Linux's Grsecurity dev team takes blog 'libel' fight to higher court

Open Source Security, Inc., the maker of the Grsecurity Linux kernel patches, suffered a setback last month when San Francisco magistrate judge Laurel Beeler granted a motion by defendant Bruce Perens to dismiss the company's defamation claim, with the proviso that the tossed legal challenge could be amended. The code biz and …

  1. Anonymous Coward
    Way to damage your own credibility

    So much for GRSecurity's credibility; in my opinion this moves them right down into the regions of the patent trolls and other nasties which can't win a disagreement using arguments and therefore need to stoop as low as lawsuits. The lawsuit alone makes me side with Mr. Perens on this one, by the way.

    For the simple reason that this is how his blog post opens (I quote and emphasized an important detail): "It's my strong opinion that your company should avoid the Grsecurity product sold at grsecurity.net because it presents a contributory infringement and breach of contract risk."

    So basically these (in my opinion) scammers are trying to prevent someone from sharing his opinion. That's the bottom line here. Whatever happened to freedom of speech?

    But worse yet: if a security firm tries to prevent someone from sharing their opinion, then what else are they trying to cover up? That would be my immediate follow-up question. You see, within the field of security (and security breaches) it's a very common (but not very ethical) practice not to disclose any security issues and to try and hush them up. All in the name of "best interests", of course, even though sharing the whole thing is usually 1) more honest towards customers or other directly involved parties and 2) might even help others to protect themselves more efficiently.

    As such my conspiracy theory: what else have those grsecurity dudes tried to cover up like this?

    What guarantee do I have that they haven't tried to force someone to take down a post which tried to warn people about major backdoors being present in GRSecurity?

    Hear me out: If this is how they treat someone who makes it very clear that he's only sharing an opinion, then seriously: how would they respond to someone who claims to be sharing facts, the kind which could seriously damage their reputation?

    I honestly wouldn't touch GRSecurity with a ten foot pole anymore, let alone put any trust in it to keep my stuff safe. Not after reading about this ordeal (and confirming it for myself).

    1. MacroRodent

      Re: Way to damage your own credibility

      Yes, disappointing. Many years ago, I even sent the project a small donation, as I was using their patch, and they appeared to be good guys. I wonder what happened?

      1. bazza Silver badge

        Re: Way to damage your own credibility

        What happened was that loads of people didn't send them any money and / or ripped off their trademarks and company name. This behaviour included quite large outfits such as (reportedly) Intel.

        So it's not surprising that they got fed up with that.

      2. Kabukiwookie

        Re: Way to damage your own credibility

        I wonder what happened?

        They probably started rolling in the MBAs once they became a 'thing'.

        Grsecurity now only reminds me of SCO and are as dead to me.

    2. bazza Silver badge

      Re: Way to damage your own credibility

      Whatever happened to freedom of speech?

      Nothing. What the US constitution does not guarantee is a lack of consequences arising from what one has said.

      A factor that is also often overlooked by the commentariat is that Perens is not just some random commentard. He's been an expert witness in court cases involving open source license disputes. So it is reasonable to consider his opinion to be rather more weighty, regardless of whether it's right or wrong. That might cost him dearly.

      1. DeKrow

        Re: Way to damage your own credibility

        Freedom of speech except if you're actually an expert on said topic?

        That sounds a lot like what the US would be aiming at.

      2. Michael Wojcik Silver badge

        Re: Way to damage your own credibility

        He's been an expert witness in court cases involving open source license disputes. So it is reasonable to consider his opinion to be rather more weighty, regardless of whether it's right or wrong.

        Why do you think that has bearing on a libel complaint, under California law?

    3. Anonymous Coward
      Re: Way to damage your own credibility

      This sort of idiocy is why people choose to run Windows. You always know where you are with Microsoft - face down, biting the pillow.

  2. E 2

    Grsec used to be open source; you could download it, patch one of the supported kernels and go to town.

    Now you cannot. I wanted to use grsec for a server last spring, and the only way it is available now is for-pay.

    So what exactly is the problem with Perens' remarks?

    1. John Riddoch

      Well - from some of the commentary on Wikipedia (I know it's not a great source, but...):

      - Grsecurity distribute patches to the kernel; these are governed by GPLv2

      - Grsecurity only sell these (not distribute for free), but as well as the GPLv2 license, they attach use conditions, basically saying "if you distribute these as per GPLv2 you don't get any future releases"

      Grsecurity claim this means they're abiding by GPLv2, Perens says it breaks GPLv2. I suspect Perens is right, but the IP lawyers will have a bun fight over it in court.

      1. Lee D Silver badge

        It seems incredibly like imposing further conditions on the distribution, which is prohibited under the GPLv2: "You may not impose any further restrictions on the recipients' exercise of the rights granted herein."

        It seems quite clear to me that making people pay for the software, and then denying them future updates in perpetuity should they EVER exercise any of their distribution rights under the GPLv2, is quite a bit more than "imposing further restrictions".

        That's pretty moot, however, because you'd have to be an idiot to want to do business with this guy at all anyway.

      2. bazza Silver badge

        Grsecurity claim this means they're abiding by GPLv2, Perens says it breaks GPLv2. I suspect Perens is right, but the IP lawyers will have a bun fight over it in court.

        I'm not so sure. There is no mention anywhere whatsoever in GPL2 about future releases. You don't even have to distribute the source of the binaries you have distributed after 3 years, and you certainly don't have to put it on the Internet open to all.

    2. Anonymous Coward
      So what exactly is the problem with Perens' remarks?

      That's for the 9th circuit to discuss. Allegedly.

  3. Anonymous Coward
    Lawyers and Catfish

    "In a court filing on Thursday, he asked the judge to dismiss the case because the company does not intend to amend its claim.

    ...

    Chhabra said the further details about Open Source Security's argument will be available once the appeal is filed."

    So let me get this right: they are asking for the current case to be closed because the company doesn't have any additional arguments to present. But at appeal, they *will* present new arguments.

    What sort of legal nonsense is this?

    1. Lee D Silver badge

      Re: Lawyers and Catfish

      The judge said that the current case can't proceed as is without being amended.

      They don't want to amend.

      So what they are saying is "the judge made the wrong decision" and appealing the case. Which first requires the case to be dismissed.

      It's pretty much certain they're on to a loser at this point, as they're literally saying "NO! YOU'RE WRONG!" to the judge, who was quite clear and didn't have to do much interpretation to come to the conclusion they did (i.e. it is an opinion, and you can't be libellous unless what you're saying is provably false). They can't prove the statements false, hence they can't continue with the libel claim, but they want some "different" answer.

      The best bit is at the bottom, though... no matter whether the case is dismissed or the complaint amended, there is a court-sanctioned avenue of suing them back under an anti-harassment law, with positive encouragement from the judge as to the likely success of such an action.

      Not only are they onto a loser with their original suit, they're onto a loser with the appeal, and in the process they can be counter-sued almost automatically no matter what. This is not just losing... this is M&S losing...

    2. Doctor Syntax Silver badge

      Re: Lawyers and Catfish

      "What sort of legal nonsense is this?"

      US legal nonsense?

  4. Lee D Silver badge

    GRSecurity / Brad Spengler

    This couldn't happen to a nicer fella.

    Finally his big-headedness has caught up to him.

    And, never forget, he has to publicly declare certain things to work on tiny little government contracts:

    https://www.collierreporting.com/company/open-source-security-inc-lancaster-pa

    Quote: "Estimated Number of Employees: 1

    Estimated Annual Receipts: $140,000

    Business Start Date: 2015"

    No matter what he says, he's been a tiny one-man operation for years. How he can afford a lawsuit, I can't fathom.

    1. Doctor Syntax Silver badge

      Re: GRSecurity / Brad Spengler

      "How he can afford a lawsuit, I can't fathom."

      You raise a very interesting point. Perhaps his lawyers are working on spec, or somebody's funding him, in which case who?

  5. Alistair
    GRSec.

    Ahhhhhh ICK.

    "So sad, my friend that it has finally come to this"

    "I've seen ...... .... time to die"

    And variations of this. At one point Spengler's work was marvellous and free and actually had a rational point. It may still have a point, and I understand that there is in his eyes some need to be rewarded financially for the efforts, but it is sad to see him tied to this judicial pot of boiling garbage. I honestly hope that somehow there is (eventually) a morally, legally and rationally effective solution to the situation he finds himself in at this moment.

    Yes, on the surface it seems he's an utter dick. I suspect that some of the dickishness is him and some of it a lawyer or legal advisor without common sense.

    Perens's opinion is one I happen to share. And have shared. (Historically) I was the initial SA deploying linux at an enterprise and there was some push at *that* time to pull in GRSec patches, however the conflict between the GRSec agreement and the RH agreement at the *legal* level at the time was already a substantial issue. It was made worse by the "pay only" model that Spengler took on ...

    1. bazza Silver badge

      Re: GRSec.

      At one point Spengler's work was marvellous and free and actually had a rational point.

      I would not be entirely surprised if opinions differed. I'm not saying that the mainstream kernel community's approach to the immense CVE list is invalid; it's perfectly acceptable in a normal, open society. But it's not one that everyone wants. And opinion shouldn't be allowed to stop someone else doing something about it, even if most people think that what they've done is crazy.

      Perens's opinion is one I happen to share. And have shared. (Historically) I was the initial SA deploying linux at an enterprise and there was some push at *that* time to pull in GRSec patches, however the conflict between the GRSec agreement and the RH agreement at the *legal* level at the time was already a substantial issue. It was made worse by the "pay only" model that Spengler took on...

      What I do find objectionable about this whole situation is the use of public opinion to sway public perceptions of what the license actually says. Contrary to what most people think, there is no obligation under GPL2 to do anything more than sending source on a CD-R in the post, on request. Even punched paper tape is, technically speaking, acceptable. There is no obligation to do even that after three years. There is no obligation to distribute the source to the entire population of the planet, only to people you have given a binary to. There is no obligation to send the source code again simply because some of it has changed. Clause 6 mentions "The Program"; not any other program, or future versions of it, and applies only if you actually choose to distribute it to some one. There is no obligation to onward distribute source code you have acquired, unless you distribute a binary built from it (just as well, otherwise we'd all be in trouble).

      We Don't Want to be in a World Where License Terms Can be Changed Retrospectively

      The role of public opinion in this is important. Most people are of the firm opinion that open source always means "I can download it from some server whenever I like". Some licenses are like that. GPL2 really is not.

      However, if a court eventually caves in to the weight public opinion stoked up by people like Perens and forces a re-interpretation of the GPL2 to include terms like making it available on a web server to all and sundry, then a very important thing will have happened:

      The source code would have been forcibly released under different license terms by a court not acting at the request of or with the consent of the author(s).

      That would be an atrocious precedent to set. It seriously threatens the certainty of all software licenses. It would mean that all GPL2 code everywhere was now fair game. And if GPL2, why not some more proprietary licenses?

      That would cost us all dearly, in the end.

      There's enough of a problem brewing with Google resorting to claiming "Fair Use" in its dispute with Oracle over Java. If Google ultimately win that one (it's still rumbling along), and Perens's firm opinion gets adopted as a precedent by some court somewhere, then as far as I can tell all bets are off: source code (either proprietary or free) can no longer be adequately defended by copyright law.

      And it's copyright law that licenses such as GPL2, GPL3, etc utterly rely on.

      So I'm annoyed with Perens for stirring up the pot. Is the Linux source code licensing situation ideal for what most contributors want? No, frankly it's crap. But it's nearly 30 years too late to correct that. Are the actions of GR legal? Probably yes. Are they in any way significant to what the rest of the Linux world does? Completely not. Could this all turn into a clusterfsck for the rest of us? Quite easily. Why risk that? Leave sleeping hornets' nests alone, I say.

      Inevitable

      Situations such as this were always kind of inevitable with the GPLs. Their copyleft nature is their very own weakness; any flaw in their terms is unrecoverable. Fixing the perceived flaws by stretching the copyright laws that the licenses rely on is going to weaken the licenses in other ways.

      Personally speaking I think that GPL has not been of significant benefit to Linux or other projects when compared to, say, the BSD license. FreeBSD is even more freely licensed than GPL2, and that's not done FreeBSD any harm at all (in terms of community activity, code quality, etc).

      GPL2 has also been a significant barrier to getting useful freely available code into Linux (ZFS, DTRACE, device drivers, etc). Getting stoked up by people like Perens about GPL2 adherence simply raises the barriers to becoming more accepting of other licenses, which brings its own problems.

      To get around some of these legal barriers and issues we see projects like Google's Project Treble emerging. That stands a very good chance of fixing device driver issues on Android (and thence everywhere else), but it will then be significantly different to the mainstream. Fragmentation is a bad thing; it dilutes effort.

      1. Crypto Monad Silver badge

        Re: GRSec.

        > Contrary to what most people think, there is no obligation under GPL2 to do anything more than sending source on a CD-R in the post, on request.

        That is correct.

        However, once you have the source in your hand, the GPL says you are also *free to distribute it further* under the same terms, and GRSecurity didn't like that. They want to keep their patches secret.

        Once you have a Linux kernel, and you apply the GRSecurity patches, the combined work is still GPL2 and so you are free to distribute it. BUT: GRSecurity say that if you exercise this right, they will cut off their business relationship with you, withdraw your right to use GRSecurity and never give you any future updated patches.

        Basically, they are trying to make Contract Law trump the GPL. "I will give you this source code which is GPL but only if you agree to be bound by this additional contract which reduces your GPL rights"

        1. bazza Silver badge

          Re: GRSec.

          It can only be a matter of contract law if it's actually in a contract. However if GR security spot you leaking their code, exercising one's GPL2 rights, all they need to do is refuse future purchase orders from you. There doesn't actually need to be anything written down anywhere at all in any contract whatsoever, and they don't need to have told you in advance. I'm guessing that's how they've done it, and they've just relied on word getting around the industry. Law cannot ordinarily make you sell something you don't want to sell.

          Sneaky? Certainly. Illegal? Probably not.

          If they have written it into their contract, that would be very bold indeed, and certainly much more challengeable, but certainly still not a slam-dunk gonna lose in court document. I think that we should presume that it doesn't exist and that GR has actually got a position far stronger than most people think.

          I come back to my point about disturbing a hornet's nest. If this does ever come to court, and GR win (which I think they will), then where does that leave everyone else? What's worse, a GPL2 license of doubtful but untested strength, or a GPL2 license that is confirmed broken by a court case? If GR win then anyone else can take GPL2 licensed code (not just the Linux kernel), sell it with unwritten constraints, and there'd be nothing that anyone can do about it from that point onwards. How about if, purely hypothetically, RedHat decided to follow suit? Not that I can ever see RedHat doing such a thing, of course.

          The ultimate solution to all this is to relicense Linux to satisfactorily reflect what the kernel community generally actually wants in this modern era. That is going to be difficult; some of the contributors are dead, and their code would have to be expunged / re-written. The longer this is left, the worse this problem with GPL2 not really being fit for purpose will get.

      2. JLV

        Re: GRSec.

        The question is however not whether GPL or BSD is better. Nor whether a developer or company deserves remuneration for what they do, even in an open source context.

        The issue is that GR should abide by the rules of the license it has chosen to operate under, GPL2 in this case. Well, they haven't "chosen GPL", but they chose to work on a product that is under GPL.

        It seems pretty clear that they are not following the spirit, if even the letter, of that license and Perens is not being libelous in voicing his opinion about it and he's not voicing anything demonstrably false or malicious.

        The Streisand Effect is strong with you, dear GR.

  6. sloshnmosh
    "I've seen ...... .... time to die"

    One of my favorite scenes in one of my favorite movies,

    (not too fond of the remake, however)

    Have an upvote!

    https://en.wikipedia.org/wiki/Tears_in_rain_monologue
