Slashdot Mirror


Linux Kernel Hardeners Grsecurity Sue Open Source's Bruce Perens (theregister.co.uk)

An anonymous reader shares a report from The Register: In late June, noted open-source programmer Bruce Perens [a longtime Slashdot reader] warned that using Grsecurity's Linux kernel security could invite legal trouble. "As a customer, it's my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity," Perens wrote on his blog. The following month, Perens was invited to court. Grsecurity sued the open-source doyen, his web host, and as-yet-unidentified defendants who may have helped him draft that post, for defamation and business interference. Grsecurity offers Linux kernel security patches on a paid-for subscription basis. The software hardens kernel defenses through checks for common errors like memory overflows. Perens, meanwhile, is known for using the Debian Free Software Guidelines to draft the Open Source Definition, with the help of others.

Grsecurity used to allow others to redistribute its patches, but the biz ended that practice for stable releases two years ago and for test patches in April this year. It offers its GPLv2 licensed software through a subscription agreement. The agreement says that customers who redistribute the code -- a right under the GPLv2 license -- will no longer be customers and will lose the right to distribute subsequent versions of the software. According to Perens, "GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition." A legal complaint (PDF) filed on behalf of Grsecurity in San Francisco, California, insists the company's software complies with the GPLv2. Grsecurity's agreement, the lawsuit states, only applies to future patches, which have yet to be developed. Perens isn't arguing that the GPLv2 applies to unreleased software. Rather, he asserts the GPLv2, under section 6, specifically forbids the addition of contractual terms.

11 of 307 comments

  1. pissing contest.. by lkcl · Score: 4, Interesting

    this is going to be interesting to watch. one of the world's best-informed advocates of software libre, who has studied the GPL for many years, versus some idiots who will have been ill-advised by some moron whose only saving grace is the indemnification insurance provided as a sop to corporate madness. for those people not familiar with what indemnification insurance is: it's where lawyers can basically get away with making fundamental errors, and the corporation to whom they give the advice can sue their company quite safely, *as long as they follow that advice*.

    i really look forward to seeing how this turns out.

  2. Re:Stupid lawsuit, but useful by Anonymous Coward · Score: 2, Interesting

    Maybe we'll get another one of these ("ACLU Brief on Behalf of John Oliver").

    Opinions, too, are protected speech, and “[u]nder the First Amendment, there is no such thing as a false idea. However pernicious an opinion may seem, we depend for its correction not on the conscience of judges and juries but on the competition of other ideas.” Gertz v. Robert Welch, Inc., 418 U.S. 323, 339-40 (1974)

  3. Re:Stupid lawsuit, but useful by Anonymous Coward · Score: 2, Interesting

    You completely misunderstood what GrSecurity does.
    They give people code that says in the license they can give it to others, but then they make them sign a contract forbidding them to do exactly that.
    If you make your customers sign a contract for GPLv2 code at least in part NOT WRITTEN BY YOU that forbids them to give it to anyone else, then you sure as hell should keep your hands off it.
    It's not really relevant if it's your own project where either nobody else contributed or they gave you a license to do whatever you want with it.

  4. Re:How stupid can they be? by prefec2 · Score: 3, Interesting

    Why? I do not need to like Bruce Perens to read his opinion and evaluate whether I agree with him or disagree. By concept it should even be irrelevant for my evaluation how sane his previous comments were. Linus Torvalds can also be a 'dick', but still is competent regarding the topic of Linux kernel development.

  5. Re:I'm happy the GRSecurity folks are doing this by drinkypoo · Score: 4, Interesting

    GPL doesn't require supplying future updates, it just says that you must provide an offer of source with binaries, and can't restrict redistribution of source/binaries. It looks like they've found another way to follow the letter of the GPL without following the spirit of it.

    They're actually trying to do an end run around the contract to which they've already agreed, which guarantees the right of redistribution. The question becomes whether grsecurity contains any GPL code to which they do not hold the copyright. If so, then they're risking losing the right to distribute that code.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  6. Re:I'm happy the GRSecurity folks are doing this by DRJlaw · Score: 2, Interesting

    They're actually trying to do an end run around the contract to which they've already agreed, which guarantees the right of redistribution. The question becomes whether grsecurity contains any GPL code to which they do not hold the copyright. If so, then they're risking losing the right to distribute that code.

    They may be complying with the terms of the GPL, whether you call it a contract or not. Their customers have the right to redistribute the software that they've received. GRsecurity is then saying that if they do, GRsecurity will not provide them with any future revisions to the code. There is nothing in the GPL that gives the recipient of a copy of code the right to future versions of that code or the right to distribute future versions of that code.

    I've disagreed with Bruce on this specific issue and I still do. While GRsecurity may be in violation of GPLv2 sec. 6 ("You may not impose any further restrictions on the recipients' exercise of the rights granted herein."), the idea that their customers may be liable for contributory infringement and breach of contract is off-the-wall crazy. Bruce's theory is directly contradicted by GPLv2 secs. 2, 4, and 6 -- the customers are free to use GRsecurity's product and there is no potential violation of the GPLv2 unless the customers themselves redistribute that code.

  7. Re:Prove it's true by Anonymous Coward · Score: 5, Interesting

    Their legal counsel is a one-man firm, and if you read his online reviews, they are all about his patent filings. It sounds like he is in over his head.

    Perens is using a big firm that has lawyers for every sort of legal issue, and his lead attorney wrote a book on Open Source licensing. If she has built expertise in Open Source, she and Perens would have worked together before.

  8. Re:Kernel developers can obsolete Grsecurity by Anonymous Coward · Score: 3, Interesting

    The problem with this is that you wrongly assume that kernel developers are also security experts. I don't mean "aware of security", I mean real bona fide experts, of which there are very few indeed.

    Attempts to do just as you suggest, that is to take an existing patch and break it up, have been criticised due to their missing important points or changing something in such a way as to make it ineffective. Basically, unless you understand what you are doing, you are going to make some mistakes.

    This applies not just to any initial merge, but also to ongoing development. It's not enough to merge and say "job done", because future work will almost certainly introduce new problems or break existing protections. Security is not a product.

    Either security experts are onboard with ongoing kernel development work, or they're not. At the moment, they're not.

  9. Re:I'm happy the GRSecurity folks are doing this by DRJlaw · Score: 3, Interesting

    I rather think that disallowing future revisions to paying customers contingent on their "exercise of the rights granted herein" IS a further restriction on their exercise of those rights.

    "You may not impose any further restrictions on the recipients' exercise of the rights granted herein."

    But the GPLv2 does not grant a right to obtain future revisions, whether you're a paying customer or otherwise. The GPLv2 does not require that the (re)licensor grant a right to distribute anything more than what has already been distributed to the recipient. Those are not "rights granted herein." The first is a right granted by grsecurity's paid support contracts -- contracts for services. The second is a right that is reserved and carved out from the first.

    Tivoization violates the "spirit" of the GPLv2, but what matters is whether a licensee has violated the letter of the license. That violation is not as clear cut as you think.

  10. Re:I'm happy the GRSecurity folks are doing this by phantomfive · Score: 3, Interesting

    The question becomes whether grsecurity contains any GPL code to which they do not hold the copyright.

    The answer is absolutely yes, it is a derivative work. It is a derivative work because there is no part of the patches that would exist without the Linux kernel: their entire purpose is to modify the kernel (and theoretically make it more secure). I would like to point out that at DEFCON last week, trixr4skids took a Point of Sale device with GRSecurity on it, and hacked it to run DOOM. The keyboard input on the device was not user friendly.

    --
    "First they came for the slanderers and i said nothing."

  11. Re:I'm happy the GRSecurity folks are doing this by jeremyp · Score: 3, Interesting

    I'm not sure it is as clear cut as you seem to think. They distribute the software to you under the GPL and ask you to sign a second contract if you also want support. The second contract has the restrictive clause.

    Furthermore, the contract doesn't say "you can't redistribute this software", it says "we won't give you future versions of this software". I think they have a point, although I am not a lawyer.

    As for whether Bruce Perens is committing libel by publishing an opinion that they are in breach of GPL, we'd better hope they find for the defendant, otherwise it would be impossible for anybody to argue a company is breaching a software licence (or any licence or contract or law) without being potentially a target for a libel suit.

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask? ~~ Randall Munroe