Linux Kernel Hardeners Grsecurity Sue Open Source's Bruce Perens

An anonymous reader shares a report from The Register: In late June, noted open-source programmer Bruce Perens [a longtime Slashdot reader] warned that using Grsecurity's Linux kernel security could invite legal trouble. "As a customer, it's my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity," Perens wrote on his blog. The following month, Perens was invited to court. Grsecurity sued the open-source doyen, his web host, and as-yet-unidentified defendants who may have helped him draft that post, for defamation and business interference. Grsecurity offers Linux kernel security patches on a paid-for subscription basis. The software hardens kernel defenses through checks for common errors like memory overflows. Perens, meanwhile, is known for using the Debian Free Software Guidelines to draft the Open Source Definition, with the help of others.

Grsecurity used to allow others to redistribute its patches, but the biz ended that practice for stable releases two years ago and for test patches in April this year. It offers its GPLv2 licensed software through a subscription agreement. The agreement says that customers who redistribute the code -- a right under the GPLv2 license -- will no longer be customers and will lose the right to distribute subsequent versions of the software. According to Perens, "GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition." A legal complaint (PDF) filed on behalf of Grsecurity in San Francisco, California, insists the company's software complies with the GPLv2. Grsecurity's agreement, the lawsuit states, only applies to future patches, which have yet to be developed. Perens isn't arguing that the GPLv2 applies to unreleased software. Rather, he asserts the GPLv2, under section 6, specifically forbids the addition of contractual terms.

Prove it's true

That would put a full stop to Gr's suit.
But besides that, it's pretty clear this is an intimidation move because it would be relatively trivial to just show you're not doing it.

Re:Prove it's true

Yeah, suing the god damned web hoster as well is a sure sign they want to discourage this kind of talk in future.

Re:Prove it's true

[thesupraman]

I would suggest that if that is their intention, they do not know Mr Perens very well, and have not done their homework.
I suspect they are currently experiencing bit of a surprise in the reaction to their attempted strong-arming..
I also suspect they are rather wet-behind-the-ears (at least their decision makers) in the area of kernel security, to try such a play.

They are trying to play a legal-loophole game, when never goes down very well with the kernel maintainers, to say the least.
And they have quite possibly forgotten the fact that the maintainers could make their lives a LOT harder basically at well, by making their patches unworkable in subsequent releases..

Or they could just say sorry, and hope that they get some forgiveness - I am betting they wont..

Re: Prove it's true

[SLi]

How would it be trivial to show? They assert what they do is legal; Bruce asserts it is not. It's mostly a dispute of law, not of facts.

Re:Prove it's true

This demand proves Perens' point about dealing with Grsecurity stuff inviting legal trouble.

Either way from GPL violations or from a litigious company like this case.

Re:Prove it's true

[FooAtWFU]

Proving it's true would not put a full stop to the suit; it would be a thing that you prove in the suit itself. This is expensive because it means you're paying lawyers lots of money. The thing that's supposed to put a full stop to the suit is an anti-SLAPP motion, because this appears to be a Strategic Lawsuit Against Public Participation; among other things, this typically stays all discovery, saving much expense,

Unfortunately I'm not up to speed on California-specific anti-SLAPP statutes.

Re: Prove it's true

[guruevi]

Even so, regardless of the facts on the matter, Bruce is entitled to his opinion, even if he ends up being wrong. GRSecurity just shot themselves again in the other foot with this.

Re:Prove it's true

And they have quite possibly forgotten the fact that the maintainers could make their lives a LOT harder basically at well, by making their patches unworkable in subsequent releases..

That isn't really a viable solution.
Writing kernel code specifically to make it incompatible rather than to get the best solution will cause all sorts of problems.

They could release new code under a non-GPL license that is mostly identical with GPL but prohibits usage together with grsecurities software, but I'm not sure such a license will hold up in court and it is a bit against the free software mindset.
(OK, BSD is a bit more along the lines of "You can do whatever you want, even if you use the code for things I don't like" than GPL, but the idea is still to be in that direction.)

No, the only viable path I see is to defend yourself in court and then counter-sue for your costs.

Re: Prove it's true

[MrMr]

Readinb the first part of the complaint they appear to claim that their future versions of the linux kernel will violate the gpl2 license. I guess that would make it a declaration of intent rather than an outright breach of contrzct...

Re:Prove it's true

[gnasher719]

Proving it's true would not put a full stop to the suit; it would be a thing that you prove in the suit itself. This is expensive because it means you're paying lawyers lots of money.

Bruce Perens' councel is Heather Meeker of Oâ(TM)Melveny and Meyers, author of a book about use of Open Source software in the enterprise. I wouldn't be surprised if she gives him a good deal for representation in court if needed. (I thought Bruce Perens is a lawyer as well, but probably respects the old saying "a man who represents himself in court has a fool for a lawyer and a fool for a client").

What he said is "It is my strong opinion..." which I think stops what he says from being libel. GrSecurity could have replied "It is our strong opinion that Bruce Perens is incompetent and has no idea what he is talking about", which would probably not be libel for the same reason, being an opinion and not declared to be fact. Suing him has no chance of winning, and the huge risk that a court might agree that Bruce Perens' opinion is actually correct. That's most likely something that he would argue, in addition to the 100% winner argument "I said it was just my opinion".

Re:Prove it's true

[drinkypoo]

I would suggest that if that is their intention, they do not know Mr Perens very well, and have not done their homework.

I would suggest that they definitely know who Bruce Perens is, and that their legal counsel is simply a typical self-described type A who wants to fuck everything.

Re:Prove it's true

[jenningsthecat]

Bruce Perens' councel is Heather Meeker of Oâ(TM)Melveny and Meyers...

I suspect Perens and Ms Meeker will also have some assistance from the EFF. The potential chilling effects of this suit, and its blatant misuse of judicial process, are too important for the EFF to remain on the sidelines for long.

Re:Prove it's true

Their legal counsel is a one-man firm, and if you read his online reviews, they are all about his patent filings. It sounds like he is in over his head.

Perens is using a big firm that has lawyers for every sort of legal issue, and his lead attorney wrote a book on Open Source licensing. If she has built expertise in Open Source, she and Perens would have worked together before.

Re:Prove it's true

Perens stated in his web site article on Grsecurity that he is not an attorney, but an intellectual property expert who advises attorneys. And then he went on to say that this article was advice to your attorney, who is the only person who can give you legal advice. It sounds like he covered his 6 about not giving legal advice in a more graceful way than "IANAL". And by doing so he probably cemented that this was opinion. He'd win the case.

Re:Prove it's true

[arth1]

While he's not an attorney at law, he knows a few things about it, and I'm sure he'll use lawyers quite well.

And I also suspect that he won't be posting here, but will follow the generally sound advice that when hit with a lawsuit, do not comment on it except through lawyers. Anything said is potential ammunition or intel for your adversaries, neither of which helps your case.

Re: Prove it's true

[arth1]

GRSecurity just shot themselves again in the other foot with this.

Only four more feet to go, then.

Re:Prove it's true

Someone should start a go fund me to pay to get Ken "popehat" white to join Peren's legal team. That would be like bringing a bazooka to a knife fight. The entertainment value would be well worth the cost.

Re:Prove it's true

Claiming opinion is not a 100% defense to libel. As was shown in the case cited in the complaint itself, you can still be liable if what you said isn't legally an opinion. For example, "It is my opinion that Bob killed Janet," is not an opinion, but a "statement of verifiable fact" that is dressed up to look like an opinion. In this case, there is a very good argument that at least some of the language he used is a verifiable fact, although it probably isn't up to the level of damages they are looking for. Most of the big statements he uses are actual opinions.

Re: Prove it's true

Fact: GPL2 doesn't allow for extra clauses
Fact: they added their own clause

Factual enough for ya!?!?

Re: Prove it's true

Except that your second "fact" is wrong.

They did not modify the GPL. They offered a contract for services on GPL'd software.

Re:Prove it's true

[drinkypoo]

And I also suspect that he won't be posting here, but will follow the generally sound advice that when hit with a lawsuit, do not comment on it except through lawyers.

I suspect that there will be a public statement, because cases in the public interest are won partly in the public sphere. I further suspect that Bruce himself will let us know about it when it happens, but that he won't engage in [much] commentary in the story, and that any he does engage in will be cleared through his lawyer. But that costs money, so he won't do any more of it than is absolutely necessary.

Re:Prove it's true

But to prove libel one has pass a bar showing some sort of malicious intent to defame which is going to be unlikely. Simply saying something you do not like or that may make you look bad does not pass that bar.

Re: Prove it's true

Your claim is irrelevant, they don't have to modify the GPL, in fact they could not. But tacking on more clauses as your own license terms is what they did and is what is not allowed by the license of the code they did not write.

Re:Prove it's true

[phantomfive]

GRSecurity is demanding a jury trial, which means the emotional power of the lawyers on each side will play an important part, which means they are trying to make it as painful as possible for Bruce, even if they lose.

Re:Prove it's true

[phantomfive]

I thought Bruce Perens is a lawyer as well, but probably respects the old saying "a man who represents himself in court has a fool for a lawyer and a fool for a client"

He is not. In this situation he has consistently presented himself as an expert witness.

The problem here is that GRSecurity grants their customers patches under the GPL2, but then explicitly states that if the customers redistribute the patches to other people, then GRSecurity will punish them by not giving them any more patches in the future. This obviously contrary to the spirit of the GPL, but GRSecurity claims the exact wording of the GPL, "You may not impose any further restrictions on the recipients' exercise of the rights granted herein", is not contradicted by threatening to punish customers in this way.

This issue is now being brought up directly to be tested in court. I think there is absolutely nothing that could make Bruce happier in this situation. He got exactly what he wanted. The only tricky part is the jury trial, but the facts are obvious enough here, that can be circumvented with a summary judgement.

Re:Prove it's true

At that rate, are we going to see version 2 of Groklaw?

Re:Prove it's true

[phantomfive]

These are the two quotes GRSecurity singled out as being false. If they can be trivially proven true, then GRSecurity will be thrown out of court:

Defendants, in the Posting, stated that "[Customers] should avoid the Grsecurity product sold at grsecurity.net because it presents a contributory infringement and breach of contract risk.”

Defendants further stated that Plaintiff was in violation of the GPLv2, and thus “[a]s a customer, ... [Plaintiff’s clients] would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity.”

Re: Prove it's true

No, I don't see any evidence that they did. They just said they wont offer you services in the future if you do something. As long as they aren't modifying your existing GPL rights I don't see a legal problem.

Re:Prove it's true

That seems to be reasonable, but in actuality, juries are very anti-SLAPP. It is very easy for them to imagine themselves in the position of the parties being hit with the lawsuit, especially once they see the parties include the hosting companies and other "innocent bystanders" of the actual actions being sued over.

Re: Prove it's true

TheGPL does not allow this. You can not modify the terms, now or in the future.

Re: Prove it's true

[nazsco]

from the summary, their attack will be "our current modules can be distributed, that's why we made them gpl2. our announcements were for future modules, which will not be gpl2. the acused told everyone they would be criminals by being our clients because we would release the new modules as gpl2, which we won't. hence he is disrupting our business. "

  to help the truth come out, everyone here who is their clients and never distributed the current modules because everyone knows that is what they were saying to beging with, do file an amicus brief! now! ...well, monday.

cheers!

Re:Prove it's true

[phantomfive]

What he said is "It is my strong opinion..." which I think stops what he says from being libel.

No, merely stating "this is my opinion" is not enough to stop a statement from being libel. The lawsuit pre-emptively makes an argument against that, quoting another judgement:

If a speaker says, ‘In my opinion John Jones is a liar,’ he implies a knowledge of facts which lead to the conclusion that Jones told an unt ruth. Even if the speaker states the facts upon which he bases his opinion, if those facts are either incorrect or incomplete, or if his assessment of them is erroneous , the statement may still imply a false assertion of fact.” Milkovich v. Lorain Journal Co. 497 U.S. 1, 18 (1990)

Re: Prove it's true

[Brockmire]

Nice loophole.

Re: Prove it's true

[rahvin112]

Worse, they are gonna get anti-SLAPP'd in court and pay Bruce's legal fee's as well as their own. Not the smartest thing to do.

Re:Prove it's true

[SlaveToTheGrind]

What he said is "It is my strong opinion..." which I think stops what he says from being libel.

It depends on what follows the word "opinion." The complaint specifically addresses this in paragraph 37 -- I've included a bit more of the text from the Supreme Court case it cites since it directly speaks to your point:

“If a speaker says, ‘In my opinion John Jones is a liar,’ he implies a knowledge of facts which lead to the conclusion that Jones told an untruth. Even if the speaker states the facts upon which he bases his opinion, if those facts are either incorrect or incomplete, or if his assessment of them is erroneous, the statement may still imply a false assertion of fact. Simply couching such statements in terms of opinion does not dispel these implications; and the statement, 'in my opinion Jones is a liar,' can cause as much damage to reputation as the statement, 'Jones is a liar.' Milkovich v. Lorain Journal Co. 497 U.S. 1, 18 (1990)."

Re:Prove it's true

> It depends on what follows the word "opinion."

In this case, since Bruce wrote:

"It’s my strong opinion that your company should avoid the Grsecurity product sold at grsecurity.net because it presents a contributory infringement and breach of contract risk."

We can break that down:
1. your company should avoid the Grsecurity product
2. it represents a contributory infringement risk
3. it represents a breach of contract risk

Clearly 1. is pure opinion, he's making a recommendation and not stating a fact.

2. and 3. are arguably factual, but any evaluation of risk is open to subjective interpretation. Nevertheless if Grsecurity proves their product presents NO risk of contributory infringement or breach of contract, these statements would be unequivocally false.

Re: Prove it's true

[St.Creed]

I doubt they will get away with it. If I have a mortgage and the bank says "oh, if you don't give us an extra 400 dollar each month your house belongs to us" it's not "just a statement". Neither is this. It relates directly to the software, and as such is likely covered by the GPL. IANAL but given the ramifications if they can do this, I doubt it works like that.

Re:Prove it's true

I would suggest that they definitely know who Bruce Perens is, and that their legal counsel is simply a typical self-described type A who wants to fuck everything.

We all know who (((Bruce Perens))) is. Unfortunately. He wouldn't have it any other way.

Re:Prove it's true

[postbigbang]

His way is perhaps more ethical than just putting the patches into a nice torrent, and making sure they get noticed. If the GRSecurity patches are what they SAY they are, then a hardened kernel would therefore not be able to identified.

Oh, wait.....

Re:Prove it's true

[Khyber]

Second claim can be proven true as the GPL v2 has been tested and upheld in court as a valid contract. Grsecurity's actions - that I have witnessed in regards to their licensing - violates Section 6 of the GPL v2.

With the second statement AFAIK being true, the first statement is automatically true.

Re:Prove it's true

Second claim can be proven true as the GPL v2 has been tested and upheld in court as a valid contract.

Cite?

Re:Prove it's true

[Khyber]

You don't read /. much, do you? Progress Software v. MySQL, that was like a decade ago.

Re:Prove it's true

I heard about that case, but I don't recall it saying anything about GPL being a contract, valid or otherwise.

In fact, now that I Google it, it doesn't appear the judge issued any ruling on the validity of the GPL, although she regarded it as a valid license during the trial.

The Free Software Foundation (FSF) had hoped to turn the dispute between Sweden’s MySQL and NuSphere into a test case upholding the validity of the GPL. But Boston District Judge Patti B. Saris refused to even hear testimony on the issue.

Re:Prove it's true

[Aighearach]

Spoiler: contracts don't have to be ruled valid to be valid. They're valid when they're agreed, and the only legal review they're going to get is a ruling that they're NOT valid. If it is valid, you know it by nobody having gotten it declared invalid. If it didn't happen, it is valid. The only other thing they would be looking at is what some of the words mean if it is ambiguous.

The whole thing is just old FUD from the Microsoft anti-linux days, trying to raise a question that causes concern and won't ever be answered because it isn't a real question that will ever get addressed. It was only ever a lie to deceive people. I guess you fell for it, because MS stopped paying people to shill that shit decades ago.

Re: Prove it's true

Or perhaps their intention is to take customers' money and never release anything. That way their future infringement will never become actionable.

Re:Prove it's true

It's known as a self-fulfilling prophesy. In one statement Bruce managed to wipe out Brads business model; once the announcement had been made he could either try to get a judgement that the statement is false, or close down the business.

Re:Prove it's true

What are you talking about?

I was simply addressing Khyber's claim that "GPL v2 has been tested and upheld in court as a valid contract."

AFAICT the court case he mentioned did no such thing.

Re:Prove it's true

[Khyber]

And the person you just replied to explained why it is valid - contracts are held valid until ruled INVALID by a court ruling. Period. GPL got tested in court. It was not ruled invalid. Period. That means it is held as valid.

Do you not understand the legal system?

Re:Prove it's true

Uh.. okay. Where exactly was it "tested"?

There was NO discussion of the terms of the license (not contract) in the case.

Re:Prove it's true

[Khyber]

You very fucking obviously did NOT read the case, otherwise you'd have clearly seen:

"With respect to the General Public License ("GPL"), MYSQL has not demonstrated a substantial likelihood of success on the merits or irreparable harm. Affidavits submitted by the parties' experts raise a factual dispute concerning whether the Gemini program is a derivative or an independent and separate work under GPL "

This clearly demonstrates the court as looking at the GPL as a valid contract. Plain as fucking day.

Re:Prove it's true

> This clearly demonstrates the court as looking at the GPL as a valid contract. Plain as fucking day.

Except they don't use the word "contract." Plain as fucking day.

Re:Prove it's true

[Khyber]

A license is a recognized type of contract. Much like your license to drive is actually a contract.

But please, continue being obtuse for the sake of being a retard.

Re: Prove it's true

[GunJah]

our announcements were for future modules, which will not be gpl2. the acused told everyone they would be criminals by being our clients because we would release the new modules as gpl2, which we won't. hence he is disrupting our business. "

GRS does not have the right to release future modules that are not GPL2.
That's the whole point of friction in this issue.

Re:Prove it's true

License agreements are contracts; simple licenses are not. But please continue being confused.

Re:Prove it's true

[Khyber]

Hah! Try again. A license to drive, a license to operate heavy machinery, a license to fly, all are contracts (I should know, I have all three.) According to Black's Law, a contract is: "an agreement between two or more parties creating obligations that are enforceable or otherwise recognizable at law."

When you go to get your license, you agree that you will abide by all rules and restrictions placed within the range of your license. In return, the state agrees to grant you the ability to operate such machinery in the manner proscribed as long as you maintain your registration and follow the laws relevant to that license (in the cases where the state is the grantor of the license, at least, e.g. driver's license.) In a warehouse (forklift operator) you sign a contract when they license you for the specific facility you are operating at which states you will follow all safety rules relevant to that machinery, or else you face the risk of losing your license to operate that machinery or even lose your job.

That is a contract no matter how you or any court ruling might try to stretch otherwise.

Re:Prove it's true

[david_thornley]

2. and 3. are arguably factual, but any evaluation of risk is open to subjective interpretation. Nevertheless if Grsecurity proves their product presents NO risk of contributory infringement or breach of contract, these statements would be unequivocally false.

However, if the statements are false, but Bruce has reason to believe they're true, it's still not libel. US law is stringent about what constitutes libel, and it can be hard to prove it.

Re:Prove it's true

Read this Groklaw article

In particular this section:
"So when you read people say that the GPL is perhaps not enforceable because you don't sign it or click on a form, or because of a lack of privity, or because there is a lack of consideration, or some such, you'll understand that the person misunderstood and thought in terms of contract law."

That is exactly what happened in your example case.

Re:Prove it's true

[Thad+Boyd]

I'm neither a lawyer nor a Californian, but I read Popehat, and Ken White frequently describes California's anti-SLAPP statute as "robust".

Perens will, presumably, file for dismissal on the grounds that his remarks were protected opinion supported by cited facts.

Re:Prove it's true

[Khyber]

Prove your point by citation from the case itself - you can't.

Re:Prove it's true

[preflex]

US law is stringent about what constitutes libel, and it can be hard to prove it.

Yep. It's very hard to win a libel case in the US, and that's a good thing.

To win a libel case in the US, the plaintiff must show (to a preponderance):
1. The statement was false.
2. The defendant knew it was false.
3. The defendent's statement was malicious in intent or egregiously reckless.
4. There were actual quantifiable damages. Merely feeling insulted is not enough.

The high standards here are very intentional. It's to prevent jerks from screaming "libel!" to silence their critics, which would chill discussion on matters of great public interest.

(Note: the POTUS should go fuck himself for suggesting any changes. It ain't broke. Don't fix it.)
(Disclaimer: I am not a lawyer and this is not legal advice.)

Re:Prove it's true

[RockDoctor]

I would suggest that if that is their intention, they do not know Mr Perens very well, and have not done their homework.

Which would prompt all sorts of questions along the lines of "do they know a thing about OS?"

Which is an extremely bad question to be asking about a "security" provider - commercial or no.

Streisand Effect, big style.

Re:Prove it's true

> Prove your point by citation from the case itself - you can't.

That's right, I can't... because the judge didn't rule one way or the other on the validity of the GPL.

As I mentioned, terms of the license were NOT discussed in the case. Only whether the software constituted a derivative work in the context of the license.

"Grsecurity..." "...could invite legal trouble. "

Perens vindicated.

I'm happy the GRSecurity folks are doing this

I fully expect them to loose, the GPL is very clear that you cannot add additional restrictions, and they are doing exactly that.

The kernel folks have been dismissive of GRSecurity as having little importance, and not worth the hassle of involving the lawyers. But since GRSecurity is starting the lawsuits and the GPL needs to be defended in court, I expect a lot of high powered legal involvement to settle this.

Re:I'm happy the GRSecurity folks are doing this

That begs the question: is the meaning of idioms chaning?

Re:I'm happy the GRSecurity folks are doing this

Heh, 3 in 1, not bad.

Re: I'm happy the GRSecurity folks are doing this

I don't think this is SO clear-cut.

Of course the suing is intimidatory and that grsecurity folks should lose just for that but even that is not clear as Perens is a known lawyer that "should know better".

Unluckily, grsecurity's contract is more likely than not, enforceable as it says nothing about already distributed sources or binaries, which is all and only what the GPL is about, and only states conditions for a completely different service contract (the conditions under which they will provide FURTHER services or not).

In the end, I think Perens, the open source advocate, is right (you'd better don't do business with grsecurity as it's not a good company for your interests) but Perens, the lawyer, is wrong (no, their contracts are not a legal liability for you). That the former Perens is taking advantage of the fame of the latter may be indeed grounds for a lawsuit.

Re: I'm happy the GRSecurity folks are doing this

The penalty is based on a condition that is always attached to the *current* release. The actions one takes with the *current* release lead to the execution of the penalties, be they whatever.

Re:I'm happy the GRSecurity folks are doing this

[_merlin]

I don't think the GPL stops them doing this. They aren't stopping you from redistributing GPL software, they're just saying that if you redistribute the software, they won't give you future updates. GPL doesn't require supplying future updates, it just says that you must provide an offer of source with binaries, and can't restrict redistribution of source/binaries. It looks like they've found another way to follow the letter of the GPL without following the spirit of it.

So someone who buys some version of grsecurity can redistributes it, and the people they redistribute it from can also redistribute it. The vendor is free to refuse to do business with all these people. But it only takes one customer who no longer cares about receiving future updates to release all the versions they've received, or potentially one rogue employee who doesn't want their employer to receive future grsecurity updates.

Re:I'm happy the GRSecurity folks are doing this

> That begs the question: is the meaning of idioms chaning?

I could care more.

Re:I'm happy the GRSecurity folks are doing this

Could care less more

Re:I'm happy the GRSecurity folks are doing this

[drinkypoo]

GPL doesn't require supplying future updates, it just says that you must provide an offer of source with binaries, and can't restrict redistribution of source/binaries. It looks like they've found another way to follow the letter of the GPL without following the spirit of it.

They're actually trying to do an end run around the contract to which they've already agreed, which guarantees the right of redistribution. The question becomes whether grsecurity contains any GPL code to which they do not hold the copyright. If so, then they're risking losing the right to distribute that code.

Re:I'm happy the GRSecurity folks are doing this

[omnichad]

Or they only need at most one subscriber per version. The rest can have it redistributed.

Re:I'm happy the GRSecurity folks are doing this

[DRJlaw]

They're actually trying to do an end run around the contract to which they've already agreed, which guarantees the right of redistribution. The question becomes whether grsecurity contains any GPL code to which they do not hold the copyright. If so, then they're risking losing the right to distribute that code.

They may be complying with the terms of the GPL, whether you call it a contract or not. Their customers have the right to redistribute the software that they've received. GRsecurity is then saying that if they do, GRsecurity will not provide them with any future revisions to the code. There is nothing in the GPL that gives the recipient of a copy of code the right to future versions of that code or the right to distribute future versions of that code.

I've disgreed with Bruce on this specific issue and I still do. While GRsecurity may be in violation of GPLv2 sec. 6 ("You may not impose any further restrictions on the recipients' exercise of the rights granted herein. "), the idea that their customers may be liable for contributory infringement and breach of contract is off-the-wall crazy. Bruce's theory is directly contradicted by GPLv2 secs. 2, 4, and 6 -- the customers are free to use GRsecurity's product and there is no potential violation of the GPLv2 unless the customers themselves redestribute that code.

Re: I'm happy the GRSecurity folks are doing this

That's actually a risk for GRsecurity. If employees from their customers start releasing their software, GRsecurity reduce their number of customers. The bigger the customer, the more likely it will cause a leak (more employees) and the bigger the impact (they probably pay more). So the business plan looks pretty bad.

Re: I'm happy the GRSecurity folks are doing this

Perens stated this in the end of his article:

I am an intellectual property and technology specialist who advises attorneys, not an attorney. This is my opinion and is offered as advice to your attorney. Please show this to him or her. Under the law of most states, your attorney who is contracted to you is the only party who can provide you with legal advice.

He's requesting that you ask your lawyer, and stating that only your lawyer can give you legal advice.

I suspect he could win on just that sentence. This is a statement of his opinion, not a "statement of fact" as Grsecurity's patent lawyer claims.

Re:I'm happy the GRSecurity folks are doing this

[Zero__Kelvin]

IANAL, but I fail to see how grsecurity patches aren't derivative work by definition.

Re:I'm happy the GRSecurity folks are doing this

[OmniGeek]

I rather think that disallowing future revisions to paying customers contingent on their "exercise of the rights granted herein" IS a further restriction on their exercise of those rights. It certainly violates the spirit of the license, and it would not surprise me at all for a court to find that it also violates the letter.

I'm not familiar with the contributory-infringement issue, but it seems clear that GRSecurity has indeed violated the GPL in this way.

Re:I'm happy the GRSecurity folks are doing this

[DRJlaw]

I rather think that disallowing future revisions to paying customers contingent on their "exercise of the rights granted herein" IS a further restriction on their exercise of those rights.

"You may not impose any further restrictions on the recipients' exercise of the rights granted herein."

But the GPLv2 does not grant a right to obtain future revisions, whether you're a paying customer or otherwise. The GPLv2 does not require that the (re)licensor grant a right to distribute anything more than what has already been distributed to the recipient. Those are not "rights granted herein." The first is a right granted by grsecurity's paid support contracts -- contracts for services. The second is a right that is reserved and carved out from the first.

Tivoization violates the "spirit" of the GPLv2, but what matters is whether a licencee has violated the letter of the license. That violation is not as clear cut as you think.

Re:I'm happy the GRSecurity folks are doing this

Yes, there is a new Idioms thread on 4chan now, so it is clearly chaning

Re:I'm happy the GRSecurity folks are doing this

[whoever57]

Here is where I think GRSecurity's argument fails:

While the Company aims only to terminate access to the stable patches in the event of willful violation of the terms in this agreement, we reserve the right to revoke access to the stable patches and changelogs at any time for any reason. In the event of termination, the Company will at its own discretion refund payment for any remaining pre-paid period.

In other words, GRSecurity can terminate access and keep their client's money.

Re: I'm happy the GRSecurity folks are doing this

Perens is not a lawyer and never claims to be one. Z

Re:I'm happy the GRSecurity folks are doing this

less is more

Re:I'm happy the GRSecurity folks are doing this

[drinkypoo]

That violation is not as clear cut as you think.

What I think makes it clear cut is that they're issuing both licenses. They've given you the right to distribute by using that license. Then they want to take it away again, by depriving you of a service for which you have paid. I think that specifically is what is going to bite them. If they were providing service for someone else's software, which someone else had distributed, I think it would be a different story.

Since no lawyers have stepped in to comment (how unusually wise of them) this is all wild speculation, and we'll have to see what a court thinks before anyone has anything meaningful to say on the subject. But it sure is fun to speculate.

Re:I'm happy the GRSecurity folks are doing this

[DRJlaw]

Since no lawyers have stepped in to comment (how unusually wise of them) this is all wild speculation...

Keep telling yourself that...

Re:I'm happy the GRSecurity folks are doing this

[drinkypoo]

Keep telling yourself that...

Keep telling myself what? That no lawyers have been chiming in, because if actual lawyers had, they would have been peppering their commentary liberally with disclaimers about how it is not legal advice, like an intelligent lawyer would do? Oh wait, this is Slashdot, I forgot. If there's a lawyer here, he's probably a moron.

Re:I'm happy the GRSecurity folks are doing this

[phantomfive]

The question becomes whether grsecurity contains any GPL code to which they do not hold the copyright.

The answer is absolutely yes, it is a derivative work. It is a derivative work because there is no part of the patches that would exist without the Linux kernel: their entire purpose is to modify the kernel (and theoretically make it more secure). I would like to point out that at DEFCON last week, trixr4skids took a Point of Sale device with GRSecurity on it, and hacked it to run DOOM. The keyboard input on the device was not user friendly.

Re:I'm happy the GRSecurity folks are doing this

[DRJlaw]

That no lawyers have been chiming in, because if actual lawyers had, they would have been peppering their commentary liberally with disclaimers about how it is not legal advice, like an intelligent lawyer would do?

I find the biography statement to be sufficient.

Oh wait, this is Slashdot, I forgot. If there's a lawyer here, he's probably a moron.

Like someone who trivially ties their real world identity to a pseudonym while posting the dreck that you do?

Re:I'm happy the GRSecurity folks are doing this

[drinkypoo]

Like someone who trivially ties their real world identity to a pseudonym while posting the dreck that you do?

You mean, someone who is not a coward? Run along, frightened one. I tie my slashdot identity to my real identity because I have the courage of my convictions. You don't because... you don't. Feel free to make up bullshit excuses, though.

Re:I'm happy the GRSecurity folks are doing this

no one is risking any rights... you have the right to redistribute. i have the right to not develop future products. i'm telling you right now, if you redistribute, i won't develop future products.

you're all idiots.

Re:I'm happy the GRSecurity folks are doing this

[DRJlaw]

You mean, someone who is not a coward? Run along, frightened one. I tie my slashdot identity to my real identity because I have the courage of my convictions.

Some call it courage. Most call it ignorance. But freedom is the ability to trash your professional statute on social media whenever the bloody hell you want. And not.

Re:I'm happy the GRSecurity folks are doing this

[phantomfive]

Your thought in this thread isn't clear here. Are you talking about the violation of the GPL by GRSecurity, or potentially by their customers who also use the source under the GPL? The person you were replying to was talking about the violation by GRSecurity, so let's continue under that premise.

But the GPLv2 does not grant a right to obtain future revisions, whether you're a paying customer or otherwise.

You have echoed GRSecurity's argument. GRSecurity's argument is clearly against the spirit of the GPL, which is "to guarantee your freedom to share and change free software." I don't think you'll disagree here.

Let's move on to the actual letter of the law. GRSecurity is specifically threatening to punish people to prevent them from distributing the code. Is this controversial? Do you disagree with that point, or is that something we can agree on? The GPL specifically states:

You may not impose any further restrictions on the recipients' exercise of the rights granted herein

Again, GRSecurity has threatened to terminate services to any customer who distributes the source code. That is, if you distribute the code they have already given you, they will terminate services to you. GRSecurity wants to make it about future patches, but that's a red herring. Whether that service is future patches, or support, or web hosting, or cleaning your toilet, it doesn't matter: the intent is clearly to restrict their customers from distributing the code already given to them. Why else would they add such a clause to the contract?

Of course, such services are provided voluntarily, and GRSecurity can stop providing services for almost any reason, but there are some reasons that are invalid and illegal to use a reason to stop providing services. In this case, the threat of punishment they used violates the spirit of the GPL, and also the letter of the GPL unless they can argue that it is not a restriction.

Re:I'm happy the GRSecurity folks are doing this

[phantomfive]

fyi the guy you are replying to is a lawyer of some sort, check his user name.

Re:I'm happy the GRSecurity folks are doing this

[stephanruby]

I've disgreed with Bruce on this specific issue and I still do. While GRsecurity may be in violation of GPLv2 sec. 6 ("You may not impose any further restrictions on the recipients' exercise of the rights granted herein. "), the idea that their customers may be liable for contributory infringement and breach of contract is off-the-wall crazy. Bruce's theory is directly contradicted by GPLv2 secs. 2, 4, and 6 -- the customers are free to use GRsecurity's product and there is no potential violation of the GPLv2 unless the customers themselves redestribute that code.

"Yes, we're breaking the license. No, our customers can't be liable for our theft, only we can be." is not going to win them this court case.

Because as soon as they publicly admit that they broke the license and stole the code, then any customer who knowingly uses that code after that would be "liable for contributory infringement and breach of contract". In other words, the company is placing itself in an awkward legal position. It can't publicly admit that it broke the license.

And yet, the company must still prove that Bruce Perens, a non-lawyer, knowingly lied under the guise of giving his personal opinion. It's going to be an uphill battle for them. Plus, the Streisand effect is not going to help either. If you ask me, they should have just kept quiet and not called attention to themselves.

Re:I'm happy the GRSecurity folks are doing this

IANAL, but I fail to see how grsecurity patches aren't derivative work by definition.

Even though they might argue that the security fixes they introduce are entirely of their making and have no derivation from the linux sources, there is just one other problem for them: patch files, by their very nature, include the text of the lines being replaced by new source-code lines. This means that inevitably they include lines in their patchsets from the upstream source.

Unless they come up with a crazy custom patcher, they can't get around this.

Then say they do make a patcher that does something like identify the lines to be replaced by hashes so that they never distribute anything "tainted" by the upstream kernel.org sources. The question would then be whether they had ever distributed their patches in a traditional format in the interval between their adding the license restriction and their switching to the new patch utility. Since distribution in a traditional patch format would make their work a derivative of some other copyright holder's code, they would have been in out-and-out GPL violation for all that time.

Re: I'm happy the GRSecurity folks are doing this

[DRJlaw]

Because as soon as they publicly admit that they broke the license and stole the code, then any customer who knowingly uses that code after that would be "liable for contributory infringement and breach of contract".

No, because the customer has an independent license to use both the kernel and the modifications. Reread GPLv2 sections 2 and 4. They are not sublicensing from GRsecurity. They are not even redistributing the code with the "no updates" restriction. And under section 2, they can combine the kernel with any code they want - they only have to relicense the combination under the GPL if they publish or redistribute it.

Also, to have contributory infringement, you have to materially contribute to it, which the courts view require that you have the ability to control the direct infringer's infringement. Simply buying the product is not enough.

Finally, you do not become responsible for a breach of contract simply because you know of a dispute concerning a contract with a vendor. There are few more requirements for those sorts of claims.

Re: I'm happy the GRSecurity folks are doing this

The GPL does not allow this. So it doesn't matter what you think or want to happen.

Re:I'm happy the GRSecurity folks are doing this

[drinkypoo]

Some call it courage. Most call it ignorance. But freedom is the ability to trash your professional statute on social media whenever the bloody hell you want. And not.

My professional social media qualification is that any prospective employer who actually cares about such things and is competent* can look through my posting history and determine that I've never violated an NDA, and never brought the slightest trouble on any employer due to my online activities, in spite of consistently using my real name online for many years. A measurable percentage of the USENET and internet old guard knows my secrets because of the company I've kept over the years; I've shared none of their secrets, nor ever violated their trust, in spite of some occasionally significant personal disagreements.

* If they care and are incompetent, I don't want to work there.

Re:I'm happy the GRSecurity folks are doing this

[jeremyp]

I'm not sure it is as clear cut as you seem to think. They distribute the software to you under the GPL and ask you to sign a second contract if you also want support. The second contact has the restrictive clause.

Furthermore, the contract doesn't say "you can't redistribute this software", it says "we won't give you future versions of this software". I think they have a point, although I am not a lawyer.

As for whether Bruce Perens is committing libel by publishing an opinion that they are in breach of GPL, we'd better hope they find for the defendant, otherwise it would be impossible for anybody to argue a company is breaching a software licence (or any licence or contract or law) without being potentially a target for a libel suit.

Re:I'm happy the GRSecurity folks are doing this

[DRJlaw]

Your thought in this thread isn't clear here. Are you talking about the violation of the GPL by GRSecurity, or potentially by their customers who also use the source under the GPL?

This explains it. I am actually now leaning towards it being a violation by GRsecurity, but that turns entirely on what a court construes a "restriction[] on the recipients' exercise of the rights granted herein" to include. If I offer to pay you $20 if you do not redistribute the package for a year, is that a restriction? If we don't have a support contact and I say that I'll only give you future updates to my code if you don't redistribute it, is that a restriction? If we have a paid support contract that automatically terminates if you redistribute it, is that a restriction? The support contract is outside the scope of the GPL, and ordinarily a restriction is a "limitation which cannot be exceeded or rule which cannot be broken," not merely a disincentive in that you might lose some other right like continuing support.

GRSecurity's argument is clearly against the spirit of the GPL, which is "to guarantee your freedom to share and change free software." I don't think you'll disagree here.

Yes, I don't. But we don't enforce the "spirit" of contracts. We enforce the letter of the contracts, and tend to construe ambiguity against the drafter because if they meant that, then they could have put more effort into stating it clearly.

GRSecurity is specifically threatening to punish people to prevent them from distributing the code. Is this controversial? Do you disagree with that point, or is that something we can agree on?

See above. Why did you switch from "restrict" to "punish"? I'm leaning towards there being an issue in that courts hate terms that create forfeitures where a side has otherwise completed its performance of its obligations. Since GRsecurity is selling year-long subscriptions with patch access, their customers would have a good claim against them. I'm simply not as sure about it being a license violation.

Of course, such services are provided voluntarily, and GRSecurity can stop providing services for almost any reason, but there are some reasons that are invalid and illegal to use a reason to stop providing services.

Yes -- membership in protected classes involving race, sex, creed, etc., not the terms of the GPL. The GPL does not govern support services, or provide any right to future revisions of code. I think that their biggest problem is they are structuring this as a forfeiture of up to year of subscription support, rather than a decision not to renew a month-to-month agreement.

The "is GRsecurity violating the terms of the GPL" argument is messy and could go either way. Which is why I wrote "may be in violation" to begin with.

The argument that almost enrages me is Bruce's argument that GRsecurity's customers could be liable, and frankly that is the one that is far more interesting to me. The GPL was expressly structured so that downstream users were automatically licensed and were not affected by an upsteam distributor's violation of the GPL. Bruce is now not only denying that GPLv2 sections 4 and 6 preclude this, but throwing out concepts like "contributory infringement" without any analysis of what is required to be liable as a contributory infringer.

Re:I'm happy the GRSecurity folks are doing this

[phantomfive]

The argument that almost enrages me is Bruce's argument that GRsecurity's customers could be liable, and frankly that is the one that is far more interesting to me.

I don't think the customers could be liable, although I respect that there could be some unclarity there. This is my reasoning:

Suppose a Linux kernel copyright holder sues one of the customers. Following the Oracle vs Google appellate ruling, the court will apply the abstraction, filtration, comparison test to figure out what is being violated. After applying the filtration step, all that remains would be code that the copyright holder has already granted a license to.

The contrary argument is that, "GRsecurity's work is a derivative work and they lost their license therefore everyone who uses that derivative work also loses the license." But the abstraction, filtration, comparison test makes clear that the end user still has a right to use everything that was covered under the original license, because the parts of the derivative work that are owned by the original copyright owner have already been licensed.

The appellate court gave a solid ruling in Oracle vs Google. I am in awe of their knowledge, logic, and clarity of thought.

Re:I'm happy the GRSecurity folks are doing this

[WorBlux]

"One who knowingly induces, causes or materially contributes to copyright infringement, by another but who has not committed or participated in the infringing acts him or herself, may be held liable as a contributory infringer if he or she had knowledge, or reason to know, of the infringement. See, e.g., Metro-Goldwyn-Mayer Studios Inc. v. Grokster, Ltd., 545 U.S. 913 (2005); Sony Corp. v. Universal City Studios, Inc., 464 U.S. 417 (1984)."

There is no claim that customers directly infringed upon the kernel copyright or themselves breached the GPL. Only that they knew or should have Known grsecurities subscription agreement was contrary to the terms of the GPL and likely infringed on kernel copyright.

Re:I'm happy the GRSecurity folks are doing this

[WorBlux]

If the patch set were an original work you'd be correct. However the patch set is a derivative work of the kernel, and as such the grsecurity dudes are obligated not to put any additional terms upon copying, modifying, or distribution the software, whether that restriction is bundle in some service contract, or patent license.

Re:I'm happy the GRSecurity folks are doing this

[Aighearach]

Your whole argument is hung on the lie that anybody is talking about things in the future. We're talking about actions in the past, and rights in the present.

Re:I'm happy the GRSecurity folks are doing this

INAL but I agree with this interpretation.

They are not stopping a licensee from exercising GPL rights (distribute/modify GPL code) but rather saying 'if you do redistribute (as is your right) then we will not provide updates to FUTURE releases'.

Your rights as a licensee are 100% retained. Feel free to redistribute. But if you log into our web site for an updated version FROM US we will not give you the FUTURE release. The GPL has no 'forward looking' provisions that binds the copyright holder to future actions. The copyright holder only grants licensee a right now.... to read it any other way would mean that the copyright holder OWES you something, which they don't (other than source code).

Now it IS 100% GPL legal to charge for software, and even 100% legal to deny a customer access to your products. The GPL does not give you access to things you are not licensed for.

 

Re:I'm happy the GRSecurity folks are doing this

[DRJlaw]

"Only that they knew or should have Known grsecurities subscription agreement was contrary to the terms of the GPL and likely infringed on kernel copyright."

Now fit that into "knowingly induces, causes, or materially contributes" and you might have something. The problem being, all of those concepts require some ability to direct and control the act of infringement, not merely the purchase of an allegedly infringing product.

Re:I'm happy the GRSecurity folks are doing this

[WorBlux]

As you pointed out the subscription was not a mere purchase, but a contract that covered future releases, would could be seen as and inducement to re-offend. Some of the subscribers may subscribe for the competitive advantage of the secret sauce and would not have subscribed if not for the objectionable clause. It may not be a winner, but neither would I expect it to be dismissed before trial.

pissing contest..

[lkcl]

this is going to be interesting to watch. one of the world's best-informed advocates of software libre, who has studied the GPL for many years, versus some idiots who will have been ill-advised by some moron whose only saving grace is the indemnification insurance provided as a sop to corporate madness. for those people not familiar with what indemnification insurance is: it's where lawyers can basically get away with making fundamental errors, and the corporation to whom they give the advice can sue their company quite safely, *as long as they follow that advice*.

i really look forward to seeing how this turns out.

Re:pissing contest..

versus some idiots who will have been ill-advised by some moron whose only saving grace is the indemnification insurance provided as a sop to corporate madness.

They aren't necessarily ill-advised or idiots.
Capitalism makes corporation act in a way that can lead to profit (Not necessarily guaranteed, they are willing to take risks.) without regards to whether it is ethical or in good faith.

This means that if you know that 5% of you pulled-out-of-your-ass lawsuits will be settled it might be enough to make a profit if you throw a lot of them out. (This is what leads to copyright and patent trolls.)
If you intend to sell your company you might be able to boost the perceived value by going into a legal battle with a high profile target.
Anyone else with an interest in battling that target would then be willing to buy your company for more than it is worth. If for nothing else than at least for the ability to spread FUD.

In retrospect it might seem like I'm arguing against capitalism here. I'm not.
I just think that a completely unregulated market naturally leads to monopolies which ends all benefits of capitalism and with a regulated market it will be in corporations best interest to apply pressure on the regulating entity to gain unfair benefits.
This is what have given us laws that enables copyright and patent-trolling and market lock-ins like we see with internet providers.
The solution is to always work towards regulation that breaks up monopolies and tries to makes abuse unprofitable.

Unnamed defendants, the web host,

The nameserver that resolved the website, the font face the post used, everyone who read the post or a story about it (yep, me and you now).

Grsecurity should sue everyone!!

Stupid lawsuit, but useful

[bradley13]

This is a stupid lawsuit. According to the attorneys for the plaintiff company:

"Mr Perens has made false statements, claiming them to be facts, and based on those statements employed fear-mongering tactics to intentionally hurt Open Source Security Inc's business."

Perens actually wrote: "it's my opinion that..."

Opinion, not assertion of fact. This lawsuit will be thrown out almost immediately. However, it is useful in helping the community identify a company that we should never do business with. So thanks for that, at least...

Re:Stupid lawsuit, but useful

It's also useful as an example to argue for more anti SLAPP statutes.

Re:Stupid lawsuit, but useful

Maybe we'll get another one of these ("ACLU Brief on Behalf of John Oliver").

Opinions, too, are protected speech, and “[u]nder the First Amendment, there is no such thing as a false idea. However pernicious an opinion may seem, we depend for its correction not on the conscience of judges and juries but on the competition of other ideas.” Gertz v. Robert Welch, Inc., 418 U.S. 323, 339-40 (1974)

Re:Stupid lawsuit, but useful

To be fair, Bruce also made representations that he was basing his opinions on unnamed witnesses in an earlier story, although during that discussion others bought the same evidence to light.

There are no winners here - if grsecurity wins, it formalises a loophole that other companies have already used, if Bruce wins then it gives the impression that open source is a cancer that prevents you from charging for your work.

I'd err on the side of Bruce winning, but I don't think its anywhere as near as cut and dried as commenters here seem to think.

Re:Stupid lawsuit, but useful

I should add that I have previously released projects under the GPL. If it is ruled that the GPL prevents you from charging for work product on further development work, then I'm never going to go near it with a barge pole ever again. I suspect a lot of other companies and people will feel the same way. However, it will be interesting to see how this impacts the business model of companies like, say, Redhat.

Re: Stupid lawsuit, but useful

[SLi]

An assertion of a fact does not legally become an opinion merely by adding "in my opinion" or "I believe". For example, "I believe X molests his child" is actionable.

Re:Stupid lawsuit, but useful

[Chris+Mattern]

Uh, no, it doesn't work like that. "It's my opinion" is not a magic phrase that wards off all charges of defamation. If I say "It's my opinion that John Smith is a child rapist," John Smith can still sue me for defamation. Mind you, I think this is an utterly invalid suit, but not because Bruce Perens said "it's my opinion."

Re:Stupid lawsuit, but useful

[drinkypoo]

if Bruce wins then it gives the impression that open source is a cancer that prevents you from charging for your work.

If companies can't tell the difference between not being able to charge for code and not being able to charge for work then we don't need them

Re:Stupid lawsuit, but useful

You completely misunderstood what GrSecurity does.
They give people code that says in the license they can give it to others, but then they make them sign a contract forbidding them to do exactly that.
If you make your customers sign a contract for GPLv2 code at least in part NOT WRITTEN BY YOU that forbids them to give it to anyone else the you the hell should leave your hands from it.
It's not really relevant if its your own project where either nobody else contributed or they gave you a license to do whatever you want with it.

Re:Stupid lawsuit, but useful

you can change the license on code you have written with no problem

But when you accept other people's code, you have to comply with the license they specify.

So you cannot take GPL code that other people have written and change the license on the result. Derivative works must be licensed in a way that complies with the original works.

It's pretty hard to argue that patches to the kernel are not derived from the kernel, and the kernel is under GPLv2, so they must comply with the GPLv2

Arguing that they aren't adding additional restrictions when they say that if you exercise your rights under the GPLv2, they will terminate you as a customer (and keep your money) is going to get them laughed out of court.

Re: Stupid lawsuit, but useful

[drinkypoo]

An assertion of a fact does not legally become an opinion merely by adding "in my opinion" or "I believe". For example, "I believe X molests his child" is actionable.

Bruce is not a lawyer, so he's not giving legal advice, so he's allowed to have an opinion and express it. That right is explicitly legally (constitutionally!) protected! It's more likely that they are attacking not the part following "As a customer, it's my opinion" but other ancillary statements, since nobody looks good if they attack opinions. Surely they have something slightly more clever in the fire.

Re: Stupid lawsuit, but useful

What is that claim based on? If that were true, nobody could ever report anyone to the police unless they prove them guilty first, which is plain absurd.

Re:Stupid lawsuit, but useful

[bill_mcgonigle]

They filed in California where anti-SLAPP laws provide for heavy penalties? Oh, dear.

Bruce, do you need a gofundme?

Re:Stupid lawsuit, but useful

I agree with everything you say. However, do you truly believe that the GPL really prevents you from refusing to perform work for someone? If so, again, I do not want to touch that slavery contract with a barge pole.

Re: Stupid lawsuit, but useful

When you say the contract forbids.... does it not just say that if they redistribute the patch, Grsecurity will terminate their customer relationship, refuse to take further moneys from them, and refuse to send further updates to them?

Is there a legal right to be a customer that is being restricted here or are these just commercial terms? Grsecurity, like any other company or individual, is free to refuse further service to you at any time. For this reason or no reason at all.

This doesn't seem like a separate contract since nobody is taking away your rights to things you already paid for or penalizing you. It just sounds like Grsecurity explaining how they plan on enacting their freedom to conduct their business in the future.

Re: Stupid lawsuit, but useful

[Entrope]

The basic doctrine is called undisclosed defamatory facts. The statement is not "pure" opinion, of the kind that everyone can differ. Rather, it is an inference that is based on fact, without providing those facts so that a listener or reader may draw their own conclusions about whether the inference is sound.

Because Perens explained the parts of the GPL and the actions that he thinks violate the GPL that underlay his conclusions, I expect that the GRSecurity people will have a very hard time winning as a matter of law.

Re:Stupid lawsuit, but useful

>Perens actually wrote: "it's my opinion that..."
Opinion, not assertion of fact.

It's my opinion that bradley13 is a racist, pension-stealing, baby-raping deviant who cheats at cards. He is of low character. In my opinion, these are incontrovertible facts.

There, I've defamed you with nothing more than my opinion stated as fact. You actually do have grounds to sue me if you can show harm by my statement (at least in the US).

Attaching "In my opinion" to some libelous statement you wrote will not protect you from a defamation lawsuit.

Re:Stupid lawsuit, but useful

However, do you truly believe that the GPL really prevents you from refusing to perform work for someone?

Where do you even get this kind of shit from? Spent too much time at infowars and breitbart? Afraid the terrible Muslims are going to show up and cook you for dinner soon?

All the GPL stipulates is that

1. 1. If you distribute binaries licensed under the GPL you have to provide the sources too to the people you give/sell your binaries to.
2. 2.You are not allowed to add further restrictions on code licensed under the GPL which you didn't write yourself, and thus do not have any copyright for.

The point here is that the work of the "grsecurity" people are not stand-alone works, they are derivative works of the Linux kernel. And the kernel is licensed under the GPL - hence no further restrictions allowed, such as threatening with sanctions if they in turn redistribute said patches.

Slavery? GTFO.

Re: Stupid lawsuit, but useful

[Kjella]

What if the facts and/or inferences are absurd like #pizzagate? Is the genuine belief enough to stave off a defamation lawsuit?

Re: Stupid lawsuit, but useful

You could utter entirely truthful statements and still be sued for defamation if the purpose of your utterance is to purposely damage the reputation of the party involved. Bruce is nothing more than a shill and FUDmeister now. I eagerly await the moment when his master is unmasked in court. <cough>Red Hat<cough>

Re: Stupid lawsuit, but useful

You could argue that the contracts adds additional restricting terms on top of the license of the current patch though.

Re: Stupid lawsuit, but useful

[Entrope]

If the facts are accurate, and you don't omit any material facts, then saying what you infer from those facts is probably going to be protected speech. If the inference is underwear-on-head stupid, such as "... and so politicians are clearly running a child-prostitution ring from this pizzeria" (when the facts do not reasonably support that), then a reasonable reader will harshly judge the speaker rather than the politicians in question.

Re: Stupid lawsuit, but useful

[guruevi]

It's infringement from the GPLv2 point to even add those terms. They are adding terms to the GPLv2 license by modifying the code, and distributing the code with those new terms, that's breach of contract from GRSecurity's contract with the Linux community.

The GPLv2 explicitly tells you you cannot change the terms:
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

Re:Stupid lawsuit, but useful

[arth1]

There are no winners here

Sure there are. I'm pretty sure that Grsecurity's lawyers don't work pro bono, and that any judges and other court officials involved get paid too.

Hell, even some web blogs that profit on advertising might post about this and make a small win...

Re: Stupid lawsuit, but useful

[Entrope]

Maybe in shitty jurisdictions, but in the US of A, truth is an absolute defense to defamation claims.

I could tell people how this guy named Jeffrey Dahmer did ... well, even just a few of the terrible things he did ... with the intent of damaging his reputation (rather than informing my listeners about what he did), and I would be protected by the First Amendment -- even if Dahmer were still alive, or the US legal system allowed suits over alleged defamation of dead people.

Re: Stupid lawsuit, but useful

Please keep the brits out of conversation of American law.

Re:Stupid lawsuit, but useful

Let me say up front that I don't like what grsecurity is doing, and they are a bunch of douchebags for doing it.

However, I can't see how distributing a work under GPL in any way promises or guarantees that you will distribute anything further in the future, which is what grsecurity is telling customers will happen.

I mean, what is a cut-off former customer going to do? Insist that grsecurity provide them with service? I can't see that holding up legally.

And if they claim the "restriction" is affecting the terms of the license, grsecurity will simply point out that the customer still has all the rights granted by the license.

Re:Stupid lawsuit, but useful

You can refuse to performing work for someone else, but not for the reason that your customer has exercised the right of the GPL licensed work; under penalty for loosing your rights to further distribute the work and it derivatives under the GPL license.

Your reason to refuse to perform work is important here. Often you could hide your reason, but in this case the contract clearly states that the reason is because the customer exercised its rights under the GPL licensed work.

It is very much like certain anti-racism laws which prevent you from refusing to perform work for someone, except those penalties can be a lot higher when you do.

Re:Stupid lawsuit, but useful

[drinkypoo]

Dont' worry about Bruce. He's getting well paid to spread FUD, IN MY OPINION.

Who are you?

Re: Stupid lawsuit, but useful

Your histrionics aside, the only "sanction" is to refuse to work for that person in the future. Your mistake is that you see grsecurity as some kind of product that continues to develop on its own, rather than as bespoke work only carried out at the behest of customers. So again, since you didn't answer, do you claim the GPL requires that they must perform future work for someone?

Re:Stupid lawsuit, but useful

[gnasher719]

Perens actually wrote: "it's my opinion that..."

I suppose if they could prove that this was not actually his opinion, but that he lied about it, they might be able to win.

Re: Stupid lawsuit, but useful

Is working for someone in the future a right provided under the GPL?

Re: Stupid lawsuit, but useful

If GPL required you to distribute, you would be right, but it doesn't - you can choose whether to distribute or not, for any reason.

Re: Stupid lawsuit, but useful

Well, he may not be offering legal advice, but he most certainly is offering advice to lawyers. On his blog he states he will discuss Open Source Securities licensing terms further with companies and their lawyers, under NDA, in his capacity as an expert. That goes quite a way further than "just personal opinion"

Re: Stupid lawsuit, but useful

[drinkypoo]

Well, he may not be offering legal advice, but he most certainly is offering advice to lawyers.

No, no he is in fact not doing so in this case. He is publicly sharing his opinion with everyone, as opposed to being paid to provide an expert opinion in a legal case. The two are absolutely not the same thing.

Re:Stupid lawsuit, but useful

[DRJlaw]

Perens actually wrote: "it's my opinion that..."

Opinion, not assertion of fact. This lawsuit will be thrown out almost immediately.

Prefacing things that you say with "in my opinion" does not automatically make them incapable of being false and a basis for a claim of defamation. Even the EFF doesn't fall into that trap.

The following are a couple of examples from California cases; note the law may vary from state to state. Libelous (when false):
*Charging someone with being a communist (in 1959)
*Calling an attorney a "crook"
*Describing a woman as a call girl
*Accusing a minister of unethical conduct
*Accusing a father of violating the confidence of son

Accusing a company of violating the GPLv2 and claiming that their customers are themselves potentially liabe as "contributory infringers" is perfectly in line with California's defamation precedents.

Personally I think that GRsecurity should amend its complaint to include a declaratory judgment count for non-infringement, which would be anti-SLAPP proof. Bruce is a kernel contributor and has published claims that the company is infringing. The company has a right to challenge that claim in court and obtain a judgment, even if Bruce can't bring himself to follow up on his claims with a copyright infringement suit.

Re: Stupid lawsuit, but useful

And if you were free to decide to distribute or not, then GRSecurity would be in the clear. But if they try to enforce an agreement to not distribute based on that clause they added to the license, then the GP is right and you are wrong.

And if they cannot and will not try to enforce that cause, why the fuck do they have it in there?

So either they're fucking morons or you are. Choose one.

Re: Stupid lawsuit, but useful

[arth1]

Bruce is not a lawyer, so he's not giving legal advice, so he's allowed to have an opinion and express it. That right is explicitly legally (constitutionally!) protected!

True, but he is also the CEO of Legal Engineering, "which specializes in resolving copyright infringement in relation to open source software" (Wikipedia). Unless he's clear about it being a personal opinion, his opinion could potentially be seen as a legal opinion, or gratis expert advice from Legal Engineering.

Either way, I don't think (as a private person) that this lawsuit has much merit, even in a common law system that doesn't pay much attention to the intent of contracts. But it must be an embuggerance all the same, tying up time and resources that could be better spent on other endeavors.

Re: Stupid lawsuit, but useful

[110010001000]

No it isn't. The point though is that you can't add additional contract terms to the GPL.

Re: Stupid lawsuit, but useful

You sincerely do not get it do you?

The GPL doesn't require you to work for someone, it says you have no right to apply any additional restrictions or conditions to the code or any derivatives which makes you out of compliance with the license.

IOW, you're perfectly within your rights to deny someone, but then the people who's work you are deriving from are perfectly within their rights to say "you're out of compliance with the license, and henceforth have NO rights at all to our code or any derivatives you might have".

You can't both have your cookie and eat it too, kid.

And btw, a subscription is definitely a product.

Re:Stupid lawsuit, but useful

It's pretty hard to argue that patches to the kernel are not derived from the kernel, and the kernel is under GPLv2, so they must comply with the GPLv2

Why do you think that a non GPLv2 patch isn't compliant with GPLv2?

If you never redistribute kernel code and only write patches that replaces kernel code without those lines being specifically based on the original except for variable/function names (Could be argued being part of the the API and Oracle America, Inc. v. Google, Inc. shows that using the same API isn't infringing.)
then your patch isn't really derived from kernel code and could be distributed with any license you want.

You might not be able to use a diff-compatible format for your patches since it contains lines that are part of the source it is supposed to be applied on, but there are other ways to manage patches.
Even if you are using diff it could be argued that those extra lines are there for commenting and criticizing on the original source and therefore covered under fair use. (A bit of a stretch but it is still up for argument.)

There is also the whole BSD-licensed code in GPL code issue to take into consideration.
Clearly dual-licensed code is possible but there is the question of compatibility.
How would we consider a license that allows the GPLv2-licensed parts to be redistributed as long as code covered by the other license are stripped out/replaced before redistribution?

Re: Stupid lawsuit, but useful

Law doesn't forbid you to kill people. It just tell what may happen if you do.

Re: Stupid lawsuit, but useful

The point is that GPL says you can't put further restrictions on the rights the license grants you.

Grsecurity are putting restrictions on things they do for customers which are NOT granted by the license, and you still have all the rights the license grants you.

I'm not saying that's legally correct or permissible, it's just what they are arguing.

Re: Stupid lawsuit, but useful

I don't know in the US but in most european countries, there's a law against refusing to sell to specific customers. With exceptions of course, and the contract is probably to be one of those exceptions. But by adding the contract, they add terms to discourage software distribution which is explicitely forbidden by the GPL.

Re: Stupid lawsuit, but useful

[Barsteward]

that should apply to armchair AC lawyers too

Re: Stupid lawsuit, but useful

If they rewrite a kernel from scratch, they can distribute it with the licence they want. If they distribute a parched linux kernel, they have to comply with its licence that is the GPL. Or get the agreement from any developer who produce a line of code still in use to change the licence.

They can use a dual-licence for new code but as long as they still have at least one GPLv2-only line of code, they can't change the licence they use to distribute.

Re: Stupid lawsuit, but useful

most reasonable post

Re: Stupid lawsuit, but useful

Well, he may not be offering legal advice, but he most certainly is offering advice to lawyers.

No, no he is in fact not doing so in this case. He is publicly sharing his opinion with everyone, as opposed to being paid to provide an expert opinion in a legal case. The two are absolutely not the same thing.

But the fact that he also charges for that exact type of opinion makes his statement much, much more than a personal opinion from a non-expert.

Bruce literally sells himself as an expert in this field.

Re: Stupid lawsuit, but useful

[arth1]

Law doesn't forbid you to kill people. It just tell what may happen if you do.

This is not the case, at least not in most places. Killing someone without explicit authorization goes under "malum in se", which is forbidden no matter what the penalties are or aren't.

Re: Stupid lawsuit, but useful

>Maybe in shitty jurisdictions, but in the US of A, truth is an absolute defense to defamation claims.

You mean shitty jurisdictions like Massachusetts and the US Court of Appeals 1st Circuit?

Noonan v. Staples Inc.

But even excluding that case, the courts have generally recognized that if the purpose of uttering damaging statements - even if truthful - about someone is intentionally malicious, or is at the paid behest of third-party to ruin that party's reputation and interfere with their ability to conduct business (restraint of trade), then that's not protected. It's a high hurdle for the plaintiff to prove, but its not insurmountable.

Re: Stupid lawsuit, but useful

Grsecurity are putting restrictions on things they do for customers which are NOT granted by the license, and you still have all the rights the license grants you.

And that for a start is not correct, since "what they do for customers" is a bunch of patches which are derived works of the kernel.

The real matter here though is that by adding a condition like "you must not redistribute", they are trying to turn their code into proprietary code and nullify the entire GPL. I don't think, even derivative work aside, you could place such a restriction on any GPL-code at all even if it was entirely your own code, since it's nonsense. The entire point of the GPL is to allow for maximal redistribution, "no-redistribution" isn't a copy-left concept at all. The proper legal way to enforce such restriction is by using some kind of proprietary license, but then the guise would be obvious and they would definitely be in violation of the GPL.

Re:Stupid lawsuit, but useful

I think you got Oracle v. Google wrong. The appeals court said use of an API could be infringing.

A patch is created by directly editing the work, which obviously creates a derivative work. The patch has no use other than combining again with the original work to reproduce the derivative that was previously created. Although it might be possible to create a patch that is an independent work by writing in the patch format directly, this particular patch is not independent of the kernel.

Re:Stupid lawsuit, but useful

That's not an opinion, it's an assertion.
You're in the shit.

Re: Stupid lawsuit, but useful

You are utterly wrong. To quote directly from his blog: "In the public interest, I am willing to discuss this issue with companies and their legal counsel, under NDA, without charge."

Sharing with everyone is the absolute opposite of an NDA. That he is not charging them for his private expert advice has no bearing on whether he presents himself as an expert or not. Remember, he runs the Legal Engineering consultancy, so it is related to his own business. I'm pretty sure he's an expert, and if Bruce were to pop his head up (which I'm sure given the circumstances he cannot do) I'd hope he would agree.

As for the rest of it, you don't make any sense and are just raising a red herring that on the surface appears related (experts, lawsuits). Unsurprisingly, experts exist outside of paid advice offered during lawsuits, and most certainly so do defamation laws.

Re:Stupid lawsuit, but useful

>That's not an opinion, it's an assertion.

That's just your opinion, man.

Re: Stupid lawsuit, but useful

Yeah, know-nothing armchair AC lawyers should not be allowed to post. Only know-nothing armchair Slashdot users with pseudonym userids should have that privilege.

Re: Stupid lawsuit, but useful

[Zero__Kelvin]

Working for someone in the future, or even today, is not a right, period.

Re: Stupid lawsuit, but useful

And merkins on any other countries' law system. For example, UK's libel laws, or China's censorship laws.

I had been OK since stating your opinion about some other country's law system was just your opinion and you're free to speak it here, but if you merkin morons decide that this is not allowed (so much for your freedom of speech...), then fair enough, we'll change our stance.

Oh, you want it both ways?

No, cupcake, this is not an option without it being an option for us to take too.

Re:Stupid lawsuit, but useful

No, it's my assertion.

Re: Stupid lawsuit, but useful

[drinkypoo]

You are utterly wrong. To quote directly from his blog: "In the public interest, I am willing to discuss this issue with companies and their legal counsel, under NDA, without charge."

Right, he's not doing that. He says that in the public interest, he is willing to do so. Posting his opinion publicly is not that discussion. Thanks for making my point for me.

Re: Stupid lawsuit, but useful

[Zero__Kelvin]

If it is a fact that "X" is molesting his child, then no, it isn't. Your honor, I object to the defendant saying I have been molesting my daughter, because he is right. I ask for the maximum penalty! No problem; you've got it. I'd be happy to grant that. Case dismissed.

Re:Stupid lawsuit, but useful

dimwit.

Opinion:
a view or judgment formed about something, not necessarily based on fact or knowledge.

Assertion:
a positive statement or declaration, often without support or reason

A statement of an opinion, even positively declared, is still an opinion.

Re: Stupid lawsuit, but useful

He's not doing what he says he's doing? Riiiight......

Re: Stupid lawsuit, but useful

[drinkypoo]

Unless he's clear about it being a personal opinion, his opinion could potentially be seen as a legal opinion,

No, no it cannot. Because he is not a lawyer, he cannot give legal advice. And unless he explicitly claims that he is giving legal advice, he's not giving legal advice, because he is not a lawyer. It works coming and going. Only lawyers have to give disclaimers about each little thing not being legal advice, because only lawyers can give legal advice.

or gratis expert advice from Legal Engineering.

He said he was willing to discuss the issue with companies under NDA, but this is just something he said in the public sphere, so he has not created any expectation that his public commentary will be considered expert advice.

Re: Stupid lawsuit, but useful

[drinkypoo]

He's not doing what he says he's doing? Riiiight......

He's not doing what he said he would be willing to do. The difference is substantial, and if you cannot see it, you need to go order liberally from the Scholastic catalog, and work on learning to read. Legal cases are decided on even more apparently trivial points than this.

Re:Stupid lawsuit, but useful

However, do you truly believe that the GPL really prevents you from refusing to perform work for someone?

No, of course it doesn't. What the idiots backing Perens here don't realize is the GPL is about to get an important clause struck out. Courts generally interpret contracts as narrowly as possible. By using an undefined term as "further restrictions" in the GPL, the court is going to rule that the term is too broad and like violates Grsecurities civil rights.

Re: Stupid lawsuit, but useful

[drinkypoo]

If GPL required you to distribute, you would be right, but it doesn't - you can choose whether to distribute or not, for any reason.

GPL requires you to grant the right of distribution. Having granted that right, it is doubtful that they can then create another contract which contradicts it without one of the contracts being deemed invalid, or being modified. But the GPL can't be modified, they agreed to those terms when they chose to distribute under the GPL, so they'd have to modify their other contract.

Re: Stupid lawsuit, but useful

Having granted that right, it is doubtful that they can then create another contract which contradicts it

But their whole position hinges on the fact that it doesn't contradict it, i.e. you still have the right to distribute - they just don't want to do business with you if you do.

Perens is basing his argument on the assumption that customers will not want to cease doing business with Grsecurity, and it will harm them if they break the terms of the contract by distributing.

It stinks, but AFAIK there is no legal basis for saying you can't offer a contract which requires you to waive rights you otherwise have. Grsecurity is correct that they don't have an obligation to distribute a damn thing to you if they choose not to, and they can set the terms on how they want to sell/give you GPL'd software.

Re: Stupid lawsuit, but useful

[drinkypoo]

But their whole position hinges on the fact that it doesn't contradict it, i.e. you still have the right to distribute - they just don't want to do business with you if you do.

There's no material difference! One contract says you may do something, the other contract says that you may not do it or you will be punished.

It stinks, but AFAIK there is no legal basis for saying you can't offer a contract which requires you to waive rights you otherwise have.

Well, of course there is, you can't sign away your actual rights. NDAs only work because you don't have a right to give away someone else's information, and because you're getting something (a look at the thing) in exchange for something (agreeing to remain quiet about the thing for a time.)

The situation is a lot more complicated when it comes to contradictory contracts, and even more complicated when it's not actually clear if contracts contradict one another. This is why it was popcorn time even before they sued Bruce for sharing his opinion. It could conceivably turn out in a variety of different ways.

Re: Stupid lawsuit, but useful

There's no material difference! One contract says you may do something, the other contract says that you may not do it or you will be punished.

There may well be a significant legal difference. You can agree not to do something you have a right to do, even under penalty. Look at any NDA which curtails your free speech rights.

Well, of course there is, you can't sign away your actual rights.

No, but you can agree in a contract not to exercise them, which is what this case clearly is about. Nobody is forcing you to sign their agreement, and nothing legally entitles you to get software from them - short of a contract saying they will provide it.

The situation is a lot more complicated when it comes to contradictory contracts

Very likely. However, I disagree with court opinions saying GPL is a contract; it's only a license since it doesn't require you to do anything and there is no consideration on the software author's side.

Re: Stupid lawsuit, but useful

[drinkypoo]

Very likely. However, I disagree with court opinions saying GPL is a contract;

Your disagreement is immaterial; The GPL has been shown to be a contract which one agrees to by distributing under it.

it's only a license since it doesn't require you to do anything and there is no consideration on the software author's side.

What? That's nonsense. It's a contract, which you enter into when you distribute the code. It doesn't require you to do anything unless you distribute it. And what you get in exchange for carrying the license forward is the right to distribute. There is a clear exchange here, which is what makes it a contract. Without the contract, you do not have the right to distribute the code. It's not yours, that's violation of copyright. So clearly you're getting something.

Re: Stupid lawsuit, but useful

Your disagreement is immaterial; The GPL has been shown to be a contract which one agrees to by distributing under it.

No, you have permission to distribute under certain terms. If you distribute it legally implies that you accept those terms, but you don't need to agree to DO anything to use it.

What? That's nonsense. It's a contract, which you enter into when you distribute the code. It doesn't require you to do anything unless you distribute it.

It doesn't require you to do anything EVEN IF you distribute. It only specifies the things you are permitted to do, under no terms are you required to distribute anything.

Without the contract, you do not have the right to distribute the code.

You need permission to distribute someone else's code, and GPL grants that permission conditionally. That is what a license is, and you don't need to sign any "license agreement" to get those permissions. All you need to do is abide by the terms. I'm surprised the courts ever said otherwise.

Re: Stupid lawsuit, but useful

[drinkypoo]

Your disagreement is immaterial; The GPL has been shown to be a contract which one agrees to by distributing under it.

No, you have permission to distribute under certain terms. If you distribute it legally implies that you accept those terms, but you don't need to agree to DO anything to use it.

False. You are agreeing to include the license. Otherwise, that's what I just said. You fail both at understanding the license, and at understanding English.

You need permission to distribute someone else's code, and GPL grants that permission conditionally.

Yes, just like I said, it's contingent on including the unmodified license. You get to distribute the code, but you have to include the unmodified license. Quid pro quo and violates no rights (in fact it grants them, contingent upon acceptance and following the terms of the contract) and thus it's a valid contract. That's what the court said, and it clearly agrees with the law, therefore nobody cares what you think about that decision.

Re: Stupid lawsuit, but useful

> False. You are agreeing to include the license.

Nothing implies that. You are allowed to distribute with the license included; you are not allowed to distribute without it. That is a term of permission.

> You get to distribute the code, but you have to include the unmodified license.

You MAY distribute the code IF you include the license. Difference.

Re: Stupid lawsuit, but useful

[drinkypoo]

You get to distribute the code, but you have to include the unmodified license.

You MAY distribute the code IF you include the license. Difference.

I think if you open a dictionary and figure out how to use it, that you will learn that those two statements can mean precisely the same thing.

Re: Stupid lawsuit, but useful

On the contrary, a license condition is not something you need to agree to. The terms are set by the author and you don't have to accept it; however, you will otherwise have no permission to distribute.

If what you're claiming is true, there would be a provision in the GPL for me to say "I agree to distribute this software with a copy of the license included." There simply is no place in the GPL where I can agree to include anything, or distribute anything. I can do what the license permits, or not. I don't have to make any arrangements with the author or with the person who gave me a copy of the software. I make no promises and have no obligations.

That's why it is a license and not a contract.

Re: Stupid lawsuit, but useful

[AJWM]

The GPL is not a contract, it is a license.

Without that license, if you distribute someone else's GPL'd code, you are violating their copyright. You can't distribute something somebody else has a copyright on without a license from them.

Now, in other cases, a contract may grant a license. But a contract is not itself a license, and vice versa. Only the owner of a copyright has the right to distribute that work. Everyone else requires a license. The license does not confer a right, it grants permission.

(It's also possible to transfer a copyright, in which case the transferor loses that right. That requires paperwork to be registered with the Copyright Office.)

Re:Stupid lawsuit, but useful

If you want to see an idiot, look in the mirror.

What the court find is that there is a valid contract, the GPL, and you follow it. If you don't you have no rights at all. This is already settled, see Artifex vs Hancom.

Besides, the entire idea that you could pick and chose what terms in a contract you'd like to obey by having those you don't like thrown out is utterly ridiculous and made out of wishful thinking on your part. What would happen in that case would be that the court would say, "congratulations, you've successfully voided the GPL, now you have no rights at all, and thus are guilty of copyright infringement. HAND.

Re:Stupid lawsuit, but useful

[AJWM]

Courts generally interpret contracts as narrowly as possible.

Good thing the GPL isn't a contract, then. It's a license that grants permission to distribute somebody else's copyright code.

court is going to rule that the term is too broad and like violates Grsecurities civil rights.

Grsecurity has no right to distribute anyone else's code. If they don't like that term in the license, they don't have permission to violate the Linux copyright holders' rights. Grsecurity's civil rights are not affected at all.

Geez, this same stupid argument every time someone tries to violate the GPL. Sooner or later it sinks in that if they do manage to get the GPL struck down in court, they'll have to shut down their business or face a massive copyright infringement suit. At which point they usually settle.

Re: Stupid lawsuit, but useful

The point is that any such discussions would have taken place under NDA, so you absolutely cannot say that they have not, any more than I can say they certainly have. I'd imagine this is the kind of thing that comes out during discovery. Oh, and ad-hominems too? You're a regular fallacy menagerie today.

Re:Stupid lawsuit, but useful

[phantomfive]

Perens actually wrote: "it's my opinion that..." Opinion, not assertion of fact. This lawsuit will be thrown out almost immediately.

FWIW the lawsuit deals specifically with your point, by quoting another case:

“If a speaker says, ‘In my opinion John Jones is a liar,’ he implies a knowledge of facts which lead to the conclusion that Jones told an untruth. Even if the speaker states the facts upon which he bases his opinion, if those facts are either incorrect or incomplete, or if his assessment of them is erroneous, the statement may still imply a false assertion of fact.” Milkovich v. Lorain Journal Co. 497 U.S. 1, 18 (1990)

There are two quotes from Bruce that the lawsuit specifically states as false:

[Customers] should avoid the Grsecurity product sold at grsecurity.net because it presents a contributory infringement and breach of contract risk.”

Defendants further stated that Plaintiff was in violation of the GPLv2, and thus “[a]s a customer, ... [Plaintiff’s clients] would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity.”

Re:Stupid lawsuit, but useful

What the court find is that there is a valid contract, the GPL, and you follow it. If you don't you have no rights at all. This is already settled, see Artifex vs Hancom.

Actually if you look at the context in Artifex vs. Hancom, all the Magistrate was really saying was that Hancom's argument that no contract existed because they didn't sign anything, doesn't get them out of their obligations under GPL. It wasn't a pronouncement on the absolute contract-vs-license status of GPL, but an acknowledgment that for the purposes of that case, whether Hancom had a valid license could be treated as a contract dispute.

Artifex said Hancom was distributing in a way that required a commercial license (i.e. binary-only with no source and no GPL included). Hancom said, "we don't have any mutual assent (contract) with you because we are using the GPL version."

At that point, it should have been a simple case of copyright infringement, but the case was about unpaid royalties for the commercial use of the software, so they couldn't really rule on the GPL violation.

Re:Stupid lawsuit, but useful

Bruce's attorneys, if they follow the normal procedure, will not allow him to make public comments regarding the lawsuit. You might try contacting him privately.

Re:Stupid lawsuit, but useful

[phantomfive]

Personally I think that GRsecurity should amend its complaint to include a declaratory judgment count for non-infringement

I would entirely bet that Bruce would be happy with that. He wants the case to center around the GPL, because he (rightly or wrongly) believes the GPL will support him. He doesn't care particularly about GRSecurity as a company, he wants to prevent them keeping their code secret. For Bruce, the entire thing centers around the GPL.

Interestingly, if GRsecurity did include a declaratory judgement count for non-infringement, I don't know who would bring counter-claim. I don't think Bruce Perens is actually a contributor to the Linux kernel (he's done plenty of other good free software). I've never heard him described as a kernel developer, and searching through the kernel commit logs, I can't find his name or email.

Re:Stupid lawsuit, but useful

It wasn't a pronouncement on the absolute contract-vs-license status of GPL, but an acknowledgment that for the purposes of that case, whether Hancom had a valid license could be treated as a contract dispute.

That's kind of beside the point though. The point was to show, that even if the court decided to look at the GPL as a contract then there is a precedent for that. It didn't end well for the defendant. Also, at best, if all your dreams come true, you're leaning on an invalid contract at that point to protect you from copyright claims. Not a good place to be.

At that point, it should have been a simple case of copyright infringement, but the case was about unpaid royalties for the commercial use of the software, so they couldn't really rule on the GPL violation.

That's a slight mischaracterization of the case. The case was about distribution in unauthorized forms. If Hancom had followed the stipulations of the GPL, there wouldn't have been a case. They didn't, so Artifex sued them for the more profitable option.

Re: Stupid lawsuit, but useful

[DRJlaw]

Part of the problem is that the git repository only goes back to 2011-ish? I'm thinking of his work with UserLinux and Debian, but I may have misinterpreted that.

Re: Stupid lawsuit, but useful

I suspect an estate with a revenue stream could still come after you for defamation of the deceased if it had material impact on the estate.

Re: Stupid lawsuit, but useful

I think the last time Bruce worked on a kernel, was when the 68040 was considered a high-end workstation CPU...

Re:Stupid lawsuit, but useful

[SlaveToTheGrind]

Opinion, not assertion of fact. This lawsuit will be thrown out almost immediately.

I wouldn't bet on it. Paragraph 37 of the complaint cites this Supreme Court case that clearly explains that wrapping the words "in my opinion" around language that's otherwise libelous doesn't save you:

“If a speaker says, ‘In my opinion John Jones is a liar,’ he implies a knowledge of facts which lead to the conclusion that Jones told an untruth. Even if the speaker states the facts upon which he bases his opinion, if those facts are either incorrect or incomplete, or if his assessment of them is erroneous, the statement may still imply a false assertion of fact. Simply couching such statements in terms of opinion does not dispel these implications; and the statement, 'in my opinion Jones is a liar,' can cause as much damage to reputation as the statement, 'Jones is a liar.' " Milkovich v. Lorain Journal Co. 497 U.S. 1, 18 (1990).

Re: Stupid lawsuit, but useful

[phantomfive]

That's a good question, I just checked and the git history goes back to 2005. There are older repositories, but they are probably not authoritative since Linus was merging patches by hand. Bruce also did some good work with BusyBox, but I can't remember ever hearing him described as a kernel developer. I always thought of him as a userland developer. Google doesn't particularly help here since every search "Perens kernel" just returns a bunch of links to this story.

Re: Stupid lawsuit, but useful

Yes, that is where it gets tricky, but in the end any kind of contractual restriction is just that you have negative consequences, it doesn't make it impossible to do. I think there is a good argument it is a restriction no matter how they formulate the consequences.
By what others quoted, there is no promise to pay back any money pre-paid for support, so I would claim threatening to not supply updates in this case even has a clear threat of a financial penalty, i.e. their terms are very similar to a tradition "breach of contract" clause.
There are also other issues like that suddenly stopping updates might cause serious issues to customers (suddenly no access to security fixes) and is not just a "bening" "we might not want you as a customer in the future". There might be ways to implement a "loophole" like this, but what I have seen so far I think is far too much like "if you make use of your GPLv2 rights, we'll keep your money and cause you trouble" to work IMHO.

Re: Stupid lawsuit, but useful

For some reason I read your first paragraph as if it were spoken by Mojo Jojo.

Re: Stupid lawsuit, but useful

[david_thornley]

Sure. However, offering your services to the general public except for "those people" is potentially infringing a right.

Re: Stupid lawsuit, but useful

[david_thornley]

You can agree not to do something you have a right to do, even under penalty. Look at any NDA which curtails your free speech rights.

Sure. However, the GPL appears to forbid such agreements relating to GPLed software. The contract isn't automatically illegal (like a contract giving an employer rights to stuff an employee does on his or her own time and resources in this state), but it appears to me to violate the GPL. After all, I can generally offer any legal contract, but I can be in an agreement where I can't offer a specific one.

However, I disagree with court opinions saying GPL is a contract; it's only a license since it doesn't require you to do anything and there is no consideration on the software author's side.

Your disagreement with the court is immaterial here, and doesn't actually change anything. If GRsecurity violated its license, then it doesn't have a license, and all the copies made and distributed are unlicensed, and that's good for a substantial amount of statutory damages (courtesy of the MAFIAA).

Re:Stupid lawsuit, but useful

[david_thornley]

What the idiots backing Perens here don't realize is the GPL is about to get an important clause struck out.

I don't remember a severability clause in GPLv2, so the court has the choice between holding the license to be legally valid or legally invalid, nothing in between. If ruled as invalid, then GRSecurity had no license to distribute in the first place.

The GPL points out that you don't have to accept the GPL, but in that case you don't have a license, and may not copy, change, or redistribute the software.

Courts generally interpret contracts as narrowly as possible.

However, they tend not to declare the contracts invalid. They tend to interpret the clauses in a restrictive way. If the court absolutely disagreed with Perens' interpretation, the court could rule that "further restrictions" does not clearly apply to what GRsecurity is doing, and hence GRsecurity is in the clear on their actions.

Of course, GRsecurity would have to prove not only that Perens was wrong, but that he had no good reason to think he was right, to win their lawsuit.

Re:Stupid lawsuit, but useful

[david_thornley]

(Could be argued being part of the the API and Oracle America, Inc. v. Google, Inc. [wikipedia.org] shows that using the same API isn't infringing.)

As I understand it, not being a lawyer, the ruling was that APIs can be copyrighted, since they are creative works in fixed form.

However, copyrights can't prevent you from doing something other than very specific actions, and so if you use an API to write a program or library you have to use that API, it isn't infringing.

The question after that was whether Google's use of the Java API was legitimate. Oracle was arguing that it wasn't to create a Java program or library, since Android programs were not designed to interoperate with standard Java programs, and therefore Google was using it only because it was a well-known API.

Re: Stupid lawsuit, but useful

[david_thornley]

According to Wikipedia, Noonan vs. Staples is not a valid precedent. The validity of the Massachusetts law was untested, as both parties assumed it was valid and neither challenged it. Any relevant further case could challenge the Constitutional validity of the law.

Re: Stupid lawsuit, but useful

[Zero__Kelvin]

He doesn't offer services for anyone. He works in his hobby project, and you can see the initial USENET posting if you doubt me.

Re: Stupid lawsuit, but useful

your a doosh

Comment removed

[account_deleted]

Comment removed based on user account deletion

Web host first, Web browser next

Next they'll try to sue you for reading someone's opinion on the Internet. Where will this madness stop?

Why their patches were not integrated...

If anyone was still wondering why their patches never made it in the kernel...
It shows a lot about their attitude and delusions, there are good reasons not to want code from people not able to objectively judge their own work, especially when they are asses on top...

Perens is obviously right

So what else are they going to do? Intimidating him is their only option if they can't argue the point and don't want to just give in.

Grsecurity pure garbage.

[molnarcs]

Linus Torvalds called grsecurity patches garbage earlier this year. https://www.theregister.co.uk/...

Re:Grsecurity pure garbage.

[jon3k]

I wish Linus would come out publicly and say "I wouldn't do business with them if I were you because I'm going to find a way to modify the kernel to break their business" even if it's impossible and he has no plans to do that. Just to scare off customers.

Re:Grsecurity pure garbage.

"You called us clowns? That's defamation! Lawyer up, Linus!"

Re:Grsecurity pure garbage.

Wow, between that and Poettering the GPL world really is filled with histrionic scum and assholes, isn't it? BSD, here I come.

Re:Grsecurity pure garbage.

[gravewax]

such a statement would make him an easy target for a lawsuit and it would be a slamdunk win for them

Re:Grsecurity pure garbage.

Linus called OpenBSD developers "basturbating monkeys".
Also, we are talking about Linus, his (and his trusted clique) security skill lack severly and can be easily identified in the kernel code.
Otherwise there would be no point to have a grsecurity project that can actually turn to profit.

Re:Grsecurity pure garbage.

I wish Linus would come out publicly and say "I wouldn't do business with them if I were you because I'm going to find a way to modify the kernel to break their business" even if it's impossible and he has no plans to do that.

Uhm.. It is pretty clear he has plans to do that.
The work to make the kernel more secure by removing buffer overflows and bugs is always ongoing.
It is still up for grabs if it is possible to write such a large project that is free from exploits, but it isn't like they aren't trying.

Re:Grsecurity pure garbage.

Nobody's forcing you to use Linux. Please feel free to use any BSD system that makes you happy.

Re:Grsecurity pure garbage.

[iggymanz]

Linus already has done that; he put it under the GPL

Re:Grsecurity pure garbage.

Also nobody's forcing you to read comments on slashdot. We have had enough of that arrogance for decades with all those windows pricks.

Re:Grsecurity pure garbage.

[Zero__Kelvin]

One is under no obligation to facilitate profit for others with their free efforts, so you couldn't be more wrong.

Re:Grsecurity pure garbage.

I've actually look at their code.
Some of it's okay, but some of it is really strange shit.

Re:Grsecurity pure garbage.

[jon3k]

What would they sue him for?

Re:Grsecurity pure garbage.

[munch117]

Tortious interference.

I'm not saying they would win, but there's no reason for Linus to stir up that kind of trouble.

Re:Grsecurity pure garbage.

[phantomfive]

At DEFCON last week, a hacker pwned a box running GRSecurity. So there's that.

Re:Grsecurity pure garbage.

you have a link? Nothing jumped out at the defcon site.

Re:Grsecurity pure garbage.

Wow, between that and Poettering the GPL world really is filled with histrionic scum and assholes, isn't it?

Not really, no. But you have made up your mind in this regard already, so there is no point discussing it with you.

BSD, here I come.

You will not be missed.

That said, I have deep respect for the *BSD people. I hope you will behave better in their company, or they will kick you out, and rightly so.

I like Linux (several distros), several *BSD variants, the GPL (2 and 3 both have their reasons to exist), the various BSD licenses, the Apache and MIT ones, and several more. They all have their place and uses.

This "us" and "them" nonsense really can't fuck off soon enough.

Luckily, it's a (loud) minority, including people like you, that makes most of the noise. The rest of us actually get along quite well.

So yeah. Take care, bro.

Re:Grsecurity pure garbage.

[phantomfive]

Saturday talk by trixr4skids. He actually got the pos system to run Doom.

Re:Grsecurity pure garbage.

[gravewax]

he is under no obligation to facilitate profit, but he is under an obligation not to interfere with the profits of another business, especially through actions or statements that explicitly are designed to undermine that companies profits.

Re:Grsecurity pure garbage.

https://en.wikipedia.org/wiki/... , with such a public statement they could take him to the cleaners and he would have no fucking chance. You cannot make statements or do anything with the intent to damage someones business.

Re:Grsecurity pure garbage.

they would win and win easily if he made such a public statement as it would be blatant proof of his intent. He might get away with it if he said nothing and made some changes that broke them but he had a reason for the changes (that wasn't about screwing them over).

Re:Grsecurity pure garbage.

[Zero__Kelvin]

Let's see if that holds water. Paparazzi make money taking pictures of celebrities, and celebrities often make it quite clear that their intent is to stop them from doing that. Nope. It turns out you just WANT your claim to be true, but it isn't.

Re:Grsecurity pure garbage.

[gravewax]

LOL do you have any fucking clue what you are talking about. hint go search the term "Tortious interference", and no your paparazzi example is NOT similar as them saying they want them to stop has absolutely no impact on their ability to profit.

Re:Grsecurity pure garbage.

[Zero__Kelvin]

You need to get an education. There must be lack of privilege on the part of the third party to induce such a breach, and Linus has full privilege to do whatever he wants with the Linux kernel. The paparazzi example is perfect as nobody is talking about speech, but action. The celebrity closes their blinds to stop them from making money, but it isn't tortious interference because, like Linus, they have full privilege to do so. Now seriously, you are the one with no clue WTF you are talking about, so go spend your time getting an education instead of making yourself look like an idiot here.

Re: Grsecurity pure garbage.

I can see mention of the talk, but no mention of the method or grsecurity. Do you have a link to further information? (different AC here, but genuinely interested)

Re: Grsecurity pure garbage.

[phantomfive]

You might have to wait until the talks are available online, then listen to it.

Re:Grsecurity pure garbage.

[gravewax]

you are the one in desperate need of an education. You CANNOT perform actions or make statements with the explicit intent of damaging someones business. You really have no fucking clue.

Re:Grsecurity pure garbage.

linus does not have full privilege in the legal sense at all, he has no privilege in the contractual relationships from a legal perspective and to make a statement that damages the business where his intent is to affect their business would be classified as Tortious interference and would open him up to a very large legal and liability bill.

Re:Grsecurity pure garbage.

you are misunderstanding what privilege means, privilege has nothing to do with his rights to make decisions on the Linux Kernel. privilege is about his right to be able to compete freely, it has nothing to do with his rights to make decisions over the Kernel and certainly provides ZERO defence for interfering in a business relationship.

Re:Grsecurity pure garbage.

[Zero__Kelvin]

You are one stupid motherfucker. Off you go now little troll turd ...

Re:Grsecurity pure garbage.

[gravewax]

ignorance is bliss I guess, continue on. hopefully Linus is smart enough not to take advise from dumb cunts like you.

Re:Grsecurity pure garbage.

[Zero__Kelvin]

You must be one blissful motherfucker to not get that both Kim Kardashian and Linus Torvolds have no obligation to comply with the wishes of a third party. In other news, if someone is selling my trash they can't sue me for bringing it directly to the landfill to stop them from profiting. Tortious Interference is not hard to understand, but you have to have a passing familiarity with logic, which alas, you lack.

lol

Looks like the dumbass plaintiffs dragged themselves into court to answer for the fact that they're violating a legal contract. Idiots

Re:How stupid can they be?

Only if you actually like Bruce Perens; I thought he was a reasonable guy right up until the point he compared Brad Spengler to a convicted murderer (Hans Reiser), now I just think he's a dick. I also think that Open Source Security are idiots for bringing this case, but I can see they were backed into a corner and had no remaining choices.

There's a lot of sound and fury here on Slashdot, signifying nothing. As with all court cases, "wait and see" is the correct approach, preferably with popcorn.

lesson 1, streisand effect

How to kill your society in two steps: doing publicly something stupid, twice.

It is that clear cut

If version A says you can't distribute this without losing rights to version B, then either

you just get version B and then distribute THAT and "lose rights" to distribute version C and so on and so on

OR

you lose rights to GET version B because of a violation of a term on the same GPL software (version A) which is either illegal to do because

a) a license for B can't be contingent on a license for another bit of software, copyright does not give you that right at all
b) the license addition is to both A and B, therefore explicitly against the clause Bruce mentioned, hence GRSecurity has no license for their code and are "pirates"

Re:How stupid can they be?

[prefec2]

Why? I do not need to like Bruce Perens to read his opinion and evaluate whether I agree with him or disagree. By concept it should even be irrelevant for my evaluation how sane his previous comments were. Linus Torvalds can also be a 'dick', but still is competent regarding the topic of Linux kernel development.

Re:"Grsecurity..." "...could invite legal trouble.

It's defamation to claim we're likely to launch a spurious lawsuit! ...

We're suing!

How is it a cancer?

It does not prevent you from charging for your work. Charge for it all you want. You can't put more restrictions on the work than you agreed to before you got the base software you used in YOUR work.

It's LESS of a cancer than, say, MS licenses, where you lose all right to distribute, comment or derive future benefit if MS think that you should lose the license. AND you get audited by the BSA and MS's audit teams at your expense.

If you think that GPL is a cancer and you should be able to slap your own license on code you have added to, try getting source for an MS application or their OS, adding in some stuff, then selling it under BSD, with source. See if MS think that you deserve the right to change the license on the combined work because some of it is "yours".

Re:How stupid can they be?

I did not say whether I agreed or disagreed with him at all, and certainly did not link that to my opinion of him, nice strawman.

I will now throw your question back at you. Why? So why the shitstorm? The controversy regarding their licensing is already out there, this adds nothing further that does not already exist in the public eye. The only thing that has changed is that they are suing Bruce Perens, so any "shitstorm" regarding this must come down to your personal like or dislike of him and his camp.

I'll just leave this right here...

https://en.wikipedia.org/wiki/Obsidian_Finance_Group,_LLC_v._Cox

Looks like Perens comments are coming true

They just proved it themselves.

Anti-SLAPP

In California, SLAPP stops all discovery and requires the plaintiff to pay the defendant's expenses if they lose.

Perens will not have to prove his assertions

Perens will not have to prove his assertions. The next move you will see is that he brings an anti-SLAPP motion. This will mean no discovery in the case and that the plaintiff will pay all of his expenses if they lose. At that point if the plaintiff has a thread of sanity they will back out, they failed to intimidate him, the posting is still on his web site, they can't win the case, they can only pile up big bills and they have to pay for Perens lawyer, a big, competent, law firm rather than the one-man patent attorney firm Grsecurity is using.

If the case goes on, Perens will prove that he has a right to state his opinion. And the case ends there. Perens is not making an "assertion of fact" as the patent lawyer states in his complaint and will win on 1st amendment grounds.

There will be no litigation of whether Grsecurity has the right to use its patch access agreement in contravention of the GPL, because there is a much simpler way to end the case.

That said, I suggest that any of us who are competent to work on the kernel do everything possible to make Grsecurity obsolete.

Re:Perens will not have to prove his assertions

The next move you will see is that he brings an anti-SLAPP motion

It's likely, although it will be shameful, as I do not believe that this is a SLAPP. Generally speaking, a SLAPP is a frivilous suit by someone with ample resources who knows they can burn through their opponents funding without breaking a sweat. In this case, Bruce appears to have vastly more resources and funds available to him than Brad does. Also, it appears that both Brad and his attorney believe that they have a valid case that they can win, however misguided this seems to the commenters here.

That said, I suggest that any of us who are competent to work on the kernel do everything possible to make Grsecurity obsolete.

If only they were also competent to do work on security, you might have had a chance! Good luck!

In all seriousness, I applaud the sentiment of wishing to see strong security in the kernel, but also recognise that it isn't going to happen, at least not under the current kernel politics.

This whole sordid episode has been an eye-opener for me, and has really soured me to the Linux "community" in general, who I now see as no different to the braying sheep from Animal Farm. I don't mean Brad, or even Bruce, both of whom see themselves in the right and defending something. I mean the commenters here who are screaming to see blood rather than an amicable solution. You are the real problem.

Kernel developers can obsolete Grsecurity

The kernel developers can make Grsecurity obsolete in two ways: if they want to use Grsecurity's own patch, they can take the last GPL one they have and break it up into acceptable patches (which Grsecurity refused to do). These can be submitted in the normal manner. The other way is to submit their own patches that do all of the functionality of Grsecurity without breaking the other things in the kernel that it is said to break. Either way, they will have rid themselves of this nonsense for future kernel versions.

Re:Kernel developers can obsolete Grsecurity

The problem with this is that you wrongly assume that kernel developers are also security experts. I don't mean "aware of security", I mean real bono-fide experts, of which there are very few indeed.

Attempts to do just as you suggest, that is to take an existing patch and break it up, have been criticised due to their missing important points or changing something in such a way as to make it ineffective. Basically, unless you understand what you are doing, you are going to make some mistakes.

This applies to not just to any initial merge, but also for ongoing development. It's not enough to merge and say "job done", because future work will almost certainly introduce new problems or break existing protections. Security is not a product.

Either security experts are onboard with ongoing kernel development work, or they're not. At the moment, they're not.

Re:Kernel developers can obsolete Grsecurity

lol k, there is a little problem with your logic when you say that it is all or nothing with security experts just because they are on the outs with Grsecurity because...

Grsecurity =/= all security experts

Re:Kernel developers can obsolete Grsecurity

Kernel programmers are well aware of how security issues happen to their kernels and how to stop them. They are better than the usual trained "security expert" because they understand how the actual system works, rather than having been taught a cookbook and tested upon it. I'd take a kernel programmer over the typical "security expert" any day. I further submit that if they can't write and debug kernel code, and understand hardware exploits like rowhammer at the level of the effected electronics, they aren't really security experts at all.

Re: Kernel developers can obsolete Grsecurity

The constant stream of whole classes of kernel exploits disagree with you. Now, I know; that's not fair, all code has bugs. However, consider this: if the kernel had a proper handle on security then grsecurity and similar projects would never exist in the first place. The kernel has had more than long enough now to get its act together. Quite frankly it's reached the point of embarrassment, unfortunately perpetuated by attitudes such as yours that believe that writing kernel level code makes one an automatic expert in all fields. If only it were so; the field is so narrow because we are looking for people with an overlap of exceptional kernel and security skills, neither of which are especially common to begin with.

Re: Kernel developers can obsolete Grsecurity

Maybe if companies like grsecurity would CONTRIBUTE to the kernel, instead of attempting to exploit fud to line their own pocket with cash, there would be fewer kernel exploits.

Re: Kernel developers can obsolete Grsecurity

That is an old argument. The counterpoint is that existing kernel maintainers have shown time and again that they don't want any substansive security measures in the kernel; always rating other priorities higher. Until that attitude changes, it's not going to happen. I do agree with you that grsecurity seemed too eager to charge rather than try to get stuff in, but given the animosity and resistance to change at least I can understand why they went down that path.

Re:Kernel developers can obsolete Grsecurity

I did not make that assumption. At the moment, security experts are not on board with ongoing kernel development work.

Have they not heard of the Streisand Effect?

Like really...

GPLv2, section 6 says:

Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

(emphasis added)

So, is it a restriction on the right to distribute that Grsecurity will drop you as a client?
If they drop you as a client, you can still distribute that patch set as much as you like, and they can't do a damn thing.
Grsecurity certainly has no obligation (except perhaps a moral one) to keep you as a customer. Some customers are difficult, and sometimes all the trouble they fuzz up make them too expensive to sell to.
Is the license for the code (which clearly must be GPLv2, or compatible) a separate matter from any possible business relation with Grsecurity?

Just a question: the patch set that Grsecurity sells. Does it have any subtle customer-identifying metadata in it?

And a follow-up question: off all the clients Grsecurity has, how many have distributed the patch set? And how many customers do they think they have they lost, because the patch set is publicly available? In my experience, people who need this sort of stuff don't mind paying for it. Because it most likely ends up being cheaper just to pay straight up for the service, than hunt the web for patch sets (that you might end up downloading from less reliable websites -that anyways turn out to being aliases for git.nsa.gov or git.fsb.ru- with who knows what backdoors added).

A tale of two law firms

Bruce Peren's has retained O'Melveny & Myers for his defense.
https://en.wikipedia.org/wiki/O%27Melveny_%26_Myers

O’Melveny & Myers LLP is a prominent international law firm founded in Los Angeles, California in 1885. The firm employs over 700 lawyers and has offices in California, Washington, D.C., New York City, Beijing, Brussels, Hong Kong, London, Seoul, Shanghai, Singapore, and Tokyo.
O'Melveny is one of the most prestigious and selective firms in the world, and it is widely considered to be one of the best law firms to work for.[1] Notable practice areas include securities litigation, white-collar defense, corporate, antitrust, appellate litigation, international trade, private equity, and entertainment law.[2] With regards to compensation, O'Melveny is among the highest paying law firms in the United States.[3]

Whoowee, that's some heavy-hitter lawfirm. Bruce must be really raking in some pricey consultation fees to afford that kind of legal firepower. Of course, maybe Bruce has a benefactor with deep pockets helping him out. Sorta like Hulk Hogan had with Peter Thiel. Maybe.

Let's see who Grsecurity got.
Grsecurity has retained CHHABRA LAW FIRM PC.

Here's their Wikipedia page:
https://en.wikipedia.org/wiki/Special:Search?search=CHHABRA+LAW+FIRM+PC

he page "CHHABRA LAW FIRM PC" does not exist. You can ask for it to be created, but consider checking the search results below to see whether the topic is already covered.

Hmm. Ok, well here's their Manta page
https://www.manta.com/c/mhw0bd5/chhabra-law-firm-pc

Chhabra Law Firm Pc is a privately held company in Mountain View, CA and is a Single Location business.
Categorized under Law Firms and Law Offices. Current estimates show this company has an annual revenue of 132707 and employs a staff of approximately 3.

Re: A tale of two law firms

[Brockmire]

Bruce is going to "Denny Crane" the shit out of them.

I don't think you have that right.

By using the code that no longer has license, it is possible for them to be guilty of secondary infringement. But besides all that, users using the work can be sued by GRSecurity if they try to use the rights the GPL gives them. They can be sued if the distribute with the same clause the code from GRSecurity because they're doing the same thing.

So even if you were to contend that secondary infringement cannot apply here (and we need more than just your say-so), they're still open to being sued by GRSecurity for no good reason (after all if they're this clueless about the rights and responsibilities of copyright licensing, how do you know that what you think you can do with it is what they think you can?) or for doing the same thing.

And if the customer distributes without that GRSecurity addition and just the plain GPL, that means they're sued by GRSecurity, and if they distribute with it, they're breaking the GPL themselves.

Pretty simple.

Re:I don't think you have that right.

[DRJlaw]

By using the code that no longer has license, it is possible for them to be guilty of secondary infringement.

"The code" meaning?
The user still has a license to the Linux kernel:
    1. GPLv2 sec 6 says that "Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions."
    2. GPLv2 sec 4 says that "Parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance."
    3. GPLv2 sec 2 says "You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program...," and sec 2.b. only applies if you distribute or publish the result.

And the user has an express license from GRsecurity for GRsecurity's potion of the code under the GPLv2.

But besides all that, users using the work can be sued by GRSecurity if they try to use the rights the GPL gives them.

No. GRsecurity granted a license under the GPLv2.

They can be sued if the distribute with the same clause the code from GRSecurity because they're doing the same thing.

Nope. GRsecurity granted a license under the GPLv2. GRsecurity uses a separate Stable Patch Access Agreement with the supposed restriction, and that agreement is between GRsecurity and the individual customer, not the customer and any other recipient. That agreement also explicitly says that "The User has all rights and obligations granted by grsecurity's software license, version 2 of the GNU GPL," so the user would not be doing the same thing.

they're still open to being sued by GRSecurity for no good reason

Strawman.

or for doing the same thing

False premise. There's no basis to assert that the customer would be distributing the code with that restriction themselves.

And if the customer distributes without that GRSecurity addition and just the plain GPL, that means they're sued by GRSecurity, and if they distribute with it, they're breaking the GPL themselves.

No and no.

Pretty simple.

Everything is simple if you make no effort to understand reality and merely use your own assumptions.

Re:I don't think you have that right.

By using the code that no longer has license, it is possible for them to be guilty of secondary infringement.

Very unlikely. Downstream recipients are likewise required comply with the terms of the GPL, regardless of any violation upstream.

"Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License."

https://www.gnu.org/licenses/gpl-3.0.en.html#section8

They can be sued if the distribute with the same clause the code from GRSecurity because they're doing the same thing.

Correct. They have no more right to add restrictions to the license than the upstream distributor does, and if they violate the terms of the GPL their license is subject to termination.

Re:I don't think you have that right.

[nnet]

Everything is simple if you make no effort to understand reality and merely use your own assumptions.

You refute other posters assertions, but you don't explain yours. I'm truly curious, on what are you basing your own assertions?

Re:I don't think you have that right.

[DRJlaw]

You refute other posters assertions, but you don't explain yours.

The part of the post that you omitted, with quotes from the GPL, is not an explanation?

I'm truly curious, on what are you basing your own assertions?

The cited sections and quoted language of the GPL, along with the linked copy of the Stable Patch Access Agreement and quoted language. You know, 85% of the content of the post, which you cut out.

Re:I don't think you have that right.

[david_thornley]

No. GRsecurity granted a license under the GPLv2.

GRSecurity cannot grant a license to the Linux kernel if GRSecurity doesn't have a valid license. If they have violated the GPL, then they don't have a valid license. These licenses aren't free-floating; legally, they have to be granted. (The question of what you do when you violate the GPL and lose your license can get rather involved, and GPLv3 provided for automatic reinstatement of the license under certain conditions - however, Linux is GPLv2 only, and is not distributed under GPLv3.)

GRsecurity uses a separate Stable Patch Access Agreement [perens.com] with the supposed restriction, and that agreement is between GRsecurity and the individual customer, not the customer and any other recipient. That agreement also explicitly says that "The User has all rights and obligations granted by grsecurity's software license, version 2 of the GNU GPL," so the user would not be doing the same thing.

That sounds an awful lot like adding terms to the GPL, which is not permitted by the GPL.

Therefore, I'm claiming the following things about reality. GRsecurity may be violating GPLv2 (I'm not taking a definite position on that). If so, GRsecurity doesn't have a valid license for the Linux kernel, and is forbidden to change or further copy it. If GRsecurity doesn't have a valid license, GRsecurity can't grant a license, and therefore their customers are running unlicensed copies of software. We know from the MAFIAA and lawsuits that illegitimate copies of copyrighted works can cost a whole lot of money. The Linux kernel does not operate under a copyright-assignment principle, so there's a large number of people with copyrighted code in the kernel, and I believe any of them could sue.

Hence, it looks legally risky to me to rely on a kernel supplied from GRsecurity.

Re:I don't think you have that right.

[DRJlaw]

m claiming the following things about reality. GRsecurity may be violating GPLv2 (I'm not taking a definite position on that). If so, GRsecurity doesn't have a valid license for the Linux kernel, and is forbidden to change or further copy it. If GRsecurity doesn't have a valid license, GRsecurity can't grant a license, and therefore their customers are running unlicensed copies of software.

And reality disagrees with you. Per the GPLv2:

"4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance."

"6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License."

From the SFLC:

This is GPLv2's "automatic downstream licensing" provision. Each time you redistribute a GPL'd program, the recipient automatically receives a license from each original licensor to copy, distribute or modify the program subject to the conditions of the license. There is no requirement to take any action to ensure the downstream recipient's acceptance of the license terms, see above. This places every copyright holder in the chain of descent of the code in legal privity, or direct relationship, with every downstream redistributor. Two legal effects follow. First, as sec. 6 says, parties themselves remaining in compliance have valid permissions for all actions including modification and redistribution even if their immediate upstream supplier of the software has been terminated for license violation. Their licensed rights are not dependent on compliance of their upstream, because their licenses issue directly from the copyright holder. Second, automatic termination cannot be cured by obtaining additional copies from an alternate supplier: the license permissions emanate only from the original licensors, and if they have automatically terminated permission, no act by any intermediate license holder can restore those terminated rights.

It also follows, as sec. 6 makes clear, that licensors are in no way responsible for enforcing compliance by third party recipients or distributors. Every licensee gains or loses permissions from each original licensor solely on the basis of its own conduct .

We know from the MAFIAA and lawsuits that illegitimate copies of copyrighted works can cost a whole lot of money. The Linux kernel does not operate under a copyright-assignment principle, so there's a large number of people with copyrighted code in the kernel, and I believe any of them could sue.

But they are all bound by sections 4 and 6 of the GPL as "original licensors" of their contributions, they've automatically granted licenses to GRsecurity's customers by the terms of section 6, and those licenses were not terminated by GRsecutiy's alleged violation of the terms of section 4.

Hence, it looks legally risky to me to rely on a kernel supplied from GRsecurity.

Wrong.

Re:I don't think you have that right.

[david_thornley]

The first GPL clause says that you lose your license under certain conditions, but everyone who already has a license is fine. The second one could be construed as applying to legal distribution only. The SFLC quote, while more definite, is the SFLC's interpretation, and the SFLC does not represent all Linux contributors. I don't think there's any case law here (and would be fascinated to be corrected).

Therefore, it's very possible that GRsecurity is violating the GPL and hence does not have a valid license, and the courts might rule that they can't transfer a license (disagreeing with the SFLC), and there's any number of people who could sue for statutory damages, so I'd say there's a risk. I'm not a lawyer, and this isn't even illegal advice, so if this matters to you please consult a real lawyer.

Re:I don't think you have that right.

[DRJlaw]

The first GPL clause says that you lose your license under certain conditions, but everyone who already has a license is fine.

No it doesn't. It says "However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance." You're rewording it, e.g., "However, parties who have already received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance." There is no qualification upon time included in the anti-termination provision.

The second one could be construed as applying to legal distribution only.

No, it can't. It says "Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions." There's no condition on the automatic grant of a license from the original licensor to the recipient, and there's no required grant of license from the distributor. There is no termination of the recipient's rights under even a particular instance of license under the GPLv2 -- see the statement that it "will automatically terminate your rights under this License" in addition to the above-quoted "However..." clarification.

the courts might rule that they can't transfer a license (disagreeing with the SFLC)

They don't have to transfer a license. The recipient is an intended third party beneficiary of a direct license from the original licensor under GPLv2 sec. 6, and the third party beneficiaries' rights are not terminated under GPLv2 sec. 4, both by the terms of actual termination clause and the subsequent "However" clarification.

Even if you argue that the GPLv2 is not a contract with third party beneficiaries, sec. 6 creates a promissory estoppel with respect to the recipients. Sec. 6 is not conditioned on the distributor's compliance with secs. 2 and 3, is automatic, and is not terminated by sec. 4.

The SFLC quote, while more definite, is the SFLC's interpretation, and the SFLC does not represent all Linux contributors.

Irrelevant. The SFLC is a group of lawyers who have expertise concerning this license. Without a coutervailing analysis from a lawyer, or any indication that any Linux kernal contributor even holds such an opinion, this is merely FUD.

I don't think there's any case law here (and would be fascinated to be corrected).

Your wish is granted. Skip down to "The use of GPLv2-licensed code is authorized for compliant users, even if they receive the code from a non-compliant licensee."

Re:I don't think you have that right.

[david_thornley]

Your wish is granted [informit.com]. Skip down to "The use of GPLv2-licensed code is authorized for compliant users, even if they receive the code from a non-compliant licensee."

Thank you. Very interesting.

Key word in the post nullifies the suit

[Khyber]

The key word/phrase is "it's my opinion".

Grsecurity needs to be hit with a SLAPP countersuit.

Re:Key word in the post nullifies the suit

There's an old running gag on the British TV show "Have I Got News For You?" that putting "allegedly" at the end of any statement protects you from being taken to court for slander. It's a gag because when you grow up, you'll find that the real world doesn't work that way.

Op

IMHO (lol) Perens could be crowd sourcing reaction to facts he was paid to provide. Why does he offer to discuss his opinion free of charge under NDA? It seems he wants additional artifacts to provide his paying clientele that his opinion is indeed fact.

Good way to make yourself look even worse...

[XSportSeeker]

Streissand effect. Grsecurity should hire another lawyer, if they survive this one.
Not only what Perens wrote is always reason for precaution, even if it wasn't, he repeatedly states in his blog post that this is his opinion, and that furthermore, he's open to discussion and that he's not a lawyer.
https://perens.com/blog/2017/0...

Lawsuit won't pass because it has no grounds. Courts can't define opinions as "false statements", he explicitly claimed several times that this is his opinion, and it's a huge stretch to call it "fearmongering".
Issues with licensing have always been part of the Linux community worries, and there's nothing in his post that could be classified as fearmongering. It's advice pure and simple with strong basis to boot.

If stuff like this was enough for a company to sue an individual, we'd effectively have businesses dictating censorship as they pleased, and a whole ton of democratic instruments to go against big corporations wouldn't exist.

The whole thing will be dismissed and it'll only serve as more reason to suspect Grsecurity. Why don't they go ahead and also try suing Torwalds for calling their patches garbage? Go out with a bang.

Re:Good way to make yourself look even worse...

[david_thornley]

There's no evidence that Grsecurity's lawyer thought the lawsuit a good idea, and therefore this might not be fixed with another lawyer.

Opinions of factual matters can be true or false. In the US, it isn't libel or defamation if the speaker (Perens in this case) had good reason to believe his opinions were valid. Given that Slashdot hasn't clearly debunked his claim, Perens' opinion would appear to be a reasonable one to hold, and that, in the US is a defense.

Re:How stupid can they be?

[drinkypoo]

The only thing that has changed is that they are suing Bruce Perens, so any "shitstorm" regarding this must come down to your personal like or dislike of him and his camp.

That's a stupid thing to say. You can also be against lawsuits designed to stifle public speech, which is to say, you can be pro-constitution or pro-rights or just pro-speech. There may have formerly been a shitstorm, but there was not an actual case.

Wonder if GRS can patch Streisand

[future+assassin]

so it has no effect.

Those Slimey Sacks of Shit!

[WorBlux]

And I don't Title this post just to flamebait.

The subscription agreement they use is definitely against the spirit of the GPL, but could be within the letter if they were distributing a completely original work, for which they held all copyrights and had the correct sort of patent licenses to distribute code that way. But the question naturally arises why the hell wouldn't they just outright pick a restrictive license if they just outright held all rights to an original work and wanted to restrict redistribution.

The answer is that the lawyers at GrSecurity believe their patch set would likely be found to be a derivative work of the Linux kerne should the question arise in court. Additionally I speculate they may be taking advantage of patent license that are more liberal with OSS licensees. In fact in the legal complaint, GrSecurity does not counter or otherwise address Bruce's assertion that the patch set is a derived work of the Linux kernel.

On the grsecurity's home page, they describe their product as being primarily "an extensive security enhancement to the Linux kernel". This strengthens and reflects Bruce's claim that the grsecurity patch set is a derived work of the Linux kernel.

In the actual complaint, there's a lot of slime in paragraphs 14,18, and 19 are particularly flawed. The GPL does not merely cover the patches once distributed, but also the original distribution because they are a derived work of the Linux kernel and as such may only be distributed in compliance with the terms of the GPL or a compatible license. Thus Paragraph 14 is false. Paragraph 18 is also false in so far as future version will almost surely be derived from a GPLv2 licenses Linux and subject to GPL terms upon the first distribution.

  While it's true the subscription agreement only sets out an explicit limit of future access, it's clearly and plainly designed to limit the actual and current exercise of rights granted under the the kernel's GPLv2 license. There is a conflation of simple "exercise" and "ability to exercise", which are not the same thing. They way it is written and the way that it is intended is that for works under the GPL, only the GPL may restrict copying, modification and redistribution.

This is a no-brainer

Section 6 of the GPLv2 states:

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

GRSecurity is clearly imposing a restriction on the recipients' exercise of the right of redistribution. Whether or not they limit future access to the source code of the Program (as defined by the GPLv2) is irrelevant.

When GRSecurity loses (and they will) they may face a restriction of their own in the form of Section 4 of the GPL"

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

Let's assume that a court finds that GRSecurity is attempting to modify the GPLv2 license by adding a restriction. In doing so, they are denying the rights of Linux kernel devs to distribute their code as licensed. In other words, they are denying redistribution of source code that other people wrote to their own customers. If I were a kernel developer, I would consider invoking Section 4 to terminate GRSecurity's rights to the Linux kernel.

Re:This is a no-brainer

GRSecurity is clearly imposing a restriction on the recipients' exercise of the right of redistribution.

This is the heart of the complaint, and unfortunately it's NOT clear, or they wouldn't need a courtroom to decide.

Is offering a service agreement "imposing" on customers? If they can still redistribute per the terms of the GPL, how is that a restriction? The consequence of redistributing is to lose the benefit of updates from Grsecurity--which is not a right "granted herein" by GPL, so the license really has no hold over that.

It's a mess, but I hope it will set a good precedent for the future.

Lesson to companies: if you don't plan to share your source code, DON'T USE GPL in your project.

Re: This is a no-brainer

Your argument is the equivalent of claiming there is no restriction on killing someone, you just go to prison (or worse) afterwards.
That is not how anyone ever uses the word "restriction".

Re: This is a no-brainer

No, it's the equivalent of claiming there's no restriction on killing someone, you just don't get no ice cream if you do.

I mean, as long as we're straining analogies...

So I have a plan....

[Kernel+Kurtz]

Their customers have the right to redistribute the software that they've received. GRsecurity is then saying that if they do, GRsecurity will not provide them with any future revisions to the code. There is nothing in the GPL that gives the recipient of a copy of code the right to future versions of that code or the right to distribute future versions of that code.

I'll buy a copy, and redistribute it freely and widely. They won't sell me the next version because of that, so someone else here will have to buy a copy, and redistribute it freely and widely.

Ideally in the end they will have one customer for each release, who will all be part of my plan........

Re:the code is the code that has been licensed

[DRJlaw]

dumbass.

Ad hominem.

" and that agreement is between GRsecurity and the individual customer,"

And that customer cannot be forced to give up the rights of the GPL by it.

The GPL does not give the customer any rights to future revisions. The customer is not forced to give up the right to redistribute the current version -- they can choose to or not.

"GRsecurity granted a license under the GPLv2."

And that license allows the customer to redistribute. Which makes their agreement null and void.

No. The GPL does not give the customer any rights to future revisions. The customer is not forced to give up the right to redistribute the current version -- they can choose to or not.

"Strawman."

Wrong. That was not a strawman since it was my own argument. My argument cannot be a strawman for my own argument, dumbfuck.

"A straw man is a common form of argument and is an informal fallacy based on giving the impression of refuting an opponent's argument, while refuting an argument that was not presented by that opponent."

You wrote:
"So even if you were to contend that secondary infringement cannot apply here (and we need more than just your say-so), they're still open to being sued by GRSecurity for no good reason (after all if they're this clueless about the rights and responsibilities of copyright licensing, how do you know that what you think you can do with it is what they think you can?) or for doing the same thing."

Definitional strawman. Followed by another ad hominem.

"False premise."

False claim.

Sorry, you claimed that they would be doing the same thing. They would not, therefore false premise.

"No and no."

Both wrong.

Glad that you admit that both your points were wrong.

"Everything is simple if you make no effort to understand reality and merely use your own assumptions."

And THAT there is a strawman. Did I claim EVERYTHING was simple? No. Therefore this claim of yours, asspulled as it is, is a fallacy and irrelevant.

You claimed that this was pretty simple, yet made no effort to provide an analysis based on the text of the actual licenses.

It's also perfectly fine argument style for others, and not a fallacy.

It's time to overturn GPL...

GPL served its purpose once, but today it is unworkable. Today, GPL is akin to licensing air. It creates an undue burden by its very nature and therefore should be abolished.

Re:It's time to overturn GPL...

I disagree. The GPL is more like licensing cancer.

I'll bet Bruce Perens is delighted

I've never known of him to run away from free publicity. Or any publicity.

Will future versions continue to be distributed un

If so, then the "agreement" MAY be a notice of (conditional) intent to violate the GPLv2 license that allows grsecurity to use the GPLv2 licensed kernel code.

If grsecurity limits their contributions to loadable kernel modules that do not access GPL-only kernel symbols, then they may have an argument.

If they patch the kernel itself or use GPL only kernel symbols, then their code may be a derivative work and thereby covered by GPLv2. In this case, as soon as they exercise the "right" to which they have granted themselves, they may find themselves in violation of the GPL and automatically lose the privilege of distributing the kernel and/or derivative works thereof.

I believe that the intent of Perens' warning is to let people know that he believes using future versions of grsecurity's product may make users liable for contributing to grsecurity's violation of the GPL (per the notice they provided), and that if users distribute the patches and/or a patched kernel, they may find themselves in direct violation of the GPL, as the kernel and/or grsecurity's (potential) derivative works may not be licensed at all, meaning there is no legal means of conveying a copy.

Remember that the GPL is a license (the L in "GPL" and not a contract), and that unlicensed works are not "public domain"; a copyright license is the only thing that provides the right to make (and/or distribute) copies.

It's a potentially thorny issue, which is why consultation with a good copyright lawyer would be well-advised; I'm not sure that it may be advisable to consult just any lawyer, just as it may not be advisable to seek a general internist for heart surgery...

Re:How stupid can they be?

Only if you actually like Bruce Perens; I thought he was a reasonable guy right up until the point he compared Brad Spengler to a convicted murderer (Hans Reiser), now I just think he's a dick. I also think that Open Source Security are idiots for bringing this case, but I can see they were backed into a corner and had no remaining choices.

There's a lot of sound and fury here on Slashdot, signifying nothing. As with all court cases, "wait and see" is the correct approach, preferably with popcorn.

A lot of sound & fury signifying nothing?

Well, before this I thought that grsecurity were skating the boundaries of GPL, where they maybe had found a legal, if not quite moral, way to support their business model. Given how hard it is to stay afloat I was willing to give them the benefit of the doubt & might have done business with them if positioned to do so.

Here's the quote again:

As a customer, it's my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity

Although IANAL, in my opinion Mr Perens has a valid point. I could happily be a customer of Grsecurity if I never redistributed the software modified with their patches, but if I were to use their patches in a product that I then redistributed (e.g. sold an appliance) then I would be forced by the GPL to redistribute that code (& thus would breach the contract with Grsecurity). This seems like a no-brainer.

Regardless, I think the lawsuit is a dick move. Now, I'd be very reluctant to do business with Grsecurity, even if in a position to do so. (So "signifying nothing" ==> just lost a potential customer forever.)

Anyway, IMO Grsecurity should target & facilitate customers who want to use their product without redistributing it - not attack someone who is pointing out a legitimate issue with their business model.

Re:Will future versions continue to be distributed

[DRJlaw]

as the kernel and/or grsecurity's (potential) derivative works may not be licensed at all, meaning there is no legal means of conveying a copy.

Neither Bruce nor you have provided a satisfactory explanation of how the derivative work would not be licensed at all vis-a-vis the customer.

The GPLv2 secs. 4 and 6 grant the customer a license from each licensor -- not merely from the upstream distributor -- and state that the customer's license is not terminated by termination of the upstream distributor's license.

The GPLv2 sec. 2 permits the customer to make derivative works using any type of code. That code must only be licensed or relicensed under the GPLv2 if the customer publishes or distributes it to third parties.

The customer has the Linux kernel under the GPLv2 and the grsecurity contribution under the GPLv2, and NEITHER party can terminate the customer's license without a breach by the customer. The customer can even distribute the code since both parts are licensed under the GPLv2 and are ipso facto compatibly licensed as a combination under the GPLv2.

Remember that the GPL is a license (the L in "GPL" and not a contract), and that unlicensed works are not "public domain"; a copyright license is the only thing that provides the right to make (and/or distribute) copies

Both works are licensed. The right to make the combination is licensed. There is no "public domain" issue involved.