Bruce Perens Warns Grsecurity Breaches the Linux Kernel's GPL License

Bruce Perens co-founded the Open Source Initiative with Eric Raymond. Now he's sharing a "strong opinion" that companies should avoid the Grsecurity security patch for the Linux kernel "because it presents a contributory infringement and breach of contract risk." Slashdot reader NewGnu shared Bruce's comments: [I]t would fail a fair-use test... Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2... My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition...

This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.
Perens advises companies to discuss his position with their attorneys, adding "In the public interest, I am willing to discuss this issue with companies and their legal counsel, under NDA, without charge."

Does Anyone Use That?

[segedunum]

Grsecurity is snakeoil dogshit.

Re: Does Anyone Use That?

Submit good patches and we'll merge them. Hell, report some bugs. But no, that's not how you guys operate. You work in an ivory tower for months and send us a massive patch that lacks any organization or any reasonable way to break it down for review. At this point, we think you should take your pile of "security" patches and go write your own kernel to go with it.

Re: Does Anyone Use That?

[geoskd]

Fuck the good ideas and flaws that get fixed, submit pretty patches or fuck off

Patches can introduce bugs and security flaws as easily as they can fix them.

Every where I have worked has a had a strict policy of one issue per pull request for that very reason. Reviewing code is hard enough when its a single issue at a time.

Re: Does Anyone Use That?

[gnasher719]

What I hear: "wah, you should be spoonfeeding us this because it's over our heads. Fuck the good ideas and flaws that get fixed, submit pretty patches or fuck off."

What I hear from you is that you have no idea how software development works. Yes, absolutely, if you supply something that cannot be integrated, then fuck off.

Re: Does Anyone Use That?

[Zero__Kelvin]

You don't hear very well. The kernel is good because they follow a process. That process involves submitting code that can be readily reviewed before being accepted. "Trust us, it's great" gets a "go fick yourself", and that is exactly as it should be. If you think ANYTHING is over their head but not over the heads of the grsecurity devs you are clueless, but even if that were the case it is up to them to justify and explain their code or beat rocks.

Re: Does Anyone Use That?

[rtb61]

I would be extremely suspect of any company that supplied blob patches, like M$ does to hide the individual elements of that patch. Straight up, I would suspect them of trying to put in a back door. So the question is to put all the effort into tearing down and completely dissecting that blob and only apply those elements of it that have been fully checked or just bin it and do the coding directly, which will likely be quicker.

Everyone knows exactly the reason why kernel patches at keep neat, specific and fully detailed and a security company should know better than others. This code blob probably a try it on and the next one, the attack blob. Lets be honest everyone knows the CIA/NSA would pay tens of millions in corrupt bribes to get a back door forced into Linux.

Linus on Grsecurity

Don't bother with grsecurity.

Their approach has always been "we don't care if we break anything, we'll just claim it's because we're extra secure".

The thing is a joke, and they are clowns. When they started talking about people taking advantage of them, I stopped trying to be polite about their bullshit.

Their patches are pure garbage.

Linus

Re: Linus on Grsecurity

[110010001000]

I'll take the judgement of the guy who actually wrote the kernel over a Grsecurity shill.

Re: Linus on Grsecurity

[guruevi]

You don't sound like a security expert either. If the kernels are so buggy, write patches and demonstrable exploit code.

Re:Good example of why to avoid the GPL.

[epyT-R]

Unless of course the goal is to keep the software open/modifiable by all while disallowing poaching by closed source developers. This frees the project from parasitic closed developers. They'll have to write their own code if they want to keep it closed.

sounds about right

[spongman]

i usually fall into the "GPL is less free than BSD" camp, but in this case I agree fully with Perens. the Linux kernel is GPL, everyone who works on it agrees accepts that. if you don't like the GPL or the conditions it places on you, or how you (and others) can distribute your code - then go the fuck somewhere else.

Re:Good example of why to avoid the GPL.

[Dogtanian]

Clippy says, "It appears you're starting yet another GPL vs. BSD holy war discussion. Would You Like Help?"

* Yes, please link to one of the approximately 17,000 near-identical discussions of this nature we've already had on Slashdot over the years.

* No, I'd rather pointlessly go through the exact same longwinded to-ing and fro-ing and restatements of the same old facts purely to indulge my personal need, despite the fact I know the chances of any new insight coming out of the billionth tedious discussion of this long-established subject is next to nothing, despite the fact that those on both sides feel the need to repeat the same entrenched positions- which mostly come down to personal philosophy and not an incomplete understanding of the issues (which everyone knows full well by now) and will therefore be unlikely to change in the face of the discussion (not that this was the point anyway).

(Joking aside, I'm pretty sure the OP knows all this and is intentionally trolling; I'm also pretty sure the replying AC above isn't, which IMHO makes it worse).

Please Read The Entire Statement

[Bruce+Perens]

You should read the entire statement, because there are things missing from the quote above that are important. The most important part is the legal theory:

By operating under their policy of terminating customer relations upon distribution of their GPL-licensed software, Open Source Security Inc., the owner of Grsecurity, creates an expectation that the customer's business will be damaged by losing access to support and later versions of the product, if that customer exercises their re-distribution right under the GPL license. This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.

Also, this is important to keep me in compliance with the law:

I am an intellectual property and technology specialist who advises attorneys, not an attorney. This is my opinion and is offered as advice to your attorney. Please show this to him or her. Under the law of most states, your attorney who is contracted to you is the only party who can provide you with legal advice.

It's important to consider the goals of the GPL. You get great Free Software, but it's not a gift. It is sharing with rules that must be followed. You are required to keep it Free. And one of the implied purposes of the GPL is to cause more great Free Software to be made. This means that derivative works that are not shared really go against the purpose as well as the wording of the GPL.

Re:Please Read The Entire Statement

[Teun]

It's important to consider the goals of the GPL. You get great Free Software, but it's not a gift. It is sharing with rules that must be followed. You are required to keep it Free. And one of the implied purposes of the GPL is to cause more great Free Software to be made. This means that derivative works that are not shared really go against the purpose as well as the wording of the GPL.

Amen, it's especially through the GPL that future developers are enabled to stand on the shoulders of the present.
Nothing gets lost, we all win.

Re:Please Read The Entire Statement

[Bruce+Perens]

They don't want to play well with others. They should base on BSD or make their own kernel. No legal issues if they did that.

Not related to their mark

[Bruce+Perens]

Grsecurity recently changed its terms due to widespread abuse of its mark.

Dear AC,

If that's really their intent, they're confused. Or maybe you don't understand? The GPL doesn't have anything to do with trademarks. And Grsecurity did not bother to create a trademark for their product that was different from the versions with the old GPL-only terms, which are still in use. If trademark was the problem, they'd need to create a new one for their commercial product.

This, unfortunately, would not mitigate the GPL issue, which is copyright and contract related.

Re:Not related to their mark

[Bruce+Perens]

The problem isn't with the text there. It's with what else they have told their customers. It doesn't even have to be in writing.

I have witnesses. If there was ever a case, obviously the prosecution would have to depose people to make this point. I am not actually planning on a case, though. I think this warning will have the desired effect.

Re: Good example of why to avoid the GPL.

[viperidaenz]

How? You're completely forbidden to make derivative works of Microsoft Windows. You're also forbidden to distribute it in any way.

Re:Good example of why to avoid the GPL.

[Teun]

Indeed, as we know free is not gratis.
The GPL keeps the existing software and its derivatives free to use by and for all.

Re:Good example of why to avoid the GPL.

[93+Escort+Wagon]

"Most quotes on the internet are made up."

        - Albert Einstein

Yeah, right there you've demonstrated the "internet problem" in a nut shell... taking an Abraham Lincoln quote and then mis-attributing it to Albert Einstein.

Re:Community

[Bruce+Perens]

But if Bruce or Eric decide to sue Debian or Canonical (or whomever) for shipping GRSecurity with the kernel, I'll watch while the community turns on them like a pack of &@#$ wolves and their reputation takes a perpetual hit.

Bill,

Debian would have the previous version before this licensing problem came up.

I am not the plaintiff in any theoretical case, and in any case am not interested in suing Debian. That's not me. But this should be a wake-up call to Debian.

Regarding CDDL vs. GPL, Sun quite deliberately applied that license and refused to dual-license. One would imagine they had Linux in mind when that decision was made. Oracle continues that. It doesn't seem that anyone on the Linux side started that fight. And given the decision in Oracle v. Google that copyright can pass across APIs, at Oracle's behest, it does not seem to me that CDDL-GPL combinations are legally safe even if you dynamically link.

Re:Good example of why to avoid the GPL.

[lucm]

"The definition of insanity is misquoting the same thing over and over and expecting different attributions."
- President Benjamin Franklin

Question mark abuse

[lucm]

Did you really ask this? Seriously. Did you?
Your opinion of GPL aside, are you remotely aware of law at all? Seriously. Are you?

I'd be curious to see if on your keyboard the "?" key is as worn down as the space bar.

Re:This is a problem affecting all OSS licenses

[Bruce+Perens]

Actually, the GPL and a trademark registration will keep just what you're talking about from happening. Going proprietary won't give you any more protection unless you're talking about just locking up the source. But you have to enforce once in a while to keep idiots from breaking the rules.

Re:Good example of why to avoid the GPL.

[Bruce+Perens]

That's your right. Of course, this matters more if you've actually released anything under it.

I should tell you, though, I have had more than one person who used gift-style licenses come crying to me about how badly they were abused. Some decide the GPL is a better idea too late...

Re:Good example of why to avoid the GPL.

[Bruce+Perens]

Right. Nobody and their legal counsel want to talk about this without an NDA. I am taking on some liability by accepting an NDA and still doing the whole thing for free.

Re: Good example of why to avoid the GPL.

[Entrope]

The GPL does not require any "giving back". It says that if you change the software, and give the changed version to somebody else, you must give them (a) the source code and (b) a GPL-compatible license for the combined/modified software. You could call that obligatory giving forward, but not obligatory giving back.

Re:Sounds wrong: do they distribute anything that'

[Bruce+Perens]

This is a very large discussion and I'm not going to put in the hour necessary to explain it fully. One of the relevant cases is Galoob Games v. Nintendo. In that case, the Game Genie made by Galoob, which let you have infinite lifetime and ammo and thus cheat in Nintendo games, was thought to be a derivative work by Nintendo. Galoob won, because the Game Genie connected to a plug and only modified a few memory locations.

Unlike the modularity of the Game Genie and that of some of the other things you mention, Grsecurity does not limit itself to dealing with Linux through its APIs (like the plugs in the Nintendo console and game cartrige). Instead, Grsecurity gets dirty fingers all over the kernel internals. So, it's derivative.

I am very much a supporter of right to repair and to interoperate, and we should discuss that another time.

Re:Good example of why to avoid the GPL.

[dissy]

It however do allow people to keep the metaphorical slaves as long as they swear to uphold the holy GPL.

No one is forcing the GPL on anyone.
Absolutely no one is forced to take GPL code and do anything with it. Not a single person.

Slaves do not by definition have the choice to not be a slave.

If you don't want to "uphold the holy GPL" as you call it, you are perfectly free to get code in any one of many other ways.
You can find code licensed in some other way.
You can learn to code and write your own.
You can pay someone to write it for you and give you copyright ownership, after which you can license it in anyway you please, including not licencing it at all.

You are the one redefining "freedom", "slaves", and "forced" here.

Re:Good example of why to avoid the GPL.

[TheRaven64]

The growth in use of permissive licenses (particularly if you look at github) over restrictive ones is a demonstration of pragmatism and the idea that not everything must be free and we can have non-free and free components working together and cooperating rather than focussing on a pure free software ideology.

I wouldn't necessarily even go that far. I am entirely in favour of a world in which all software comes with the FSF's four freedoms. The reason I release code under FreeBSD / MIT licenses is that this seems like a path that has an actual transition plan. If there's a BSDL project available that does 90% of what you need, then you can adopt it and add the remaining 10% without needing to change your business model. Most of the time, it's then cheaper to release the code. If it doesn't give you a competitive advantage, then upstreaming your changes means that your maintenance costs go down (and, often, other people will fix your bugs, in exchange for being able to use your new features).

If there's only a GPL'd project available, then I've worked with a lot of companies that aren't 100% sure that they will never want to do anything that the GPL prohibits and so will instead write a proprietary version (if you're lucky, you can persuade them to write a permissively licensed version). The GPL'd project doesn't ever enter the company (particularly with GPLv3, where anyone who owns patents gets very nervous) and so they never see the benefits of Free Software. It doesn't provide them with a transition path.

This transition path is particularly important because around 90% of all software developers are employed by companies that are not primarily computer companies. They are developing software for in-house use and so implicitly have all of the four freedoms (because they own the copyright), but don't contribute anything to the wider ecosystem (other than money to Microsoft, Oracle, SAP, and so on). Getting them to start using, contributing to, and then preferring open source solutions can unlock a lot of developer resources.