Slashdot Mirror


Bruce Perens Warns Grsecurity Breaches the Linux Kernel's GPL License (perens.com)

Bruce Perens co-founded the Open Source Initiative with Eric Raymond. Now he's sharing a "strong opinion" that companies should avoid the Grsecurity security patch for the Linux kernel "because it presents a contributory infringement and breach of contract risk." Slashdot reader NewGnu shared Bruce's comments:

[I]t would fail a fair-use test... Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2... My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition...

This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.

Perens advises companies to discuss his position with their attorneys, adding "In the public interest, I am willing to discuss this issue with companies and their legal counsel, under NDA, without charge."

51 of 474 comments

  1. Does Anyone Use That? by segedunum · · Score: 5, Funny

    Grsecurity is snakeoil dogshit.

    1. Re: Does Anyone Use That? by Anonymous Coward · · Score: 5, Interesting

      Submit good patches and we'll merge them. Hell, report some bugs. But no, that's not how you guys operate. You work in an ivory tower for months and send us a massive patch that lacks any organization or any reasonable way to break it down for review. At this point, we think you should take your pile of "security" patches and go write your own kernel to go with it.

    2. Re: Does Anyone Use That? by segedunum · · Score: 2

      Anonymous cowards protesting how Grsecurity have been so badly abused by everyone. Diddems. How predictable.

      They chuck patches they *know* won't be accepted upstream, whinge that they are being exploited when someone tries to make them palatable and rinses and repeats the whole process because they know it would destroy their pointless value proposition otherwise. As Linus said, their patches are utter garbage. They can either put up or shut up.

    3. Re: Does Anyone Use That? by Brockmire · · Score: 2

      There's history between grsecurity and the kernel people going back years. Bitching about large patch and disagreeing on importance of various behaviour sums it up. It's super paranoid security people against defensive kernel programmers who feel attacked for their code and decisions. At no time did I get the impression it was as bad as dealing with someone like apk. But there was a lot of butt hurt to go around.

    4. Re: Does Anyone Use That? by Brockmire · · Score: 2

      Alliterates. Is this irony?

    5. Re: Does Anyone Use That? by geoskd · · Score: 5, Informative

      Fuck the good ideas and flaws that get fixed, submit pretty patches or fuck off

      Patches can introduce bugs and security flaws as easily as they can fix them.

      Everywhere I have worked has had a strict policy of one issue per pull request for that very reason. Reviewing code is hard enough when it's a single issue at a time.

      --
      I wish I had a good sig, but all the good ones are copyrighted

    6. Re: Does Anyone Use That? by gnasher719 · · Score: 4, Interesting

      What I hear: "wah, you should be spoonfeeding us this because it's over our heads. Fuck the good ideas and flaws that get fixed, submit pretty patches or fuck off."

      What I hear from you is that you have no idea how software development works. Yes, absolutely, if you supply something that cannot be integrated, then fuck off.

    7. Re: Does Anyone Use That? by Zero__Kelvin · · Score: 4, Insightful

      You don't hear very well. The kernel is good because they follow a process. That process involves submitting code that can be readily reviewed before being accepted. "Trust us, it's great" gets a "go fick yourself", and that is exactly as it should be. If you think ANYTHING is over their head but not over the heads of the grsecurity devs you are clueless, but even if that were the case it is up to them to justify and explain their code or beat rocks.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    8. Re: Does Anyone Use That? by rtb61 · · Score: 3, Interesting

      I would be extremely suspect of any company that supplied blob patches, like M$ does to hide the individual elements of that patch. Straight up, I would suspect them of trying to put in a back door. So the question is to put all the effort into tearing down and completely dissecting that blob and only apply those elements of it that have been fully checked or just bin it and do the coding directly, which will likely be quicker.

      Everyone knows exactly the reason why kernel patches are kept neat, specific and fully detailed, and a security company should know better than others. This code blob is probably a try-it-on and the next one, the attack blob. Let's be honest, everyone knows the CIA/NSA would pay tens of millions in corrupt bribes to get a back door forced into Linux.

      --
      Chaos - everything, everywhere, everywhen

  2. Linus on Grsecurity by Anonymous Coward · · Score: 4, Informative

    Don't bother with grsecurity.

    Their approach has always been "we don't care if we break anything, we'll just claim it's because we're extra secure".

    The thing is a joke, and they are clowns. When they started talking about people taking advantage of them, I stopped trying to be polite about their bullshit.

    Their patches are pure garbage.

    Linus

    1. Re: Linus on Grsecurity by 110010001000 · · Score: 4, Insightful

      I'll take the judgement of the guy who actually wrote the kernel over a Grsecurity shill.

    2. Re: Linus on Grsecurity by guruevi · · Score: 3, Interesting

      You don't sound like a security expert either. If the kernels are so buggy, write patches and demonstrable exploit code.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com

    3. Re: Linus on Grsecurity by duke_cheetah2003 · · Score: 2

      The only people who like git are trend chasing hipsters (like JavaScript "programmers") who have never used other systems. Professionals, on the other hand, prefer Mercurial or one of the numerous other DVCS and VCS that exist.

      If only this were true. But it's not. It's my perspective that most programmers who adopt the usage of any version control tend to stick with the first one they learn. After that, they become loyal to that package, even if it dies off, they cling to the known quantity. That's in my view, how people pick their version control. It's rare anyone switches from one to another, unless forced to do so by an external.

      Some people might use one outside of their normal to work with another team, but for their own projects, they'll stick to their first/favorite.

  3. Re:Good example of why to avoid the GPL. by epyT-R · · Score: 4, Insightful

    Unless of course the goal is to keep the software open/modifiable by all while disallowing poaching by closed source developers. This frees the project from parasitic closed developers. They'll have to write their own code if they want to keep it closed.

  4. sounds about right by spongman · · Score: 5, Insightful

    I usually fall into the "GPL is less free than BSD" camp, but in this case I agree fully with Perens. The Linux kernel is GPL, everyone who works on it accepts that. If you don't like the GPL or the conditions it places on you, or how you (and others) can distribute your code - then go the fuck somewhere else.

  5. Re:Good example of why to avoid the GPL. by Dogtanian · · Score: 4, Interesting

    Clippy says, "It appears you're starting yet another GPL vs. BSD holy war discussion. Would You Like Help?"

    * Yes, please link to one of the approximately 17,000 near-identical discussions of this nature we've already had on Slashdot over the years.

    * No, I'd rather pointlessly go through the exact same longwinded to-ing and fro-ing and restatements of the same old facts purely to indulge my personal need, despite the fact I know the chances of any new insight coming out of the billionth tedious discussion of this long-established subject is next to nothing, despite the fact that those on both sides feel the need to repeat the same entrenched positions- which mostly come down to personal philosophy and not an incomplete understanding of the issues (which everyone knows full well by now) and will therefore be unlikely to change in the face of the discussion (not that this was the point anyway).

    (Joking aside, I'm pretty sure the OP knows all this and is intentionally trolling; I'm also pretty sure the replying AC above isn't, which IMHO makes it worse).

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).

  6. Please Read The Entire Statement by Bruce Perens · · Score: 5, Informative

    You should read the entire statement, because there are things missing from the quote above that are important. The most important part is the legal theory:

    By operating under their policy of terminating customer relations upon distribution of their GPL-licensed software, Open Source Security Inc., the owner of Grsecurity, creates an expectation that the customer's business will be damaged by losing access to support and later versions of the product, if that customer exercises their re-distribution right under the GPL license. This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.

    Also, this is important to keep me in compliance with the law:

    I am an intellectual property and technology specialist who advises attorneys, not an attorney. This is my opinion and is offered as advice to your attorney. Please show this to him or her. Under the law of most states, your attorney who is contracted to you is the only party who can provide you with legal advice.

    It's important to consider the goals of the GPL. You get great Free Software, but it's not a gift. It is sharing with rules that must be followed. You are required to keep it Free. And one of the implied purposes of the GPL is to cause more great Free Software to be made. This means that derivative works that are not shared really go against the purpose as well as the wording of the GPL.

    1. Re:Please Read The Entire Statement by Teun · · Score: 4, Insightful

      It's important to consider the goals of the GPL. You get great Free Software, but it's not a gift. It is sharing with rules that must be followed. You are required to keep it Free. And one of the implied purposes of the GPL is to cause more great Free Software to be made. This means that derivative works that are not shared really go against the purpose as well as the wording of the GPL.

      Amen, it's especially through the GPL that future developers are enabled to stand on the shoulders of the present.
      Nothing gets lost, we all win.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."

    2. Re:Please Read The Entire Statement by Bruce Perens · · Score: 4, Informative

      They don't want to play well with others. They should base on BSD or make their own kernel. No legal issues if they did that.

    3. Re:Please Read The Entire Statement by Bruce Perens · · Score: 2

      It's the time sequence that is important in proving a legal theory of this sort. The customer has been warned before the act of distribution that their business would be damaged as a consequence of distribution. If they just coincidentally fired a customer without warning them first, it would be much harder to make a case.

    4. Re:Please Read The Entire Statement by Bruce Perens · · Score: 2

      A lot of people are not understanding the importance of the time sequence. Because of the actions of Open Source Security Inc. to date, the customer already knows that there is a threat to cause them business damage if they exercise their right to distribution, before they perform the act of distribution. That's an additional term.

      You are treating this as if the consequences of distribution are the only relevant element, and as if they only happen after distribution. This is not the case.

    5. Re:Please Read The Entire Statement by Bruce Perens · · Score: 2

      Let's look at what the magistrate said:

      Defendant contends that Plaintiff's reliance on the unsigned GNU GPL fails to plausibly demonstrate mutual assent, that is, the existence of a contract. Not so. The GNU GPL, which is attached to the complaint, provides that the Ghostscript user agrees to its terms if the user does not obtain a commercial license. Plaintiff alleges that Defendant used Ghostscript, did not obtain a commercial license, and represented publicly that its use of Ghostscript was licensed under the GNL GPU. These allegations sufficiently plead the existence of a contract. See, e.g., MedioStream, Inc. v. Microsoft Corp., 749 F. Supp. 2d 507, 519 (E.D. Tex. 2010) (concluding that the software owner had adequately pled a claim for breach of a shrink-wrap license).

      You are misinterpreting the GPL when you say this:

      If the customer doesn't redistribute code to a third party, axiomatically they cannot be in breach of anything.

      The GPL is Open Source Security Inc.'s only permission to create and distribute a derivative work of the Linux kernel. I don't believe that anyone is denying that Grsecurity was created and distributed, and is derivative. The customer is obtaining and making use of an infringing derivative work. The status of the kernel is "All Rights Reserved" because the GPL has terminated, and that very clearly makes the customer a contributory infringer.

      You are taking a very simplistic view of the GPL that doesn't fit what you appear to be representing with your user name. Did you actually sit for the Bar? I know there are a lot of people with a J.D. who don't ever practice, it's a personal choice, but I would have expected a bit more depth in interpretation.

    6. Re:Please Read The Entire Statement by Bruce Perens · · Score: 2

      OK, if you're a real lawyer, I have no problem arguing law with you. I've won against folks who were admitted to the supreme court before.

      The license granted to the customer certainly has not terminated.

      The customer has that license for the kernel. They do not have that license for Grsecurity, because Grsecurity's license to the kernel terminated, and Grsecurity did not have the right to grant the GPL to the customer for an infringing derivative work. If Grsecurity was an independent work rather than derivative, it would have been different.

      This belongs to a class of arguments I see very frequently, in which the defendant has not complied with the GPL but repeatedly offers the language of the GPL in their defense as if they get to cherry-pick the terms they like.

      Sure, refer it to Eben. He's already been copied and has so far not chosen to differ. Richard chose not to be involved because he felt Grsecurity would not listen to him, and he has bigger fish to fry.

    7. Re:Please Read The Entire Statement by Bruce Perens · · Score: 2

      Which means that the original developers cannot properly sue the customers for infringement or breach of contract concerning use of the Linux kernel. Check. You've now admitted that there's no basis for liability absent a customer's own violation of the GPL.

      I admitted no such thing. And telling me what I admitted, when I haven't, is a rhetorical trick, not argument.

      Grsecurity is an unlicensed derivative work and it's owned in part by the kernel developers because it necessarily includes portions of the original work. The GPL does not apply to it at all. The fact that the user has the GPL for some other copy of a Linux kernel does not license the infringing derivative work to the user. Nor does it grant Open Source Security Inc. the ability to convey the GPL for that work.

      But the original developers do not own Grsecurity's modifications.

      Actually, they do! Not the whole thing, but the derivative work necessarily incorporates a significant portion of the original work, and this is definitely true for the patch format used. The GPL doesn't apply to that copy as its terms were not honored, and OSS never had a right to convey the GPL originally on that copy. A GPL conveyed by someone else for another copy of Linux does not apply to the infringing derivative work. Grsecurity has no right to distribute it at all. The Linux kernel developers own the only remedy that will make its legal use possible.

      Termination of the kernel license to Grsecurity does not affect the rights of their customers, or any other users, per GPLv2 secs. 4 and 6.

      It does indeed if Grsecurity never had the right to convey the GPL on that work to the users in the first place. You can't convey it on a derivative work without a license from the owners of the work it was derived from. Grsecurity did not have that license because they did not comply with it.

      Denied. You have not explained how Grsecurity cannot license its own modifications under the GPL, nor how anyone other than Grsecurity could sue users for using those modifications. You have admitted that customers and users are licensed to use the Linux kernel even if Grsecurity is not. You will have to admit that users can modify the Linux kernel if they so choose, even using non-GPLv2 modifications, so long as they do not publish or distribute the result (GPLv2 secs. 2 and 3).

      OK, this one is too much. Look, I know that lawyers will try to fool the other side to win an argument. I've had it happen before. It's not going to make me accept your argument. I explained clearly where Grsecurity could not license its infringing derivative work. You're being silly to contend that anyone can license an infringing derivative work to someone else without a lot more permission than the GPL contains.

      To reiterate, the customer has been licensed by the original developers for the original kernel and by Grsecurity for the modifications.

      The infringing derivative work was never licensed to the customers, because Grsecurity never had a right to license it to anyone. The copies of the kernel that are under the GPL came to the customer another way, if they have any, and the fact that the user has the GPL from someone else on another copy does not automatically license the infringing derivative work to the customer.

      A contributory infringer is "[o]ne who knowingly induces, causes or materially contributes to copyright infringement, by another but who has not committed or participated in the infringing acts him or herself, may be held liable as a contributory infringer if he or she had knowledge, or reason to know, of the infringement."

      They have now been informed that there's a good chance of risk of contributory infringement and to check with their counsel. It's public knowledge now. They're paying for copies. That's how they become

    8. Re:Please Read The Entire Statement by Bruce Perens · · Score: 2

      No. Merely purchasing the existing combination of code does not provide the required right and ability to supervise or control the infringing activity. You are well outside the bounds of your expertise, and it shows.

      In this case, it's the reverse. I understand how the software is applied (this is why I'm an expert witness in demand) and you're out of your expertise, sorry. The customer applies the patch. That gives them control of the infringing activity.

      Those portions of the original work have been licensed to the customers by the GPLv2 sec 6. The license to those portions of the original work cannot be terminated per GPLv2 sec 4. The customer is also expressly licensed to make such a combination by GPLv2 sec. 2 so long as they do not publish or distribute the combined work.

      Weren't you going to ask Eben about this? Why don't you do so, and get back to me. I still don't believe they're licensed.

      By the way, I got the Grsecurity agreement. They actually put down in writing how they restrict the customer's GPL rights.

  7. Re:Good example of why to avoid the GPL. by K. S. Kyosuke · · Score: 2

    Good. Everyone who doesn't like Linux's license is perfectly free to support any of the BSDs.

    --
    Ezekiel 23:20

  8. Not related to their mark by Bruce Perens · · Score: 4, Informative

    Grsecurity recently changed its terms due to widespread abuse of its mark.

    Dear AC,

    If that's really their intent, they're confused. Or maybe you don't understand? The GPL doesn't have anything to do with trademarks. And Grsecurity did not bother to create a trademark for their product that was different from the versions with the old GPL-only terms, which are still in use. If trademark was the problem, they'd need to create a new one for their commercial product.

    This, unfortunately, would not mitigate the GPL issue, which is copyright and contract related.

    1. Re:Not related to their mark by Anonymous Coward · · Score: 2

      Hi Bruce, as far as I understand it grsecurity changed its terms back in April. They seem to suggest that they supply patches to the kernel released under GPLv2 terms, but will refuse to offer further subscription support to anyone who distributes those patches. I don't know if there is a rider over "with our mark on them" on this or not, but if so wouldn't that place them in the same position as Redhat? I seem to recall that a similar situation arose with Virtuozzo in the early days, except they were distributing a complete kernel binary rather than a patch to the source, with a termination of support clause.

      I can clearly see where your bone of contention is, but wonder if by attempting to protect the GPL you aren't potentially relying on an equally bad position (ie is the party modifying the kernel then forced to release their changes whether they want to or not?)

      Have you tried contacting them? I'd be interested to learn what their side of the story is. For the record, I am not related to grsecurity in any way. I've had one or two brief contacts with members in the past, that's it.

    2. Re:Not related to their mark by Bruce Perens · · Score: 2

      Redhat sequesters their support information from non-customers. It's really difficult to make a case that the support data is derivative of the Open Source involved. I don't believe Red Hat has attempted to stop any of their customers from redistributing an actual patch. Just other information.

      I don't know about Virtuozzo, sorry.

      I did not contact Open Source Security Inc. as they had by that time already had extensive and somewhat acrimonious discussions with others in the community.

      I think my legal theory holds water. I am bothered by the sort of action that Open Source Security Inc. is doing, and felt that informing the customers (albeit indirectly, in places like Slashdot) was the best way to effect a change. This was a case where publicity was the most effective means of effecting change (even if the only change is that someone else doesn't try to do what's being done with Grsecurity) and was less expensive for all sides than a lawsuit.

    3. Re:Not related to their mark by Anonymous Coward · · Score: 2

      I've had a look over their agreement here, and there is nothing to prevent redistribution of a patch under the terms and conditions of the GPLv2. It states that if a patch is distributed outside of the terms of the GPLv2, then access to further patches in the future (not the patch provided) will be denied, on a works for hire basis.

      I honestly don't think you've got all your ducks lined up here, and yes, I realise who I'm saying it to and how the hordes here will descend upon me.

    4. Re:Not related to their mark by Bruce Perens · · Score: 4, Interesting

      The problem isn't with the text there. It's with what else they have told their customers. It doesn't even have to be in writing.

      I have witnesses. If there was ever a case, obviously the prosecution would have to depose people to make this point. I am not actually planning on a case, though. I think this warning will have the desired effect.

    5. Re:Not related to their mark by Bruce Perens · · Score: 2

      A lot of people are having a problem with the time sequence of events.

      Let's say you warn someone in advance that you will harm their business by withdrawing their support and removing them from your customer list, should they exercise their right which is granted to them under the GPL. That's adding a term.

      Let's say that you never warn them about anything, they distribute stuff, and you decide to downsize your business and fire them as a customer. That is not adding a term.

      It took me a while to get this straight myself, for a while I knew something was wrong but did not realize the importance of the time sequence. But I think I could help to win a case with this, if one came up.

  9. Re: Good example of why to avoid the GPL. by viperidaenz · · Score: 3, Insightful

    How? You're completely forbidden to make derivative works of Microsoft Windows. You're also forbidden to distribute it in any way.

  10. Re:Good example of why to avoid the GPL. by Teun · · Score: 3, Insightful

    Indeed, as we know free is not gratis.
    The GPL keeps the existing software and its derivatives free to use by and for all.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."

  11. Re:Good example of why to avoid the GPL. by 93 Escort Wagon · · Score: 5, Funny

    "Most quotes on the internet are made up."

            - Albert Einstein

    Yeah, right there you've demonstrated the "internet problem" in a nutshell... taking an Abraham Lincoln quote and then mis-attributing it to Albert Einstein.

    --
    #DeleteChrome

  12. Re:Community by Bruce Perens · · Score: 4, Informative

    But if Bruce or Eric decide to sue Debian or Canonical (or whomever) for shipping GRSecurity with the kernel, I'll watch while the community turns on them like a pack of &@#$ wolves and their reputation takes a perpetual hit.

    Bill,

    Debian would have the previous version before this licensing problem came up.

    I am not the plaintiff in any theoretical case, and in any case am not interested in suing Debian. That's not me. But this should be a wake-up call to Debian.

    Regarding CDDL vs. GPL, Sun quite deliberately applied that license and refused to dual-license. One would imagine they had Linux in mind when that decision was made. Oracle continues that. It doesn't seem that anyone on the Linux side started that fight. And given the decision in Oracle v. Google that copyright can pass across APIs, at Oracle's behest, it does not seem to me that CDDL-GPL combinations are legally safe even if you dynamically link.

  13. Re:Good example of why to avoid the GPL. by lucm · · Score: 4, Funny

    "The definition of insanity is misquoting the same thing over and over and expecting different attributions."
    - President Benjamin Franklin

    --
    lucm, indeed.

  14. Question mark abuse by lucm · · Score: 4, Funny

    Did you really ask this? Seriously. Did you?
    Your opinion of GPL aside, are you remotely aware of law at all? Seriously. Are you?

    I'd be curious to see if on your keyboard the "?" key is as worn down as the space bar.

    --
    lucm, indeed.

  15. Re:Good example of why to avoid the GPL. by TechyImmigrant · · Score: 2

    How is doing things secretly under NDA "in the public interest"?

    It's the first question he would be asked. "Will you discuss this under NDA". So he's getting that out of the way before they start.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.

  16. Re:This is a problem affecting all OSS licenses by Bruce Perens · · Score: 3, Interesting

    Actually, the GPL and a trademark registration will keep just what you're talking about from happening. Going proprietary won't give you any more protection unless you're talking about just locking up the source. But you have to enforce once in a while to keep idiots from breaking the rules.

  17. Re:Good example of why to avoid the GPL. by Bruce Perens · · Score: 3, Informative

    That's your right. Of course, this matters more if you've actually released anything under it.

    I should tell you, though, I have had more than one person who used gift-style licenses come crying to me about how badly they were abused. Some decide the GPL is a better idea too late...

  18. Re:Good example of why to avoid the GPL. by Bruce Perens · · Score: 4, Informative

    Right. Nobody and their legal counsel want to talk about this without an NDA. I am taking on some liability by accepting an NDA and still doing the whole thing for free.

  19. Re: Good example of why to avoid the GPL. by Entrope · · Score: 3, Informative

    The GPL does not require any "giving back". It says that if you change the software, and give the changed version to somebody else, you must give them (a) the source code and (b) a GPL-compatible license for the combined/modified software. You could call that obligatory giving forward, but not obligatory giving back.

  20. Re:Sounds wrong: do they distribute anything that' by Bruce Perens · · Score: 2

    They don't have to distribute the kernel to violate the GPL in this case. Copyright also restricts the creation of derivative works. Grsecurity definitely is derivative of the kernel. The GPL would be their only permission to create and distribute a derivative work of the kernel. And one of the terms of the GPL is that you can't add any rules to your derivative that aren't in the GPL itself.

    With respect, your understanding of copyright and licensing isn't quite complete. This is not a personal criticism, it's true for most people. But legal theories based on what you know so far might not be correct.

  21. Re:Sounds wrong: do they distribute anything that' by Bruce Perens · · Score: 3, Interesting

    This is a very large discussion and I'm not going to put in the hour necessary to explain it fully. One of the relevant cases is Galoob Games v. Nintendo. In that case, the Game Genie made by Galoob, which let you have infinite lifetime and ammo and thus cheat in Nintendo games, was thought to be a derivative work by Nintendo. Galoob won, because the Game Genie connected to a plug and only modified a few memory locations.

    Unlike the modularity of the Game Genie and that of some of the other things you mention, Grsecurity does not limit itself to dealing with Linux through its APIs (like the plugs in the Nintendo console and game cartridge). Instead, Grsecurity gets dirty fingers all over the kernel internals. So, it's derivative.

    I am very much a supporter of right to repair and to interoperate, and we should discuss that another time.

  22. Re:Good example of why to avoid the GPL. by dissy · · Score: 3, Informative

    It however does allow people to keep the metaphorical slaves as long as they swear to uphold the holy GPL.

    No one is forcing the GPL on anyone.
    Absolutely no one is forced to take GPL code and do anything with it. Not a single person.

    Slaves do not by definition have the choice to not be a slave.

    If you don't want to "uphold the holy GPL" as you call it, you are perfectly free to get code in any one of many other ways.
    You can find code licensed in some other way.
    You can learn to code and write your own.
    You can pay someone to write it for you and give you copyright ownership, after which you can license it in any way you please, including not licensing it at all.

    You are the one redefining "freedom", "slaves", and "forced" here.

  23. Re:Good example of why to avoid the GPL. by TheRaven64 · · Score: 3, Interesting

    The growth in use of permissive licenses (particularly if you look at github) over restrictive ones is a demonstration of pragmatism and the idea that not everything must be free and we can have non-free and free components working together and cooperating rather than focussing on a pure free software ideology.

    I wouldn't necessarily even go that far. I am entirely in favour of a world in which all software comes with the FSF's four freedoms. The reason I release code under FreeBSD / MIT licenses is that this seems like a path that has an actual transition plan. If there's a BSDL project available that does 90% of what you need, then you can adopt it and add the remaining 10% without needing to change your business model. Most of the time, it's then cheaper to release the code. If it doesn't give you a competitive advantage, then upstreaming your changes means that your maintenance costs go down (and, often, other people will fix your bugs, in exchange for being able to use your new features).

    If there's only a GPL'd project available, then I've worked with a lot of companies that aren't 100% sure that they will never want to do anything that the GPL prohibits and so will instead write a proprietary version (if you're lucky, you can persuade them to write a permissively licensed version). The GPL'd project doesn't ever enter the company (particularly with GPLv3, where anyone who owns patents gets very nervous) and so they never see the benefits of Free Software. It doesn't provide them with a transition path.

    This transition path is particularly important because around 90% of all software developers are employed by companies that are not primarily computer companies. They are developing software for in-house use and so implicitly have all of the four freedoms (because they own the copyright), but don't contribute anything to the wider ecosystem (other than money to Microsoft, Oracle, SAP, and so on). Getting them to start using, contributing to, and then preferring open source solutions can unlock a lot of developer resources.

    --
    I am TheRaven on Soylent News

  24. Re:Good example of why to avoid the GPL. by cas2000 · · Score: 2

    If there's only a GPL'd project available, then I've worked with a lot of companies that aren't 100% sure that they will never want to do anything that the GPL prohibits and so will instead write a proprietary version

    Good. The GPL is working as designed.

    You do realise that that's a feature, not a bug, don't you? It's an anti-leeching provision. They should not be benefiting from the work of GPL developers if they're unwilling to abide by the terms.

    In that case, they should be writing their own or paying for a proprietary product. Exactly the same as if they don't want to pay the license fee and/or royalties for a commercial product, they have to write their own or get what they need from someone else (incl. of course, GPL software).

    This transition path is particularly important because around 90% of all software developers are employed by companies that are not primarily computer companies. They are developing software for in-house use and so implicitly have all of the four freedoms (because they own the copyright)

    These companies are exactly the ones who benefit most from copyleft software. They're not making money from the software, so there's no financial incentive to avoid copyleft. In fact, there's a huge incentive to use copyleft code because they can co-operate in improving the code and gain the benefit of sharing the dev workload with similar companies and enthusiastic individuals.

    Copyleft is better for their needs because they don't have to worry about free-loaders or anyone else taking their contributions and embedding them in proprietary/commercial software.

    And many/most of them don't distribute even binaries of their code (and certainly not binaries of any proprietary business-logic or other code), it's all in-house use, so they don't even have to distribute their changes if they don't want to.

    BSD-style licenses are only good for two kinds of developers:

    1. Gigantic software & hardware corporations who want to profit from open code without incurring any obligation to contribute back (i.e. parasites who sometimes manage a decent emulation of a symbiote). This is where the huge push towards non-copyleft licensing is coming from.

    It's even better than exploiting interns, and the unpaid programmers provide their own desks and computers.

    2. Developers who really don't give a fuck about what is done with their code when they release it (a much smaller group than you appear to imagine).

    Everyone else is better off with copyleft.

  25. Re: Good example of why to avoid the GPL. by cas2000 · · Score: 2

    [...]but in this case you cannot make the case that GPL is about freedom, because it's not. It's about controlling those who use it[...]

    I'm so sick of seeing this bullshit.

    The ONLY (alleged) "freedom" that the GPL restricts is the "freedom" to fuck over downstream users and take away the rights granted to them by the upstream authors and all contributors.

    Only psychopaths, wannabe-psychopaths, and psychopath-sympathisers think that that's a "freedom" worth supporting.

  26. Perception of the GPL by Bruce+Perens · · Score: 2

    If you wanted to stoke the perception that GPLed code is "toxic" in yet another unhelpful and nebulous way, you couldn't have picked a better way...

    Actually, all I see so far is that an intentional GPL violator's customers are not protected from that intentional violation. It's not at all clear that this is in any way different from the proprietary software licensing world, where a contributory infringement case brought on the customer rather than the vendor is a frequent strategy.

    I check out the software licenses that are offered to my customers. Sometimes I red-light a proprietary software vendor because I don't believe they have the right to offer their own software. This is often obvious from their licensing. Similarly, a company should not accept a commercial issue of a GPL work if it's not sure the vendor has a right to offer the work.

    I am sorry that due diligence is required, but of course the Free Software folks didn't invent this intellectual property mess.

  27. Re:Uhhhhhhh by Bruce+Perens · · Score: 2

    I got a copy of the agreement. It's here. It's pretty clearly in violation. The offending language is:

    Notwithstanding these rights and obligations, the User acknowledges that redistribution of the provided stable patches or changelogs outside of the explicit obligations under the GPL to User's customers will result in termination of access to future updates of grsecurity stable patches and changelogs.

    The entire point of the language in section 6 of the GPL is so that another party can not cause you to negotiate away your GPL rights.