Wait, the company is called "Open Source Security" but their kernel patches are not actually open source? Somebody should sue them for false advertising.
Open Source Security hit with bill for defamation claim
Open Source Security, maker of the grsecurity Linux kernel patches, has been directed to pay Bruce Perens and his legal team almost $260,000 following a failed defamation claim. The security biz, and its president Brad Spengler, sued Perens last year over a blog post, alleging defamation. Perens, one of the early leaders in …
COMMENTS
Monday 11th June 2018 22:29 GMT keithzg
The source is "Open", but the rights to redistribute them are lacking. This is the sort of dilution of terminology that's why hardliners still say "Free" or "Libre" rather than "Open".
Frankly, any time a person or entity refers to it as "Open Source" rather than "Free Software" it's worth being at least a bit suspicious if they actually believe in the principles or are just in it for themselves---take a careful look at the details.
Monday 11th June 2018 23:13 GMT GIRZiM
re: the rights to redistribute them are lacking
As I remember it, it was reported in El Reg (in the last couple of years or so) that the reason for that was that companies/businesses were including it in their software/firmware and charging for it, which wasn't part of the licence from OSS.
I think there might also have been something that was going on that OSS felt was harmful to their reputation - something like that anyway.
Wednesday 13th June 2018 20:43 GMT GIRZiM
Re: re: the rights to redistribute them are lacking
No idea - haven't looked into it, it's just something I vaguely remember reading about here in the last couple of years.
It could equally be that vendors were modifying it and distributing it with their kit/solutions and not including the proper accreditation and/or source and/or not contributing the modifications back upstream - dunno, as I said, I didn't look into it, just noted it and I have no idea what the specific licence breach was, just recall that it had something to do with the licensing.
Tuesday 12th June 2018 07:29 GMT Anonymous Coward
Open Source Security Inc. Doesn't Make Open Source
The rules for Open Source are at https://opensource.org/osd
Right at #1 is "Free Redistribution". Now, take a look at the Grsecurity Stable Patch Access Agreement at https://grsecurity.net/agree/agreement.php and tell me that's "Free Redistribution".
Open Source, Free Software, and Libre refer to the same thing. A long time ago there was someone who tried to drive a wedge between them. I haven't heard from him lately, have you?
Wednesday 13th June 2018 09:16 GMT ForthIsNotDead
Re: Open Source Security Inc. Doesn't Make Open Source
From the GR Security web site (emphasis added by me):
The rights and obligations under the GPLv2 are listed at http://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html. You may use, copy, modify, and distribute any Linux kernel modified by combination with grsecurity patches under the terms of GPLv2.
What's the issue? I note that they changed the page on 7 June. Maybe they've acquiesced?
Wednesday 13th June 2018 14:32 GMT SImon Hobson
Re: Open Source Security Inc. Doesn't Make Open Source
You may use, copy, modify, and distribute any Linux kernel modified by combination with grsecurity patches under the terms of GPLv2.
What's the issue?
What about redistributing the source for that modified kernel? GPLv2 says that if you modify and distribute a piece of GPLv2 code, then you are required to provide the source if asked for it.
AIUI, grsecurity also allow you to redistribute the patched source - but if you do will terminate your contract with them. That's not exactly allowing you to redistribute in accordance with GPL - it's basically saying that you can't redistribute if you want to carry on getting their patches in future. That's what Bruce Perens' opinion was about.
Wednesday 13th June 2018 19:53 GMT Anonymous Coward
Re: Open Source Security Inc. Doesn't Make Open Source
To ForthIsNotDead, the text of the Grsecurity agreement which Mr. Perens objected to is in Exhibit B at this link: http://perens.com/static/OSS_Spenger_v_Perens/3_17-cv-04002-LB/doc1/pdf/01-1.pdf
This is submitted by Grsecurity and (like all case documents) publicly archived by Perens.
The relevant text is:
Notwithstanding these rights and obligations, the User acknowledges that redistribution of the provided stable patches or changelogs outside of the explicit obligations under the GPL to User's customers will result in termination of access to future updates of grsecurity stable patches and changelogs.
Tuesday 12th June 2018 10:25 GMT DropBear
Re: No Trademark
Bullshit. I've seen many examples over the years which were labelled "Open Source" with the source accessible in some manner for which you still had zero rights outside of looking at it. I don't give a crap that's not what some people mean when _they_ talk about OS, the point is that many clearly mean something wholly non-open by it, which is why a distinction is necessary and still very much useful. To date, I have seen ZERO software claiming to be "libre" except chained seven ways to hell.
Monday 11th June 2018 20:14 GMT Anonymous Coward
Waiting for the other shoe to drop
And of course the real fun will be when OSS can't afford the bill and they are made bankrupt and Bruce Perens becomes the new owner of the copyright of OSS's code; shortly followed by said code being open sourced just like it should have been in the first place. *grin*
Monday 11th June 2018 21:03 GMT Anonymous Coward
OSS deserves everything coming to them!
I've read the blog post and it even started with "in my opinion...." yet OSS still tried to bully this guy into taking it down. They deserve everything coming to them in my opinion.
I also hope this whole case will backfire making more companies and people alike pull out of this mess called grsecurity. No, I'm not bashing. It's just logical reasoning: one of the pillar stones in computer and online security is transparency; sharing information. When a backdoor or vulnerability is found it's usually in people's best interests to share that information so that others can prepare themselves for it.
So here we have a security company who tried to take down a blog post where someone merely shared their personal opinion. Making me wonder: what would happen if someone decided to share something they perceived to be facts about backdoors within the grsecurity project?
Do you really think that this company would allow for that to happen? If this is how they treat an opinionated blogger, then I think they'll treat a mid cart security source which posts controversial material about their project even worse.
And when a security firm tries to shut someone up I always have to wonder: how many more people did they try to hassle and what for?
Would you really put your trust into a dominating dictatorial bunch like that? I sure wouldn't!
Tuesday 12th June 2018 10:35 GMT DropBear
Re: OSS deserves everything coming to them!
The only thing that saddens me about this is that OSS will probably _not_ get well and truly bankrupted by the judgement. They absolutely should be obliterated, with extreme prejudice. Handling costs of such trivial litigation as a routine cost of doing business should not be possible - any company engaging in such practices should face the likely prospect of a fine ten times their entire worth. Maybe that would make them less touchy and think twice before "getting offended".