Linux kernel hardeners Grsecurity sue open source's Bruce Perens

In late June, noted open-source programmer Bruce Perens warned that using Grsecurity's Linux kernel security could invite legal trouble. "As a customer, it's my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no- …

  1. Anonymous Coward
    Anonymous Coward

    Ah you don't get this sort of trouble with Windows...

    1. anonymous boring coward Silver badge

      "Ah you don't get this sort of trouble with Windows..."

      He, he. Good one!

    2. JLV

      >Ah

      True but the average Windows user does get to worry about compliance with their general, end-user, customer agreement if you have the temerity to want to launch a guest VM Windows using the same license as your current, host, Windows. Or the impact of hardware changes depending on the flavor of license, like OEM, you might have purchased. That's a darn sight more applicable to the real world of average users than a GPL spat wrt grsecs' shady practices.

      Nice try tho ;-)

      1. big_D Silver badge
        Facepalm

        Re: >Ah

        Looks like a few people had a sense of humour bypass or haven't had their morning coffee...

        1. Thrudd

          Re: >Ah

80 proof Irish coffee, perchance

          1. Destroy All Monsters Silver badge

            Re: >Ah

            That's pretty good coffee in a healthy celtic environment.

        2. Astara

          Re: >Ah - much truth is claimed to be said in "jest"....

While I agree w/the bit of humor that started this, the problem is that such humor can also be taken as a pointed barb by some. At the same time, some can intend a pointed-barb post that, after getting sufficient "heat", is later recharacterized as "humor" or "jest" to avoid further heat.

It's all a crappy, nobody-wins area. I'm a WinLinguista, running both @ home w/Windesktop and Lin server (something both sides don't like very well)... and I, for another, just wish we'd all be able to get along... *sigh* ;^/... (including for the sake of my home network!)...

    3. Joe User

      "Ah you don't get this sort of trouble with Windows..."

      Seeing as you have NO redistribution rights with Windows, it's a non-issue.

    4. Flocke Kroes Silver badge

      Use the wrong search engine and you will not find such trouble with Windows

      I can remember plenty of examples of legal trouble from Microsoft. When I tried to search for them, nothing came back. When I asked Google, I found them quickly. It is almost as if search engines related to Microsoft are burying news that embarrasses their sponsor.

    5. Anonymous Coward
      Anonymous Coward

      Please

      if we want to stop the penguinistas commenting on stories about Microsoft (and my word do we wish they'd shut their traps) we shouldn't comment about the playground antics of the penguin community

      Play nice.

      1. Kiwi
        Linux

        if we want to stop the penguinistas commenting on stories about Microsoft

        You could try having a secure, user-friendly, user-data-NOT-stealing pile of garbageware - that would stop us pointing and laughing at your shopping-trolley-full-of-visible-to-all-possessions each time the wheels come off.

  2. Lee D Silver badge

    Ah, finally, the guy shows his true colours.

    Suing someone's webhost for assisting in defamation, because said someone provided an interpretation of an open source licence.

    This is perfect.

    Now, NOBODY will touch grsecurity patches. I mean, who wants to do business with people who do stuff like that?

    Good programmer with good ideas, completely destroyed by his attitude, lack of co-operation, "I'm always right" attitude, and now suing people who disagree.

    Hopefully, this is the last nail in the coffin of the project and people dealing with this guy.

    1. Anonymous Coward
      Anonymous Coward

      Well, you know.

      "gruff security"

      (as provided by muscular members of definite balkan ethnicity etc.)

    2. AdamWill

      Optional

      Yup. I don't know whose interpretation of the law is correct, but I feel comfortable saying the party that thought suing for defamation was a great way to deal with a difference of opinion is behaving extremely crappily.


    4. I ain't Spartacus Gold badge

      I mean, who wants to do business with people who do stuff like that?

      I don't know. Lots of people do business with Oracle.

OK admittedly you did say, "*wants* to do business with"...

      See also: Apple, Microsoft etc.

      This is the kind of thing you can get away with if you're a dominant player, or customers are locked into your stuff. I can't see it going down too well in open source land, and from a non-dominant company though.

      1. TheVogon

        "I don't know. Lots of people do business with Oracle."

        And how many of those are prisoners to support of legacy systems?

    5. CrazyOldCatMan Silver badge

      Good programmer with good ideas, completely destroyed by his attitude, lack of co-operation, "I'm always right" attitude

      Now where have we seen that before?

      1. Anonymous Coward
        Anonymous Coward

        > Now where have we seen that before?

        I don't know but we can probably patch it into systemd.

    6. Fatman
      FAIL

      RE: "attitude"

"...completely destroyed by his attitude, lack of co-operation, "I'm always right" attitude, and now suing people who disagree."

      One could throw the systemd backers into that pool. Check this out:

      https://www.theregister.co.uk/2017/07/05/linux_systemd_grants_root_to_invalid_user_accounts/

      The money part:

"The issue was raised through a GitHub Issues submission a week ago, but Lennart Poettering, one of the lead maintainers of systemd, insisted the software is working as intended and declined to implement changes.

"I don't think there's anything to fix in systemd here," he wrote. "I understand this is annoying, but still: The username is clearly not valid."

Yet with forty down-votes on his response, it's evident that not everyone in the Linux community agrees there's nothing to be done."

      (emphasis mine)

  3. anonymous boring coward Silver badge

    What is "hardners"?

    1. Destroy All Monsters Silver badge

      The opposite of "softners"?

    2. diodesign (Written by Reg staff) Silver badge

      Re: boring

      They harden-up the kernel.

      C.

      1. choleric

        Re: boring

        Making it a tough nut to crack.

      2. Number6

        Re: boring

        I just recompile the kernel with #DEFINE VIAGRA for the same effect.

        1. LaeMing
          Boffin

          Re: #DEFINE VIAGRA

          Trouble with that option is that you shouldn't keep your 'system' 'up' for more than 4 hours or damage could result!

          1. Doctor Syntax Silver badge

            Re: #DEFINE VIAGRA

            I knew diodesign was asking for trouble with that answer.

        2. Don Dumb
          Coat

          #DEFINE VIAGRA

          Problem is that it almost encourages the spread of viruses

      3. CrazyOldCatMan Silver badge

        Re: boring

        They harden-up the kernel.

        Do you have to be over 18 to view the patches?

  4. Seaners
    Linux

    Seems fine to me

    "According to Perens, "GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition.""

    But the GPL only mentions " You may not impose any further restrictions on the recipients' exercise of the rights granted herein." This means Grsecurity cannot prevent anyone from redistributing code. So if someone exercises their right to do so against Grsecurity's wishes, Grsecurity cannot really do anything about it. If the agreement is only limited to preventing release of future versions, isn't refusing future service within Grsecurity's rights since any business can refuse future service to anyone for any reason?

    1. Destroy All Monsters Silver badge
      Windows

      Re: Seems fine to me

      Objection, your honor! The Jesuitism of the plaintiff is exceeding all bounds of rational discourse.

    2. Anonymous Coward
      Anonymous Coward

      Re: Seems fine to me

      If the agreement is only limited to preventing release of future versions, isn't refusing future service within Grsecurity's rights since any business can refuse future service to anyone for any reason?

      Yes, that is right. Whatever side of the argument one is on, one has to admit that it's an imaginative idea.

      Everyone wants future patches. Given that GRSecurity aren't actually obliged to tell anyone that they might refuse to distribute future yet-to-be-written code to them, one could possibly argue that GRSecurity are giving fair warning and going beyond what is required...

      This was an outcome that was always possible under the terms of any conceivable copyleft license, and represents a fundamental limitation on the strength of any such in a license. The more ardent GPL-istas are probably as much annoyed about not having thought of it first, rather than the present outcome.

      From the Article

      Linus Torvalds, who oversees the Linux kernel, has called Grsecurity's patches "garbage."

Well he would say that, wouldn't he. Saying that Grsecurity's patches are good would be one hell of an admission of the poor state of the generic kernel. It's not as if the CVE list of Linux has zero entries, so there's certainly something for someone else's patch set to do.

      1. Teiwaz

        Re: Seems fine to me

        isn't refusing future service within Grsecurity's rights since any business can refuse future service to anyone for any reason?

        Well...supposedly, but when the 'reason' is some form of religious fundamentalism or other prejudice then the business is on legally shaky ground.

        Linus Torvalds, who oversees the Linux kernel, has called Grsecurity's patches "garbage."

Well he would say that, wouldn't he. Saying that Grsecurity's patches are good would be one hell of an admission of the poor state of the generic kernel. It's not as if the CVE list of Linux has zero entries, so there's certainly something for someone else's patch set to do.

        Linus only seems to launch these 'nuclear' descriptions around when he's all 'riled up' - I think the chances of him getting politic for marketing drama are unlikely.

    3. Doctor Syntax Silver badge

      Re: Seems fine to me

      "If the agreement is only limited to preventing release of future versions, isn't refusing future service within Grsecurity's rights since any business can refuse future service to anyone for any reason?"

      I guess this is what they're depending on and probably have a legal opinion to back it up. But this action means that theory gets examined in court to determine whether this is a restriction of rights under GPL2 and what happens in court isn't always what you expect. The risk they run is that the court agrees with Perens and that they then get hit with a suit by a kernel dev.

      1. Sproggit

        Re: Seems fine to me

        I think I sort-of agree with you. If I understand Bruce's argument, what he is saying is that the GRSecurity patches simply cannot run without the Linux Kernel. Therefore, if GRSecurity apply restrictions to their software, then the moment their software is linked to a kernel, those restrictions apply to the kernel too [because post-link, the software is inextricably tied together].

        So Bruce's argument is that whether they realise it or not, GRSecurity's restrictions are being de-facto applied to the kernel, whether GRSecurity realise or not.

        Having read through the materials, it looks as though GRSecurity are arguing that their restrictions apply to their code only, but Bruce is saying, "That's not technically possible, because of the way that your code works..."

        But then, I'm neither a kernel programmer nor a lawyer, so you likely shouldn't pay much attention to me !!!

    4. Eugene Crosser
      Boffin

      Re: Seems fine to me

      >isn't refusing future service within Grsecurity's rights since any business can refuse future service to anyone for any reason?

      IANAL, but it looks to me that when they make non-redistribution the condition of continued business, they do impose restrictions to the redistribution rights. By giving a "fair warning", they make it obvious. If they stopped the service without warning, the client would have to prove that denial to continue service was a response to re-distribution, and that would be the evidence of additional restrictions.

      In my eyes, this is not much different from, for example, a state saying: "you have the right to free speech, but if you execute this right, you will be denied of health service in the future".

      1. tom dial Silver badge

        Re: Seems fine to me

        The analogy between a private contract issue and state action is badly flawed.

GRSecurity's contract does not restrict their customers' right under GPLv2 to redistribute the patches. Nothing in GPLv2 appears to require GRSecurity to distribute any patch to anyone unless they put such a requirement into their support contract. They do not, instead including a provision that terminates distribution of future patches to someone who redistributes current or prior ones. This does not limit their customers' right to do the distribution no matter how much it may influence them; it is their choice to distribute or not and to whom, just as it is GRSecurity's.

        I also am not a lawyer, but a look at Bruce Perens' post, the Open Source Security filing, and summaries of the cases the filing cites suggests the suit may not go very far.

      2. Anonymous Coward
        Anonymous Coward

        Re: Seems fine to me

        > "In my eyes, this is not much different from, for example, a state saying: "you have the right

        > to free speech, but if you execute this right, you will be denied of health service in the future".

        "You have the right to vote republican, but if you execute this right, you will be denied of health service in the future".

        FTFY

  5. Destroy All Monsters Silver badge
    Windows

    I see!

    Grsecurity's agreement, the lawsuit states, only applies to future patches, which have yet to be developed.

    Is this like Quantitative Easing 7 Wealth Transfer, the negative economic consequences of which only apply to future taxpayers, which have yet to be born?

  6. sisk

    By my understanding of the GPLv2 Grsecurity is completely without a legal leg to stand on here. They're illegally tacking conditions onto existing code which MUST be licensed under the GPL (as all Linux kernel patches must be thanks to the copyleft nature of the GPL). In short, either GPLv2 is valid or Grsecurity will lose.

    1. AdamWill

      Well, it doesn't seem that cut and dried, in either case, because there's what seems like a reasonable difference of opinion about whether this really *is* adding a restriction to the rights granted by the license. GR's position is that the license applies to the current code that actually exists, so a clause that adds a restriction that would only apply to future code which hasn't been written yet (and which the user certainly hasn't been given a license to yet) is OK.

      But that's not really the point here. The point is that it's a complete dick move to sue someone for defamation merely because they stated their opinion about the license interpretation, *clearly marked as* a personal opinion. It doesn't really _matter_ whose interpretation is correct, that's still a crappy thing to do.

      1. Anonymous Coward
        Anonymous Coward

        "The point is that it's a complete dick move to sue someone for defamation merely because they stated their opinion about the license interpretation, *clearly marked as* a personal opinion. It doesn't really _matter_ whose interpretation is correct, that's still a crappy thing to do."

IANAL, but I'd have thought that marking it as personal opinion in a public online forum is only going to clearly define the target for GRSecurity's lawyers and the judge.

        Marking oneself as a target never seems wise to me.

        Perens may have sought legal advice before making the post(s), but legal advice is not the same as a judgement handed down by a judge sat in his/her court. A lawyer's advice is simply their own personal opinion drawn from experience, whilst a judge's decision has much more finality and actual consequences.

Well, the dice have been cast, and we shall see the outcome in due course. Personally speaking I'd prefer it if people could just get on. I much prefer the attitude taken by the FreeBSD guys; they basically say "do whatever you want, we honestly don't care". Very generous indeed.

        Harsh World

Given the nature of GRSecurity's business, their being seen to be compliant with GPL2 is important. Perens alludes to this point too. A lot of people think that they're not going along with the spirit of GPL2 and the established norms of the kernel community, but that is utterly irrelevant to the courts and, more importantly, to GRSecurity's customers. All they need to know is that they can use the patches without leaving themselves exposed to GPL2 violation lawsuits. Being compliant with the letter, if not the spirit, of GPL2 is the only thing they really need.

So whatever one thinks of the appropriateness of the move to sue Perens, it was always inevitable that they would do so in response to such a public post. They (and their customers) have no choice.

        It can be argued that demanding something extra of someone when the license they've been given doesn't actually say they should is, well, illogical. If a form of words that describes what is actually intended is not in the license because it cannot be made to fit within law, tough luck. That should be a hint; law is the only set of rules that actually matter.

        It's a harsh world, but livings have to be made, and no judge is ever going to deny someone the opportunity to do so if they're sticking wholly to the letter of licensing arrangement they've entered into.

        Anyway, it looks like we're about to find out one way or the other. Having read GPL2, I can't really see exactly how Perens' assertion stands up (at least not to judge-proof quality). GPL2 is all about the here and now: "The program" is a phrase widely used through the license. GRSecurity's stable patch access agreement is effectively all about the future, a "Potential, future, different program, if it ever exists". They're clearly different things.

        Also the GPL2 clause 2 says one may modify a program (no restrictions), and then if one wishes to one may distribute the mod (but with conditions about notices and not altering the license), but it doesn't say that you must distribute the mod to all and sundry. All you are obliged to do is, if you give someone a copy of your binary, offer them the source code on physical media for a reasonable fee.

        If Perens wins, then effectively anyone doing their own kernel hacks is in breach of GPL2 if they don't publish their hack freely. That would, ironically, include the entire kernel community for the time between when they save a source code file they've altered and when they push it back up to some public GIT repo. That would be absurd.

        Wider Issues

        There's a few cases running at the moment which seem to boil down to the definition of "fair use".

        Google vs Oracle has dragged on now for a long time, depressingly so. However, Google's only possible avenue of argument now is that re-use of the Java API was "fair use" (the copyright breach argument is long since done and dusted in Oracle's favour). There are some schools of thought that, if Google finally win, that will make it hard to enforce GPL's license terms.

        1. Hans 1
          Facepalm

          Venerable AC, I think you have completely missed the point, here!

          If Perens wins, then effectively anyone doing their own kernel hacks is in breach of GPL2 if they don't publish their hack freely.

          Nope, you do not get it. Only those that sell/distribute derivative works have to, they have always had to, BTW.

          From https://grsecurity.net/agree/agreement.php (Perens has a PDF: http://perens.com/wp-content/uploads/2017/06/grsecstablepatchaccessagreement_additionalterms.pdf):

Notwithstanding these rights and obligations, the User acknowledges that redistribution of the provided stable patches or changelogs outside of the explicit obligations under the GPL to User's customers will result in termination of access to future updates of grsecurity stable patches and changelogs.

So, in clear, the GPL says I can redistribute the code to all and sundry AND explicitly prohibits the addition of limitations to the contract. GRSecurity says: if you exercise that right, you are no longer a customer. Clearly in breach of GPL, it no longer applies to GRSecurity, they have no leg to stand on, they are now selling Linux kernel patches without a GPL. Linus, and a bazillion other people, can sue them to hell and back ... and Perens can only win. This future code debate is moot: if I redistribute the code freely, I will be sanctioned -> clearly against the GPL.

          You have to understand that their whole business model relies on Linux kernel patches, that the Linux kernel was created by a great many people, that it could not exist without a license like the GPL ... great to see them contribute, sad to see them trying to milk ... Listen, GRSecurity, the kernel is NOT YOURS, consider yourself lucky to be able to make some money on the back of it!

          1. Steve the Cynic

            Fussy: the GR text you cite specifically allows you to distribute the patches as you are obliged to under the GPL. It restricts your ability to publish the patches themselves just for themselves. And it doesn't even say that you cannot distribute them. It says that GR won't give you any more patches if you do.

            There's wiggle room in that distinction for them to argue that they are OK, that they have complied with the *letter* of the contract, even if they have trampled the *spirit* of the contract underfoot. It's the sort of wiggle room that lawyers find Ferraris in, but there you are.

            On the other hand, someone trying to argue against GR could just as easily argue that a person's obligations under the GPL effectively require them to be able to publish the patches independently of distribution of a build of a patched kernel, thus spiking GR's legal cannon. (That is, that GR's language does not override the GPL - it even says it doesn't - and that therefore GR is in the wrong if it uses that wording to terminate the contract for such and such an act.)

            Again, enough wiggle room to hide several Ferraris, and I think that's the key thing to remember in all this.

          2. John G Imrie

            Notwithstanding these rights and obligations, the User acknowledges that redistribution of the provided stable patches or changelogs outside of the explicit obligations under the GPL to User's customers will result in termination of access to future updates of grsecurity stable patches and changelogs.

            I would say that the part I have highlighted is adding a restriction as to who I can redistribute the code to, as it creates two categories of people, those I can distribute the code to and continue to receive patches and those I can't.

            1. Vic

              I would say that the part I have highlighted is adding a restriction as to who I can redistribute the code to, as it creates two categories of people, those I can distribute the code to and continue to receive patches and those I can't.

              And, by virtue of that, it restricts redistribution to Section 3(a), whereas 3(b) is far more usual. That's a restriction, and therefore causes non-compliance.

              Vic.

        2. Doctor Syntax Silver badge

          "Perens may have sought legal advice before making the post(s), but legal advice is not the same as a judgement handed down by a judge sat in his/her court."

          That cuts both ways. GR may also have sought legal advice on their T&Cs. It'll now come down to an arm-wrestling match between two lots of legal advice. I wouldn't bet on the judgement but then I'm not a gambler.

        3. styx-tdo

          "If Perens wins, then effectively anyone doing their own kernel hacks is in breach of GPL2 if they don't publish their hack freely. That would, ironically, include the entire kernel community for the time between when they save a source code file they've altered and when they push it back up to some public GIT repo. That would be absurd."

? I am confused. Where is any clause that requires you to publish anything, even less for all to access? GPL does not, to my knowledge, limit _any_ modifications you do in your back chamber. And it requires you to re-license under GPL and add source code to binaries _that you distribute_ - so if you modify source code without compiling it, you can do with it whatever you want - keep it, share it with some people, share it with the world... - it just needs to contain source code and must be GPLv2 licensed. There is no clause in the GPL to force you to make your code publicly available, but if you do, it has to be GPL'd code w/ source... and that includes the right to re-distribute without any limitations.

          1. James Loughner

            You can hack the kernel all you want and keep it a secret but if you then distribute it then you must follow the GPL and make your code available to those you distribute it to and that code must follow GPL giving those your distribute to the same rights.

        4. Anonymous Coward
          Anonymous Coward

          "All you are obliged to do is, if you give someone a copy of your binary, offer them the source code on physical media for a reasonable fee."

This is not quite accurate. If you give someone a copy of your binary, you can include the source code _with_ the binary. If you didn't include the source in your binary distribution, then your offer to make code available on media at cost price or less must be to everyone, not just to the people you gave the binary to.

        5. AdamWill

          "So whatever one think's of the appropriateness of the move to sue Perens, it was always inevitable that they would do so in response to such a public post. They (and their customers) have no choice."

          I think it's important to point out that this is, quite clearly, *absolute* claptrap. They most certainly did have a choice, and they made a terrible one. All your verbiage does nothing to change this.

          Most of your other assertions are equally ridiculous. Perens will not have to 'defend his interpretation in court', because that's not what defamation is. He only has to prove he didn't defame anyone. He can do that perfectly well even if his interpretation is wrong.

      2. Anonymous Coward
        Anonymous Coward

it's a complete dick move to sue someone for defamation merely because they stated their opinion about the license interpretation, *clearly marked as* a personal opinion. It doesn't really _matter_ whose interpretation is correct, that's still a crappy and incredibly stupid thing to do.

        FIFY :)

        1. AdamWill

          It can be *two* things. :P

      3. SorenUK

        I'm with Perens on this one. Since the kernel and GR's patches must be licensed as GPLv2 (and there is no reasonable expectation that this is likely to change in the future) this will mean that these yet-to-be-developed future patches will also have to be licensed as GPLv2. By trying to introduce additional conditions on the distribution of these future patches now, they will then still be in violation of the GPLv2.

        I.e. If they currently release patches version X, with additional conditions for patches version X+1 - then they have a huge problem should they ever attempt to release patches version X+1: Since they have already put additional distribution conditions on such patches they cannot be GPLv2 - thus, they cannot release X+1 patches without violating GPLv2.

      4. DuncanLarge Silver badge

        I think you will find a paradox here. The added restrictions to the code that does not yet exist will cease to exist once the code in fact exists.

        Thus the restriction never existed in the first place and requires double think to think it did.

It's the same as saying "You are forbidden from spending any pocket money, while you have no pocket money".

        Or saying to a court that when your code had a bug and said "if(2+2 < 3) then exit else give loads of money to user" it excludes you from paying that user as you expected the users computer to not execute the code.

    2. Anonymous Coward
      Anonymous Coward

      By my understanding of the GPLv2 Grsecurity is completely without a legal leg to stand on here. They're illegally tacking conditions onto existing code which MUST be licensed under the GPL (as all Linux kernel patches must be thanks to the copyleft nature of the GPL).

It's not a condition that GRSecurity are applying to the code which the distributee has received. It's merely a statement along the lines that the distributee won't be receiving any future code if they upset GRSecurity.

      Basically it's exploiting the fact that everyone wants to be receiving a steady, continuous stream of patches both now and into the future. Literally no one wants unsupportable code (apart from, seemingly, most IoT manufacturers, most Android manufacturers, etc).

I think Perens is on slippery territory here, and now he's going to have to justify his assertion in court. IANAL so I don't know what the burden of argument needs to be either way, but I won't be betting on him winning.

      1. Doctor Syntax Silver badge

"I think Perens is on slippery territory here, and now he's going to have to justify his assertion in court. IANAL so I don't know what the burden of argument needs to be either way, but I won't be betting on him winning."

If the burden of argument in the US is the same as English law then it would be balance of probabilities. I wouldn't like to bet on either side although if it were to go up the courts system through appeals whoever has the deeper pockets stands the better chance. There'll be support for Perens through the FOSS movement. Is anyone bankrolling GR?

        1. Glen Turner 666

"If the burden of argument in the US is the same as English law then it would be balance of probabilities". That applies to issues of fact, but the meaning of that clause of the GPLv2 is an issue of law. So the court will determine that matter of law, and if Perens is correct in his assessment of the license then he has a defence of truth for the claim of defamation.

          1. asdf

            >If the burden of argument in the US is the same as English law

Not an ambulance chaser myself but from what I understand libel/defamation/slander laws are much weaker in the US than the UK (ie burden very high). Tie tends to go to the runner (1st Amendment).

            1. asdf

              Caveat on above comment being at least pre Darth Cheeto. The world's biggest snowflake and his butthurt thin skin threatened to change the law but pretty obvious to all how effective he is at getting laws passed or changed.

            2. Doctor Syntax Silver badge

              "Tie tends to go to the runner (1st Amendment)."

              Good point.

          2. Doctor Syntax Silver badge

            "That applies to issues of fact, but the meaning of that clause of the GPLv2 is an issue of law."

            I don't know if US law has the same complication but I can remember issues of mixed fact and law turning up in an IR35 case long ago. As far as I can remember, the line ran like this:

            - The judge* decided on the law in interpreting a contract

            - The interpretation became a fact in the case

            - It then became impossible to challenge the judge's interpretation on appeal because it was now a fact and the appeal couldn't redetermine facts.

            * At that sort of tribunal the actual title might not have been "Judge" but the function was essentially that.

            1. dajames

              Not quite how it works ...

              - The judge* decided on the law in interpreting a contract

              - The interpretation became a fact in the case

              - It then became impossible to challenge the judge's interpretation on appeal because it was now a fact and the appeal couldn't redetermine facts.

              I am not a lawyer, but this is not quite how it works, as I understand things (in the UK).

              Once a judge makes a ruling on a point of law (such as the correct interpretation of a contract term) that sets a precedent in law. Other judges judging cases in the same court (that is: at the same level) will defer to that judgement.

              However, a judge in a higher court (an appeal court) CAN overturn the original judgement -- that's the point of the appeal court. Judges with more seniority and experience get to reexamine the decisions made by more junior judges in lower courts and either uphold or overturn them. It's a legal "second opinion".

      2. TheVogon

        "It's merely a statement along the lines that the distributee won't be receiving any future code if they upset GRSecurity."

        Sure sounds like a term / condition to me...

      3. a_yank_lurker

        In the US, defamation requires proof Perens intended to harm GRSecurity. A difference of opinion about the interpretation of a license or contract is not defamation. This suit might run afoul of SLAPP legislation with Perens winning effectively a default judgement. Given Perens' involvement with FOSS licensing and that many agree with his interpretation I doubt this suit will get far.

        1. Anonymous Coward
          Anonymous Coward

          In the US, defamation requires proof Perens intended to harm GRSecurity.

          Well let's see. His blog is titled,

          Warning: Grsecurity: Potential contributory infringement and breach of contract risk for customers

          He's clearly issuing a warning (which may be false) to GRSecurity's customer base. That's getting right to the very core of GR's business.

          Given his role as expert witness in other cases he can be expected to know what he is talking about. That means if anything he publicly states in such directed terms is found to be incorrect, it can't be anything other than deliberate.

          He cannot assert that his opinion has zero weight in the murky world of How Licenses Are Interpreted By Courts, or claim to not realise what impact this blog would have. He is a businessman himself, and indeed runs a consultancy specialising in these matters.

          So pleading no intent to defame (if his opinion is found to be incorrect) would be a difficult sell. He is not an untutored commentard like you and me. He would be trying to persuade a judge that all his prior involvement in FOSS court cases and indeed his own business are of no consequence when his words in this blog are interpreted.

          In fact if he loses this one then there might be a queue of people looking to reopen previous court cases in which he gave expert testimony against them. And a lot of his own clients might start wondering why they bothered seeking his services...

          That's a high risk strategy for Perens.

          As it happens I think the kind of people who are likely to be GR's customers are going to be very wary and will have previously engaged lawyers to advise them as to the "safety" of using GR's product. That is not at all unusual when a business is seeking to incorporate GPL code into their project. The fact that GR has customers at all suggests to me that an awful lot of lawyer time has already gone into this, and that they're pretty confident about it.

          Don't bet on Perens winning this one.

          1. GrumbleBoy

            I think Perens has no real worries here, because of the word "Potential".

            Facts are things that have either happened, or things that have not happened. Things that may or may not happen in the future are speculations, not facts. At present (August 2017), Perens is speculating that using Grsecurity's product opens the potential for liability. Perens is speculating. Grsecurity disagrees, and they are speculating. The potential liability won't become a fact until sometime in the future when a Grsecurity customer gets sued and the matter is decided in court. In the meantime, this is an opinion, not a fact. Opinions enjoy legal protections in the US.

            1. Zolko Silver badge

              The potential liability won't become a fact until sometime in the future when a Grsecurity customer gets sued

              so ... now that GRsecurity did sue Perens, doesn't that prove that dealing with GRsecurity can indeed bring legal trouble ?

        2. Adam 52 Silver badge

          "In the US, defamation requires proof [----] intended to harm "

          No it doesn't. It just requires negligence. There are additional rules for public figures that require maliciousness or negligence, but they still don't necessarily require intent and in any event aren't relevant here.

      4. Anonymous Coward
        Anonymous Coward

        I think Perens is on slippery territory here, and now he's going to have to justify his assertion in court. IANAL so I don't know what the burden of argument needs to be either way, but I won't be betting on him winning.

        I disagree - you are allowed to have an opinion and express it. The burden on GRsecurity is to prove wilful malicious intent to a very high standard, which Perens' various offers to assist over time have effectively defanged.

        GRsecurity would have a case if Perens had been stating his post as fact, but he very explicitly has not. If GRsecurity's interpretation of the law were correct it would be the end of product reviews and newspapers, and unless Perens' lawyer is asleep in court he ought to win this.

  7. razorfishsl

    Sorry, he was expressing an "opinion"; how can you be sued for expressing an opinion? We also note they don't go after Linus, who is obviously a bigger fish.

    1. InNY
      Pint

      This is the post-Brexit vote Trumpian world where opinions are "facts" and facts are... facts are...

      irrelevant, unnecessary and obviously not facts.

      and that's a fact!

      sorry, couldn't resist :D

      Have one of these on me! --->

      1. This post has been deleted by its author

      2. Bernardo Sviso
        Pint

        > This is the post-Brexit vote Trumpian world where opinions are "facts" and facts are... facts are...

        > irrelevant, unnecessary and obviously not facts.

        > and that's a fact!

        Ummm,..

        Would that be an "alt-fact", or a "fact-fact"?

    2. Adam 52 Silver badge

      'an "opinion" how can you be sued for expressing an opinion'

      It's called defamation. If your opinion is wrong, hurts and makes a reader think less of someone/something, and is unreasonable for someone in your position to make, then you're liable.

      Lots and lots of El Reg commentards don't like or accept this, but it doesn't make it any less true.

      There are subtleties. So Fred ranting on in the pub on a subject which he knows little about and nobody takes him seriously isn't (actionable) slander. But a well known open source expert writing in public on open source licences, well people might well take him seriously.

      1. SImon Hobson Bronze badge
        Headmaster

        If your opinion is wrong ...

        Actually, under English law you can be in the wrong even if your statement is factually correct.

        For example, a newspaper prints an article stating that Mr Yokel of Wurzel Street is in court charged with (something) - which may be perfectly correct. However, if that Mr Yokel lives at No 5, the other Mr Yokel living at No 23 has standing to sue the paper for defamation - because although the statement is 100% correct, it incorrectly leads readers to believe that Mr Yokel of No 23 has been charged with criminal offences when he hasn't. So by not making it clear that they are specifically referring to the Mr Yokel at No 5 they have left themselves open to action.

      2. Kiwi

        'an "opinion" how can you be sued for expressing an opinion'

        It's called defamation. If your opinion is wrong, hurts and makes a reader think less of someone/something, and is unreasonable for someone in your position to make, then you're liable.

        So are GRSecurity about to turn around and sue their own lawyers? Or themselves? After all, their lawyers gave them advice, and on the basis of that opinion they effectively published stuff that makes most readers "think less of" them.

        If your interpretation was true, then MS, Pottything, a great many bands, all sorts of companies from small to big would be after me and a whole lot of other people. Every single time someone says "What would be my best option for a new computer" and I say "Linux Mint" I am expressing an opinion that harms MS, Ubuntu's maker (can't quite remember the spelling), Red Hat, any who sell *BSD, Google (Chromebooks) and so on - I'm potentially stopping them getting a sale.

        And that would be more so if I was to recommend a MS product, as it would be quite "unreasonable" for me to promote them! ;)

    3. yossarianuk

      Linus didn't accuse them of breaking a license.

      He just accused them of writing joke code (i.e. what their entire business is about).... which should have been worse.

      I hope open source (a term he originally helped coin) companies fund Perens' legal costs against these uber dicks.

      https://en.wikipedia.org/wiki/The_Open_Source_Definition

      1. Comments are attributed to your handle

        Hell, where's the Kickstarter? I'll throw in $50. Grsecurity are a bunch of combative asshats.

  8. Anonymous Coward
    Anonymous Coward

    I was in general agreement that it was probably GPLv2 compliant until I saw grsecurity sells on subscriptions. I don't see how they could claim to be in compliance with selling a subscription without providing all patches or a refund for the term; keeping the money and not providing patches would seem to be adding a requirement to the GPL. I think they'd be on much firmer ground if they were selling patches one-off, and just refused to do business once a distributor was identified.

    Anon because lawsuit...

  9. DownUndaRob

    To quote Shakespeare

    GRSecurity doth complain too much, methinks.

  10. Anonymous Coward
    Anonymous Coward

    This is a defamation lawsuit, not a copyright infringement lawsuit. The only thing that will be litigated is whether Mr. Perens has a right to express his opinion. And he did. If expressing an opinion about a legal matter was defamation, then all complaints in lawsuits would be defamation too. The complaint in this lawsuit just can't win.

    So, you will not learn whether Grsecurity had a right to do what they are doing from this suit. That is a copyright matter and just can't be litigated in a defamation lawsuit. This suit will only determine that Mr. Perens had a right to make his statement.

    This is obviously a matter for the SLAPP law, which prevents deep-pockets entities from bringing spurious defamation lawsuits just to keep someone from expressing their opinion publicly. This sort of case is literally why the SLAPP law was made. Thus, it's obvious that Perens' law firm will make a SLAPP filing next, which will mean a swift conclusion to the case, and Open Source Security, Inc. will end up having to pay all of Mr. Perens' legal expenses.

    Note that Perens is using a world-class law firm that can handle any sort of issue, and a lead attorney who wrote a book about Open Source licensing. In contrast, Open Source Security Inc. is using a one-man law firm and all of their online reviews are about their patent filings. It sounds like Mr. Patent Attorney might have been naive to file this case, and his customer ill-advised. Open Source Security Inc. joins the list of litigious turkeys.

    1. Anonymous Coward
      Anonymous Coward

      In contrast, Open Source Security Inc. is using a one-man law firm and all of their online reviews are about their patent filings. It sounds like Mr. Patent Attorney might have been naive to file this case, and his customer ill-advised. Open Source Security Inc. joins the list of litigious turkeys.

      Well, looking at the name. "Rohit Chhabra, founder of the Chhabra Law Firm", I suspect they're outsourcing their legal support to India.

      1. Don Dumb
        Facepalm

        @AC - "Well, looking at the name"

        How nice of you to clarify up front that you're being a completely racist shit

        1. David Roberts
          IT Angle

          Racist?

          Or just a well crafted dig at IT firms outsourcing important work to other continents?

          1. Don Dumb

            Re: Racist?

            @David Roberts - Let me spell it out for you, "going by the name" suggests that someone with that surname is based in India, based only on his name. Because of course, assuming someone with that name isn't American or based in America is just straight up racism.

            I can get behind digs at outsourcing but assuming someone with an Indian name isn't in America, is shit behavior.

            1. Anonymous Coward
              Anonymous Coward

              Re: Racist?

              "assuming someone with that name isn't American or based in America is just straight up racism."

              OK

              "assuming someone with an Indian name isn't in America, is shit behavior."

              OK.

              Now, is it OK, or is it not OK, for the pro-tem President of the USA to do both of the above e.g. a travel ban based on names?

              If it's OK for the President to do that... well, you work it out.

            2. chiggsy

              Re: Racist?

              @Don Dumb - Not "straight up racism." People keep using the same word for different things, it's annoying. Nationalism is what it is. Why do you think there is a racial element? Outsourcing jobs is a byproduct of globalism. That's not to say the issue does not become tangled up with race, it sure does, but if it were the Germans who were doing the IT jobs for cheap the issues would be the same.

              I completely see your point, here, but he did not say the person was unqualified or unsuitable because of his name or potential location, nor did he suggest some other kind of person would be better suited for the task. There is traffic between the tech sectors of India and North America, much of it from the subcontinent to the USA. Grsecurity seems to be the villain here, and it would be funny if they did actually outsource the legal case to India. It would make them cartoonishly evil in the eyes of the Free Software crowd, as well as the legal people.

              Where we are headed with this approach is a moral code of conduct as strict as the Puritans, absent the idea of a loving God. I've grown uncomfortable with the indiscriminate shaming, because it presupposes a population of utopians, whose shame will force them into acting the "right way." This is coercive, regardless of how good the intentions are. Not everybody is consciously racist, or sexist or whatever. You want to make sure they are before you accuse them of having such a nasty character trait, in my opinion, because it alienates people who might not be totally opposed to your cause.

              I kind of think we should aim to be better ourselves.

    2. Hans 1
      Coat

      This is a defamation lawsuit, not a copyright infringement lawsuit.

      Well, this is the prelude, the copyright infringement lawsuit will follow, and since, imho, GRSecurity have no leg to stand on, they will be on the receiving end of this unwinnable copyright infringement lawsuit.

      Consider them out of business already.

    3. Doctor Syntax Silver badge

      "This is a defamation lawsuit, not a copyright infringement lawsuit. ...So, you will not learn whether Grsecurity had a right to do what they are doing from this suit. That is a copyright matter and just can't be litigated in a defamation lawsuit."

      AFAICS the whole thing turns on Perens making a comment on whether the GR T&Cs infringe the GPL2 T&Cs. Although you're right in that copyright infringement can't be litigated in the defamation lawsuit the defamation lawsuit will have to be decided on whether GR's T&Cs do infringe. If that decision goes against GR then it makes a copyright suit a bit easier and maybe more likely.

      1. Doctor Syntax Silver badge

        "the defamation lawsuit will have to be decided on whether GR's T&Cs do infringe."

        Having thought about this a little more it now seems to me a little more nuanced than that. The court doesn't need to decide whether it infringes. It needs to decide what would probably* happen if infringement proceedings were brought in a copyright case.

        ISTM that the plaintiff has to prove that:

        1. The article was wrong. If the article was right it becomes a very difficult task to try to argue defamation.

        2. It has to prove defamation. There may be a whole lot of issues in both directions here - should Perens, as an expert, be held to higher standards than the man in the Clapham omnibus? as an expert does he have a duty to warn others? Is he protected by freedom of speech? does this SLAPP thing protect him?

        The defence only has to defeat one of these issues.

        * Balance of probabilities applies.

  11. EveryTime

    Perens has two shots at winning.

    This is a defamation lawsuit. Perens can either show this was an opinion protected by the 1st amendment, or show that he was right. In court he can argue both, and win on either.

    The standard for defamation might be arguable on the margins, but this case is in the well-trodden middle. It was stated as an opinion, and wasn't clearly or knowingly false. The latter is easily shown by the disagreement above.

    The judge will likely take the easy way out and simply rule that the statements were protected opinion. But this case could become truly interesting if the judge goes further and rules that Bruce was correct.

    But we won't need to wait until the trial for grsecurity to lose. Developers and users that care deeply about freedom will reject and replace grsecurity. Users that don't care one bit about the philosophy will quickly figure out that grsecurity is a dead end path.

    In my experience, most developers and users are pragmatic. They don't let the desire for perfection and purity be the enemy of good-and-getting-better. They'll ignore a little bit of sketchy behavior and license bending, to a point. But once the issue hits the breaking point, opinion shifts suddenly and permanently. The transition from Bitkeeper to Git happened in the blink of an eye, and it was irreversible.

    1. Anonymous Coward
      Anonymous Coward

      Re: Perens has two shots at winning.

      The standard for defamation might be arguable on the margins, but this case is in the well-trodden middle. It was stated as an opinion, and wasn't clearly or knowingly false.

      I disagree. Perens has been an expert witness on such matters in other court cases, and indeed runs a consultancy specialising in such matters. Expert witnesses don't have opinions in court, they give authoritative statements of fact under oath. That status does not, and indeed cannot, wash off when they leave court.

      If Perens were an untutored commentard like me then yes, this would be a middle ground defamation case. But because he's placed himself high up above such a level by being an expert witness and running a business covering such matters, this surely elevates this defamation case quite a lot.

      But we won't need to wait until the trial for grsecurity to lose. Developers and users that care deeply about freedom will reject and replace grsecurity.

      Don't count on it. I strongly suspect that most of their customers will previously have got lawyers to give the situation the once over before becoming GRSecurity customers. They're not going to be casual users, they're going to be quite large businesses not easily swayed by public opinion. The fact they have customers at all suggests that a ton of lawyer time has already gone into this.

      And replace it with what? The generic Linux kernel?

      1. Cody

        Re: Perens has two shots at winning.

        Whether he has testified as expert witness makes no difference. He has still carefully stated it as his opinion, and qualified that to say that it's his opinion as a customer. If an attorney were asked by a journalist whether he thought Perens was right on the law, and he explained that his view of the law was the same as Perens', do you think he would be open to a defamation suit? Of course he would not be!

        There is no obligation on us to be right. There is an obligation on us to be responsible in our public statements. One sign of that is that you give the grounds for your opinions, which he has done.

      2. Doctor Syntax Silver badge

        Re: Perens has two shots at winning.

        "Expert witnesses don't have opinions in court, they give authoritative statements of fact under oath."

        I used to give evidence as an expert witness, albeit in a different field. As an expert I had access to a body of factual information that a lay witness might not (e.g. tables of blood group frequencies) but essentially what I offered was an opinion. The court would accept that as evidence where it wouldn't accept a non-expert's opinion. Experts can offer contradictory opinions in which case, as with any other witness, the jury has to make up its own mind.

        Nevertheless a court might well hold Perens more responsible for his opinions than the man down the pub.

      3. nijam Silver badge

        Re: Perens has two shots at winning.

        > And replace it with what? The generic Linux kernel?

        Not all informed opinion agrees that the generic kernel would be less secure, AFAICT.

      4. the spectacularly refined chap

        Re: Perens has two shots at winning.

        Expert witnesses don't have opinions in court, they give authoritative statements of fact under oath.

        No, expert witnesses are in fact the only type allowed to express opinions; the courts recognise that judgement is a key factor in many skilled occupations. For many areas of key importance to cases, psychology for example, there are no such things as facts, opinions are all you get. The courts recognise that which is the very reason they have expert witnesses. Someone dealing purely in fact is simply a witness, no matter how much expertise they have in the area.

        No comment on the merits of the case, however. It raises a couple of interesting questions and it strikes me that those adopting vehement positions one way or the other are basing them on things other than the specifics of the case.

  12. David Roberts
    Alert

    Stand up and be counted!

    Lot of long and complex arguments here by AC posters.

    Then again, posting in your ID of "second hand knicker elastic" or similar is not very likely to have the Feds (or your neighbours) immediately kicking your door down.

    Always puzzles me when people post as "AC because" when most posters are anonymous by handle anyway. Plus the handle can be changed if you aren't desperately badge hunting.

    1. Kiwi
      Boffin

      Re: Stand up and be counted!

      Always puzzles me when people post as "AC because" when most posters are anonymous by handle anyway.

      Thing is, over time we give away many details - some even may have stated exactly where/who they work for.

      A view of my posting history will tell you what city I live in, some of the industries I've worked in, and a number of other things. If I had a LI profile, there could well be enough stuff in my posts to have a fair chance of ID'ing me from that, and if you can ID me you can ID my firm.

      Most of us don't post enough to say who we are, but what if El Reg gets hacked and the handle/email address data gets published? If I registered using my company email (as I suspect a number of people here have done) then again you have me, and who I work for. What if none of this happens, but the company lawyers or managers are simply nervous about stuff being published that COULD be taken in a bad way, breach of confidentiality/NDA etc etc? While a hack could show that AC posting at 16:45 on 12/12/2012 [1] was in fact "Kiwi", unless and until someone publishes that data there is no way to be sure. Posting style, other comments around the same time etc might indicate a certain poster but they are not proof.

      HTH

      [1] Timestamp produced by the normal process in which statistical numbers are derived, ie I used the first number that popped into my head that sounds plausible.

    2. Zolko Silver badge

      Re: Stand up and be counted!

      Lot of long and complex arguments here by AC posters.

      yes ... and all with the same visual effects (bold for quotes) and all defending GRsecurity. Strange, isn't it ?

  13. Cody

    Statement of opinion

    This has no chance of succeeding, whether he is right or wrong. He is careful to say that it is his opinion, and to give the grounds for it. He has carefully avoided simply asserting it as fact. Given that, it's a non-starter and will probably never end up in court. The plaintiffs will lose expensively.

    In the US also, to win defamation suits you have to prove 'actual malice', which is very hard. You have to be making assertions which you know or could readily have ascertained were false, and you have to be doing it with intention to harm. The UK test does something very similar. This is a non-starter.

    That is my own opinion, anyway!

  14. szaromano
    WTF?

    Well, first of all. About one of the authors of GrSecurity/PAX:

    "Meanwhile, the lifetime achievement award went to pipacs. "Microsoft today has announced a challenge, giving out $200,000 for work very similar to that that has been done and given away for free by pipacs, a decade ago," said judge Dai Zovi. "All of the operating systems that we use today that have protections against memory trespasses, all of these protection mechanisms can be traced back to the work of pipacs." Microsoft's recently announced prize money for enhancing Windows security, he said, is an extension of the work begun by pipacs, who is perhaps best known for inventing address space layout randomization (ASLR)."

    And some background info. Yeah, Grsecurity is so garbage that Intel/Windriver tend to steal their patches, integrate it into routers, whine for help in the support forums and give back zero bucks. Also KSPP plagiarizes the GRSec source, and after all, a bunch of nobodies just say the whole shebang is snakeoil. Now, when they ask for money for their well earned work, they try to discredit/kill them. This means the product is great, working, so go and use it.

    Footnore: Linus is a prick, big time.

    1. Lee D Silver badge

      Er...

      Nobody questions that grsecurity does some good techy work.

      However, stuff like KSPP plagiarising it is really spurious. Is there really a problem if you plagiarise a GPL work? Not really. That's kind of the point of the licence. It positively encourages you to. Legally speaking, they could pick up grsecurity and stick it in the core kernel and there's NOTHING they can do about it.

      Why don't they? Because although it WORKS, it interferes with every single subsystem with no care for whether it breaks working things. Linus has said basically those exact words. The guy has absolutely NO interest in submitting the patches properly and expects the world to just pick up his software in a lump, throw it into the kernel without checking on the basis of his sign-off, and then "fix it up" later. That's not how the kernel has ever, or could ever, work. To expect so is sheer, absolute arrogance. A trait that the grsecurity guy basically personifies.

      And because he hasn't got his way, and because many people have tried and failed to work with him, he's basically cut off from the mainstream kernel and now trying to sell his own port (99% of the work he does relies on the kernel that he didn't write, which is GPLv2, and most of that he doesn't really care about - whereas Linux developers do. He's put some security checks into a MASSIVE base of code, and then acting like he runs the world), refuse service to people who show that GPLv2 derived code to others, and now sue people for saying "You can't do that".

      Nobody doubts that he's talented. But that talent is NOT in working with other people. In fact, he's a bit of a prat. You can often find him on mailing lists and places like LWN.net. Basically, I've never once seen him ever say that someone else was right, in even the smallest way possible (e.g. "Well, yes, that is a concern, but..."). As such, after MANY years of such things, he's been sidelined.

      Unfortunately, he now thinks he can sell access to code that's based on other's work (99% of a grsecurity kernel is NOT his, even if he only distributes a patch to it), ignoring the underlying licensing, and suing anyone who disagrees (and their web host). That's got superiority complex written all over it.

    2. Vic

      Footnore

      Nice of you to join our community just so you could post that...

      Vic.

    3. nijam Silver badge

      > Footnore

      Footgnaw? Just asking.

  15. stephanh
    Trollface

    I got convicted for murder...

    now I am suing the judge for defamation!

    (Note: downvoters will be sued for defamation too.)

  16. Anonymal coward

    Hmm...

    Here's what Chhabra says in the footnote:

    "No court of law has ever established that a statement implying a false assertion of fact is constitutionally protected speech..."

    They're going after Perens by implying that an opinion about a future event (which may or may not happen) is "a false assertion of fact", nothing to do with the GPL in and of itself. So that's any opinion about anything in the future that suddenly has become a false assertion if you don't like it. Is it me or is that really thin ice he's walking on?

    1. GrumpenKraut

      Re: Hmm...

      > Is it me or is that really thin ice he's walking on?

      That's quite an understatement IMHO. I expect the court's response to be along the lines "You stupid?".

      Now even IF (by a dozen of weirdest miracles) he wins the case, he'll have screwed his standing pretty much forever.

  17. M man

    So there are three contracts here:

    the GPLv2, the modified GRsec patch contract and the GRsec supply contract.

    The issue is the supply contract is supplied with the caveat that it will end WHEN you distribute the patch.

    But it cannot end before then, if you say im going to take this patch and distribute it, they STILL have to give it to you. So the patch contract does not prevent you distributing it.

    If the supply contract works otherwise, it inhibits GPLv2

    Of course you could argue that the fact you have a contract with and end date. that can be cancelled before hand is an inhibiting factor.

    Think this may come down to what the definition of future business.

    Are contracted but unfulfilled future patches classed as future business? im pretty sure its not ,being agreed in the past.

    I take it nobody is distibuting these patched kernels? cant see that being possible under the two agreements.

  18. CFWhitman

    GRSecurity is pretty clearly in the wrong about their conditions on redistribution. Basically, making any statement about what they will do if you redistribute code is placing a restriction on redistribution of code. That's clearly a violation of the GPL. Any other interpretation amounts to "fancy lawyer tricks" (that's generally a euphemism for "lies that you could get away with," by the way).

    As to Linus' statement that GRSecurity's patches are "garbage," he is speaking about how they comply with kernel policies as to not violating rules for maintainability. More than one of their patches has been re-implemented by someone who did follow the rules and added to the kernel. GRSecurity likes to jury-rig patches for the kernel and then gets mad when someone notices the jury-rigging and replaces it with actual repairs.

  19. Arach

    "The agreement says that customers who redistribute the code – a right under the GPLv2 license – will no longer be customers and will lose the right to distribute subsequent versions of the software."

    This isn't accurate, to say the least. Where does that right come from in the first place? GPL doesn't cover any future related works nor does it oblige the authors of the previous versions to release any further ones to the public, their clients or to anyone else. There's Affero GPL that exists to enforce public availability of all modifications and derivative works, and it's a totally independent license, incompatible with GPL.

    And even though the article includes the comment from Grsecurity's attorney, it's still unbalanced, if not mostly one-sided.

    1.

    First of all, it doesn't mention (though it does provide a link) why public access to Grsecurity patches was removed in the first place: https://grsecurity.net/announce.php

    TL;DR: continuous GPL violation and trademark abuse by several large corporations. Where were the Bruce Perenses of the world?

    That after the patches were available to anyone absolutely for free for many years, even regardless of the fact that Grsecurity had few sponsors who were paying for development of the stable patches. So maybe one should take that into account before jumping to conclusions that Grsecurity developers just want more money and are trying to silence the good people, or something like that, as seen in the comment section here and pretty much everywhere.

    2. Perens' attitude is criticized by some Free Software activists, such as Bradley Kuhn:

    https://lists.debian.org/debian-user/2017/07/msg00811.html

    Quote:

    "Bruce, if you haven't looked at the Principles of Community-Oriented Enforcement <https://sfconservancy.org/copyleft-compliance/principles.html>, which were co-published by Conservancy and the FSF, and endorsed by a wide range of other organizations, including FSF Europe and the OSI, you should definitely do so.

    The most relevant principle regarding your public post referenced in this thread is: "Confidentiality can increase receptiveness and responsiveness." You don't indicate in your blog post that you put in efforts to resolve this matter confidentially and sought compliance in a collaborative and friendly way first. That's a mistake, in my opinion.

    Conservancy often spends years of friendly negotiations, attempting to resolve a GPL enforcement matter before making public statements about it. We have found in our extensive experience of enforcing the GPL that early public statements sometimes thwart not just our enforcement efforts, but the enforcement efforts of others."

    3.

    > Linus Torvalds, who oversees the Linux kernel, has called Grsecurity's patches "garbage."

    What a nice informative statement, even with a link! So here's another link for the readers:

    http://seclists.org/oss-sec/2017/q2/586

    Let me quote Brad Spengler, one of the Grsecurity developers:

    "Are you delusional? Sorry, you don't get to weasel your way out of calling us clowns, that our code is garbage, with this weak reply where you can pretend you didn't just say those things and now would love for us to provide our "garbage" code directly. Also you might be in confusion as to the extent to which KSPP is "cleaning up" parts of our code -- they're definitely introducing bugs and renaming variables. Other than that, they have a tendency to misrepresent the source of their ideas, so I can understand the cause of your confusion. This, for instance: http://www.openwall.com/lists/kernel-hardening/2017/06/20/34 was simply someone realizing we had updated the code they previously copy+pasted, and copy+pasted the newer version. He is being funded to do this. He even emailed me for help figuring out the code he was being paid to copy+paste."

    1. GrumpenKraut
      Stop

      Created an account just for saying this? A bit down in the thread quoted by you, in a message from Linus:

      "Quite frankly, I'd much rather see *you* actually send in patches that are acceptable for inclusion, something you've never done."

      1. Arach

        "Created an account just for saying this?"

        Yes, why not.

        "A bit down in the thread quoted by you, in a message from Linus:

        "Quite frankly, I'd much rather see *you* actually send in patches that are acceptable for inclusion, something you've never done.""

        Since your comment has 5 thumbs up, could you clarify, please, what you meant by quoting those Linus' words? Because it seems I did miss something.

        1. GrumpenKraut

          > could you clarify, please, what did you mean by quoting those Linus' words?

          The quote supports my observation that GRSec does not make a reasonable attempt to contribute to the kernel. They may offer a mega-patch that will never get accepted, as anyone who even occasionally follows Linux kernel development should know, as in "patches that are acceptable for inclusion".

          The lawsuit will sink GRSec for all practical purposes.

          Btw. I am aware of Windriver's nasty behavior, not sure El Reg ever had an article on that.

          1. Arach

            "The quote supports my observation that GRSec does not make a reasonable attempt to contribute to the kernel. They may offer a mega-patch that will never get accepted, as anyone who even occasionally follows Linux kernel development should know, as in "patches that are acceptable for inclusion"."

            But speaking of Linus calling Grsecurity patches garbage, why is that even relevant?

            My point is that Linus can't *reasonably* call Grsecurity "pure garbage" or anything like that, *especially in the context in which he did so* (in reply to that luto's question), and, at the same time, allow KSPP to copy-paste code from those "pure garbage" patches, even though (!) the developers who do that don't understand the "garbage" code to the full extent. It is a contradiction or a hypocrisy, either or both.

            Now going back to Andy Lutomirski's question: "Has anyone checked how grsecurity deals with this? I think they have a large stack guard gap." - that is exactly what Linus replied to with his "pure garbage" words (pun intended). I wonder how many commentators realize - or even care to try - that the "pure garbage" code from Grsecurity that fixed this problem was correct from the start and for 7 years since 2010, while Linus' code was wrong (even after several attempts to fix it), has broken compatibility with some applications (some Java VMs, probably something else) and in the end turned out to be not enough as a solution. For everyone interested in knowing, rather than just trusting and guessing, I suggest reading this, at least: https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php - to get familiar with the other side of the story.

            "The lawsuit will sink GRSec for all practical purposes."

            One thing about Grsecurity that many don't realize is that it's a project run by enthusiasts, who won't stop their work, even if their attempts at monetizing its result fail.

    2. SImon Hobson Bronze badge

      This isn't accurate, to say the least.

      ...

      GPL doesn't cover any future related works nor does it oblige the authors of the previous versions to release any further ones to the public, their clients or to anyone else.

      You are correct that the GPL says nothing about anyone having to distribute to any particular person - so yes, GRS can pick and choose who they deal with.

      But they are freely admitting that "we are selling you this GPL2 code, you have the right to redistribute it, but if you exercise that right then we'll do something to you (in this case, withhold future versions)". That IS putting a constraint on you exercising your rights under the GPL2.

      Just like "free elections" where you can vote for anyone, but don't expect to find more than a pile of ash where your home was if you vote for anyone but "the official candidate", are not free elections. Just like all those business owners were quite free to accept or reject an offer of insurance from the local mafia/whatever.

      Now, is this case about defamation or about the GPL? Well, the case depends on whether BP was correct in his assessment. If he's correct then the case should fail; if he's wrong then he could lose. So before the judge can decide how to rule, he can't avoid determining if BP is correct. So I suspect that this will see the argument tested properly in court.

      1. EveryTime

        "Now, is this case about defamation or about the GPL ?"

        The case is about defamation.

        The plaintiff must show that the statement was both defamatory and untrue.

        The judge can decide either point in the defendants favor and the case is over.

        In my view, there was no defamation. That's an easy call.

        In my view, the additional conditions GRSecurity adds do not conform to the GPLv2 license. But that is a much closer call, one that fancy lawyerrin' and big words can sway.

        Most judges are going to look at this case, see the easy decision, and skip ruling on the close call about the GPL.

      2. Arach

        First of all, this part of the article:

        "customers and will lose the right to distribute subsequent versions of the software"

        ...contains a GPL interpretation mistake made by the author of the article, which neither Perens nor OSS Inc. has anything to do with. I just wanted to correct him, and that's what the AGPL reference with the rest of the text of that paragraph is for.

        "But they are freely admitting that "we are selling you this GPL2 code, you have the right to redistribute it, but if you exercise that right then we'll do something to you (in this case, withhold future versions)". That IS putting a constraint on you exercising your rights under the GPL2."

        IANAL, but here I disagree. OSS Inc. has the right to stop doing business with anyone, for any reason. That right isn't covered by nor does it arise from the GPL and thus exists independently, being guaranteed by law. And I don't see how stating the fact that this right may be exercised, conditionally or not - and doing it in advance or not - is putting a constraint. In other words, "mind that you may exercise your right, but I may exercise my right". Court might disagree, but nonetheless, that's my opinion.

        1. anonymous boring coward Silver badge

          "IANAL, but here I disagree. OSS Inc. has the right to stop doing business with anyone, for any reason. "

          If the reason is the redistribution of GPLed source code that OSS Inc themselves have used, then they have violated the GPL and do not have the right to use that GPLed source themselves.

          Besides, don't these companies using GPLed source code have a duty, according to the GPL, to distribute the GPLed source code to ANYONE asking for it - not just their customers?

          1. GrumpenKraut

            > Besides, don't these companies using GPLed source code have a duty, according to the GPL, to distribute the GPLed source code to ANYONE asking for it - not just their customers?

            You only have to make the code available to parties you give the binary to ("available" could mean you have to ask by snail mail, btw.).

            > ANYONE

            No, certainly not.

            In practice everyone with two working brain cells will put the code online, though some only open to paying customers.

            1. Vic

              You only have to make the code available to parties you give the binary to ("available" could mean you have to ask by snail mail, btw.).

              Absolutely and completely wrong. Section 3(b) of GPLv2 says exactly the opposite.

              > ANYONE

              No, certainly not.

              Yes, anyone, if you're redistributing under Section 3(b) - which just about everyone does.

              Please read the licence. You are propagating complete untruths.

              Vic.

          2. Vic

            Besides, don't these companies using GPLed source code have a duty, according to the GPL, to distribute the GPLed source code to ANYONE asking for it - not just their customers?

            Not *always*.

            It is possible to redistribute under Section 3(a), where you distribute source *alongside* the binary. You must perform this form of distribution to every person to whom you distribute the binary. This rarely happens. But by definition, you only distribute source to your own customers - they, however, can redistribute that as they see fit, subject to the terms of the GPL.

            More commonly, Section 3(b) is used, where the source is promised separately from the binary. In this case, the source must be made available to anyone who asks for it.

            Vic.

          3. Arach

            "If the reason is the redistribution of GPLed source code that OSS Inc themselves have used, then they have violated the GPL and do not have the right to use that GPLed source themselves."

            For now, that's just an opinion. Just repeating it over and over again won't make it the truth, even though Goebbels might disagree with me about that. ;)

            "Besides, don't these companies using GPLed source code have a duty, according to the GPL, to distribute the GPLed source code to ANYONE asking for it - not just their customers?"

            No, they don't. Again, there's Affero GPL for enforcing exactly that kind of obligation, which isn't GPLv2 and isn't even compatible with it.

    3. Vic

      it's still unbalanced, if not mostly one-sided.

      I'm always very suspicious of new registrations with a single topic to bash.

      Do you, perhaps, have a commercial interest you'd like to disclose?

      Vic.

      1. Arach

        "Do you, perhaps, have a commercial interest you'd like to disclose?"

        No, I only have a professional and an ethical interest, being a security-conscious system engineer and an informed long-time (~9 years) Grsecurity user. And I just don't feel like silently observing how people that have my deepest respect for their work, as well as for the values it's driven by, are having their names trampled into the mud for no good reason.

        Now speaking of this:

        "More commonly, Section 3(b) is used, where the source is promised separately from the binary. In this case, the source must be made available to anyone who asks for it."

        Even though I understand that you don't imply that distribution of Grsecurity patches is covered by GPLv2 section 3, I'd still like to make it clear that it is covered by GPLv2 sections 1 and 2, which don't oblige OSS Inc. to make the patches available to anyone.

  20. richsmith

    gphoto2 ain't part of linux sources

    gphoto2 isn't part of the linux kernel.

    Screenshot not appropriate!

    1. diodesign (Written by Reg staff) Silver badge

      Re: gphoto2 ain't part of linux sources

      It's an artist's impression of what open-source source code may look like in happier times.

      C.

  21. Anonymous Coward
    Anonymous Coward

    Confusion between patches and code

    I think there's a big confusion between patches and code. The GPL requires that you give the code and allows the receiver to redistribute it. It doesn't make mention of patches, changelogs, drafts or even copies of design discussions, all of which are part of the development process. From what I've read from various posts, the grsec contract restricts redistribution of the patches and changelogs and claims no extra limitation beyond the GPL's obligations. This means the recipient is perfectly allowed to redistribute the source code (patched kernel) as per the GPL, and whoever receives it can rebuild a jumbo patch by diffing this kernel against the mainline kernel.

    It's just true that nowadays, a few decades after the GPL was invented, we value git patches and their full changelogs a lot because they contain the justification for the change, which is very important in the security area. We must just not confuse code and changelogs. And even though I really hate what they're doing, I think they're in their right and people are misreading their contract.

    If I were a customer, I'd rather argue that this restriction significantly reduces the code's exposure to peer review, making it much less trustable for security applications. Security must be as open as possible, and Spender has been arguing about this for as long as he's been working on grsec. So in my opinion grsec has lost its main value now; it's sad.

  22. frobnicate

    Only righteous is protected.

    "No court of law has ever established that a statement implying a false assertion of fact is constitutionally protected speech".

    And I naïvely thought that shouting "Goldbach's conjecture is false!" in a crowded theatre is perfectly legal.

  23. John Savard

    Interesting

    Obviously the next version of the GPL will have to be rewritten so that Linus Torvalds or perhaps even Richard Stallman could, at the stroke of a pen, take away Grsecurity's right to use, modify, or redistribute Linux in return for having the temerity to file such a lawsuit.

    Of course, as long as the controversial clause in Grsecurity's agreement has not been tested in court, such a lawsuit is possible. Since the penalty for redistributing Grsecurity's code is simply termination of a relationship with Grsecurity, it could indeed be argued that they can get away with what they're doing, even if it's contrary to the spirit of the GPL. It might not contradict the letter of the GPL.

  24. aaaa
    Unhappy

    Missing the point

    We continue to see the great coders behind the software we are all using going without cash for their work - even though their work is being heavily commercialised. e.g.: OpenSSL.

    GRSecurity has just tried to work out some method to get paid. He's still contributing GPL code - which is arguably more than many people commenting have done.

    I personally have contributed quite a few thousand lines of open source code, plus paid staff over $1M to write open source code that had over 1.4M downloads in a year, plus made financial contributions to FSF and individual open source projects. But I'm now of the opinion that OSS is dead. Without a way to financially compensate those that do the work, programmers would rather spend their time writing for iOS or something, anything that has half a chance of paying the rent.

    Back in the day it was OK - individuals and companies liberally gave money to support these projects, or your employer paid you to work on it - now - not so much, and when you hit upon some 'subscription' contract that customers are happy with - this guy decides to use his power and influence to scare your customers off.

    He could have just left GRSecurity alone and let the people who wanted to pay to pay, and those who didn't want to didn't have to.

    More coders are going to see this and think 'write for open source? yeaaaah riiiiight.'.

    1. anonymous boring coward Silver badge

      Re: Missing the point

      "GRSecurity has just tried to work out some method to get paid. "

      They did it wrong.

      And if they, in addition, can't tolerate someone pointing this out, they might as well go away forever from this business, as far as I'm concerned. Total d*cks.

      BTW: Lots of people contribute for free and will continue to do so. That your personal circumstances and motivations have changed doesn't mean that this is true for all programmers.

  25. anonymous boring coward Silver badge

    https://www.gnu.org/licenses/gpl-2.0.html

    GPLv2 section 6:

    6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

    Adding additional conditions would violate this GPL, and thus anyone tacking on threats of consequences if actions compliant with the GPL are taken (such as redistributing the source code), is clearly not adhering to the GPL. In other words: The restrictions cannot be altered by anyone using the GPL.

    If you are actually claiming to redistribute works falling under the GPLv2 but not following the terms of the GPL, you should probably stop doing so.

  26. Adrian Midgley 1

    That company is not in

    the open source community I am in.
