Slashdot Mirror


Linux Kernel Hardeners Grsecurity Sue Open Source's Bruce Perens (theregister.co.uk)

An anonymous reader shares a report from The Register: In late June, noted open-source programmer Bruce Perens [a longtime Slashdot reader] warned that using Grsecurity's Linux kernel security could invite legal trouble. "As a customer, it's my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity," Perens wrote on his blog. The following month, Perens was invited to court. Grsecurity sued the open-source doyen, his web host, and as-yet-unidentified defendants who may have helped him draft that post, for defamation and business interference. Grsecurity offers Linux kernel security patches on a paid-for subscription basis. The software hardens kernel defenses through checks for common errors like memory overflows. Perens, meanwhile, is known for using the Debian Free Software Guidelines to draft the Open Source Definition, with the help of others.

Grsecurity used to allow others to redistribute its patches, but the biz ended that practice for stable releases two years ago and for test patches in April this year. It offers its GPLv2 licensed software through a subscription agreement. The agreement says that customers who redistribute the code -- a right under the GPLv2 license -- will no longer be customers and will lose the right to distribute subsequent versions of the software. According to Perens, "GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition." A legal complaint (PDF) filed on behalf of Grsecurity in San Francisco, California, insists the company's software complies with the GPLv2. Grsecurity's agreement, the lawsuit states, only applies to future patches, which have yet to be developed. Perens isn't arguing that the GPLv2 applies to unreleased software. Rather, he asserts the GPLv2, under section 6, specifically forbids the addition of contractual terms.

167 of 307 comments

  1. Prove it's true by Anonymous Coward · · Score: 4, Insightful

    That would put a full stop to Gr's suit.
    But besides that, it's pretty clear this is an intimidation move because it would be relatively trivial to just show you're not doing it.

    1. Re:Prove it's true by Anonymous Coward · · Score: 3, Insightful

      Yeah, suing the god damned web hoster as well is a sure sign they want to discourage this kind of talk in future.

    2. Re:Prove it's true by thesupraman · · Score: 5, Informative

      I would suggest that if that is their intention, they do not know Mr Perens very well, and have not done their homework.
      I suspect they are currently experiencing a bit of a surprise in the reaction to their attempted strong-arming..
      I also suspect they are rather wet-behind-the-ears (at least their decision makers) in the area of kernel security, to try such a play.

      They are trying to play a legal-loophole game, which never goes down very well with the kernel maintainers, to say the least.
      And they have quite possibly forgotten the fact that the maintainers could make their lives a LOT harder basically at will, by making their patches unworkable in subsequent releases..

      Or they could just say sorry, and hope that they get some forgiveness - I am betting they won't..

    3. Re: Prove it's true by SLi · · Score: 1, Insightful

      How would it be trivial to show? They assert what they do is legal; Bruce asserts it is not. It's mostly a dispute of law, not of facts.

    4. Re:Prove it's true by Anonymous Coward · · Score: 2, Insightful

      This demand proves Perens' point about dealing with Grsecurity stuff inviting legal trouble.

      Either way from GPL violations or from a litigious company like this case.

    5. Re:Prove it's true by FooAtWFU · · Score: 3, Insightful

      Proving it's true would not put a full stop to the suit; it would be a thing that you prove in the suit itself. This is expensive because it means you're paying lawyers lots of money. The thing that's supposed to put a full stop to the suit is an anti-SLAPP motion, because this appears to be a Strategic Lawsuit Against Public Participation; among other things, this typically stays all discovery, saving much expense.

      Unfortunately I'm not up to speed on California-specific anti-SLAPP statutes.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    6. Re: Prove it's true by guruevi · · Score: 4, Insightful

      Even so, regardless of the facts on the matter, Bruce is entitled to his opinion, even if he ends up being wrong. GRSecurity just shot themselves again in the other foot with this.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    7. Re:Prove it's true by Anonymous Coward · · Score: 3, Informative

      And they have quite possibly forgotten the fact that the maintainers could make their lives a LOT harder basically at will, by making their patches unworkable in subsequent releases..

      That isn't really a viable solution.
      Writing kernel code specifically to make it incompatible rather than to get the best solution will cause all sorts of problems.

      They could release new code under a non-GPL license that is mostly identical with GPL but prohibits usage together with grsecurity's software, but I'm not sure such a license will hold up in court and it is a bit against the free software mindset.
      (OK, BSD is a bit more along the lines of "You can do whatever you want, even if you use the code for things I don't like" than GPL, but the idea is still to be in that direction.)

      No, the only viable path I see is to defend yourself in court and then counter-sue for your costs.

    8. Re: Prove it's true by MrMr · · Score: 2

      Reading the first part of the complaint they appear to claim that their future versions of the linux kernel will violate the gpl2 license. I guess that would make it a declaration of intent rather than an outright breach of contract...

    9. Re:Prove it's true by gnasher719 · · Score: 4, Insightful

      Proving it's true would not put a full stop to the suit; it would be a thing that you prove in the suit itself. This is expensive because it means you're paying lawyers lots of money.

      Bruce Perens' counsel is Heather Meeker of O'Melveny and Meyers, author of a book about use of Open Source software in the enterprise. I wouldn't be surprised if she gives him a good deal for representation in court if needed. (I thought Bruce Perens is a lawyer as well, but probably respects the old saying "a man who represents himself in court has a fool for a lawyer and a fool for a client").

      What he said is "It is my strong opinion..." which I think stops what he says from being libel. GrSecurity could have replied "It is our strong opinion that Bruce Perens is incompetent and has no idea what he is talking about", which would probably not be libel for the same reason, being an opinion and not declared to be fact. Suing him has no chance of winning, and the huge risk that a court might agree that Bruce Perens' opinion is actually correct. That's most likely something that he would argue, in addition to the 100% winner argument "I said it was just my opinion".

    10. Re:Prove it's true by drinkypoo · · Score: 1

      I would suggest that if that is their intention, they do not know Mr Perens very well, and have not done their homework.

      I would suggest that they definitely know who Bruce Perens is, and that their legal counsel is simply a typical self-described type A who wants to fuck everything.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    11. Re:Prove it's true by jenningsthecat · · Score: 4, Insightful

      Bruce Perens' counsel is Heather Meeker of O'Melveny and Meyers...

      I suspect Perens and Ms Meeker will also have some assistance from the EFF. The potential chilling effects of this suit, and its blatant misuse of judicial process, are too important for the EFF to remain on the sidelines for long.

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    12. Re:Prove it's true by Anonymous Coward · · Score: 5, Interesting

      Their legal counsel is a one-man firm, and if you read his online reviews, they are all about his patent filings. It sounds like he is in over his head.

      Perens is using a big firm that has lawyers for every sort of legal issue, and his lead attorney wrote a book on Open Source licensing. If she has built expertise in Open Source, she and Perens would have worked together before.

    13. Re:Prove it's true by Anonymous Coward · · Score: 1

      Perens stated in his web site article on Grsecurity that he is not an attorney, but an intellectual property expert who advises attorneys. And then he went on to say that this article was advice to your attorney, who is the only person who can give you legal advice. It sounds like he covered his 6 about not giving legal advice in a more graceful way than "IANAL". And by doing so he probably cemented that this was opinion. He'd win the case.

    14. Re:Prove it's true by arth1 · · Score: 1

      While he's not an attorney at law, he knows a few things about it, and I'm sure he'll use lawyers quite well.

      And I also suspect that he won't be posting here, but will follow the generally sound advice that when hit with a lawsuit, do not comment on it except through lawyers. Anything said is potential ammunition or intel for your adversaries, neither of which helps your case.

    15. Re: Prove it's true by arth1 · · Score: 4, Funny

      GRSecurity just shot themselves again in the other foot with this.

      Only four more feet to go, then.

    16. Re:Prove it's true by Anonymous Coward · · Score: 1

      Claiming opinion is not a 100% defense to libel. As was shown in the case cited in the complaint itself, you can still be liable if what you said isn't legally an opinion. For example, "It is my opinion that Bob killed Janet," is not an opinion, but a "statement of verifiable fact" that is dressed up to look like an opinion. In this case, there is a very good argument that at least some of the language he used is a verifiable fact, although it probably isn't up to the level of damages they are looking for. Most of the big statements he uses are actual opinions.

    17. Re:Prove it's true by drinkypoo · · Score: 1

      And I also suspect that he won't be posting here, but will follow the generally sound advice that when hit with a lawsuit, do not comment on it except through lawyers.

      I suspect that there will be a public statement, because cases in the public interest are won partly in the public sphere. I further suspect that Bruce himself will let us know about it when it happens, but that he won't engage in [much] commentary in the story, and that any he does engage in will be cleared through his lawyer. But that costs money, so he won't do any more of it than is absolutely necessary.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    18. Re:Prove it's true by phantomfive · · Score: 1

      GRSecurity is demanding a jury trial, which means the emotional power of the lawyers on each side will play an important part, which means they are trying to make it as painful as possible for Bruce, even if they lose.

      --
      "First they came for the slanderers and i said nothing."
    19. Re:Prove it's true by phantomfive · · Score: 2

      I thought Bruce Perens is a lawyer as well, but probably respects the old saying "a man who represents himself in court has a fool for a lawyer and a fool for a client"

      He is not. In this situation he has consistently presented himself as an expert witness.

      The problem here is that GRSecurity grants their customers patches under the GPL2, but then explicitly states that if the customers redistribute the patches to other people, then GRSecurity will punish them by not giving them any more patches in the future. This is obviously contrary to the spirit of the GPL, but GRSecurity claims the exact wording of the GPL, "You may not impose any further restrictions on the recipients' exercise of the rights granted herein", is not contradicted by threatening to punish customers in this way.

      This issue is now being brought up directly to be tested in court. I think there is absolutely nothing that could make Bruce happier in this situation. He got exactly what he wanted. The only tricky part is the jury trial, but the facts are obvious enough here, that can be circumvented with a summary judgement.

      --
      "First they came for the slanderers and i said nothing."
    20. Re:Prove it's true by phantomfive · · Score: 1

      These are the two quotes GRSecurity singled out as being false. If they can be trivially proven true, then GRSecurity will be thrown out of court:

      Defendants, in the Posting, stated that "[Customers] should avoid the Grsecurity product sold at grsecurity.net because it presents a contributory infringement and breach of contract risk.”

      Defendants further stated that Plaintiff was in violation of the GPLv2, and thus “[a]s a customer, ... [Plaintiff’s clients] would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity.”

      --
      "First they came for the slanderers and i said nothing."
    21. Re: Prove it's true by nazsco · · Score: 1

      from the summary, their attack will be "our current modules can be distributed, that's why we made them gpl2. our announcements were for future modules, which will not be gpl2. the accused told everyone they would be criminals by being our clients because we would release the new modules as gpl2, which we won't. hence he is disrupting our business. "

      to help the truth come out, everyone here who is their clients and never distributed the current modules because everyone knows that is what they were saying to begin with, do file an amicus brief! now! ...well, monday.

      cheers!

    22. Re:Prove it's true by phantomfive · · Score: 1

      What he said is "It is my strong opinion..." which I think stops what he says from being libel.

      No, merely stating "this is my opinion" is not enough to stop a statement from being libel. The lawsuit pre-emptively makes an argument against that, quoting another judgement:

      “If a speaker says, ‘In my opinion John Jones is a liar,’ he implies a knowledge of facts which lead to the conclusion that Jones told an untruth. Even if the speaker states the facts upon which he bases his opinion, if those facts are either incorrect or incomplete, or if his assessment of them is erroneous, the statement may still imply a false assertion of fact.” Milkovich v. Lorain Journal Co. 497 U.S. 1, 18 (1990)

      --
      "First they came for the slanderers and i said nothing."
    23. Re: Prove it's true by Brockmire · · Score: 1

      Nice loophole.

    24. Re: Prove it's true by rahvin112 · · Score: 1

      Worse, they are gonna get anti-SLAPP'd in court and pay Bruce's legal fees as well as their own. Not the smartest thing to do.

    25. Re:Prove it's true by SlaveToTheGrind · · Score: 1

      What he said is "It is my strong opinion..." which I think stops what he says from being libel.

      It depends on what follows the word "opinion." The complaint specifically addresses this in paragraph 37 -- I've included a bit more of the text from the Supreme Court case it cites since it directly speaks to your point:

      “If a speaker says, ‘In my opinion John Jones is a liar,’ he implies a knowledge of facts which lead to the conclusion that Jones told an untruth. Even if the speaker states the facts upon which he bases his opinion, if those facts are either incorrect or incomplete, or if his assessment of them is erroneous, the statement may still imply a false assertion of fact. Simply couching such statements in terms of opinion does not dispel these implications; and the statement, 'in my opinion Jones is a liar,' can cause as much damage to reputation as the statement, 'Jones is a liar.' Milkovich v. Lorain Journal Co. 497 U.S. 1, 18 (1990)."

    26. Re: Prove it's true by St.Creed · · Score: 1

      I doubt they will get away with it. If I have a mortgage and the bank says "oh, if you don't give us an extra 400 dollar each month your house belongs to us" it's not "just a statement". Neither is this. It relates directly to the software, and as such is likely covered by the GPL. IANAL but given the ramifications if they can do this, I doubt it works like that.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    27. Re:Prove it's true by postbigbang · · Score: 1

      His way is perhaps more ethical than just putting the patches into a nice torrent, and making sure they get noticed. If the GRSecurity patches are what they SAY they are, then a hardened kernel would therefore not be able to be identified.

      Oh, wait.....

      --
      ---- Teach Peace. It's Cheaper Than War.
    28. Re:Prove it's true by Khyber · · Score: 1

      Second claim can be proven true as the GPL v2 has been tested and upheld in court as a valid contract. Grsecurity's actions - that I have witnessed in regards to their licensing - violates Section 6 of the GPL v2.

      With the second statement AFAIK being true, the first statement is automatically true.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    29. Re:Prove it's true by Khyber · · Score: 1

      You don't read /. much, do you? Progress Software v. MySQL, that was like a decade ago.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    30. Re:Prove it's true by Aighearach · · Score: 1

      Spoiler: contracts don't have to be ruled valid to be valid. They're valid when they're agreed, and the only legal review they're going to get is a ruling that they're NOT valid. If it is valid, you know it by nobody having gotten it declared invalid. If it didn't happen, it is valid. The only other thing they would be looking at is what some of the words mean if it is ambiguous.

      The whole thing is just old FUD from the Microsoft anti-linux days, trying to raise a question that causes concern and won't ever be answered because it isn't a real question that will ever get addressed. It was only ever a lie to deceive people. I guess you fell for it, because MS stopped paying people to shill that shit decades ago.

    31. Re:Prove it's true by Khyber · · Score: 1

      And the person you just replied to explained why it is valid - contracts are held valid until ruled INVALID by a court ruling. Period. GPL got tested in court. It was not ruled invalid. Period. That means it is held as valid.

      Do you not understand the legal system?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    32. Re:Prove it's true by Khyber · · Score: 1

      You very fucking obviously did NOT read the case, otherwise you'd have clearly seen:

      "With respect to the General Public License ("GPL"), MYSQL has not demonstrated a substantial likelihood of success on the merits or irreparable harm. Affidavits submitted by the parties' experts raise a factual dispute concerning whether the Gemini program is a derivative or an independent and separate work under GPL "

      This clearly demonstrates the court as looking at the GPL as a valid contract. Plain as fucking day.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    33. Re:Prove it's true by Khyber · · Score: 1

      A license is a recognized type of contract. Much like your license to drive is actually a contract.

      But please, continue being obtuse for the sake of being a retard.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    34. Re: Prove it's true by GunJah · · Score: 1

      our announcements were for future modules, which will not be gpl2. the accused told everyone they would be criminals by being our clients because we would release the new modules as gpl2, which we won't. hence he is disrupting our business. "

      GRS does not have the right to release future modules that are not GPL2.
      That's the whole point of friction in this issue.

    35. Re:Prove it's true by Khyber · · Score: 1

      Hah! Try again. A license to drive, a license to operate heavy machinery, a license to fly, all are contracts (I should know, I have all three.) According to Black's Law, a contract is: "an agreement between two or more parties creating obligations that are enforceable or otherwise recognizable at law."

      When you go to get your license, you agree that you will abide by all rules and restrictions placed within the range of your license. In return, the state agrees to grant you the ability to operate such machinery in the manner proscribed as long as you maintain your registration and follow the laws relevant to that license (in the cases where the state is the grantor of the license, at least, e.g. driver's license.) In a warehouse (forklift operator) you sign a contract when they license you for the specific facility you are operating at which states you will follow all safety rules relevant to that machinery, or else you face the risk of losing your license to operate that machinery or even lose your job.

      That is a contract no matter how you or any court ruling might try to stretch otherwise.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    36. Re:Prove it's true by david_thornley · · Score: 1

      2. and 3. are arguably factual, but any evaluation of risk is open to subjective interpretation. Nevertheless if Grsecurity proves their product presents NO risk of contributory infringement or breach of contract, these statements would be unequivocally false.

      However, if the statements are false, but Bruce has reason to believe they're true, it's still not libel. US law is stringent about what constitutes libel, and it can be hard to prove it.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    37. Re:Prove it's true by Thad+Boyd · · Score: 1

      I'm neither a lawyer nor a Californian, but I read Popehat, and Ken White frequently describes California's anti-SLAPP statute as "robust".

      Perens will, presumably, file for dismissal on the grounds that his remarks were protected opinion supported by cited facts.

    38. Re:Prove it's true by Khyber · · Score: 1

      Prove your point by citation from the case itself - you can't.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    39. Re:Prove it's true by preflex · · Score: 1

      US law is stringent about what constitutes libel, and it can be hard to prove it.

      Yep. It's very hard to win a libel case in the US, and that's a good thing.

      To win a libel case in the US, the plaintiff must show (to a preponderance):
      1. The statement was false.
      2. The defendant knew it was false.
      3. The defendant's statement was malicious in intent or egregiously reckless.
      4. There were actual quantifiable damages. Merely feeling insulted is not enough.

      The high standards here are very intentional. It's to prevent jerks from screaming "libel!" to silence their critics, which would chill discussion on matters of great public interest.

      (Note: the POTUS should go fuck himself for suggesting any changes. It ain't broke. Don't fix it.)
      (Disclaimer: I am not a lawyer and this is not legal advice.)

    40. Re:Prove it's true by RockDoctor · · Score: 1

      I would suggest that if that is their intention, they do not know Mr Perens very well, and have not done their homework.

      Which would prompt all sorts of questions along the lines of "do they know a thing about OS?"

      Which is an extremely bad question to be asking about a "security" provider - commercial or no.

      Streisand Effect, big style.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  2. "Grsecurity..." "...could invite legal trouble. " by Anonymous Coward · · Score: 2

    Perens vindicated.

  3. I'm happy the GRSecurity folks are doing this by Anonymous Coward · · Score: 1

    I fully expect them to lose, the GPL is very clear that you cannot add additional restrictions, and they are doing exactly that.

    The kernel folks have been dismissive of GRSecurity as having little importance, and not worth the hassle of involving the lawyers. But since GRSecurity is starting the lawsuits and the GPL needs to be defended in court, I expect a lot of high powered legal involvement to settle this.

    1. Re:I'm happy the GRSecurity folks are doing this by _merlin · · Score: 1

      I don't think the GPL stops them doing this. They aren't stopping you from redistributing GPL software, they're just saying that if you redistribute the software, they won't give you future updates. GPL doesn't require supplying future updates, it just says that you must provide an offer of source with binaries, and can't restrict redistribution of source/binaries. It looks like they've found another way to follow the letter of the GPL without following the spirit of it.

      So someone who buys some version of grsecurity can redistribute it, and the people they redistribute it from can also redistribute it. The vendor is free to refuse to do business with all these people. But it only takes one customer who no longer cares about receiving future updates to release all the versions they've received, or potentially one rogue employee who doesn't want their employer to receive future grsecurity updates.

    2. Re:I'm happy the GRSecurity folks are doing this by drinkypoo · · Score: 4, Interesting

      GPL doesn't require supplying future updates, it just says that you must provide an offer of source with binaries, and can't restrict redistribution of source/binaries. It looks like they've found another way to follow the letter of the GPL without following the spirit of it.

      They're actually trying to do an end run around the contract to which they've already agreed, which guarantees the right of redistribution. The question becomes whether grsecurity contains any GPL code to which they do not hold the copyright. If so, then they're risking losing the right to distribute that code.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:I'm happy the GRSecurity folks are doing this by omnichad · · Score: 1

      Or they only need at most one subscriber per version. The rest can have it redistributed.

    4. Re:I'm happy the GRSecurity folks are doing this by DRJlaw · · Score: 2, Interesting

      They're actually trying to do an end run around the contract to which they've already agreed, which guarantees the right of redistribution. The question becomes whether grsecurity contains any GPL code to which they do not hold the copyright. If so, then they're risking losing the right to distribute that code.

      They may be complying with the terms of the GPL, whether you call it a contract or not. Their customers have the right to redistribute the software that they've received. GRsecurity is then saying that if they do, GRsecurity will not provide them with any future revisions to the code. There is nothing in the GPL that gives the recipient of a copy of code the right to future versions of that code or the right to distribute future versions of that code.

      I've disagreed with Bruce on this specific issue and I still do. While GRsecurity may be in violation of GPLv2 sec. 6 ("You may not impose any further restrictions on the recipients' exercise of the rights granted herein. "), the idea that their customers may be liable for contributory infringement and breach of contract is off-the-wall crazy. Bruce's theory is directly contradicted by GPLv2 secs. 2, 4, and 6 -- the customers are free to use GRsecurity's product and there is no potential violation of the GPLv2 unless the customers themselves redistribute that code.

    5. Re: I'm happy the GRSecurity folks are doing this by Anonymous Coward · · Score: 1

      Perens stated this in the end of his article:

      I am an intellectual property and technology specialist who advises attorneys, not an attorney. This is my opinion and is offered as advice to your attorney. Please show this to him or her. Under the law of most states, your attorney who is contracted to you is the only party who can provide you with legal advice.

      He's requesting that you ask your lawyer, and stating that only your lawyer can give you legal advice.

      I suspect he could win on just that sentence. This is a statement of his opinion, not a "statement of fact" as Grsecurity's patent lawyer claims.

    6. Re:I'm happy the GRSecurity folks are doing this by Zero__Kelvin · · Score: 1

      IANAL, but I fail to see how grsecurity patches aren't derivative work by definition.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    7. Re:I'm happy the GRSecurity folks are doing this by OmniGeek · · Score: 1

      I rather think that disallowing future revisions to paying customers contingent on their "exercise of the rights granted herein" IS a further restriction on their exercise of those rights. It certainly violates the spirit of the license, and it would not surprise me at all for a court to find that it also violates the letter.

      I'm not familiar with the contributory-infringement issue, but it seems clear that GRSecurity has indeed violated the GPL in this way.

      --
      "My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
    8. Re:I'm happy the GRSecurity folks are doing this by DRJlaw · · Score: 3, Interesting

      I rather think that disallowing future revisions to paying customers contingent on their "exercise of the rights granted herein" IS a further restriction on their exercise of those rights.

      "You may not impose any further restrictions on the recipients' exercise of the rights granted herein."

      But the GPLv2 does not grant a right to obtain future revisions, whether you're a paying customer or otherwise. The GPLv2 does not require that the (re)licensor grant a right to distribute anything more than what has already been distributed to the recipient. Those are not "rights granted herein." The first is a right granted by grsecurity's paid support contracts -- contracts for services. The second is a right that is reserved and carved out from the first.

      Tivoization violates the "spirit" of the GPLv2, but what matters is whether a licencee has violated the letter of the license. That violation is not as clear cut as you think.

    9. Re:I'm happy the GRSecurity folks are doing this by whoever57 · · Score: 1

      Here is where I think GRSecurity's argument fails:

      While the Company aims only to terminate access to the stable patches in the event of willful violation of the terms in this agreement, we reserve the right to revoke access to the stable patches and changelogs at any time for any reason. In the event of termination, the Company will at its own discretion refund payment for any remaining pre-paid period.

      In other words, GRSecurity can terminate access and keep their client's money.

      --
      The real "Libtards" are the Libertarians!
    10. Re:I'm happy the GRSecurity folks are doing this by drinkypoo · · Score: 1

      That violation is not as clear cut as you think.

      What I think makes it clear cut is that they're issuing both licenses. They've given you the right to distribute by using that license. Then they want to take it away again, by depriving you of a service for which you have paid. I think that specifically is what is going to bite them. If they were providing service for someone else's software, which someone else had distributed, I think it would be a different story.

      Since no lawyers have stepped in to comment (how unusually wise of them) this is all wild speculation, and we'll have to see what a court thinks before anyone has anything meaningful to say on the subject. But it sure is fun to speculate.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    11. Re:I'm happy the GRSecurity folks are doing this by DRJlaw · · Score: 1

      Since no lawyers have stepped in to comment (how unusually wise of them) this is all wild speculation...

      Keep telling yourself that...

    12. Re:I'm happy the GRSecurity folks are doing this by phantomfive · · Score: 3, Interesting

      The question becomes whether grsecurity contains any GPL code to which they do not hold the copyright.

      The answer is absolutely yes, it is a derivative work. It is a derivative work because there is no part of the patches that would exist without the Linux kernel: their entire purpose is to modify the kernel (and theoretically make it more secure). I would like to point out that at DEFCON last week, trixr4skids took a Point of Sale device with GRSecurity on it, and hacked it to run DOOM. The keyboard input on the device was not user friendly.

      --
      "First they came for the slanderers and i said nothing."
    13. Re:I'm happy the GRSecurity folks are doing this by DRJlaw · · Score: 1

      That no lawyers have been chiming in, because if actual lawyers had, they would have been peppering their commentary liberally with disclaimers about how it is not legal advice, like an intelligent lawyer would do?

      I find the biography statement to be sufficient.

      Oh wait, this is Slashdot, I forgot. If there's a lawyer here, he's probably a moron.

      Like someone who trivially ties their real world identity to a pseudonym while posting the dreck that you do?

    14. Re:I'm happy the GRSecurity folks are doing this by drinkypoo · · Score: 2

      Like someone who trivially ties their real world identity to a pseudonym while posting the dreck that you do?

      You mean, someone who is not a coward? Run along, frightened one. I tie my slashdot identity to my real identity because I have the courage of my convictions. You don't because... you don't. Feel free to make up bullshit excuses, though.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    15. Re:I'm happy the GRSecurity folks are doing this by DRJlaw · · Score: 1

      You mean, someone who is not a coward? Run along, frightened one. I tie my slashdot identity to my real identity because I have the courage of my convictions.

      Some call it courage. Most call it ignorance. But freedom is the ability to trash your professional statute on social media whenever the bloody hell you want. And not.

    16. Re:I'm happy the GRSecurity folks are doing this by phantomfive · · Score: 1
      Your thought in this thread isn't clear here. Are you talking about the violation of the GPL by GRSecurity, or potentially by their customers who also use the source under the GPL? The person you were replying to was talking about the violation by GRSecurity, so let's continue under that premise.

      But the GPLv2 does not grant a right to obtain future revisions, whether you're a paying customer or otherwise.

      You have echoed GRSecurity's argument. GRSecurity's argument is clearly against the spirit of the GPL, which is "to guarantee your freedom to share and change free software." I don't think you'll disagree here.

      Let's move on to the actual letter of the law. GRSecurity is specifically threatening to punish people to prevent them from distributing the code. Is this controversial? Do you disagree with that point, or is that something we can agree on? The GPL specifically states:

      You may not impose any further restrictions on the recipients' exercise of the rights granted herein

      Again, GRSecurity has threatened to terminate services to any customer who distributes the source code. That is, if you distribute the code they have already given you, they will terminate services to you. GRSecurity wants to make it about future patches, but that's a red herring. Whether that service is future patches, or support, or web hosting, or cleaning your toilet, it doesn't matter: the intent is clearly to restrict their customers from distributing the code already given to them. Why else would they add such a clause to the contract?

      Of course, such services are provided voluntarily, and GRSecurity can stop providing services for almost any reason, but there are some reasons that are invalid and illegal to use as a reason to stop providing services. In this case, the threat of punishment they used violates the spirit of the GPL, and also the letter of the GPL unless they can argue that it is not a restriction.

      --
      "First they came for the slanderers and i said nothing."
    17. Re:I'm happy the GRSecurity folks are doing this by phantomfive · · Score: 1

      fyi the guy you are replying to is a lawyer of some sort, check his user name.

      --
      "First they came for the slanderers and i said nothing."
    18. Re:I'm happy the GRSecurity folks are doing this by stephanruby · · Score: 1

      I've disagreed with Bruce on this specific issue and I still do. While GRsecurity may be in violation of GPLv2 sec. 6 ("You may not impose any further restrictions on the recipients' exercise of the rights granted herein."), the idea that their customers may be liable for contributory infringement and breach of contract is off-the-wall crazy. Bruce's theory is directly contradicted by GPLv2 secs. 2, 4, and 6 -- the customers are free to use GRsecurity's product and there is no potential violation of the GPLv2 unless the customers themselves redistribute that code.

      "Yes, we're breaking the license. No, our customers can't be liable for our theft, only we can be." is not going to win them this court case.

      Because as soon as they publicly admit that they broke the license and stole the code, then any customer who knowingly uses that code after that would be "liable for contributory infringement and breach of contract". In other words, the company is placing itself in an awkward legal position. It can't publicly admit that it broke the license.

      And yet, the company must still prove that Bruce Perens, a non-lawyer, knowingly lied under the guise of giving his personal opinion. It's going to be an uphill battle for them. Plus, the Streisand effect is not going to help either. If you ask me, they should have just kept quiet and not called attention to themselves.

    19. Re: I'm happy the GRSecurity folks are doing this by DRJlaw · · Score: 1

      Because as soon as they publicly admit that they broke the license and stole the code, then any customer who knowingly uses that code after that would be "liable for contributory infringement and breach of contract".

      No, because the customer has an independent license to use both the kernel and the modifications. Reread GPLv2 sections 2 and 4. They are not sublicensing from GRsecurity. They are not even redistributing the code with the "no updates" restriction. And under section 2, they can combine the kernel with any code they want - they only have to relicense the combination under the GPL if they publish or redistribute it.

      Also, to have contributory infringement, you have to materially contribute to it, which the courts view as requiring that you have the ability to control the direct infringer's infringement. Simply buying the product is not enough.

      Finally, you do not become responsible for a breach of contract simply because you know of a dispute concerning a contract with a vendor. There are a few more requirements for those sorts of claims.

    20. Re:I'm happy the GRSecurity folks are doing this by drinkypoo · · Score: 1

      Some call it courage. Most call it ignorance. But freedom is the ability to trash your professional statute on social media whenever the bloody hell you want. And not.

      My professional social media qualification is that any prospective employer who actually cares about such things and is competent* can look through my posting history and determine that I've never violated an NDA, and never brought the slightest trouble on any employer due to my online activities, in spite of consistently using my real name online for many years. A measurable percentage of the USENET and internet old guard knows my secrets because of the company I've kept over the years; I've shared none of their secrets, nor ever violated their trust, in spite of some occasionally significant personal disagreements.

      * If they care and are incompetent, I don't want to work there.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    21. Re:I'm happy the GRSecurity folks are doing this by jeremyp · · Score: 3, Interesting

      I'm not sure it is as clear cut as you seem to think. They distribute the software to you under the GPL and ask you to sign a second contract if you also want support. The second contract has the restrictive clause.

      Furthermore, the contract doesn't say "you can't redistribute this software", it says "we won't give you future versions of this software". I think they have a point, although I am not a lawyer.

      As for whether Bruce Perens is committing libel by publishing an opinion that they are in breach of GPL, we'd better hope they find for the defendant, otherwise it would be impossible for anybody to argue a company is breaching a software licence (or any licence or contract or law) without being potentially a target for a libel suit.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    22. Re:I'm happy the GRSecurity folks are doing this by DRJlaw · · Score: 2

      Your thought in this thread isn't clear here. Are you talking about the violation of the GPL by GRSecurity, or potentially by their customers who also use the source under the GPL?

      This explains it. I am actually now leaning towards it being a violation by GRsecurity, but that turns entirely on what a court construes a "restriction[] on the recipients' exercise of the rights granted herein" to include. If I offer to pay you $20 if you do not redistribute the package for a year, is that a restriction? If we don't have a support contract and I say that I'll only give you future updates to my code if you don't redistribute it, is that a restriction? If we have a paid support contract that automatically terminates if you redistribute it, is that a restriction? The support contract is outside the scope of the GPL, and ordinarily a restriction is a "limitation which cannot be exceeded or rule which cannot be broken," not merely a disincentive in that you might lose some other right like continuing support.

      GRSecurity's argument is clearly against the spirit of the GPL, which is "to guarantee your freedom to share and change free software." I don't think you'll disagree here.

      Yes, I don't. But we don't enforce the "spirit" of contracts. We enforce the letter of the contracts, and tend to construe ambiguity against the drafter because if they meant that, then they could have put more effort into stating it clearly.

      GRSecurity is specifically threatening to punish people to prevent them from distributing the code. Is this controversial? Do you disagree with that point, or is that something we can agree on?

      See above. Why did you switch from "restrict" to "punish"? I'm leaning towards there being an issue in that courts hate terms that create forfeitures where a side has otherwise completed its performance of its obligations. Since GRsecurity is selling year-long subscriptions with patch access, their customers would have a good claim against them. I'm simply not as sure about it being a license violation.

      Of course, such services are provided voluntarily, and GRSecurity can stop providing services for almost any reason, but there are some reasons that are invalid and illegal to use as a reason to stop providing services.

      Yes -- membership in protected classes involving race, sex, creed, etc., not the terms of the GPL. The GPL does not govern support services, or provide any right to future revisions of code. I think that their biggest problem is they are structuring this as a forfeiture of up to a year of subscription support, rather than a decision not to renew a month-to-month agreement.

      The "is GRsecurity violating the terms of the GPL" argument is messy and could go either way. Which is why I wrote "may be in violation" to begin with.

      The argument that almost enrages me is Bruce's argument that GRsecurity's customers could be liable, and frankly that is the one that is far more interesting to me. The GPL was expressly structured so that downstream users were automatically licensed and were not affected by an upstream distributor's violation of the GPL. Bruce is now not only denying that GPLv2 sections 4 and 6 preclude this, but throwing out concepts like "contributory infringement" without any analysis of what is required to be liable as a contributory infringer.

    23. Re:I'm happy the GRSecurity folks are doing this by phantomfive · · Score: 1

      The argument that almost enrages me is Bruce's argument that GRsecurity's customers could be liable, and frankly that is the one that is far more interesting to me.

      I don't think the customers could be liable, although I respect that there could be some unclarity there. This is my reasoning:

      Suppose a Linux kernel copyright holder sues one of the customers. Following the Oracle vs Google appellate ruling, the court will apply the abstraction, filtration, comparison test to figure out what is being violated. After applying the filtration step, all that remains would be code that the copyright holder has already granted a license to.

      The contrary argument is that, "GRsecurity's work is a derivative work and they lost their license therefore everyone who uses that derivative work also loses the license." But the abstraction, filtration, comparison test makes clear that the end user still has a right to use everything that was covered under the original license, because the parts of the derivative work that are owned by the original copyright owner have already been licensed.

      The appellate court gave a solid ruling in Oracle vs Google. I am in awe of their knowledge, logic, and clarity of thought.

      --
      "First they came for the slanderers and i said nothing."
    24. Re:I'm happy the GRSecurity folks are doing this by WorBlux · · Score: 1

      "One who knowingly induces, causes or materially contributes to copyright infringement, by another but who has not committed or participated in the infringing acts him or herself, may be held liable as a contributory infringer if he or she had knowledge, or reason to know, of the infringement. See, e.g., Metro-Goldwyn-Mayer Studios Inc. v. Grokster, Ltd., 545 U.S. 913 (2005); Sony Corp. v. Universal City Studios, Inc., 464 U.S. 417 (1984)."

      There is no claim that customers directly infringed upon the kernel copyright or themselves breached the GPL. Only that they knew or should have known grsecurity's subscription agreement was contrary to the terms of the GPL and likely infringed on kernel copyright.

    25. Re:I'm happy the GRSecurity folks are doing this by WorBlux · · Score: 1

      If the patch set were an original work you'd be correct. However the patch set is a derivative work of the kernel, and as such the grsecurity dudes are obligated not to put any additional terms upon copying, modifying, or distributing the software, whether that restriction is bundled in some service contract, or patent license.

    26. Re:I'm happy the GRSecurity folks are doing this by Aighearach · · Score: 1

      Your whole argument is hung on the lie that anybody is talking about things in the future. We're talking about actions in the past, and rights in the present.

    27. Re:I'm happy the GRSecurity folks are doing this by DRJlaw · · Score: 1

      "Only that they knew or should have known grsecurity's subscription agreement was contrary to the terms of the GPL and likely infringed on kernel copyright."

      Now fit that into "knowingly induces, causes, or materially contributes" and you might have something. The problem being, all of those concepts require some ability to direct and control the act of infringement, not merely the purchase of an allegedly infringing product.

    28. Re:I'm happy the GRSecurity folks are doing this by WorBlux · · Score: 1

      As you pointed out the subscription was not a mere purchase, but a contract that covered future releases, which could be seen as an inducement to re-offend. Some of the subscribers may subscribe for the competitive advantage of the secret sauce and would not have subscribed if not for the objectionable clause. It may not be a winner, but neither would I expect it to be dismissed before trial.

  4. pissing contest.. by lkcl · · Score: 4, Interesting

    this is going to be interesting to watch. one of the world's best-informed advocates of software libre, who has studied the GPL for many years, versus some idiots who will have been ill-advised by some moron whose only saving grace is the indemnification insurance provided as a sop to corporate madness. for those people not familiar with what indemnification insurance is: it's where lawyers can basically get away with making fundamental errors, and the corporation to whom they give the advice can sue their company quite safely, *as long as they follow that advice*.

    i really look forward to seeing how this turns out.

  5. Stupid lawsuit, but useful by bradley13 · · Score: 5, Insightful

    This is a stupid lawsuit. According to the attorneys for the plaintiff company:

    "Mr Perens has made false statements, claiming them to be facts, and based on those statements employed fear-mongering tactics to intentionally hurt Open Source Security Inc's business."

    Perens actually wrote: "it's my opinion that..."

    Opinion, not assertion of fact. This lawsuit will be thrown out almost immediately. However, it is useful in helping the community identify a company that we should never do business with. So thanks for that, at least...

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:Stupid lawsuit, but useful by Anonymous Coward · · Score: 2, Interesting

      Maybe we'll get another one of these ("ACLU Brief on Behalf of John Oliver").

      Opinions, too, are protected speech, and “[u]nder the First Amendment, there is no such thing as a false idea. However pernicious an opinion may seem, we depend for its correction not on the conscience of judges and juries but on the competition of other ideas.” Gertz v. Robert Welch, Inc., 418 U.S. 323, 339-40 (1974)

    2. Re:Stupid lawsuit, but useful by Anonymous Coward · · Score: 1

      To be fair, Bruce also made representations that he was basing his opinions on unnamed witnesses in an earlier story, although during that discussion others brought the same evidence to light.

      There are no winners here - if grsecurity wins, it formalises a loophole that other companies have already used, if Bruce wins then it gives the impression that open source is a cancer that prevents you from charging for your work.

      I'd err on the side of Bruce winning, but I don't think it's anywhere near as cut and dried as commenters here seem to think.

    3. Re: Stupid lawsuit, but useful by SLi · · Score: 1

      An assertion of a fact does not legally become an opinion merely by adding "in my opinion" or "I believe". For example, "I believe X molests his child" is actionable.

    4. Re:Stupid lawsuit, but useful by Chris+Mattern · · Score: 1

      Uh, no, it doesn't work like that. "It's my opinion" is not a magic phrase that wards off all charges of defamation. If I say "It's my opinion that John Smith is a child rapist," John Smith can still sue me for defamation. Mind you, I think this is an utterly invalid suit, but not because Bruce Perens said "it's my opinion."

    5. Re:Stupid lawsuit, but useful by drinkypoo · · Score: 3, Insightful

      if Bruce wins then it gives the impression that open source is a cancer that prevents you from charging for your work.

      If companies can't tell the difference between not being able to charge for code and not being able to charge for work then we don't need them

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Stupid lawsuit, but useful by Anonymous Coward · · Score: 2, Interesting

      You completely misunderstood what GrSecurity does.
      They give people code that says in the license they can give it to others, but then they make them sign a contract forbidding them to do exactly that.
      If you make your customers sign a contract for GPLv2 code at least in part NOT WRITTEN BY YOU that forbids them to give it to anyone else then you the hell should leave your hands from it.
      It's not really relevant if it's your own project where either nobody else contributed or they gave you a license to do whatever you want with it.

    7. Re:Stupid lawsuit, but useful by Anonymous Coward · · Score: 1

      you can change the license on code you have written with no problem

      But when you accept other people's code, you have to comply with the license they specify.

      So you cannot take GPL code that other people have written and change the license on the result. Derivative works must be licensed in a way that complies with the original works.

      It's pretty hard to argue that patches to the kernel are not derived from the kernel, and the kernel is under GPLv2, so they must comply with the GPLv2

      Arguing that they aren't adding additional restrictions when they say that if you exercise your rights under the GPLv2, they will terminate you as a customer (and keep your money) is going to get them laughed out of court.

    8. Re: Stupid lawsuit, but useful by drinkypoo · · Score: 1

      An assertion of a fact does not legally become an opinion merely by adding "in my opinion" or "I believe". For example, "I believe X molests his child" is actionable.

      Bruce is not a lawyer, so he's not giving legal advice, so he's allowed to have an opinion and express it. That right is explicitly legally (constitutionally!) protected! It's more likely that they are attacking not the part following "As a customer, it's my opinion" but other ancillary statements, since nobody looks good if they attack opinions. Surely they have something slightly more clever in the fire.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re:Stupid lawsuit, but useful by bill_mcgonigle · · Score: 2

      They filed in California where anti-SLAPP laws provide for heavy penalties? Oh, dear.

      Bruce, do you need a gofundme?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    10. Re: Stupid lawsuit, but useful by Entrope · · Score: 1

      The basic doctrine is called undisclosed defamatory facts. The statement is not "pure" opinion, of the kind that everyone can differ. Rather, it is an inference that is based on fact, without providing those facts so that a listener or reader may draw their own conclusions about whether the inference is sound.

      Because Perens explained the parts of the GPL and the actions that he thinks violate the GPL that underlay his conclusions, I expect that the GRSecurity people will have a very hard time winning as a matter of law.

    11. Re:Stupid lawsuit, but useful by Anonymous Coward · · Score: 1

      However, do you truly believe that the GPL really prevents you from refusing to perform work for someone?

      Where do you even get this kind of shit from? Spent too much time at infowars and breitbart? Afraid the terrible Muslims are going to show up and cook you for dinner soon?

      All the GPL stipulates is that

      1. If you distribute binaries licensed under the GPL you have to provide the sources too to the people you give/sell your binaries to.
      2. You are not allowed to add further restrictions on code licensed under the GPL which you didn't write yourself, and thus do not have any copyright for.

      The point here is that the work of the "grsecurity" people are not stand-alone works, they are derivative works of the Linux kernel. And the kernel is licensed under the GPL - hence no further restrictions allowed, such as threatening with sanctions if they in turn redistribute said patches.

      Slavery? GTFO.

    12. Re: Stupid lawsuit, but useful by Kjella · · Score: 1

      What if the facts and/or inferences are absurd like #pizzagate? Is the genuine belief enough to stave off a defamation lawsuit?

      --
      Live today, because you never know what tomorrow brings
    13. Re: Stupid lawsuit, but useful by Entrope · · Score: 1

      If the facts are accurate, and you don't omit any material facts, then saying what you infer from those facts is probably going to be protected speech. If the inference is underwear-on-head stupid, such as "... and so politicians are clearly running a child-prostitution ring from this pizzeria" (when the facts do not reasonably support that), then a reasonable reader will harshly judge the speaker rather than the politicians in question.

    14. Re: Stupid lawsuit, but useful by guruevi · · Score: 4, Insightful

      It's infringement from the GPLv2 point to even add those terms. They are adding terms to the GPLv2 license by modifying the code, and distributing the code with those new terms, that's breach of contract from GRSecurity's contract with the Linux community.

      The GPLv2 explicitly tells you you cannot change the terms:
      Everyone is permitted to copy and distribute verbatim copies
      of this license document, but changing it is not allowed.

      To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    15. Re:Stupid lawsuit, but useful by arth1 · · Score: 1

      There are no winners here

      Sure there are. I'm pretty sure that Grsecurity's lawyers don't work pro bono, and that any judges and other court officials involved get paid too.

      Hell, even some web blogs that profit on advertising might post about this and make a small win...

    16. Re: Stupid lawsuit, but useful by Entrope · · Score: 1

      Maybe in shitty jurisdictions, but in the US of A, truth is an absolute defense to defamation claims.

      I could tell people how this guy named Jeffrey Dahmer did ... well, even just a few of the terrible things he did ... with the intent of damaging his reputation (rather than informing my listeners about what he did), and I would be protected by the First Amendment -- even if Dahmer were still alive, or the US legal system allowed suits over alleged defamation of dead people.

    17. Re:Stupid lawsuit, but useful by Anonymous Coward · · Score: 1

      You can refuse to perform work for someone else, but not for the reason that your customer has exercised the right of the GPL licensed work; under penalty of losing your rights to further distribute the work and its derivatives under the GPL license.

      Your reason to refuse to perform work is important here. Often you could hide your reason, but in this case the contract clearly states that the reason is because the customer exercised its rights under the GPL licensed work.

      It is very much like certain anti-racism laws which prevent you from refusing to perform work for someone, except those penalties can be a lot higher when you do.

    18. Re:Stupid lawsuit, but useful by drinkypoo · · Score: 1

      Don't worry about Bruce. He's getting well paid to spread FUD, IN MY OPINION.

      Who are you?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    19. Re:Stupid lawsuit, but useful by gnasher719 · · Score: 1

      Perens actually wrote: "it's my opinion that..."

      I suppose if they could prove that this was not actually his opinion, but that he lied about it, they might be able to win.

    20. Re: Stupid lawsuit, but useful by drinkypoo · · Score: 2

      Well, he may not be offering legal advice, but he most certainly is offering advice to lawyers.

      No, no he is in fact not doing so in this case. He is publicly sharing his opinion with everyone, as opposed to being paid to provide an expert opinion in a legal case. The two are absolutely not the same thing.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    21. Re: Stupid lawsuit, but useful by arth1 · · Score: 1

      Bruce is not a lawyer, so he's not giving legal advice, so he's allowed to have an opinion and express it. That right is explicitly legally (constitutionally!) protected!

      True, but he is also the CEO of Legal Engineering, "which specializes in resolving copyright infringement in relation to open source software" (Wikipedia). Unless he's clear about it being a personal opinion, his opinion could potentially be seen as a legal opinion, or gratis expert advice from Legal Engineering.

      Either way, I don't think (as a private person) that this lawsuit has much merit, even in a common law system that doesn't pay much attention to the intent of contracts. But it must be an embuggerance all the same, tying up time and resources that could be better spent on other endeavors.

    22. Re: Stupid lawsuit, but useful by 110010001000 · · Score: 2

      No it isn't. The point though is that you can't add additional contract terms to the GPL.

    23. Re: Stupid lawsuit, but useful by Anonymous Coward · · Score: 1

      The point is that GPL says you can't put further restrictions on the rights the license grants you.

      Grsecurity are putting restrictions on things they do for customers which are NOT granted by the license, and you still have all the rights the license grants you.

      I'm not saying that's legally correct or permissible, it's just what they are arguing.

    24. Re: Stupid lawsuit, but useful by Barsteward · · Score: 1

      that should apply to armchair AC lawyers too

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    25. Re: Stupid lawsuit, but useful by Anonymous Coward · · Score: 1

      If they rewrite a kernel from scratch, they can distribute it with the licence they want. If they distribute a patched linux kernel, they have to comply with its licence that is the GPL. Or get the agreement from any developer who produced a line of code still in use to change the licence.

      They can use a dual-licence for new code but as long as they still have at least one GPLv2-only line of code, they can't change the licence they use to distribute.

    26. Re: Stupid lawsuit, but useful by arth1 · · Score: 1

      Law doesn't forbid you to kill people. It just tells what may happen if you do.

      This is not the case, at least not in most places. Killing someone without explicit authorization goes under "malum in se", which is forbidden no matter what the penalties are or aren't.

    27. Re: Stupid lawsuit, but useful by Zero__Kelvin · · Score: 1

      Working for someone in the future, or even today, is not a right, period.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    28. Re: Stupid lawsuit, but useful by drinkypoo · · Score: 1

      You are utterly wrong. To quote directly from his blog: "In the public interest, I am willing to discuss this issue with companies and their legal counsel, under NDA, without charge."

      Right, he's not doing that. He says that in the public interest, he is willing to do so. Posting his opinion publicly is not that discussion. Thanks for making my point for me.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    29. Re: Stupid lawsuit, but useful by Zero__Kelvin · · Score: 1

      If it is a fact that "X" is molesting his child, then no, it isn't. Your honor, I object to the defendant saying I have been molesting my daughter, because he is right. I ask for the maximum penalty! No problem; you've got it. I'd be happy to grant that. Case dismissed.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    30. Re: Stupid lawsuit, but useful by drinkypoo · · Score: 1

      Unless he's clear about it being a personal opinion, his opinion could potentially be seen as a legal opinion,

      No, no it cannot. Because he is not a lawyer, he cannot give legal advice. And unless he explicitly claims that he is giving legal advice, he's not giving legal advice, because he is not a lawyer. It works coming and going. Only lawyers have to give disclaimers about each little thing not being legal advice, because only lawyers can give legal advice.

      or gratis expert advice from Legal Engineering.

      He said he was willing to discuss the issue with companies under NDA, but this is just something he said in the public sphere, so he has not created any expectation that his public commentary will be considered expert advice.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    31. Re: Stupid lawsuit, but useful by drinkypoo · · Score: 1

      He's not doing what he says he's doing? Riiiight......

      He's not doing what he said he would be willing to do. The difference is substantial, and if you cannot see it, you need to go order liberally from the Scholastic catalog, and work on learning to read. Legal cases are decided on even more apparently trivial points than this.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    32. Re: Stupid lawsuit, but useful by drinkypoo · · Score: 1

      If GPL required you to distribute, you would be right, but it doesn't - you can choose whether to distribute or not, for any reason.

      GPL requires you to grant the right of distribution. Having granted that right, it is doubtful that they can then create another contract which contradicts it without one of the contracts being deemed invalid, or being modified. But the GPL can't be modified, they agreed to those terms when they chose to distribute under the GPL, so they'd have to modify their other contract.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    33. Re: Stupid lawsuit, but useful by drinkypoo · · Score: 1

      But their whole position hinges on the fact that it doesn't contradict it, i.e. you still have the right to distribute - they just don't want to do business with you if you do.

      There's no material difference! One contract says you may do something, the other contract says that you may not do it or you will be punished.

      It stinks, but AFAIK there is no legal basis for saying you can't offer a contract which requires you to waive rights you otherwise have.

      Well, of course there is, you can't sign away your actual rights. NDAs only work because you don't have a right to give away someone else's information, and because you're getting something (a look at the thing) in exchange for something (agreeing to remain quiet about the thing for a time.)

      The situation is a lot more complicated when it comes to contradictory contracts, and even more complicated when it's not actually clear if contracts contradict one another. This is why it was popcorn time even before they sued Bruce for sharing his opinion. It could conceivably turn out in a variety of different ways.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    34. Re: Stupid lawsuit, but useful by drinkypoo · · Score: 1

      Very likely. However, I disagree with court opinions saying GPL is a contract;

      Your disagreement is immaterial; the GPL has been shown to be a contract which one agrees to by distributing under it.

      it's only a license since it doesn't require you to do anything and there is no consideration on the software author's side.

      What? That's nonsense. It's a contract, which you enter into when you distribute the code. It doesn't require you to do anything unless you distribute it. And what you get in exchange for carrying the license forward is the right to distribute. There is a clear exchange here, which is what makes it a contract. Without the contract, you do not have the right to distribute the code. It's not yours, that's violation of copyright. So clearly you're getting something.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    35. Re: Stupid lawsuit, but useful by drinkypoo · · Score: 1

      Your disagreement is immaterial; the GPL has been shown to be a contract which one agrees to by distributing under it.

      No, you have permission to distribute under certain terms. If you distribute it legally implies that you accept those terms, but you don't need to agree to DO anything to use it.

      False. You are agreeing to include the license. Otherwise, that's what I just said. You fail both at understanding the license, and at understanding English.

      You need permission to distribute someone else's code, and GPL grants that permission conditionally.

      Yes, just like I said, it's contingent on including the unmodified license. You get to distribute the code, but you have to include the unmodified license. Quid pro quo and violates no rights (in fact it grants them, contingent upon acceptance and following the terms of the contract) and thus it's a valid contract. That's what the court said, and it clearly agrees with the law, therefore nobody cares what you think about that decision.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    36. Re: Stupid lawsuit, but useful by drinkypoo · · Score: 1

      You get to distribute the code, but you have to include the unmodified license.

      You MAY distribute the code IF you include the license. Difference.

      I think if you open a dictionary and figure out how to use it, that you will learn that those two statements can mean precisely the same thing.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    37. Re: Stupid lawsuit, but useful by AJWM · · Score: 1

      The GPL is not a contract, it is a license.

      Without that license, if you distribute someone else's GPL'd code, you are violating their copyright. You can't distribute something somebody else has a copyright on without a license from them.

      Now, in other cases, a contract may grant a license. But a contract is not itself a license, and vice versa. Only the owner of a copyright has the right to distribute that work. Everyone else requires a license. The license does not confer a right, it grants permission.

      (It's also possible to transfer a copyright, in which case the transferor loses that right. That requires paperwork to be registered with the Copyright Office.)

      --
      -- Alastair
    38. Re:Stupid lawsuit, but useful by AJWM · · Score: 1

      Courts generally interpret contracts as narrowly as possible.

      Good thing the GPL isn't a contract, then. It's a license that grants permission to distribute somebody else's copyright code.

      court is going to rule that the term is too broad and like violates Grsecurity's civil rights.

      Grsecurity has no right to distribute anyone else's code. If they don't like that term in the license, they don't have permission to violate the Linux copyright holders' rights. Grsecurity's civil rights are not affected at all.

      Geez, this same stupid argument every time someone tries to violate the GPL. Sooner or later it sinks in that if they do manage to get the GPL struck down in court, they'll have to shut down their business or face a massive copyright infringement suit. At which point they usually settle.

      --
      -- Alastair
    39. Re:Stupid lawsuit, but useful by phantomfive · · Score: 1

      Perens actually wrote: "it's my opinion that..." Opinion, not assertion of fact. This lawsuit will be thrown out almost immediately.

      FWIW the lawsuit deals specifically with your point, by quoting another case:

      “If a speaker says, ‘In my opinion John Jones is a liar,’ he implies a knowledge of facts which lead to the conclusion that Jones told an untruth. Even if the speaker states the facts upon which he bases his opinion, if those facts are either incorrect or incomplete, or if his assessment of them is erroneous, the statement may still imply a false assertion of fact.” Milkovich v. Lorain Journal Co. 497 U.S. 1, 18 (1990)

      There are two quotes from Bruce that the lawsuit specifically states as false:

      “[Customers] should avoid the Grsecurity product sold at grsecurity.net because it presents a contributory infringement and breach of contract risk.”

      Defendants further stated that Plaintiff was in violation of the GPLv2, and thus “[a]s a customer, ... [Plaintiff’s clients] would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity.”

      --
      "First they came for the slanderers and i said nothing."
    40. Re:Stupid lawsuit, but useful by phantomfive · · Score: 1

      Personally I think that GRsecurity should amend its complaint to include a declaratory judgment count for non-infringement

      I would entirely bet that Bruce would be happy with that. He wants the case to center around the GPL, because he (rightly or wrongly) believes the GPL will support him. He doesn't care particularly about GRSecurity as a company, he wants to prevent them keeping their code secret. For Bruce, the entire thing centers around the GPL.

      Interestingly, if GRsecurity did include a declaratory judgement count for non-infringement, I don't know who would bring counter-claim. I don't think Bruce Perens is actually a contributor to the Linux kernel (he's done plenty of other good free software). I've never heard him described as a kernel developer, and searching through the kernel commit logs, I can't find his name or email.

      --
      "First they came for the slanderers and i said nothing."
    41. Re: Stupid lawsuit, but useful by DRJlaw · · Score: 1

      Part of the problem is that the git repository only goes back to 2011-ish? I'm thinking of his work with UserLinux and Debian, but I may have misinterpreted that.

    42. Re:Stupid lawsuit, but useful by SlaveToTheGrind · · Score: 1

      Opinion, not assertion of fact. This lawsuit will be thrown out almost immediately.

      I wouldn't bet on it. Paragraph 37 of the complaint cites this Supreme Court case that clearly explains that wrapping the words "in my opinion" around language that's otherwise libelous doesn't save you:

      “If a speaker says, ‘In my opinion John Jones is a liar,’ he implies a knowledge of facts which lead to the conclusion that Jones told an untruth. Even if the speaker states the facts upon which he bases his opinion, if those facts are either incorrect or incomplete, or if his assessment of them is erroneous, the statement may still imply a false assertion of fact. Simply couching such statements in terms of opinion does not dispel these implications; and the statement, 'in my opinion Jones is a liar,' can cause as much damage to reputation as the statement, 'Jones is a liar.' " Milkovich v. Lorain Journal Co. 497 U.S. 1, 18 (1990).

    43. Re: Stupid lawsuit, but useful by phantomfive · · Score: 1

      That's a good question, I just checked and the git history goes back to 2005. There are older repositories, but they are probably not authoritative since Linus was merging patches by hand. Bruce also did some good work with BusyBox, but I can't remember ever hearing him described as a kernel developer. I always thought of him as a userland developer. Google doesn't particularly help here since every search "Perens kernel" just returns a bunch of links to this story.

      --
      "First they came for the slanderers and i said nothing."
    44. Re: Stupid lawsuit, but useful by david_thornley · · Score: 1

      Sure. However, offering your services to the general public except for "those people" is potentially infringing a right.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    45. Re: Stupid lawsuit, but useful by david_thornley · · Score: 1

      You can agree not to do something you have a right to do, even under penalty. Look at any NDA which curtails your free speech rights.

      Sure. However, the GPL appears to forbid such agreements relating to GPLed software. The contract isn't automatically illegal (like a contract giving an employer rights to stuff an employee does on his or her own time and resources in this state), but it appears to me to violate the GPL. After all, I can generally offer any legal contract, but I can be in an agreement where I can't offer a specific one.

      However, I disagree with court opinions saying GPL is a contract; it's only a license since it doesn't require you to do anything and there is no consideration on the software author's side.

      Your disagreement with the court is immaterial here, and doesn't actually change anything. If GRsecurity violated its license, then it doesn't have a license, and all the copies made and distributed are unlicensed, and that's good for a substantial amount of statutory damages (courtesy of the MAFIAA).

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    46. Re:Stupid lawsuit, but useful by david_thornley · · Score: 1

      What the idiots backing Perens here don't realize is the GPL is about to get an important clause struck out.

      I don't remember a severability clause in GPLv2, so the court has the choice between holding the license to be legally valid or legally invalid, nothing in between. If ruled as invalid, then GRSecurity had no license to distribute in the first place.

      The GPL points out that you don't have to accept the GPL, but in that case you don't have a license, and may not copy, change, or redistribute the software.

      Courts generally interpret contracts as narrowly as possible.

      However, they tend not to declare the contracts invalid. They tend to interpret the clauses in a restrictive way. If the court absolutely disagreed with Perens' interpretation, the court could rule that "further restrictions" does not clearly apply to what GRsecurity is doing, and hence GRsecurity is in the clear on their actions.

      Of course, GRsecurity would have to prove not only that Perens was wrong, but that he had no good reason to think he was right, to win their lawsuit.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    47. Re:Stupid lawsuit, but useful by david_thornley · · Score: 1

      (Could be argued being part of the API and Oracle America, Inc. v. Google, Inc. [wikipedia.org] shows that using the same API isn't infringing.)

      As I understand it, not being a lawyer, the ruling was that APIs can be copyrighted, since they are creative works in fixed form.

      However, copyrights can't prevent you from doing something other than very specific actions, and so if you use an API to write a program or library you have to use that API, it isn't infringing.

      The question after that was whether Google's use of the Java API was legitimate. Oracle was arguing that it wasn't to create a Java program or library, since Android programs were not designed to interoperate with standard Java programs, and therefore Google was using it only because it was a well-known API.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    48. Re: Stupid lawsuit, but useful by david_thornley · · Score: 1

      According to Wikipedia, Noonan vs. Staples is not a valid precedent. The validity of the Massachusetts law was untested, as both parties assumed it was valid and neither challenged it. Any relevant further case could challenge the Constitutional validity of the law.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    49. Re: Stupid lawsuit, but useful by Zero__Kelvin · · Score: 1

      He doesn't offer services for anyone. He works in his hobby project, and you can see the initial USENET posting if you doubt me.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  6. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  7. Why their patches were not integrated... by Anonymous Coward · · Score: 2, Insightful

    If anyone was still wondering why their patches never made it in the kernel...
    It shows a lot about their attitude and delusions, there are good reasons not to want code from people not able to objectively judge their own work, especially when they are asses on top...

  8. Grsecurity pure garbage. by molnarcs · · Score: 4, Informative

    Linus Torvalds called grsecurity patches garbage earlier this year. https://www.theregister.co.uk/...

    1. Re:Grsecurity pure garbage. by jon3k · · Score: 1

      I wish Linus would come out publicly and say "I wouldn't do business with them if I were you because I'm going to find a way to modify the kernel to break their business" even if it's impossible and he has no plans to do that. Just to scare off customers.

    2. Re:Grsecurity pure garbage. by gravewax · · Score: 2

      such a statement would make him an easy target for a lawsuit and it would be a slamdunk win for them

    3. Re:Grsecurity pure garbage. by iggymanz · · Score: 1

      Linus already has done that; he put it under the GPL

    4. Re:Grsecurity pure garbage. by Zero__Kelvin · · Score: 1

      One is under no obligation to facilitate profit for others with their free efforts, so you couldn't be more wrong.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    5. Re:Grsecurity pure garbage. by jon3k · · Score: 1

      What would they sue him for?

    6. Re:Grsecurity pure garbage. by munch117 · · Score: 1

      Tortious interference.

      I'm not saying they would win, but there's no reason for Linus to stir up that kind of trouble.

    7. Re:Grsecurity pure garbage. by phantomfive · · Score: 4, Informative

      At DEFCON last week, a hacker pwned a box running GRSecurity. So there's that.

      --
      "First they came for the slanderers and i said nothing."
    8. Re:Grsecurity pure garbage. by phantomfive · · Score: 2

      Saturday talk by trixr4skids. He actually got the pos system to run Doom.

      --
      "First they came for the slanderers and i said nothing."
    9. Re:Grsecurity pure garbage. by gravewax · · Score: 1

      he is under no obligation to facilitate profit, but he is under an obligation not to interfere with the profits of another business, especially through actions or statements that explicitly are designed to undermine that company's profits.

    10. Re:Grsecurity pure garbage. by Zero__Kelvin · · Score: 1

      Let's see if that holds water. Paparazzi make money taking pictures of celebrities, and celebrities often make it quite clear that their intent is to stop them from doing that. Nope. It turns out you just WANT your claim to be true, but it isn't.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    11. Re:Grsecurity pure garbage. by gravewax · · Score: 1

      LOL do you have any fucking clue what you are talking about. hint go search the term "Tortious interference", and no your paparazzi example is NOT similar as them saying they want them to stop has absolutely no impact on their ability to profit.

    12. Re:Grsecurity pure garbage. by Zero__Kelvin · · Score: 1

      You need to get an education. There must be lack of privilege on the part of the third party to induce such a breach, and Linus has full privilege to do whatever he wants with the Linux kernel. The paparazzi example is perfect as nobody is talking about speech, but action. The celebrity closes their blinds to stop them from making money, but it isn't tortious interference because, like Linus, they have full privilege to do so. Now seriously, you are the one with no clue WTF you are talking about, so go spend your time getting an education instead of making yourself look like an idiot here.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    13. Re: Grsecurity pure garbage. by phantomfive · · Score: 1

      You might have to wait until the talks are available online, then listen to it.

      --
      "First they came for the slanderers and i said nothing."
    14. Re:Grsecurity pure garbage. by gravewax · · Score: 1

      you are the one in desperate need of an education. You CANNOT perform actions or make statements with the explicit intent of damaging someone's business. You really have no fucking clue.

    15. Re:Grsecurity pure garbage. by gravewax · · Score: 1

      ignorance is bliss I guess, continue on. hopefully Linus is smart enough not to take advice from dumb cunts like you.

    16. Re:Grsecurity pure garbage. by Zero__Kelvin · · Score: 1

      You must be one blissful motherfucker to not get that both Kim Kardashian and Linus Torvalds have no obligation to comply with the wishes of a third party. In other news, if someone is selling my trash they can't sue me for bringing it directly to the landfill to stop them from profiting. Tortious Interference is not hard to understand, but you have to have a passing familiarity with logic, which alas, you lack.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  9. It is that clear cut by Anonymous Coward · · Score: 2, Insightful

    If version A says you can't distribute this without losing rights to version B, then either

    you just get version B and then distribute THAT and "lose rights" to distribute version C and so on and so on

    OR

    you lose rights to GET version B because of a violation of a term on the same GPL software (version A) which is either illegal to do because

    a) a license for B can't be contingent on a license for another bit of software, copyright does not give you that right at all
    b) the license addition is to both A and B, therefore explicitly against the clause Bruce mentioned, hence GRSecurity has no license for their code and are "pirates"

  10. Re:How stupid can they be? by prefec2 · · Score: 3, Interesting

    Why? I do not need to like Bruce Perens to read his opinion and evaluate whether I agree with him or disagree. By concept it should even be irrelevant for my evaluation how sane his previous comments were. Linus Torvalds can also be a 'dick', but still is competent regarding the topic of Linux kernel development.

  11. Re:"Grsecurity..." "...could invite legal trouble. by Anonymous Coward · · Score: 2, Funny

    It's defamation to claim we're likely to launch a spurious lawsuit! ...

    We're suing!

  12. How is it a cancer? by Anonymous Coward · · Score: 1

    It does not prevent you from charging for your work. Charge for it all you want. You can't put more restrictions on the work than you agreed to before you got the base software you used in YOUR work.

    It's LESS of a cancer than, say, MS licenses, where you lose all right to distribute, comment or derive future benefit if MS think that you should lose the license. AND you get audited by the BSA and MS's audit teams at your expense.

    If you think that GPL is a cancer and you should be able to slap your own license on code you have added to, try getting source for an MS application or their OS, adding in some stuff, then selling it under BSD, with source. See if MS think that you deserve the right to change the license on the combined work because some of it is "yours".

  13. Anti-SLAPP by Anonymous Coward · · Score: 2, Informative

    In California, SLAPP stops all discovery and requires the plaintiff to pay the defendant's expenses if they lose.

  14. Perens will not have to prove his assertions by Anonymous Coward · · Score: 1

    Perens will not have to prove his assertions. The next move you will see is that he brings an anti-SLAPP motion. This will mean no discovery in the case and that the plaintiff will pay all of his expenses if they lose. At that point if the plaintiff has a thread of sanity they will back out, they failed to intimidate him, the posting is still on his web site, they can't win the case, they can only pile up big bills and they have to pay for Perens' lawyer, a big, competent, law firm rather than the one-man patent attorney firm Grsecurity is using.

    If the case goes on, Perens will prove that he has a right to state his opinion. And the case ends there. Perens is not making an "assertion of fact" as the patent lawyer states in his complaint and will win on 1st amendment grounds.

    There will be no litigation of whether Grsecurity has the right to use its patch access agreement in contravention of the GPL, because there is a much simpler way to end the case.

    That said, I suggest that any of us who are competent to work on the kernel do everything possible to make Grsecurity obsolete.

  15. Re:Kernel developers can obsolete Grsecurity by Anonymous Coward · · Score: 3, Interesting

    The problem with this is that you wrongly assume that kernel developers are also security experts. I don't mean "aware of security", I mean real bona fide experts, of which there are very few indeed.

    Attempts to do just as you suggest, that is to take an existing patch and break it up, have been criticised due to their missing important points or changing something in such a way as to make it ineffective. Basically, unless you understand what you are doing, you are going to make some mistakes.

    This applies not just to any initial merge, but also to ongoing development. It's not enough to merge and say "job done", because future work will almost certainly introduce new problems or break existing protections. Security is not a product.

    Either security experts are onboard with ongoing kernel development work, or they're not. At the moment, they're not.

  16. Re:I don't think you have that right. by DRJlaw · · Score: 2

    By using the code that no longer has license, it is possible for them to be guilty of secondary infringement.

    "The code" meaning?
    The user still has a license to the Linux kernel:
        1. GPLv2 sec 6 says that "Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions."
        2. GPLv2 sec 4 says that "Parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance."
        3. GPLv2 sec 2 says "You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program...," and sec 2.b. only applies if you distribute or publish the result.

    And the user has an express license from GRsecurity for GRsecurity's portion of the code under the GPLv2.

    But besides all that, users using the work can be sued by GRSecurity if they try to use the rights the GPL gives them.

    No. GRsecurity granted a license under the GPLv2.

    They can be sued if they distribute with the same clause the code from GRSecurity because they're doing the same thing.

    Nope. GRsecurity granted a license under the GPLv2. GRsecurity uses a separate Stable Patch Access Agreement with the supposed restriction, and that agreement is between GRsecurity and the individual customer, not the customer and any other recipient. That agreement also explicitly says that "The User has all rights and obligations granted by grsecurity's software license, version 2 of the GNU GPL," so the user would not be doing the same thing.

    they're still open to being sued by GRSecurity for no good reason

    Strawman.

    or for doing the same thing

    False premise. There's no basis to assert that the customer would be distributing the code with that restriction themselves.

    And if the customer distributes without that GRSecurity addition and just the plain GPL, that means they're sued by GRSecurity, and if they distribute with it, they're breaking the GPL themselves.

    No and no.

    Pretty simple.

    Everything is simple if you make no effort to understand reality and merely use your own assumptions.

  17. Re:I don't think you have that right. by Anonymous Coward · · Score: 1

    By using the code that no longer has license, it is possible for them to be guilty of secondary infringement.

    Very unlikely. Downstream recipients are likewise required to comply with the terms of the GPL, regardless of any violation upstream.

    "Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License."

    https://www.gnu.org/licenses/gpl-3.0.en.html#section8

    They can be sued if they distribute with the same clause the code from GRSecurity because they're doing the same thing.

    Correct. They have no more right to add restrictions to the license than the upstream distributor does, and if they violate the terms of the GPL their license is subject to termination.

  18. Key word in the post nullifies the suit by Khyber · · Score: 1

    The key word/phrase is "it's my opinion".

    Grsecurity needs to be hit with a SLAPP countersuit.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Key word in the post nullifies the suit by Anonymous Coward · · Score: 1

      There's an old running gag on the British TV show "Have I Got News For You?" that putting "allegedly" at the end of any statement protects you from being taken to court for slander. It's a gag because when you grow up, you'll find that the real world doesn't work that way.

  19. Good way to make yourself look even worse... by XSportSeeker · · Score: 1

    Streisand effect. Grsecurity should hire another lawyer, if they survive this one.
    Not only what Perens wrote is always reason for precaution, even if it wasn't, he repeatedly states in his blog post that this is his opinion, and that furthermore, he's open to discussion and that he's not a lawyer.
    https://perens.com/blog/2017/0...

    Lawsuit won't pass because it has no grounds. Courts can't define opinions as "false statements", he explicitly claimed several times that this is his opinion, and it's a huge stretch to call it "fearmongering".
    Issues with licensing have always been part of the Linux community's worries, and there's nothing in his post that could be classified as fearmongering. It's advice pure and simple with strong basis to boot.

    If stuff like this was enough for a company to sue an individual, we'd effectively have businesses dictating censorship as they pleased, and a whole ton of democratic instruments to go against big corporations wouldn't exist.

    The whole thing will be dismissed and it'll only serve as more reason to suspect Grsecurity. Why don't they go ahead and also try suing Torvalds for calling their patches garbage? Go out with a bang.

    1. Re:Good way to make yourself look even worse... by david_thornley · · Score: 1

      There's no evidence that Grsecurity's lawyer thought the lawsuit a good idea, and therefore this might not be fixed with another lawyer.

      Opinions of factual matters can be true or false. In the US, it isn't libel or defamation if the speaker (Perens in this case) had good reason to believe his opinions were valid. Given that Slashdot hasn't clearly debunked his claim, Perens' opinion would appear to be a reasonable one to hold, and that, in the US, is a defense.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  20. Re:How stupid can they be? by drinkypoo · · Score: 1

    The only thing that has changed is that they are suing Bruce Perens, so any "shitstorm" regarding this must come down to your personal like or dislike of him and his camp.

    That's a stupid thing to say. You can also be against lawsuits designed to stifle public speech, which is to say, you can be pro-constitution or pro-rights or just pro-speech. There may have formerly been a shitstorm, but there was not an actual case.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  21. Wonder if GRS can patch Streisand by future+assassin · · Score: 1

    so it has no effect.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  22. Re:I don't think you have that right. by DRJlaw · · Score: 1

    You refute other posters' assertions, but you don't explain yours.

    The part of the post that you omitted, with quotes from the GPL, is not an explanation?

    I'm truly curious, on what are you basing your own assertions?

    The cited sections and quoted language of the GPL, along with the linked copy of the Stable Patch Access Agreement and quoted language. You know, 85% of the content of the post, which you cut out.

  23. Those Slimey Sacks of Shit! by WorBlux · · Score: 1

    And I don't title this post just to flamebait.

    The subscription agreement they use is definitely against the spirit of the GPL, but could be within the letter if they were distributing a completely original work, for which they held all copyrights and had the correct sort of patent licenses to distribute code that way. But the question naturally arises why the hell wouldn't they just outright pick a restrictive license if they just outright held all rights to an original work and wanted to restrict redistribution.

    The answer is that the lawyers at GrSecurity believe their patch set would likely be found to be a derivative work of the Linux kernel should the question arise in court. Additionally I speculate they may be taking advantage of patent licenses that are more liberal with OSS licensees. In fact in the legal complaint, GrSecurity does not counter or otherwise address Bruce's assertion that the patch set is a derived work of the Linux kernel.

    On grsecurity's home page, they describe their product as being primarily "an extensive security enhancement to the Linux kernel". This strengthens and reflects Bruce's claim that the grsecurity patch set is a derived work of the Linux kernel.

    In the actual complaint, there's a lot of slime; paragraphs 14, 18, and 19 are particularly flawed. The GPL does not merely cover the patches once distributed, but also the original distribution because they are a derived work of the Linux kernel and as such may only be distributed in compliance with the terms of the GPL or a compatible license. Thus Paragraph 14 is false. Paragraph 18 is also false in so far as future versions will almost surely be derived from a GPLv2-licensed Linux and subject to GPL terms upon the first distribution.

    While it's true the subscription agreement only sets out an explicit limit of future access, it's clearly and plainly designed to limit the actual and current exercise of rights granted under the kernel's GPLv2 license. There is a conflation of simple "exercise" and "ability to exercise", which are not the same thing. The way it is written and the way that it is intended is that for works under the GPL, only the GPL may restrict copying, modification and redistribution.

  24. So I have a plan.... by Kernel+Kurtz · · Score: 1

    Their customers have the right to redistribute the software that they've received. GRsecurity is then saying that if they do, GRsecurity will not provide them with any future revisions to the code. There is nothing in the GPL that gives the recipient of a copy of code the right to future versions of that code or the right to distribute future versions of that code.

    I'll buy a copy, and redistribute it freely and widely. They won't sell me the next version because of that, so someone else here will have to buy a copy, and redistribute it freely and widely.

    Ideally in the end they will have one customer for each release, who will all be part of my plan........

  25. Re:the code is the code that has been licensed by DRJlaw · · Score: 1

    dumbass.

    Ad hominem.

    " and that agreement is between GRsecurity and the individual customer,"

    And that customer cannot be forced to give up the rights of the GPL by it.

    The GPL does not give the customer any rights to future revisions. The customer is not forced to give up the right to redistribute the current version -- they can choose to or not.

    "GRsecurity granted a license under the GPLv2."

    And that license allows the customer to redistribute. Which makes their agreement null and void.

    No. The GPL does not give the customer any rights to future revisions. The customer is not forced to give up the right to redistribute the current version -- they can choose to or not.

    "Strawman."

    Wrong. That was not a strawman since it was my own argument. My argument cannot be a strawman for my own argument, dumbfuck.

    "A straw man is a common form of argument and is an informal fallacy based on giving the impression of refuting an opponent's argument, while refuting an argument that was not presented by that opponent."

    You wrote:
    "So even if you were to contend that secondary infringement cannot apply here (and we need more than just your say-so), they're still open to being sued by GRSecurity for no good reason (after all if they're this clueless about the rights and responsibilities of copyright licensing, how do you know that what you think you can do with it is what they think you can?) or for doing the same thing."

    Definitional strawman. Followed by another ad hominem.

    "False premise."

    False claim.

    Sorry, you claimed that they would be doing the same thing. They would not, therefore false premise.

    "No and no."

    Both wrong.

    Glad that you admit that both your points were wrong.

    "Everything is simple if you make no effort to understand reality and merely use your own assumptions."

    And THAT there is a strawman. Did I claim EVERYTHING was simple? No. Therefore this claim of yours, asspulled as it is, is a fallacy and irrelevant.

    You claimed that this was pretty simple, yet made no effort to provide an analysis based on the text of the actual licenses.

    It's also perfectly fine argument style for others, and not a fallacy.

  26. Re: A tale of two law firms by Brockmire · · Score: 1

    Bruce is going to "Denny Crane" the shit out of them.

  27. Re:Will future versions continue to be distributed by DRJlaw · · Score: 1

    as the kernel and/or grsecurity's (potential) derivative works may not be licensed at all, meaning there is no legal means of conveying a copy.

    Neither Bruce nor you have provided a satisfactory explanation of how the derivative work would not be licensed at all vis-a-vis the customer.

    The GPLv2 secs. 4 and 6 grant the customer a license from each licensor -- not merely from the upstream distributor -- and state that the customer's license is not terminated by termination of the upstream distributor's license.

    The GPLv2 sec. 2 permits the customer to make derivative works using any type of code. That code must only be licensed or relicensed under the GPLv2 if the customer publishes or distributes it to third parties.

    The customer has the Linux kernel under the GPLv2 and the grsecurity contribution under the GPLv2, and NEITHER party can terminate the customer's license without a breach by the customer. The customer can even distribute the code since both parts are licensed under the GPLv2 and are ipso facto compatibly licensed as a combination under the GPLv2.

    Remember that the GPL is a license (the L in "GPL" and not a contract), and that unlicensed works are not "public domain"; a copyright license is the only thing that provides the right to make (and/or distribute) copies

    Both works are licensed. The right to make the combination is licensed. There is no "public domain" issue involved.

  28. Re:I don't think you have that right. by david_thornley · · Score: 1

    No. GRsecurity granted a license under the GPLv2.

    GRSecurity cannot grant a license to the Linux kernel if GRSecurity doesn't have a valid license. If they have violated the GPL, then they don't have a valid license. These licenses aren't free-floating; legally, they have to be granted. (The question of what you do when you violate the GPL and lose your license can get rather involved, and GPLv3 provided for automatic reinstatement of the license under certain conditions - however, Linux is GPLv2 only, and is not distributed under GPLv3.)

    GRsecurity uses a separate Stable Patch Access Agreement [perens.com] with the supposed restriction, and that agreement is between GRsecurity and the individual customer, not the customer and any other recipient. That agreement also explicitly says that "The User has all rights and obligations granted by grsecurity's software license, version 2 of the GNU GPL," so the user would not be doing the same thing.

    That sounds an awful lot like adding terms to the GPL, which is not permitted by the GPL.

    Therefore, I'm claiming the following things about reality. GRsecurity may be violating GPLv2 (I'm not taking a definite position on that). If so, GRsecurity doesn't have a valid license for the Linux kernel, and is forbidden to change or further copy it. If GRsecurity doesn't have a valid license, GRsecurity can't grant a license, and therefore their customers are running unlicensed copies of software. We know from the MAFIAA and lawsuits that illegitimate copies of copyrighted works can cost a whole lot of money. The Linux kernel does not operate under a copyright-assignment principle, so there's a large number of people with copyrighted code in the kernel, and I believe any of them could sue.

    Hence, it looks legally risky to me to rely on a kernel supplied from GRsecurity.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  29. Re:I don't think you have that right. by DRJlaw · · Score: 1

    I'm claiming the following things about reality. GRsecurity may be violating GPLv2 (I'm not taking a definite position on that). If so, GRsecurity doesn't have a valid license for the Linux kernel, and is forbidden to change or further copy it. If GRsecurity doesn't have a valid license, GRsecurity can't grant a license, and therefore their customers are running unlicensed copies of software.

    And reality disagrees with you. Per the GPLv2:

    "4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance."

    "6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License."

    From the SFLC:

    This is GPLv2's "automatic downstream licensing" provision. Each time you redistribute a GPL'd program, the recipient automatically receives a license from each original licensor to copy, distribute or modify the program subject to the conditions of the license. There is no requirement to take any action to ensure the downstream recipient's acceptance of the license terms, see above. This places every copyright holder in the chain of descent of the code in legal privity, or direct relationship, with every downstream redistributor. Two legal effects follow. First, as sec. 6 says, parties themselves remaining in compliance have valid permissions for all actions including modification and redistribution even if their immediate upstream supplier of the software has been terminated for license violation. Their licensed rights are not dependent on compliance of their upstream, because their licenses issue directly from the copyright holder. Second, automatic termination cannot be cured by obtaining additional copies from an alternate supplier: the license permissions emanate only from the original licensors, and if they have automatically terminated permission, no act by any intermediate license holder can restore those terminated rights.

    It also follows, as sec. 6 makes clear, that licensors are in no way responsible for enforcing compliance by third party recipients or distributors. Every licensee gains or loses permissions from each original licensor solely on the basis of its own conduct.

    We know from the MAFIAA and lawsuits that illegitimate copies of copyrighted works can cost a whole lot of money. The Linux kernel does not operate under a copyright-assignment principle, so there's a large number of people with copyrighted code in the kernel, and I believe any of them could sue.

    But they are all bound by sections 4 and 6 of the GPL as "original licensors" of their contributions, they've automatically granted licenses to GRsecurity's customers by the terms of section 6, and those licenses were not terminated by GRsecurity's alleged violation of the terms of section 4.

    Hence, it looks legally risky to me to rely on a kernel supplied from GRsecurity.

    Wrong.

  30. Re:I don't think you have that right. by david_thornley · · Score: 1

    The first GPL clause says that you lose your license under certain conditions, but everyone who already has a license is fine. The second one could be construed as applying to legal distribution only. The SFLC quote, while more definite, is the SFLC's interpretation, and the SFLC does not represent all Linux contributors. I don't think there's any case law here (and would be fascinated to be corrected).

    Therefore, it's very possible that GRsecurity is violating the GPL and hence does not have a valid license, and the courts might rule that they can't transfer a license (disagreeing with the SFLC), and there's any number of people who could sue for statutory damages, so I'd say there's a risk. I'm not a lawyer, and this isn't even illegal advice, so if this matters to you please consult a real lawyer.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  31. Re:I don't think you have that right. by DRJlaw · · Score: 1

    The first GPL clause says that you lose your license under certain conditions, but everyone who already has a license is fine.

    No it doesn't. It says "However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance." You're rewording it, e.g., "However, parties who have already received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance." There is no qualification upon time included in the anti-termination provision.

    The second one could be construed as applying to legal distribution only.

    No, it can't. It says "Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions." There's no condition on the automatic grant of a license from the original licensor to the recipient, and there's no required grant of license from the distributor. There is no termination of the recipient's rights under even a particular instance of license under the GPLv2 -- see the statement that it "will automatically terminate your rights under this License" in addition to the above-quoted "However..." clarification.

    the courts might rule that they can't transfer a license (disagreeing with the SFLC)

    They don't have to transfer a license. The recipient is an intended third party beneficiary of a direct license from the original licensor under GPLv2 sec. 6, and the third party beneficiaries' rights are not terminated under GPLv2 sec. 4, both by the terms of the actual termination clause and the subsequent "However" clarification.

    Even if you argue that the GPLv2 is not a contract with third party beneficiaries, sec. 6 creates a promissory estoppel with respect to the recipients. Sec. 6 is not conditioned on the distributor's compliance with secs. 2 and 3, is automatic, and is not terminated by sec. 4.

    The SFLC quote, while more definite, is the SFLC's interpretation, and the SFLC does not represent all Linux contributors.

    Irrelevant. The SFLC is a group of lawyers who have expertise concerning this license. Without a countervailing analysis from a lawyer, or any indication that any Linux kernel contributor even holds such an opinion, this is merely FUD.

    I don't think there's any case law here (and would be fascinated to be corrected).

    Your wish is granted. Skip down to "The use of GPLv2-licensed code is authorized for compliant users, even if they receive the code from a non-compliant licensee."

  32. Re:I don't think you have that right. by david_thornley · · Score: 1

    Your wish is granted [informit.com]. Skip down to "The use of GPLv2-licensed code is authorized for compliant users, even if they receive the code from a non-compliant licensee."

    Thank you. Very interesting.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes