not even them. I certainly don't have to accept it or abide by it.

Re:Good example of why to avoid the GPL.

[K.+S.+Kyosuke]

Good. Everyone who doesn't like Linux's license is perfectly free to support any of the BSDs.

Re:Good example of why to avoid the GPL.

[Stormwatch]

"Most quotes on the internet are made up."
        - Albert Einstein

Not related to their mark

[Bruce+Perens]

Grsecurity recently changed its terms due to widespread abuse of its mark.

Dear AC,

If that's really their intent, they're confused. Or maybe you don't understand? The GPL doesn't have anything to do with trademarks. And Grsecurity did not bother to create a trademark for their product that was different from the versions with the old GPL-only terms, which are still in use. If trademark was the problem, they'd need to create a new one for their commercial product.

This, unfortunately, would not mitigate the GPL issue, which is copyright and contract related.

Re:Not related to their mark

Hi Bruce, as far as I understand it grsecurity changed its terms back in April. They seem to suggest that they supply patches to the kernel released under GPLv2 terms, but will refuse to offer further subscription support to anyone who distributes those patches. I don't know if there is a rider over "with our mark on them" on this or not, but if so wouldn't that place them in the same position as Redhat? I seem to recall that a similar situation arose with Virtuozzo in the early days, except they were distributing a complete kernel binary rather than a patch to the source, with a termination of support clause.

I can clearly see where your bone of contention is, but wonder if by attempting to protect the GPL you aren't potentially relying on an equally bad position (ie is the party modifying the kernel then forced to release their changes whether they want to or not?)

Have you tried contacting them? I'd be interested to learn what their side of the story is. For the record, I am not related to grsecurity in any way. I've had one or two brief contacts with members in the past, that's it.

Re:Not related to their mark

[Bruce+Perens]

Redhat sequesters their support information from non-customers. It's really difficult to make a case that the support data is derivative of the Open Source involved. I don't believe Red Hat has attempted to stop any of their customers from redistributing an actual patch. Just other information.

I don't know about Virtuozzo, sorry.

I did not contact Open Source Security Inc. as they had by that time already had extensive and somewhat acrimonious discussions with others in the community.

I think my legal theory holds water. I am bothered by the sort of action that Open Source Security Inc. is doing, and felt that informing the customers (albeit indirectly, in places like Slashdot) was the best way to effect a change. This was a case where publicity was the most effective means of effecting change (even if the only change is that someone else doesn't try to do what's being done with Grsecurity) and was less expensive for all sides than a lawsuit.

Re:Not related to their mark

I've had a look over their agreement here, and there is nothing to prevent redistribution of a patch under the terms and conditions of the GPLv2. It states that if it a patch is distributed outside of the terms of the GPLv2, then access to further patches in the future (not the patch provided) will be denied, on a works for hire basis.

I honestly don't think you've got all your ducks lined up here, and yes, I realise who I'm saying it to and how the hordes here will descend upon me.

Re:Not related to their mark

[Bruce+Perens]

The problem isn't with the text there. It's with what else they have told their customers. It doesn't even have to be in writing.

I have witnesses. If there was ever a case, obviously the prosecution would have to depose people to make this point. I am not actually planning on a case, though. I think this warning will have the desired effect.

Re:Not related to their mark

Fair enough, far be it from me to actually RTFA (this is Slashdot, after all). Thanks for taking the time to (re)explain that. As much as I'd like to support grsecurity, I tend to do so from a technical perspective. It's a real shame if what the witnesses have said is true, and I have no reason to doubt them. I'd still like to hear the other side of the story, though.

Re:Not related to their mark

[buchner.johannes]

I think my legal theory holds water.

Lets say I release (sell) v1.0 of my software to person A, B and C under GPL2. Then B does something I don't like, but I can't do anything about it, because they received the software and can propagate it further under GPL2.

The following year, I sell v2.0 of my software to person A and C under GPL2, but don't sell it to person B any more. They do not have any right to receive it from me. If A or C pass it on to B, they are free to do that. But I can put arbitrary restrictions on to whom I give my software, if it is a new version -- I can decide for every release.

There is no addition of terms or restrictions of the GPL needed. It's just who you release your software to. Now if A is the general public, all restrictions are basically moot.

Re:Not related to their mark

[Bruce+Perens]

A lot of people are having a problem with the time sequence of events.

Let's say you warn someone in advance that you will harm their business by withdrawing their support and removing them from your customer list, should they exercise their right which is granted to them under the GPL. That's adding a term.

Let's say that you never warn them about anything, they distribute stuff, and you decide to downsize your business and fire them as a customer. That is not adding a term.

It took me a while to get this straight myself, for a while I knew something was wrong but did not realize the importance of the time sequence. But I think I could help to win a case with this, if one came up.

Re:Not related to their mark

[Bruce+Perens]

I think there is lots of room for people to make security patches to the kernel, and for them to do them one at a time and get the kernel team to accept them. They belong in the mainline, not a patch.

If they need some special subsystem to support them, they should put that in the form of as small a patch as possible, get the kernel team to accept that, and then to make individual patches that make use of that facility.

In contrast, Grsecurity is a big patch built up over years, and I hear not always a careful one.

It is difficult to get the kernel team to accept things. That is not a misfeature. They set really high standards, not just that the code works but that it's easy to read and review, is modular and does not put dirty fingers all over the kernel, and is well-architected according to the esthetic style of the kernel developers. Not everything meets those standards, and because there's an esthetic style it's sometimes down to personal style of the programmer and not everyone fits. But that's still not a misfeature.

Re:Not related to their mark

[jeremyp]

The GPL says nothing about what support you must provide to your customers. In fact, it says that the software is distributed without warranty of any kind which means you do not have any obligation to provide any support or maintenance.

If you then say we will provide support but only if you don't redistributed our software, you are not infringing any of their rights under the GPL that I can see. I don't think it's right, but I wouldn't be confident that it is illegal.

Re:Not related to their mark

[squiggleslash]

I'm confused, and I'm happy to be proven wrong, but I'm having trouble with this:

Let's say you warn someone in advance that you will harm their business by withdrawing their support and removing them from your customer list, should they exercise their right which is granted to them under the GPL. That's adding a term.

I'm not sure how it's adding a term unless one of the rights granted by the GPL is one of those that the "warning" is stating will be taken away. As I see it, this is little different to a straightforward "You can use this under the GPL, or you can voluntarily give up your rights under the GPL and accept this combination of rights and restrictions instead. Your choice." I don't see the latter as violating the GPL in any way - if it does, perhaps that means we need to revisit what the GPL does, as it's perfectly reasonable under certain circumstances.

For example, if someone wants me to support a piece of software, I don't want them to make changes to it without my knowledge, otherwise it's impossible for me to adequately support them. But if your reading of the GPL is correct, then if the heart of the software is GPL'd, I wouldn't be able to have them to make that agreement, especially if I supply the software to them.

Re:Not related to their mark

[Bruce+Perens]

I got a copy of Grsecurity's Stable Patch Access Agreement. It's a written term, given to you before the act of distribution. It's rather imprudent of them to write it down if you ask me.

The entire point of the language against additional terms in the GPL is so that others can not negotiate with you for you to give up any of your GPL rights.

I don't think this gives you an obligation to support software you didn't provide. You are not, in that case, refusing to support the software that you did provide. In contrast, Grsecurity shuts the customer off entirely.

Re:Not related to their mark

[squiggleslash]

Ah, so (still confused, but I think I see what you're getting at) - are you saying it was a straightforward "You can choose our terms or the GPLs, but if you choose the latter you don't get the software at all (from us, but who else are you going to get it from if nobody else has it who hasn't agreed to our terms)?"

Because yes, I can understand why that would be a problem. Part of me is fearful it might still actually be legal to do that.

Re: Good example of why to avoid the GPL.

[viperidaenz]

How? You're completely forbidden to make derivative works of Microsoft Windows. You're also forbidden to distribute it in any way.

Re:Good example of why to avoid the GPL.

[Teun]

Indeed, as we know free is not gratis.
The GPL keeps the existing software and its derivatives free to use by and for all.

Re:Good example of why to avoid the GPL.

[Eravnrekaree]

The GPL is reasonable, You want to use someone elses code you should give back the improvements you make. I dont see anything wrong with that.

Re:Good example of why to avoid the GPL.

It's been said over and over - it's not about YOUR freedom, it's about the continued freedom of THE CODE

If you're not willing to pay "the price" of the GPL stop whining and go use some other code base with terms you can accept. But if you won't comply with the GPL, nothing else gives you the right to redistribute GPL'd code or or derivative works of it.

Re:Good example of why to avoid the GPL.

[93+Escort+Wagon]

"Most quotes on the internet are made up."

        - Albert Einstein

Yeah, right there you've demonstrated the "internet problem" in a nut shell... taking an Abraham Lincoln quote and then mis-attributing it to Albert Einstein.

Re: The GPL is asinine

[110010001000]

How is it sneaky? The GPL is open and readable. Poor Grsecurity guy: you are going to lose.

Re:The GPL is asinine

[segedunum]

This means that merely linking your own original code with GPL code (that remains open source) and distributing it requires that you also release your own original code under the GPL.

No it doesn't. Nvidia do this with their binary kernel module and have done for a very long time. The deciding factor is distribution.

Re:Community

[Bruce+Perens]

But if Bruce or Eric decide to sue Debian or Canonical (or whomever) for shipping GRSecurity with the kernel, I'll watch while the community turns on them like a pack of &@#$ wolves and their reputation takes a perpetual hit.

Bill,

Debian would have the previous version before this licensing problem came up.

I am not the plaintiff in any theoretical case, and in any case am not interested in suing Debian. That's not me. But this should be a wake-up call to Debian.

Regarding CDDL vs. GPL, Sun quite deliberately applied that license and refused to dual-license. One would imagine they had Linux in mind when that decision was made. Oracle continues that. It doesn't seem that anyone on the Linux side started that fight. And given the decision in Oracle v. Google that copyright can pass across APIs, at Oracle's behest, it does not seem to me that CDDL-GPL combinations are legally safe even if you dynamically link.

Re:Good example of why to avoid the GPL.

[Scarletdown]

"When the Internet is invented, I think it would be really cool if people misquoted me on it."

    -- Abraham Lincoln

Re:Good example of why to avoid the GPL.

[lucm]

"The definition of insanity is misquoting the same thing over and over and expecting different attributions."
- President Benjamin Franklin

Question mark abuse

[lucm]

Did you really ask this? Seriously. Did you?
Your opinion of GPL aside, are you remotely aware of law at all? Seriously. Are you?

I'd be curious to see if on your keyboard the "?" key is as worn down as the space bar.

Re: Question mark abuse

[that+this+is+not+und]

They have trained their dog to bump the ? key with it's nose periodically. The dogs nose is softer and wetter than a finger, meaning there is less wear to the keycap.

Re:The GPL is asinine

It's one thing to require that modifications to source code remain open source. I think it's onerous, but at least it's not infecting anything it links to. However, the GPL require that any derivative works that make use of any GPL code be released under the GPL if they're distributed at all. This means that merely linking your own original code with GPL code (that remains open source) and distributing it requires that you also release your own original code under the GPL. This is an asinine restriction on freedom, and precisely why the GPL is evil. If you actually care about freedom, require that the original code and direct modifications to it remain open source, but let linked code be released under any license. That's a completely reasonable compromise, but the asinine GPL doesn't allow for it.

GPL does exactly what it is designed to do: it gives freedom to its users by preventing evil companies to use unscrupulous methods against the people.

For example, if GPL did not exist and Linux was where it is today but it had a BSD license, Microsoft could use their same old monopolistic technique of "embrance, extend, extinguish" and:
1) start selling their own "Linux" solution
2) modify the kernel to add extra features so companies adopt it and becomes very popular
3) introduce "proprietary" extensions (that are copyrighted and licensed under proprietary license) that make it incompatible with the original kernel but all new apps require it
4) charge everyone increasing prices for same old thing because users are now locked into single solution
5) spy on users and sell their private information for additional profit

See here: https://en.wikipedia.org/wiki/Embrace%2C_extend_and_extinguish

The point is, GPL is good for the people (i.e. end users).

The only people that think GPL is bad are:
1) Companies that want to screw everyone to make a profit (think SCO).
2) People that are fanboys of windows/apple/whatever
3) People that don't know any better

Re: The GPL is asinine

If it wasnt for "other peoples code" being free, they wouldnt have anything to patch. I cant tell if youre trolling or if youre really that stupid.

This is a problem affecting all OSS licenses

[Lirodon]

I've seen multiple pieces of software, including Paint.net and Classic Shell, change to proprietary licenses because of this exact issue; being able to effectively plagiarize a program just because it's open source and you can theoretically do anything to it, like change the name and claim it as your own, claim it's a "new version" that's littered with malware or add-ons that aren't open source, etc. Open source licenses do not give you a carte blanche to infringe on any other proprietary intellectual property associated with the software, such as trademarks and trade dress.

Re:This is a problem affecting all OSS licenses

[Bruce+Perens]

Actually, the GPL and a trademark registration will keep just what you're talking about from happening. Going proprietary won't give you any more protection unless you're talking about just locking up the source. But you have to enforce once in a while to keep idiots from breaking the rules.

Re: This is a problem affecting all OSS licenses

[guruevi]

No you cannot do that under proper open source licenses such as the GPL. In the cases of paint.net and classic shell and many more, they just want to have other people build and fix their product and then once successful, they want to close it and sell a commercial product. It's the main reason never to contribute to anything obscure that is under a MIT or BSD license.

Re:This is a problem affecting all OSS licenses

[Lirodon]

Well, this is the same case. Their code, despite being heavily modified, is still being attributed to them as their work, thus violating its integrity because it is not the grsecurity..

Re: The GPL is asinine

[segedunum]

Why, so you can take other people's hard work like Grsecurity and force them to release their code publicly....

Errrrr, they've taken an entire fucking kernel that they didn't write to peddle their snakoil.

Re:Good example of why to avoid the GPL.

[TechyImmigrant]

How is doing things secretly under NDA "in the public interest"?

It's the first question he would be asked. "Will do discuss this under NDA". So he's getting that out of the way before they start.

Re:Good example of why to avoid the GPL.

[Bruce+Perens]

That's your right. Of course, this matters more if you've actually released anything under it.

I should tell you, though, I have had more than one person who used gift-style licenses come crying to me about how badly they were abused. Some decide the GPL is a better idea too late...

Re:Good example of why to avoid the GPL.

[Bruce+Perens]

Right. Nobody and their legal counsel want to talk about this without an NDA. I am taking on some liability by accepting an NDA and still doing the whole thing for free.

Re: Good example of why to avoid the GPL.

[Bruce+Perens]

The problem with using the Founder's Copyright is that Public Domain is not more free for the aggregate of all people than the GPL would be. It's just an invitation to integrate the public code into private works without returning anything, while the GPL promotes that more code is shared.

Re: Good example of why to avoid the GPL.

[Entrope]

The GPL does not require any "giving back". It says that if you change the software, and give the changed version to somebody else, you must give them (a) the source code and (b) a GPL-compatible license for the combined/modified software. You could call that obligatory giving forward, but not obligatory giving back.

Do like...

[101percent]

Linux should do like OpenBSD did with pf and just replace it. All this yelling and screaming just turns people away.

Re:Do like...

[101percent]

This drama is on every relevant website.

Re:Sounds wrong: do they distribute anything that'

[Bruce+Perens]

They don't have to distribute the kernel to violate the GPL in this case. Copyright also restricts the creation of derivative works. Grsecurity definitely is derivative of the kernel. The GPL would be their only permission to create and distribute a derivative work of the kernel. And one of the terms of the GPL is that you can't add any rules to your derivative that aren't in the GPL itself.

With respect, your understanding of copyright and licensing isn't quite complete. This is not a personal criticism, it's true for most people. But legal theories based on what you know so far might not be correct.

Re:The GPL is asinine

[epyT-R]

There's a subset of symbols that nongpl kernel modules are allowed to link to.

Re:Good example of why to avoid the GPL.

[dissy]

If the GPL was really about freedom then it would contain exactly one sentence.
"You are free to do whatever you want with this software. "

Wow, why do you hate freedom so much?

How am I "free" if I, as you claim, am forced to grant permission to others that allows them to assume ownership of everything I make, and at the same time deny me usage and possession of everything I make?

Sounds like forced slavery to me...

Re:What is Grsecurity?

[ledow]

There's been a few articles on this already.

It's an external patch-set that adds security features to the Linux kernel.

And now the guy who runs it wants to charge for it, and stop people distributing it, even though it is inherently a GPL-based work.

He's also a pain in the arse, but that's besides the point.

Re:Good example of why to avoid the GPL.

[Bruce+Perens]

Creator of the Open Source AMBE codec. He doesn't want his name known because he doesn't want to be sued by DVSI.

Re:Good example of why to avoid the GPL.

[Bruce+Perens]

You understand the difference between "me libertarianism" and "us libertarianism". Some of these folks are offended that they aren't allowed to keep slaves.

Re:Sounds wrong: do they distribute anything that'

[Wrath0fb0b]

Hi Bruce,

Since you say that GRSecurity is 'definitely' a derivative work, and since you know about a million times more than I do, let's accept that claim as a fact for a moment.

GRSecurity is primary distributed as a set of patches which modify the Linux kernel's operation in various ways. The end user takes those patches and combines them with the kernel to achieve the desired (or maybe not, doesn't matter). According to your claim, they are not permitted to do so without license from the original work (the kernel).

The implications of this claim seem to be very broad and, to me, undesirable. It would seem to indicate that people would not be free to build and share aftermarket enhancements for any commercial product that contains a creative element (that is eligible for copyright) without license from the company that produced it.

For instance, Subaru sells a car containing an ECU, and no doubt that Subaru retains copyright in the code that runs in that ECU. Joe and his friends develop a software patch for this ECU in order to improve the characteristics of their automobile or to make it compatible with some other usage or accessory. According to your claim, this is a derivative work (it patches the ECU software, the ECU software is copyright) and so if Joe distributes this patch without license from Subaru, he is liable for infringement.

Or for another example, a company sells an electronic microscope to Janice's school. Janice and her friends patch the software running on the microscope to improve the noise reduction algorithm or increase the maximum frame rate. Janice wishes to distribute this improvement to other students. Again, the same story.

So much then for Janice and Joe's right to tinker with the software running on their devices then.

[ For what it's worth, if I were writing the law instead of describing it, I would avoid this entire mess and make it clear that a patch or modification on an existing work that does not itself any part of the original is not derivative. It's just a set of instructions for how the rightful possessor of the originator work can change it, nothing more. ]

Re:Sounds wrong: do they distribute anything that'

[Bruce+Perens]

This is a very large discussion and I'm not going to put in the hour necessary to explain it fully. One of the relevant cases is Galoob Games v. Nintendo. In that case, the Game Genie made by Galoob, which let you have infinite lifetime and ammo and thus cheat in Nintendo games, was thought to be a derivative work by Nintendo. Galoob won, because the Game Genie connected to a plug and only modified a few memory locations.

Unlike the modularity of the Game Genie and that of some of the other things you mention, Grsecurity does not limit itself to dealing with Linux through its APIs (like the plugs in the Nintendo console and game cartrige). Instead, Grsecurity gets dirty fingers all over the kernel internals. So, it's derivative.

I am very much a supporter of right to repair and to interoperate, and we should discuss that another time.

Re:What is Grsecurity?

[Bruce+Perens]

He's also a pain in the arse, but that's besides the point.

You would think. But look at the previous problem children: Larry McVoy did not comport himself very well around the Bitkeeper issue, and the then board of OSI tell me he wasn't too nice around them either. Things might have gone better for him had he behaved differently.

Hans Reiser. Had a reputation for abusing the kernel community before he killed poor Nina. I only talked with her on the phone and had lunch once with him, but I am astonished I don't get bad dreams...

I am sure there are other examples...

Re:Good example of why to avoid the GPL.

[Megol]

Code have no freedom, nor rights. Information have no desires.

Re: Sounds wrong: do they distribute anything that

[guruevi]

You are more than welcome to make derivatives of the Linux kernel and sell them (see Android). You do however have to comply with the license and thus you should see GPLed release code on sites from Samsung etc (which you often but not always do).

The company is not required to release the code publically either, only their customers can demand the code, however this has to be under the same license (thus you cannot do like Amlogic does and claim NDA for the Linux kernel)

Re: Good example of why to avoid the GPL.

[Zero__Kelvin]

Likewise, laws against murder are the worst! Sure, they protect me, at least as much as any law can, but they don't allow me to murder whomever I want! This is why laws against murder are horrible and have to go!

Re:Good example of why to avoid the GPL.

[Megol]

I understand the GPL is "word libertarianism" a.k.a "just do as I say libertarianism" a.k.a. not libertarianism at all. Many (not most) GPL adherents see it as an inspired text with religious meaning and try to redefine common terms. No you people don't get to change the meaning of freedom and you don't get to define what people should want.

The GPL have an important place among other software licenses. It however do allow people to keep the metaphorical slaves as long as they swear to uphold the holy GPL. Most other licenses accept that it isn't about the holy idea but about allowing others to modify, study and distribute creations with the question of (still metaphorical) slaves being controlled by other, separate, rules.

Re: Good example of why to avoid the GPL.

[Gr8Apes]

The problem with using the Founder's Copyright is that Public Domain is not more free for the aggregate of all people than the GPL would be. It's just an invitation to integrate the public code into private works without returning anything, while the GPL promotes that more code is shared.

Well, that depends upon whether you want freedom or a set of rules. I respect your opinion on most things, but in this case you cannot make the case that GPL is about freedom, because its not. It's about controlling those who use it while giving them great latitude in one way, but constraining them greatly in others. The closest thing to freedom regarding copyright and code are licenses such as MIT, BSD, and the Apache 2 licenses, and even those have clauses constraining use. They're just a lot less restraining than the GPL (2 or 3).

Re: Good example of why to avoid the GPL.

[Gr8Apes]

I'd call it relinquishing control of your software. We don't touch GPL source or libraries anywhere I have worked precisely because of this show-stopping feature of GPL.

Re: Sounds wrong: do they distribute anything that

[Bruce+Perens]

My contention is that the current state with Grsecurity is like releasing it under NDA. I just wanted to make sure you understood that part.

Re:And this is why...

[marcle]

Sadly, it's not just the open source community, it's the whole damn industry...

Re:Good example of why to avoid the GPL.

[dissy]

It however do allow people to keep the metaphorical slaves as long as they swear to uphold the holy GPL.

No one is forcing the GPL on anyone.
Absolutely no one is forced to take GPL code and do anything with it. Not a single person.

Slaves do not by definition have the choice to not be a slave.

If you don't want to "uphold the holy GPL" as you call it, you are perfectly free to get code in any one of many other ways.
You can find code licensed in some other way.
You can learn to code and write your own.
You can pay someone to write it for you and give you copyright ownership, after which you can license it in anyway you please, including not licencing it at all.

You are the one redefining "freedom", "slaves", and "forced" here.

Re:And this is why...

[Bruce+Perens]

Sometimes it seems that people are accusing me of inventing intellectual property. It is the proprietary industry that created this mess. I just try to promote a sane corner where we can get away from them.

Re:Good example of why to avoid the GPL.

[duke_cheetah2003]

You can learn to code and write your own.
You can pay someone to write it for you and give you copyright ownership, after which you can license it in anyway you please, including not licencing it at all.

Not so sure these are entirely viable in every situation. One can easily run afoul of patents when writing your own code. Additionally, if your code looks and/or acts like someone elses code, you can easily be accused of stealing it by entities protecting whatever it is you seemed to have re-invented.

While programming and coding should be fairly free and loose with regards to the above concerns, it is not. Not in this reality. Tread carefully.

Re:Uhhhhhhh

[Bruce+Perens]

No, nobody is making it up. What has your interaction been with them since April?

Re:Good example of why to avoid the GPL.

[duke_cheetah2003]

As an addendum to the above, I just wanted to point out, the above scenarios won't activate until you start making money with your work. You'll be absolutely amazed how much crazy will come out of the woodwork, then claim patents, theft and/or any other sort of misrepresentation in order to grab a slice of your pie.

Again, tread carefully.

Re:Uhhhhhhh

[Bruce+Perens]

Could you email that to bruce at perens dot com, please?

Re:Good example of why to avoid the GPL.

[dissy]

I don't think I understand what you are meaning to say.

Yes, those are valid concerns when writing your own code and hiring someone to write code for you...

But compared to the other options listed (using code under another license, and using GPL code while agreeing to the GPL), plus the option the parent poster said was preferable, namely using GPL code while violating copyright laws in doing so, I'm fairly certain all of those have the same patent risk just the same.

Even purchasing a license to commercial closed code isn't free of those risks.
Although if the commercial entity you purchase the code from is also the patent holder for the process it works by, your risk is greatly reduced at least so far as being sued for a patent violation.

As for the problem of "being accused of a crime you didn't commit", at least in the US, this is a risk everyone is exposed to no matter what they do in life.
Unfortunately that can happen if you stay in bed sleeping for 23 hours a day, if you happen to piss off the wrong person in you one waking hour.

As a warning to people, fair enough.
I just don't see what any of those have to do with the "need" to violate copyright laws like the parent was saying is the best option regarding copyright licenses.

Re:Good example of why to avoid the GPL.

[hord]

My software is released under this license: "This software is information. It is subject only to local laws of physics." Basically just obey the laws of physics. Like a good lump of matter.

Re:Getting a second opinion?

[_merlin]

That would be Bruce Breckets

you're after.

Re: Good example of why to avoid the GPL.

[drinkypoo]

I'd call it relinquishing control of your software.

That's exactly what it is. Some people find that letting go results in a better deal. Some don't.

Re:What is Grsecurity?

[drinkypoo]

The problem here however is that you have achieved a most effective advertisement for Grsecurity. I have been using Linux since '96 and had never heard of Grsecurity until reading this story. I am unlikely to start using it now, but still...

I have heard of it, and I took it as a warning. I'm clearly not going to dick with grsecurity now. Is it an advertisement for, or against?

Re:Good example of why to avoid the GPL.

[epyT-R]

Then perhaps free software developers should write their own kernel with a license that disallows those "parasitic closed developers" from deploying software on it.

If, as you say, they need closed developers, why should they do that?

But they won't because they need closed source software in fact the GNU project would have been an utter failure if it weren't for the preamble in the Linux kernel license that exempts software making kernel syscalls from being infected with the GPL license terms.

I suspect the MODULE_LICENSE() macro acts as the barrier between what they consider GPL kernel internals and 'boilerplate' code. GPL (and GPL/MIT hybrid) licensed code gets full access while others do not. It's not hard to write closed drivers for linux if you want to, but you'll be limited to what you can touch. You need not worry about 'infection' from GPL code just as the kernel devs don't need to worry about 'infections' from closed blobs. Just remember that nonfree modules 'taint' the kernel, so if your users have crashes, the devs will not support them nor accept bug reports. Seems fair to me as you cannot expect them to support software they don't have the source for.

you just seem incredibly ignorant of the fact that the free software movement would be completely defunct if it weren't for the ability of closed and open source developers to collaborate on the GNU/Linux platform.

What are you babbling about? All three licenses allow such collaboration. Obviously, the industry chose to involve itself with linux or, like you said, it would not be where it is today.

Re: Good example of why to avoid the GPL.

[someone1234]

In other words, you expect stuff for free but you don't want to give the same to others.

Re:Good example of why to avoid the GPL.

[sexconker]

If you want the code to be free, then release it freely. Code under the GPL is NOT free. It is encumbered.

Re:Uhhhhhhh

[sexconker]

Will you sign an NDA first?

Re:Good example of why to avoid the GPL.

[TheRaven64]

The growth in use of permissive licenses (particularly if you look at github) over restrictive ones is a demonstration of pragmatism and the idea that not everything must be free and we can have non-free and free components working together and cooperating rather than focussing on a pure free software ideology.

I wouldn't necessarily even go that far. I am entirely in favour of a world in which all software comes with the FSF's four freedoms. The reason I release code under FreeBSD / MIT licenses is that this seems like a path that has an actual transition plan. If there's a BSDL project available that does 90% of what you need, then you can adopt it and add the remaining 10% without needing to change your business model. Most of the time, it's then cheaper to release the code. If it doesn't give you a competitive advantage, then upstreaming your changes means that your maintenance costs go down (and, often, other people will fix your bugs, in exchange for being able to use your new features).

If there's only a GPL'd project available, then I've worked with a lot of companies that aren't 100% sure that they will never want to do anything that the GPL prohibits and so will instead write a proprietary version (if you're lucky, you can persuade them to write a permissively licensed version). The GPL'd project doesn't ever enter the company (particularly with GPLv3, where anyone who owns patents gets very nervous) and so they never see the benefits of Free Software. It doesn't provide them with a transition path.

This transition path is particularly important because around 90% of all software developers are employed by companies that are not primarily computer companies. They are developing software for in-house use and so implicitly have all of the four freedoms (because they own the copyright), but don't contribute anything to the wider ecosystem (other than money to Microsoft, Oracle, SAP, and so on). Getting them to start using, contributing to, and then preferring open source solutions can unlock a lot of developer resources.

Re: Good example of why to avoid the GPL.

[orlanz]

You are a bloody idiot who can't parse sentences. Finish 3rd grade first please.

Re:Good example of why to avoid the GPL.

[cas2000]

If there's only a GPL'd project available, then I've worked with a lot of companies that aren't 100% sure that they will never want to do anything that the GPL prohibits and so will instead write a proprietary version

Good. The GPL is working as designed.

You do realise that that's a feature, not a bug, don't you? It's an anti-leeching provision. They should not be benefiting from the work of GPL developers if they're unwilling to abide by the terms.

In that case. they should be writing their own or paying for a proprietary product. Exactly the same as if they don't want to pay the license fee and/or royalties for a commercial product, they have to write their own or get what they need from someone else (incl. of course, GPL software).

This transition path is particularly important because around 90% of all software developers are employed by companies that are not primarily computer companies. They are developing software for in-house use and so implicitly have all of the four freedoms (because they own the copyright)

these companies are exactly the ones who benefit most from copyleft software. They're not making money from the software, so there's no financial incentive to avoid copyleft. In fact, there's a huge incentive to use copyleft code because they can co-operate in improving the code and gain the benefit of sharing the dev workload with similar companies and enthusiastic individuals.

copyleft is better for their needs because they don't have to worry about free-loaders or anyone else taking their contributions and embedding them in proprietary/commercial software.

And many/most of them don't distribute even binaries of their code (and certainly not binaries of any proprietary business-logic or other code), it's all in-house use, so they don't even have to distribute their changes if they don't want to.

BSD-style licenses are only good for two kinds of developers:

1. Gigantic software & hardware corporations who want to profit from open code without incurring any obligation to contribute back (i.e. parasites who sometimes manage a decent emulation of a symbiote). This is where the huge push towards non-copyleft licensing is coming from.

It's even better than exploiting interns, and the unpaid programmers provide their own desks and computers.

2. Developers who really don't give a fuck about what is done with their code when they release it (a much smaller group than you appear to imagine).

Everyone else is better off with copyleft.

Re: Good example of why to avoid the GPL.

[cas2000]

1. who the fuck are you to decide what are the "wrong" reasons?

2. I don't particularly care if users give something back or not. I do, however, care a great deal about parasites trying to steal my code into their proprietary shitware. THAT is why whatever I write is GPL, and also why I almost never contribute to non-copyleft projects.

The GPL has one of the license features I care most about: ONCE FREE, ALWAYS FREE.

Re: Good example of why to avoid the GPL.

[cas2000]

[...]but in this case you cannot make the case that GPL is about freedom, because its not. It's about controlling those who use it[...]

I'm so sick of seeing this bullshit.

The ONLY (alleged) "freedom" that the GPL restricts is the "freedom" to fuck over downstream users and take away the rights granted to them by the upstream authors and all contributors.

Only psychopaths, wannabe-psychopaths, and psychopath-sympathisers think that that's a "freedom" worth supporting.

Re:Good example of why to avoid the GPL.

[Megol]

It however do allow people to keep the metaphorical slaves as long as they swear to uphold the holy GPL.

No one is forcing the GPL on anyone.
Absolutely no one is forced to take GPL code and do anything with it. Not a single person.

Slaves do not by definition have the choice to not be a slave.

If you don't want to "uphold the holy GPL" as you call it, you are perfectly free to get code in any one of many other ways.
You can find code licensed in some other way.
You can learn to code and write your own.
You can pay someone to write it for you and give you copyright ownership, after which you can license it in anyway you please, including not licencing it at all.

You are the one redefining "freedom", "slaves", and "forced" here.

I am? First of all I don't remember writing anything about someone forcing someone other, let's see... No, I didn't define nor use the word "forced". That's an indication that you maybe should re-read my post. I don't define slaves (just continued the _bad_ analogy used in the post I replied to) and I don't define free - as that definition is well known and can be looked up if needed. So no, I do not redefine anything.

The GPL people like to pretend their idea of freedom under certain conditions (that actually reduces freedoms) is the "true" definition of Freedom. That's bogus. Real freedom is to be able to do what one want. GPL hinders some of those wants of certain people/organizations/corporations. That's fine by me, as I think the GPL is a good license for _some_ things but limits freedoms too much for most things. But I'll not let people pretend removing freedoms makes something more free - they could argue that those limitations on freedom is better (which I generally don't agree with (but see above)) but outright lying is bullshit.

To answer your first paragraph last: I never claimed or hinted anyone is forced to use the GPL or even (if they choose to use the GPL) to follow the semi-religious ideas of the FSF. So why do you like to pretend I did? I didn't use the word forced/force at all nor anything that could be constructed as being forced to do something.

Re: The GPL is asinine

[jeremyp]

It doesn't link to GPL code, it is a patch. That means it is a modification of GPL code.

Re: Good example of why to avoid the GPL.

[Gr8Apes]

I'm so sick of seeing this bullshit.

The ONLY (alleged) "freedom" that the GPL restricts is the "freedom" to fuck over downstream users and take away the rights granted to them by the upstream authors and all contributors.

Only psychopaths, wannabe-psychopaths, and psychopath-sympathisers think that that's a "freedom" worth supporting.

Chip on your shoulder much? I cannot extend GPL code in any meaningful way and resell it and keep my IP private. I can extend it and use it internally, so a services based function is perfectly fine. But as soon as I want to sell a license to the code or supply an appliance, I must also legally give a copy of my source. So, the answer is to not extend GPL code in my IP and keep my IP mine.

Should I hoist a bucket of water from the well, should I then give that water to everyone that wants some? After all, they all the ability to hoist (extend code) themselves, right?

Re: Good example of why to avoid the GPL.

[Gr8Apes]

I've contributed back to several projects so that's untrue. Just not the core IP of my work. I have no issue contributing fixes, I do have issues with my core work being legally opened up to the world because I use 1 API call in a library under that wondrous entity known as the GPL v3, especially that one clause that can be added that slips my mind at the moment.

Re: Good example of why to avoid the GPL.

[cas2000]

> But as soon as I want to sell a license to the code or supply an appliance, I must also legally give a copy of my source.

YES. THAT'S THE FUCKING POINT OF THE GPL.

> So, the answer is to not extend GPL code in my IP and keep my IP mine.

1. "IP" aka "Intellectual Property" is a meaningless bullshit propaganda term.

2. Again, that's the fucking point of the GPL. If you're not willing to abide by the terms, you don't get to fucking benefit from the code.

Write your own fucking code from scratch, or buy it, or do whatever the fuck you want that doesn't involve you parasitising other people's work, other people's contribution to the common good, for your own private fucking profit.

> Should I hoist a bucket of water from the well, should I then give that water to everyone that wants some? After all, they all the ability to hoist (extend code) themselves, right?

right, you're just another libertarian psychopath. why am i not surprised.

Perception of the GPL

[Bruce+Perens]

If you wanted to stoke the perception that GPLed code is "toxic" in yet another unhelpful and nebulous way, you couldn't have picked a better way...

Actually, all I see so far is that an intentional GPL violator's customers are not protected from that intentional violation. It's not at all clear that this is in any way different from the proprietary software licensing world, where a contributory infringement case brought on the customer rather than the vendor is a frequent strategy.

I check out the software licenses that are offered to my customers. Sometimes I red-light a proprietary software vendor because I don't believe they have the right to offer their own software. This is often obvious from their licensing. Similarly, a company should not accept a commercial issue of a GPL work if it's not sure the vendor has a right to offer the work.

I am sorry that due diligence is required, but of course the Free Software folks didn't invent this intellectual property mess.

Re:Uhhhhhhh

[Bruce+Perens]

I got a copy of the agreement. It's here. It's pretty clearly in violation. The offending language is:

Notwithstanding these rights and obligations, the User acknowledges that redistribution of the provided stable patches or changelogs outside of the explicit obligations under the GPL to User's customers will result in termination of access to future updates of grsecurity stable patches and changelogs.

The entire point of the langauge in section 6 of the GPL is so that another party can not cause you to negotiate away your GPL rights.

Re: Good example of why to avoid the GPL.

[Gr8Apes]

> I cannot extend GPL code in any meaningful way and resell it and keep my IP private.

Just another way of saying "fuck over downstream users and take away the rights granted to them by the upstream authors and all contributors."

You'll note that avoid this, because I respect the legal aspects of the GPL:

So, the answer is to not extend GPL code in my IP and keep my IP mine.

Re: Good example of why to avoid the GPL.

[Gr8Apes]

> But as soon as I want to sell a license to the code or supply an appliance, I must also legally give a copy of my source.

YES. THAT'S THE FUCKING POINT OF THE GPL.

Translation: I don't have a leg to stand on but I'm really angry and you should just accept my assertion, because it's profane and CAPITALIZED!!!!

> So, the answer is to not extend GPL code in my IP and keep my IP mine.

1. "IP" aka "Intellectual Property" is a meaningless bullshit propaganda term.

How about I keep my work mine and sell it based on my terms. Would that work for you, since you seem to have trouble with the semantics of the GPL and IP as it translates to work?

2. Again, that's the fucking point of the GPL. If you're not willing to abide by the terms, you don't get to fucking benefit from the code.

Translation: Here I fail again to understand your post, but I'm still angry, and profanity always adds extra weight to my points.

Write your own fucking code from scratch, or buy it, or do whatever the fuck you want that doesn't involve you parasitising other people's work, other people's contribution to the common good, for your own private fucking profit.

Once your frothing stage has subsided and you've actually comprehended what was written in the GP, you'll note that's exactly what I said, and that your apparent psychotic OCD need to vomit verbal diarrhea against anything perceived as negatively impacting the GPL only reiterates exactly what I posted.

> Should I hoist a bucket of water from the well, should I then give that water to everyone that wants some? After all, they all the ability to hoist (extend code) themselves, right?

right, you're just another libertarian psychopath. why am i not surprised.

The only one showing psychopathic tendencies is you. This analogy was merely to clarify that if I did the work, I shouldn't be forced to give it away. Now, should I choose to haul a second bucket and pass it around, great, and I very well might (and in reality I have).

Re: Good example of why to avoid the GPL.

[Gr8Apes]

Is it a derivative work if you write 100K LOCs and 1 rarely used method in an odd library calls a GPL'd method?

Just another attempt...

[martinfb]

Just another attempt to steal income from unsuspecting open source users.

Capitalism at it's WORST!

Re: Sounds wrong: do they distribute anything that

[guruevi]

Yes I do, many companies try to do this though and I'm not sure Linus has ever actively tried to stop them. Samsung, Amlogic, HP, Netgear, Minix have all done it some time in the past or are still actively refusing to release Linux source code they have modified or require some form of NDA before they will give it to you, companies in China are even worse than companies in the US.

I've contacted the FSF about it prior and they seem unwilling to pursue the case unless portions of GNU software are included in the distribution which makes it a bit of a chicken and egg problem, they won't give me the source and the binaries don't contain comments/licenses so it's unclear as to whom they are actually infringing against and FSF won't pursue it unless you can prove the source code contains GNU licensed material.

Given Linus is also more of a technical rather than legal mind, I doubt the GPLv2 on the Kernel is even enforceable at this point unless individual coders want to pursue cases against their more recent contributions.

Re: Good example of why to avoid the GPL.

[Gr8Apes]

What *I* write is absolutely *my* software. I like to keep it that way for certain things I write, so I avoid anything GPL'd.

Re: Good example of why to avoid the GPL.

[Gr8Apes]

And people like me will never see nor use your software, and be at a competitive advantage by writing only what we need, and not the kitchen sink approach you likely used.

Re: Good example of why to avoid the GPL.

[Gr8Apes]

> Is it a derivative work if you write 100K LOCs and 1 rarely used method in an odd library calls a GPL'd method?

Irrelevant how much you write or how you interface, according to FSF - what matters is whether the combined code makes a "single program."

Exactly, why risk someone *stealing* your code because you mistakenly or erroneously somehow linked to a single API call? Which is why we avoid GPL code like the plague it is. And yes, someone taking something from you because you linked to a library that links to a library that links to a library that calls a piece of GPL code is why you should always fully audit your entire library dependency tree and strictly control it. It's also why the maven repo system sucks more than a little bit, because it doesn't really help you with this situation much at all. Gradle is no better in this regard, btw.

Re:Good example of why to avoid the GPL.

[Scarletdown]

"Pull my finger!"

-- The idiot sitting in the control center next to the guy who pushed the button to do the Trinity test.

Re: Good example of why to avoid the GPL.

[cas2000]

you're a fucking moron who doesn't understand the GPL and whines about the fact that it does exactly what it intends to do.

Re:Good example of why to avoid the GPL.

[dissy]

You are absolutely correct, you were not one of the people using the term "forced" nor redefining it.
I apologize for my mistake.

But you still keep referring to the GPL removing freedoms.
You are aware that it is copyright law that removes your freedom to, as you say, to be able to do what one wants.

The GPL, like most licenses, actually *counters* the removal of rights that copyright law forces on you.

As you say, it may not grant you all the rights you wish to have, but not giving you something is quite different from taking something you do have away.
Copyright law takes nearly everything away, and the license gives it back to you.

Re:Sounds wrong: do they distribute anything that'

[Wrath0fb0b]

How in the world can there be a right to repair/improve when anything that modifies the internals of a copyrighted work is a derivative work?

For instance, a modification to a car ECU would not "deal with it through its APIs" (there aren't any API, it's not meant to be accessed by developers!) and would "get its dirty fingers over the ECU internals" (since there is surely no nice external interface to modify the behavior). So there goes the right in that respect.

Similarly for any attempt to improve nearly any non-extensible closed system. In fact, now that I think about it, this means there is a very high incentive for a company that wishes to lock tinkerers out to design things to be as closed and rigid as possible. The lack of configurability will means that anyone wishing to tinker will need to 'modify the internals' and the closed nature of the system means there will no API to deal with. Both of those factors will increase the chance that any aftermarket modification is a derivative work and thus empower the company to bar its distribution without license.

It would be very unfortunate if our system incentivized this sort of engineering by conferring additional rights based on engineering details about API and configurability.

Re: Good example of why to avoid the GPL.

[david_thornley]

That's a valid attitude. Lambasting the GPL for being something you don't want is less so. The GPL protects freedom, just not in a way that's useful to you and the way you operate.

Re:Good example of why to avoid the GPL.

[david_thornley]

If I release code under the GPL, anyone can use it for whatever software they want to write.

Re:Good example of why to avoid the GPL.

[david_thornley]

The GPL provides you with very restricted patent protections. Someone else with a patent can come along and screw you over.

What the GPL does is give you an automatic license for the patents actually used that are actually held by upstream providers. There's no reason you can't negotiate your own patent licenses, just as there's no reason you can't write your own code.

Most of the non-copyleft licenses I've looked at have no mention of patents, so you're in trouble with that.

Again, if you don't want the benefits of the GPL, don't use GPLed code. You're whining that GPLed code has certain protections that shield you from some inconveniences you whine about.

Re:Good example of why to avoid the GPL.

[sexconker]

If I release code under the GPL, anyone can use it for whatever software they want to write.

Can they sell it? Can they bundle it? Can they do so without providing the source to modifications they've made? Can they ... ?

The GPL is restrictive. You may like the ways it's restrictive, but not everyone does. And just what are we talking about? v1? v2? v3? Some modification of any of the above?

Re: Good example of why to avoid the GPL.

[Gr8Apes]

That's a valid attitude. Lambasting the GPL for being something you don't want is less so. The GPL protects freedom, just not in a way that's useful to you and the way you operate.

It doesn't protect "freedom" at all under any standard definition. It does a great job of restricting freedom, however.

Re: Good example of why to avoid the GPL.

[Gr8Apes]

Riddle me this, oh wise AC - why does the Linux kernel not use GPL v3?

Re: Good example of why to avoid the GPL.

[Gr8Apes]

I understand the licenses much better than you, apparently. I also understand my and my employers needs. So far there has only been 1 case where GPL software was acceptable.

Re: Good example of why to avoid the GPL.

[Gr8Apes]

Maybe that library's author didn't want you to be able to make that call without paying him or opening your code.

Maybe he did, but maybe someone a couple of dependencies up didn't, and also didn't properly legally vette their code.

Re: Good example of why to avoid the GPL.

[Gr8Apes]

Ah, but the GPL can take from you if you're not careful. It's very wise to know exactly what the GPL costs you, because it can cost you.

The entire point was that the GPL forces you to relinquish control of your work. It's implied that only happens if you use GPL'd code, which is why I normally don't touch anything with GPL on it.

Re: Good example of why to avoid the GPL.

[mfnickster]

The entire point was that the GPL forces you to relinquish control of your work. It's implied that only happens if you use GPL'd code, which is why I normally don't touch anything with GPL on it.

No, it most certainly does not. You own your own work; you can use GPL or not, or dual- or triple-license it if you want.

If you use someone else's code, COPYRIGHT LAW forces you to abide by the author's license, not GPL.

Re: Good example of why to avoid the GPL.

[Gr8Apes]

The GPL is nothing without copyright law.

Re: Good example of why to avoid the GPL.

[Gr8Apes]

Without copyright law, I don't have to worry about being forced to distribute any additions I might do to such code either, because the code wouldn't be protected any more than MIT, BSD, or Apache, and actually less.

Re:Good example of why to avoid the GPL.

[david_thornley]

Can they sell it? Can they bundle it?

Sure. No problem.

Can they do so without providing the source to modifications they've made?

If they're bundling, sure. Otherwise, no.

The GPL is restrictive. You may like the ways it's restrictive, but not everyone does

Correct. However, it's a free license in that it allows anyone to distribute the software, with or without modification, under the terms of the license. You may not like the restrictions, but many people do. I don't think it's the best license for everything. For example, I'm just as happy that Microsoft was able to appropriate BSD-licensed networking code for Windows, which would not have happened if not for the less restrictive licensing.

And just what are we talking about? v1? v2? v3? Some modification of any of the above?

I've never seen GPLv1. Presumably I could find a copy if I liked, but I've never seen software with that as a license. There are, AFAIK, three versions of both v2 and v3: the standard license, the Library/Lesser license, and the Affero license (which applies to server-side software on the Web or similar environment). The answers, to the best of my knowledge, are the same with the Affero and standard licenses for both versions. For the LGPLs, if you use an LGPLed library, you are free to distribute as a DLL with source, with none of the software that calls it necessarily being GPLed in any form.

Re: Good example of why to avoid the GPL.

[david_thornley]

If you have some GPLed software, you may copy it as you please. You may make changes as you please. You can redistribute as you please. What you can't do is change the license, which makes it incompatible with certain business models.

Re: Good example of why to avoid the GPL.

[Gr8Apes]

Have you ever decompiled a sizable project and tried to do anything with it? I have.

Re:Good example of why to avoid the GPL.

[sexconker]

So you admit your response to my post was incorrect and completely pointless?

If you want the code to be free, then release it freely. Code under the GPL is NOT free. It is encumbered.

If I release code under the GPL, anyone can use it for whatever software they want to write.

Code under the GPL is not free. There are restrictions involved, and you have admitted this. If you release code under the GPL, people are NOT free to use it for whatever software they want to write. They are free to use it for software they want to write and release under certain restrictions. If someone wants to use GPL code directly in closed-source software, they cannot. There's a legal maze to navigate with any version of the GPL. It's a showstopper for many, despite your personal feelings on the matter.

If you want your code to be used freely, then let it be used freely. Not some sort of politically-motivated, feel-good, anti-corporation, abusive definition of "freely".

Re:Good example of why to avoid the GPL.

[david_thornley]

Ah, so we're back in the insult level of debate.

You're wrong about "If you release code under the GPL, people are NOT free to use it for whatever software they want to write.", of course. Anybody can use GPLed code to write whatever they want. Your " If someone wants to use GPL code directly in closed-source software, they cannot." is correct, but I never said anything otherwise. Software itself is not Free or proprietary on its own, that's an attribute people assign to it with licensing. "There's a legal maze to navigate with any version of the GPL." is also false, since all versions of the GPL are reasonably clearly written and understandable. It's not a legal maze, unless you're looking for loopholes to abuse the license, which you shouldn't be doing anyway. " It's a showstopper for many, despite your personal feelings on the matter." is partly true. Some people want to do things incompatible with the GPL, and that's their business, but any whining about how someone else didn't let them use the code for their own specific purposes is unbecoming. Some people just have inept and lazy lawyers, who'd rather advise their clients to do nothing rather than do a little work to understand the legal situation.

Re:Perens...

[mfnickster]

> Has "derivative work" ever been defined in a legal sense?

https://www.law.cornell.edu/uscode/text/17/101