Linux kernel hardeners Grsecurity sue open source's Bruce Perens

In late June, noted open-source programmer Bruce Perens warned that using Grsecurity's Linux kernel security could invite legal trouble. "As a customer, it's my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no- …


  1. Anonymous Coward

    Ah you don't get this sort of trouble with Windows...

    1. anonymous boring coward Silver badge

      "Ah you don't get this sort of trouble with Windows..."

      He, he. Good one!

    2. JLV

      >Ah

      True but the average Windows user does get to worry about compliance with their general, end-user, customer agreement if you have the temerity to want to launch a guest VM Windows using the same license as your current, host, Windows. Or the impact of hardware changes depending on the flavor of license, like OEM, you might have purchased. That's a darn sight more applicable to the real world of average users than a GPL spat wrt grsecs' shady practices.

      Nice try tho ;-)

      1. big_D Silver badge
        Facepalm

        Re: >Ah

        Looks like a few people had a sense of humour bypass or haven't had their morning coffee...

        1. Thrudd

          Re: >Ah

          80 proof Irish coffee, perchance

          1. Destroy All Monsters Silver badge

            Re: >Ah

            That's pretty good coffee in a healthy Celtic environment.

        2. Astara

          Re: >Ah - much truth is claimed to be said in "jest"....

          While I agree w/the bit of humor that started this, the problem is that such humor can also be taken as a pointed barb by some. At the same time, some can intend a pointed-barb post that, after getting sufficient "heat", is later recharacterized as "humor" or "jest" to avoid further heat.

          It's all a crappy, nobody-wins area. I'm a WinLinguista, running both @ home w/Win desktop and Lin server (something both sides don't like very well)... and I, for one, just wish we'd all be able to get along... *sigh* ;^/... (including for the sake of my home network!)...

    3. Joe User

      "Ah you don't get this sort of trouble with Windows..."

      Seeing as you have NO redistribution rights with Windows, it's a non-issue.

    4. Flocke Kroes Silver badge

      Use the wrong search engine and you will not find such trouble with Windows

      I can remember plenty of examples of legal trouble from Microsoft. When I tried to search for them, nothing came back. When I asked Google, I found them quickly. It is almost as if search engines related to Microsoft are burying news that embarrasses their sponsor.

    5. Anonymous Coward

      Please

      if we want to stop the penguinistas commenting on stories about Microsoft (and my word do we wish they'd shut their traps) we shouldn't comment about the playground antics of the penguin community

      Play nice.

      1. Kiwi
        Linux

        if we want to stop the penguinistas commenting on stories about Microsoft

        You could try having a secure, user-friendly, user-data-NOT-stealing pile of garbageware - that would stop us pointing and laughing at your shopping-trolley-full-of-visible-to-all-possessions each time the wheels come off.

  2. Lee D Silver badge

    Ah, finally, the guy shows his true colours.

    Suing someone's webhost for assisting in defamation, because said someone provided an interpretation of an open source licence.

    This is perfect.

    Now, NOBODY will touch grsecurity patches. I mean, who wants to do business with people who do stuff like that?

    Good programmer with good ideas, completely destroyed by his attitude, lack of co-operation, "I'm always right" attitude, and now suing people who disagree.

    Hopefully, this is the last nail in the coffin of the project and people dealing with this guy.

    1. Anonymous Coward

      Well, you know.

      "gruff security"

      (as provided by muscular members of definite balkan ethnicity etc.)

    2. AdamWill

      Optional

      Yup. I don't know whose interpretation of the law is correct, but I feel comfortable saying the party that thought suing for defamation was a great way to deal with a difference of opinion is behaving extremely crappily.

    3. This post has been deleted by its author

    4. I ain't Spartacus Gold badge

      I mean, who wants to do business with people who do stuff like that?

      I don't know. Lots of people do business with Oracle.

      OK admittedly you did say, "*wants* to do business with"...

      See also: Apple, Microsoft etc.

      This is the kind of thing you can get away with if you're a dominant player, or customers are locked into your stuff. I can't see it going down too well in open source land, and from a non-dominant company though.

      1. TheVogon

        "I don't know. Lots of people do business with Oracle."

        And how many of those are prisoners to support of legacy systems?

    5. CrazyOldCatMan Silver badge

      Good programmer with good ideas, completely destroyed by his attitude, lack of co-operation, "I'm always right" attitude

      Now where have we seen that before?

        1. Anonymous Coward

        > Now where have we seen that before?

        I don't know but we can probably patch it into systemd.

    6. Fatman
      FAIL

      RE: "attitude"

      > ...completely destroyed by his attitude, lack of co-operation, "I'm always right" attitude, and now suing people who disagree.

      One could throw the systemd backers into that pool. Check this out:

      https://www.theregister.co.uk/2017/07/05/linux_systemd_grants_root_to_invalid_user_accounts/

      The money part:

      > The issue was raised through a GitHub Issues submission a week ago, but Lennart Poettering, one of the lead maintainers of systemd, insisted the software is working as intended and declined to implement changes.
      >
      > "I don't think there's anything to fix in systemd here," he wrote. "I understand this is annoying, but still: The username is clearly not valid."
      >
      > Yet with forty down-votes on his response, it's evident that not everyone in the Linux community agrees there's nothing to be done.

      (emphasis mine)

  3. anonymous boring coward Silver badge

    What is "hardners"?

    1. Destroy All Monsters Silver badge

      The opposite of "softners"?

    2. diodesign (Written by Reg staff) Silver badge

      Re: boring

      They harden-up the kernel.

      C.

      1. choleric

        Re: boring

        Making it a tough nut to crack.

      2. Number6

        Re: boring

        I just recompile the kernel with #DEFINE VIAGRA for the same effect.

        1. LaeMing
          Boffin

          Re: #DEFINE VIAGRA

          Trouble with that option is that you shouldn't keep your 'system' 'up' for more than 4 hours or damage could result!

          1. Doctor Syntax Silver badge

            Re: #DEFINE VIAGRA

            I knew diodesign was asking for trouble with that answer.

        2. Don Dumb
          Coat

          #DEFINE VIAGRA

          Problem is that it almost encourages the spread of viruses

      3. CrazyOldCatMan Silver badge

        Re: boring

        They harden-up the kernel.

        Do you have to be over 18 to view the patches?

  4. Seaners
    Linux

    Seems fine to me

    "According to Perens, "GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition.""

    But the GPL only mentions " You may not impose any further restrictions on the recipients' exercise of the rights granted herein." This means Grsecurity cannot prevent anyone from redistributing code. So if someone exercises their right to do so against Grsecurity's wishes, Grsecurity cannot really do anything about it. If the agreement is only limited to preventing release of future versions, isn't refusing future service within Grsecurity's rights since any business can refuse future service to anyone for any reason?

    1. Destroy All Monsters Silver badge
      Windows

      Re: Seems fine to me

      Objection, your honor! The Jesuitism of the plaintiff is exceeding all bounds of rational discourse.

    2. Anonymous Coward

      Re: Seems fine to me

      If the agreement is only limited to preventing release of future versions, isn't refusing future service within Grsecurity's rights since any business can refuse future service to anyone for any reason?

      Yes, that is right. Whatever side of the argument one is on, one has to admit that it's an imaginative idea.

      Everyone wants future patches. Given that GRSecurity aren't actually obliged to tell anyone that they might refuse to distribute future yet-to-be-written code to them, one could possibly argue that GRSecurity are giving fair warning and going beyond what is required...

      This was an outcome that was always possible under the terms of any conceivable copyleft license, and represents a fundamental limitation on the strength of any such in a license. The more ardent GPL-istas are probably as much annoyed about not having thought of it first, rather than the present outcome.

      From the Article

      Linus Torvalds, who oversees the Linux kernel, has called Grsecurity's patches "garbage."

      Well he would say that, wouldn't he. Saying that Grsecurity's patches are good would be one hell of an admission of the poor state of the generic kernel. It's not as if the CVE list of Linux has zero entries, so there's certainly something for someone else's patch set to do.

      1. Teiwaz

        Re: Seems fine to me

        isn't refusing future service within Grsecurity's rights since any business can refuse future service to anyone for any reason?

        Well...supposedly, but when the 'reason' is some form of religious fundamentalism or other prejudice then the business is on legally shaky ground.

        Linus Torvalds, who oversees the Linux kernel, has called Grsecurity's patches "garbage."

        Well he would say that, wouldn't he. Saying that Grsecurity's patches are good would be one hell of an admission of the poor state of the generic kernel. It's not as if the CVE list of Linux has zero entries, so there's certainly something for someone else's patch set to do.

        Linus only seems to launch these 'nuclear' descriptions around when he's all 'riled up' - I think the chances of him getting politic for marketing drama are unlikely.

    3. Doctor Syntax Silver badge

      Re: Seems fine to me

      "If the agreement is only limited to preventing release of future versions, isn't refusing future service within Grsecurity's rights since any business can refuse future service to anyone for any reason?"

      I guess this is what they're depending on and probably have a legal opinion to back it up. But this action means that theory gets examined in court to determine whether this is a restriction of rights under GPL2 and what happens in court isn't always what you expect. The risk they run is that the court agrees with Perens and that they then get hit with a suit by a kernel dev.

      1. Sproggit

        Re: Seems fine to me

        I think I sort-of agree with you. If I understand Bruce's argument, what he is saying is that the GRSecurity patches simply cannot run without the Linux Kernel. Therefore, if GRSecurity apply restrictions to their software, then the moment their software is linked to a kernel, those restrictions apply to the kernel too [because post-link, the software is inextricably tied together].

        So Bruce's argument is that whether they realise it or not, GRSecurity's restrictions are being de-facto applied to the kernel, whether GRSecurity realise or not.

        Having read through the materials, it looks as though GRSecurity are arguing that their restrictions apply to their code only, but Bruce is saying, "That's not technically possible, because of the way that your code works..."

        But then, I'm neither a kernel programmer nor a lawyer, so you likely shouldn't pay much attention to me !!!

    4. Eugene Crosser
      Boffin

      Re: Seems fine to me

      >isn't refusing future service within Grsecurity's rights since any business can refuse future service to anyone for any reason?

      IANAL, but it looks to me that when they make non-redistribution the condition of continued business, they do impose restrictions to the redistribution rights. By giving a "fair warning", they make it obvious. If they stopped the service without warning, the client would have to prove that denial to continue service was a response to re-distribution, and that would be the evidence of additional restrictions.

      In my eyes, this is not much different from, for example, a state saying: "you have the right to free speech, but if you execute this right, you will be denied of health service in the future".

      1. tom dial Silver badge

        Re: Seems fine to me

        The analogy between a private contract issue and state action is badly flawed.

        GRSecurity's contract does not restrict their customers' right under GPLv2 to redistribute the patches. Nothing in GPLv2 appears to require GRSecurity to distribute any patch to anyone unless they put such a requirement into their support contract. They do not, instead including a provision that terminates distribution of future patches to someone who redistributes current or prior ones. This does not limit their customers' right to do the distribution no matter how much it may influence them; it is their choice to distribute or not and to whom, just as it is GRSecurity's.

        I also am not a lawyer, but a look at Bruce Perens' post, the Open Source Security filing, and summaries of the cases the filing cites suggests the suit may not go very far.

      2. Anonymous Coward

        Re: Seems fine to me

        > "In my eyes, this is not much different from, for example, a state saying: "you have the right

        > to free speech, but if you execute this right, you will be denied of health service in the future".

        "You have the right to vote republican, but if you execute this right, you will be denied of health service in the future".

        FTFY

  5. Destroy All Monsters Silver badge
    Windows

    I see!

    Grsecurity's agreement, the lawsuit states, only applies to future patches, which have yet to be developed.

    Is this like Quantitative Easing 7 Wealth Transfer, the negative economic consequences of which only apply to future taxpayers, which have yet to be born?

  6. sisk

    By my understanding of the GPLv2 Grsecurity is completely without a legal leg to stand on here. They're illegally tacking conditions onto existing code which MUST be licensed under the GPL (as all Linux kernel patches must be thanks to the copyleft nature of the GPL). In short, either GPLv2 is valid or Grsecurity will lose.

    1. AdamWill

      Well, it doesn't seem that cut and dried, in either case, because there's what seems like a reasonable difference of opinion about whether this really *is* adding a restriction to the rights granted by the license. GR's position is that the license applies to the current code that actually exists, so a clause that adds a restriction that would only apply to future code which hasn't been written yet (and which the user certainly hasn't been given a license to yet) is OK.

      But that's not really the point here. The point is that it's a complete dick move to sue someone for defamation merely because they stated their opinion about the license interpretation, *clearly marked as* a personal opinion. It doesn't really _matter_ whose interpretation is correct, that's still a crappy thing to do.

      1. Anonymous Coward

        "The point is that it's a complete dick move to sue someone for defamation merely because they stated their opinion about the license interpretation, *clearly marked as* a personal opinion. It doesn't really _matter_ whose interpretation is correct, that's still a crappy thing to do."

        IANAL, but I'd have thought that marking it as personal opinion in a public online forum is only going to clearly define the target for GRSecurity's lawyers and the judge.

        Marking oneself as a target never seems wise to me.

        Perens may have sought legal advice before making the post(s), but legal advice is not the same as a judgement handed down by a judge sat in his/her court. A lawyer's advice is simply their own personal opinion drawn from experience, whilst a judge's decision has much more finality and actual consequences.

        Well, the dice have been cast, and we shall see the outcome in due course. Personally speaking I'd prefer it if people could just get on. I much prefer the attitude taken by the FreeBSD guys; they basically say "do whatever you want, we honestly don't care". Very generous indeed.

        Harsh World

        Given the nature of GRSecurity's business, their being seen to be compliant with GPL2 is important. Perens alludes to this point too. A lot of people think that they're not going along with the spirit of GPL2 and the established norms of the kernel community, but that is utterly irrelevant to the courts and, more importantly, to GRSecurity's customers. All they need to know is that they can use the patches without leaving themselves exposed to GPL2 violation lawsuits. Being compliant with the letter, if not the spirit, of GPL2 is the only thing they really need.

        So whatever one thinks of the appropriateness of the move to sue Perens, it was always inevitable that they would do so in response to such a public post. They (and their customers) have no choice.

        It can be argued that demanding something extra of someone when the license they've been given doesn't actually say they should is, well, illogical. If a form of words that describes what is actually intended is not in the license because it cannot be made to fit within law, tough luck. That should be a hint; law is the only set of rules that actually matter.

        It's a harsh world, but livings have to be made, and no judge is ever going to deny someone the opportunity to do so if they're sticking wholly to the letter of licensing arrangement they've entered into.

        Anyway, it looks like we're about to find out one way or the other. Having read GPL2, I can't really see exactly how Perens' assertion stands up (at least not to judge-proof quality). GPL2 is all about the here and now: "The program" is a phrase widely used through the license. GRSecurity's stable patch access agreement is effectively all about the future, a "Potential, future, different program, if it ever exists". They're clearly different things.

        Also the GPL2 clause 2 says one may modify a program (no restrictions), and then if one wishes to one may distribute the mod (but with conditions about notices and not altering the license), but it doesn't say that you must distribute the mod to all and sundry. All you are obliged to do is, if you give someone a copy of your binary, offer them the source code on physical media for a reasonable fee.

        If Perens wins, then effectively anyone doing their own kernel hacks is in breach of GPL2 if they don't publish their hack freely. That would, ironically, include the entire kernel community for the time between when they save a source code file they've altered and when they push it back up to some public GIT repo. That would be absurd.

        Wider Issues

        There are a few cases running at the moment which seem to boil down to the definition of "fair use".

        Google vs Oracle has dragged on now for a long time, depressingly so. However, Google's only possible avenue of argument now is that re-use of the Java API was "fair use" (the copyright breach argument is long since done and dusted in Oracle's favour). There are some schools of thought that, if Google finally win, that will make it hard to enforce GPL's license terms.

        1. Hans 1
          Facepalm

          Venerable AC, I think you have completely missed the point, here!

          If Perens wins, then effectively anyone doing their own kernel hacks is in breach of GPL2 if they don't publish their hack freely.

          Nope, you do not get it. Only those that sell/distribute derivative works have to, they have always had to, BTW.

          From https://grsecurity.net/agree/agreement.php (Perens has a PDF: http://perens.com/wp-content/uploads/2017/06/grsecstablepatchaccessagreement_additionalterms.pdf):

          > Notwithstanding these rights and obligations, the User acknowledges that redistribution of the provided stable patches or changelogs outside of the explicit obligations under the GPL to User's customers will result in termination of access to future updates of grsecurity stable patches and changelogs.

          So, in clear, the GPL says I can redistribute the code to all and sundry AND explicitly prohibits the addition of limitations to the contract. GRSecurity says: if you exercise that right, you are no longer a customer. Clearly in breach of GPL, it no longer applies to GRSecurity, they have no leg to stand on, they are now selling Linux kernel patches without a GPL. Linus, and a bazillion other people, can sue them to hell and back ... and Perens can only win. This future code debate is moot: if I redistribute the code freely, I will be sanctioned -> clearly against the GPL.

          You have to understand that their whole business model relies on Linux kernel patches, that the Linux kernel was created by a great many people, that it could not exist without a license like the GPL ... great to see them contribute, sad to see them trying to milk ... Listen, GRSecurity, the kernel is NOT YOURS, consider yourself lucky to be able to make some money on the back of it!

          1. Steve the Cynic

            Fussy: the GR text you cite specifically allows you to distribute the patches as you are obliged to under the GPL. It restricts your ability to publish the patches themselves just for themselves. And it doesn't even say that you cannot distribute them. It says that GR won't give you any more patches if you do.

            There's wiggle room in that distinction for them to argue that they are OK, that they have complied with the *letter* of the contract, even if they have trampled the *spirit* of the contract underfoot. It's the sort of wiggle room that lawyers find Ferraris in, but there you are.

            On the other hand, someone trying to argue against GR could just as easily argue that a person's obligations under the GPL effectively require them to be able to publish the patches independently of distribution of a build of a patched kernel, thus spiking GR's legal cannon. (That is, that GR's language does not override the GPL - it even says it doesn't - and that therefore GR is in the wrong if it uses that wording to terminate the contract for such and such an act.)

            Again, enough wiggle room to hide several Ferraris, and I think that's the key thing to remember in all this.

          2. John G Imrie

            Notwithstanding these rights and obligations, the User acknowledges that redistribution of the provided stable patches or changelogs outside of the explicit obligations under the GPL to User's customers will result in termination of access to future updates of grsecurity stable patches and changelogs.

            I would say that the part I have highlighted is adding a restriction as to who I can redistribute the code to, as it creates two categories of people, those I can distribute the code to and continue to receive patches and those I can't.

            1. Vic

              I would say that the part I have highlighted is adding a restriction as to who I can redistribute the code to, as it creates two categories of people, those I can distribute the code to and continue to receive patches and those I can't.

              And, by virtue of that, it restricts redistribution to Section 3(a), whereas 3(b) is far more usual. That's a restriction, and therefore causes non-compliance.

              Vic.

        2. Doctor Syntax Silver badge

          "Perens may have sought legal advice before making the post(s), but legal advice is not the same as a judgement handed down by a judge sat in his/her court."

          That cuts both ways. GR may also have sought legal advice on their T&Cs. It'll now come down to an arm-wrestling match between two lots of legal advice. I wouldn't bet on the judgement but then I'm not a gambler.

        3. styx-tdo

          "If Perens wins, then effectively anyone doing their own kernel hacks is in breach of GPL2 if they don't publish their hack freely. That would, ironically, include the entire kernel community for the time between when they save a source code file they've altered and when they push it back up to some public GIT repo. That would be absurd."

          ? I am confused. Where is any clause that requires you to publish anything, even less for all to access? GPL does not, to my knowledge, limit _any_ modifications you do in your back chamber. And it requires you to re-license under GPL and add source code to binaries _that you distribute_ - so if you modify source code without compiling it, you can do with it whatever you want - keep it, share it with some people, share it with the world... - it just needs to contain source code and must be GPLv2 licensed. There is no clause in the GPL to force you to make your code publicly available, but if you do, it has to be GPL'd code w/ source... and that includes the right to redistribute without any limitations.

          1. James Loughner

            You can hack the kernel all you want and keep it a secret, but if you then distribute it then you must follow the GPL and make your code available to those you distribute it to, and that code must follow the GPL, giving those you distribute to the same rights.

        4. Anonymous Coward

          "All you are obliged to do is, if you give someone a copy of your binary, offer them the source code on physical media for a reasonable fee."

          This is not quite accurate. If you give someone a copy of your binary, you can include the source code _with_ the binary. If you didn't include the source in your binary distribution, then your offer to make code available on media at cost price or less must be to everyone, not just to the people you gave the binary to.
