Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bruce Perens Warns Grsecurity Breaches the Linux Kernel's GPL License (perens.com)

Posted by EditorDavid on from the kernel-copyrights dept.

Bruce Perens co-founded the Open Source Initiative with Eric Raymond. Now he's sharing a "strong opinion" that companies should avoid the Grsecurity security patch for the Linux kernel "because it presents a contributory infringement and breach of contract risk." Slashdot reader NewGnu shared Bruce's comments: [I]t would fail a fair-use test... Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2... My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition...

This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.
Perens advises companies to discuss his position with their attorneys, adding "In the public interest, I am willing to discuss this issue with companies and their legal counsel, under NDA, without charge."

20 of 474 comments (clear)

  1. Does Anyone Use That? by segedunum · · Score: 5, Funny

    Grsecurity is snakeoil dogshit.

    1. Re: Does Anyone Use That? by Anonymous Coward · · Score: 5, Interesting

      Submit good patches and we'll merge them. Hell, report some bugs. But no, that's not how you guys operate. You work in an ivory tower for months and send us a massive patch that lacks any organization or any reasonable way to break it down for review. At this point, we think you should take your pile of "security" patches and go write your own kernel to go with it.

    2. Re: Does Anyone Use That? by geoskd · · Score: 5, Informative

      Fuck the good ideas and flaws that get fixed, submit pretty patches or fuck off

      Patches can introduce bugs and security flaws as easily as they can fix them.

      Every where I have worked has a had a strict policy of one issue per pull request for that very reason. Reviewing code is hard enough when its a single issue at a time.

      --
      I wish I had a good sig, but all the good ones are copyrighted
    3. Re: Does Anyone Use That? by gnasher719 · · Score: 4, Interesting

      What I hear: "wah, you should be spoonfeeding us this because it's over our heads. Fuck the good ideas and flaws that get fixed, submit pretty patches or fuck off."

      What I hear from you is that you have no idea how software development works. Yes, absolutely, if you supply something that cannot be integrated, then fuck off.

    4. Re: Does Anyone Use That? by Zero__Kelvin · · Score: 4, Insightful

      You don't hear very well. The kernel is good because they follow a process. That process involves submitting code that can be readily reviewed before being accepted. "Trust us, it's great" gets a "go fick yourself", and that is exactly as it should be. If you think ANYTHING is over their head but not over the heads of the grsecurity devs you are clueless, but even if that were the case it is up to them to justify and explain their code or beat rocks.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  2. Linus on Grsecurity by Anonymous Coward · · Score: 4, Informative

    Don't bother with grsecurity.

    Their approach has always been "we don't care if we break anything, we'll just claim it's because we're extra secure".

    The thing is a joke, and they are clowns. When they started talking about people taking advantage of them, I stopped trying to be polite about their bullshit.

    Their patches are pure garbage.

    Linus

    1. Re: Linus on Grsecurity by 110010001000 · · Score: 4, Insightful

      I'll take the judgement of the guy who actually wrote the kernel over a Grsecurity shill.

  3. Re:Good example of why to avoid the GPL. by epyT-R · · Score: 4, Insightful

    Unless of course the goal is to keep the software open/modifiable by all while disallowing poaching by closed source developers. This frees the project from parasitic closed developers. They'll have to write their own code if they want to keep it closed.

  4. sounds about right by spongman · · Score: 5, Insightful

    i usually fall into the "GPL is less free than BSD" camp, but in this case I agree fully with Perens. the Linux kernel is GPL, everyone who works on it agrees accepts that. if you don't like the GPL or the conditions it places on you, or how you (and others) can distribute your code - then go the fuck somewhere else.

  5. Re:Good example of why to avoid the GPL. by Dogtanian · · Score: 4, Interesting

    Clippy says, "It appears you're starting yet another GPL vs. BSD holy war discussion. Would You Like Help?"

    * Yes, please link to one of the approximately 17,000 near-identical discussions of this nature we've already had on Slashdot over the years.

    * No, I'd rather pointlessly go through the exact same longwinded to-ing and fro-ing and restatements of the same old facts purely to indulge my personal need, despite the fact I know the chances of any new insight coming out of the billionth tedious discussion of this long-established subject is next to nothing, despite the fact that those on both sides feel the need to repeat the same entrenched positions- which mostly come down to personal philosophy and not an incomplete understanding of the issues (which everyone knows full well by now) and will therefore be unlikely to change in the face of the discussion (not that this was the point anyway).

    (Joking aside, I'm pretty sure the OP knows all this and is intentionally trolling; I'm also pretty sure the replying AC above isn't, which IMHO makes it worse).

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  6. Please Read The Entire Statement by Bruce+Perens · · Score: 5, Informative

    You should read the entire statement, because there are things missing from the quote above that are important. The most important part is the legal theory:

    By operating under their policy of terminating customer relations upon distribution of their GPL-licensed software, Open Source Security Inc., the owner of Grsecurity, creates an expectation that the customer's business will be damaged by losing access to support and later versions of the product, if that customer exercises their re-distribution right under the GPL license. This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.

    Also, this is important to keep me in compliance with the law:

    I am an intellectual property and technology specialist who advises attorneys, not an attorney. This is my opinion and is offered as advice to your attorney. Please show this to him or her. Under the law of most states, your attorney who is contracted to you is the only party who can provide you with legal advice.

    It's important to consider the goals of the GPL. You get great Free Software, but it's not a gift. It is sharing with rules that must be followed. You are required to keep it Free. And one of the implied purposes of the GPL is to cause more great Free Software to be made. This means that derivative works that are not shared really go against the purpose as well as the wording of the GPL.

    --
    Bruce Perens.
    1. Re:Please Read The Entire Statement by Teun · · Score: 4, Insightful

      It's important to consider the goals of the GPL. You get great Free Software, but it's not a gift. It is sharing with rules that must be followed. You are required to keep it Free. And one of the implied purposes of the GPL is to cause more great Free Software to be made. This means that derivative works that are not shared really go against the purpose as well as the wording of the GPL.

      Amen, it's especially through the GPL that future developers are enabled to stand on the shoulders of the present.
      Nothing gets lost, we all win.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    2. Re:Please Read The Entire Statement by Bruce+Perens · · Score: 4, Informative

      They don't want to play well with others. They should base on BSD or make their own kernel. No legal issues if they did that.

      --
      Bruce Perens.
  7. Not related to their mark by Bruce+Perens · · Score: 4, Informative

    Grsecurity recently changed its terms due to widespread abuse of its mark.

    Dear AC,

    If that's really their intent, they're confused. Or maybe you don't understand? The GPL doesn't have anything to do with trademarks. And Grsecurity did not bother to create a trademark for their product that was different from the versions with the old GPL-only terms, which are still in use. If trademark was the problem, they'd need to create a new one for their commercial product.

    This, unfortunately, would not mitigate the GPL issue, which is copyright and contract related.

    --
    Bruce Perens.
    1. Re:Not related to their mark by Bruce+Perens · · Score: 4, Interesting

      The problem isn't with the text there. It's with what else they have told their customers. It doesn't even have to be in writing.

      I have witnesses. If there was ever a case, obviously the prosecution would have to depose people to make this point. I am not actually planning on a case, though. I think this warning will have the desired effect.

      --
      Bruce Perens.
  8. Re:Good example of why to avoid the GPL. by 93+Escort+Wagon · · Score: 5, Funny

    "Most quotes on the internet are made up."

            - Albert Einstein

    Yeah, right there you've demonstrated the "internet problem" in a nut shell... taking an Abraham Lincoln quote and then mis-attributing it to Albert Einstein.

    --
    #DeleteChrome
  9. Re:Community by Bruce+Perens · · Score: 4, Informative

    But if Bruce or Eric decide to sue Debian or Canonical (or whomever) for shipping GRSecurity with the kernel, I'll watch while the community turns on them like a pack of &@#$ wolves and their reputation takes a perpetual hit.

    Bill,

    Debian would have the previous version before this licensing problem came up.

    I am not the plaintiff in any theoretical case, and in any case am not interested in suing Debian. That's not me. But this should be a wake-up call to Debian.

    Regarding CDDL vs. GPL, Sun quite deliberately applied that license and refused to dual-license. One would imagine they had Linux in mind when that decision was made. Oracle continues that. It doesn't seem that anyone on the Linux side started that fight. And given the decision in Oracle v. Google that copyright can pass across APIs, at Oracle's behest, it does not seem to me that CDDL-GPL combinations are legally safe even if you dynamically link.

    --
    Bruce Perens.
  10. Re:Good example of why to avoid the GPL. by lucm · · Score: 4, Funny

    "The definition of insanity is misquoting the same thing over and over and expecting different attributions."
    - President Benjamin Franklin

    --
    lucm, indeed.
  11. Question mark abuse by lucm · · Score: 4, Funny

    Did you really ask this? Seriously. Did you?
    Your opinion of GPL aside, are you remotely aware of law at all? Seriously. Are you?

    I'd be curious to see if on your keyboard the "?" key is as worn down as the space bar.

    --
    lucm, indeed.
  12. Re:Good example of why to avoid the GPL. by Bruce+Perens · · Score: 4, Informative

    Right. Nobody and their legal counsel want to talk about this without an NDA. I am taking on some liability by accepting an NDA and still doing the whole thing for free.

    --
    Bruce Perens.