SoylentNews is people

posted by n1 on Thursday July 06 2017, @11:39AM
from the to-hell-with-gpl dept.

Bruce Perens warns of potential contributory infringement and breach of contract risk for customers of GRSecurity:

Grsecurity is a patch for the Linux kernel which, it is claimed, improves its security. It is a derivative work of the Linux kernel which touches the kernel internals in many different places. It is inseparable from Linux and can not work without it. It would fail a fair-use test (obviously, ask offline if you don’t understand). Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2.

Currently, Grsecurity is a commercial product and is distributed only to paying customers. My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition.

By operating under their policy of terminating customer relations upon distribution of their GPL-licensed software, Open Source Security Inc., the owner of Grsecurity, creates an expectation that the customer’s business will be damaged by losing access to support and later versions of the product, if that customer exercises their re-distribution right under the GPL license. This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.


  • (Score: 5, Insightful) by Thexalon on Thursday July 06 2017, @12:31PM (23 children)

    by Thexalon (636) on Thursday July 06 2017, @12:31PM (#535685)

    They know full well at this point that they're blatantly violating the GPL. What they are trying to do is test the willingness of someone with copyright on the Linux kernel to go after them: If nobody goes after them then they're scot-free. If they go to court then they'll try to confuse the judge and maximize the costs of the suit until the plaintiffs give up.

    It's important to know that a not-totally uncommon business strategy is to put yourself in a position where you can get sued, and simply hope that the other party won't bother. I had to deal with one of those: He would simply never pay any kind of bill, ever, unless somebody sued him. Last I checked, he owed something like $270K to various creditors, including a major bank, the city he lived in (he'd never paid taxes), his dentist, about 12 different contract developers, and his office cleaners.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 5, Touché) by requerdanos on Thursday July 06 2017, @01:35PM (8 children)

    by requerdanos (5997) Subscriber Badge on Thursday July 06 2017, @01:35PM (#535704) Journal

    He would simply never pay any kind of bill, ever, unless somebody sued him. Last I checked, he owed something like $270K to various creditors, including a major bank, the city he lived in (he'd never paid taxes), his dentist, about 12 different contract developers, and his office cleaners

    The Grsecurity folks seem very mature and experienced in their kernel security measures, but alarmingly less so in other ways: Their argument is not that they simply refuse to comply on general principle--it's a very specific principle that "those who do the work should be getting paid for it." Their stand appears to be based on doing what they believe is right, not on trying to get away with doing wrong.

    They complain that they made some GPL'd software, and then they got frustrated and decided to stop publicly distributing that software when other people built upon it and profited from that. This represents at a minimum a serious misunderstanding of the GPL.

    They argued that they were putting in the work to make the patches, paying hosting on the servers to put the patches up for download, and doing all the really hard things, and other people who were not paying them money, were taking their software and using it and packaging it usefully and doing other profitable (but sometimes dodgy) things with it in a way that did not make them any money--and that because they put in the work to make the product, they should be getting the money.

    I believe it's important to note, about their principled stand for what they believe is right, that in their talking about who put in all the hard work to build their product and who therefore should get paid, they didn't mention the estimated three billion dollars [blogspot.com] worth of labor that went into the Linux kernel itself, which their product is a nifty but relatively minor derivative of in terms of SLOC in Linux vs. their patches, nor did they mention any payments they made because of these heartfelt beliefs to, say, the Linux Foundation [linuxfoundation.org].

    Science fiction writer Murray Leinster wrote [google.com] along these lines in the 1950s:

    Children and barbarians have clear ideas of justice due to them, but no idea at all of justice due from them.

    They certainly have every right to stop paying for hosting to assist other people who are profiting from their hard work, but under the GPL they don't have the right to forbid others from doing so.

    • (Score: 2) by kaszz on Thursday July 06 2017, @01:57PM

      by kaszz (4211) on Thursday July 06 2017, @01:57PM (#535715) Journal

      Which leaves the question as to when someone will sue Grsecurity? And who will do it? Who funds it?
      If they aren't nice we can offer to send poettering to "help" .. :p

    • (Score: 0) by Anonymous Coward on Thursday July 06 2017, @02:17PM

      by Anonymous Coward on Thursday July 06 2017, @02:17PM (#535725)

      "Their argument is not that they simply refuse to comply on general principle--it's a very specific principle that "those who do the work should be getting paid for it." Their stand appears to be based on doing what they believe is right, not on trying to get away with doing wrong."

      Then they should not be touching GPL'ed software. End of story.

    • (Score: 3, Insightful) by Thexalon on Thursday July 06 2017, @05:55PM (5 children)

      by Thexalon (636) on Thursday July 06 2017, @05:55PM (#535800)

      "those who do the work should be getting paid for it."

      If they want to do that, they can make their own proprietary stuff. They can't take GPL'd stuff and redistribute it in the way they're doing.

      I've noticed, as a general habit, that principles often follow self-interest. In GRSecurity's case, I have to think that Upton Sinclair's Law might have something to do with it: "It is extremely difficult to get a man to understand something when his salary depends on his not understanding it."

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by requerdanos on Thursday July 06 2017, @06:33PM

        by requerdanos (5997) Subscriber Badge on Thursday July 06 2017, @06:33PM (#535824) Journal

        "those who do the work should be getting paid for it."

        If they want to do that, they can make their own proprietary stuff.

        Or make really hardened, security-filled BSD kernels.

      • (Score: 0) by Anonymous Coward on Thursday July 06 2017, @07:17PM (3 children)

        by Anonymous Coward on Thursday July 06 2017, @07:17PM (#535836)

        1. You're arguing a practical & moral position ("those who do the work should be getting paid for it") against a legal polemic (under the terms of the GPL...). If violating the GPL means more devs get paid fairly for their work, then so be it. After all, the copyright law the GPL hacks around just to get some collaborative work done is inherently flawed so the GPL can't be expected to work perfectly for everything and everybody.

        2. For companies like Red Hat that control the mainlining process, there's far more money to be made from keeping the kernel insecure and on a Microsoft-esque continuous service&maintenance patch-cycle than actually addressing security issues at the design level in a constructive way. They have, and they will reject mainlining attempts of features that compete against their own off-tree patches. So, GRSec going away simply means a bigger company will take over and will have even more power and influence than GRSec to keep things the way they are. And if they can't keep the patches off-tree, they'll shim them with some modular design just like nVidia did for graphics so they can sell special security blobs to their private clients.

        GRSec are like private security: Making them illegal won't miraculously make the police less corrupt and useless. But fixing the police will drive most private security firms out-of-business.

        • (Score: 4, Interesting) by Thexalon on Thursday July 06 2017, @08:14PM (2 children)

          by Thexalon (636) on Thursday July 06 2017, @08:14PM (#535850)

          1. You're arguing a practical & moral position ("those who do the work should be getting paid for it") against a legal polemic (under the terms of the GPL...).

          The GPL has a practical and moral position, as well as the law, behind it. It goes like this: "Software can be duplicated nearly for free, so it is best viewed not as a product but as a public body of knowledge. When you make a new discovery, it is your responsibility to put it out to the public so the body of public knowledge expands and becomes more useful."

          If violating the GPL means more devs get paid fairly for their work, then so be it.

          Nonsense. Devs get paid to work on GPL'd software all the time. Some examples:
          - People that work for Red Hat and IBM and such and get paid to work on improving Linux.
          - People who are employed as developers or admins for a company who have to dig into a problem, find and make the fix, and contribute a patch or documentation upstream so everyone else that has the same problem doesn't have to duplicate the work. They got paid by their company.
          - People who get short-term contracts to add a feature to a GPL'd package that wasn't there before but is useful to their client, who then contributes the new feature upstream.

          All those devs got paid for their work. None of them did what GRSecurity did, of taking but refusing to give back. As a sibling poster pointed out, if GRSecurity wanted to play by the rules, they could have done so with BSD.

          2. For companies like Red Hat that control the mainlining process

          Red Hat does not control the "mainlining" process. Linus Torvalds does, and he works for the Linux Foundation. I don't know where you got the impression that Red Hat has veto power, but they've never had veto power over what goes into the mainline Linux kernel.

          --
          The only thing that stops a bad guy with a compiler is a good guy with a compiler.
          • (Score: 0) by Anonymous Coward on Thursday July 06 2017, @09:42PM

            by Anonymous Coward on Thursday July 06 2017, @09:42PM (#535892)

            Redhat does not have such direct power over kernel. But tries, over and over, and goes with as much indirect control as it gets. Userspace is becoming more and more RH controlled, as discussed in a recent story. https://soylentnews.org/article.pl?sid=17/07/03/1232216 [soylentnews.org]

            With kernel, the minions tried to push kdbus. https://igurublog.wordpress.com/2015/05/04/kdbus-systemds-kid-cousin-come-to-stay/ [wordpress.com] (outdated article, but "photo" of how it was two years ago)
            Linus disliked how it was done and said no. Other kernel devs also raised multiple tech points. And so far it seems the kdbus is sleeping, or more probably dead just like HAL. Now the plan is bus1. https://en.wikipedia.org/wiki/D-Bus#KDBUS [wikipedia.org] It seems RH has plans half done for when the current one fails. https://github.com/bus1/bus1/blob/master/ipc/bus1/main.c [github.com] "Copyright (C) 2013-2016 Red Hat, Inc."

            RH, putting the C of Corporate in FOSS. Don't worry, sooner or later it will have a C. And probably no F.

          • (Score: 3, Informative) by Arik on Thursday July 06 2017, @09:47PM

            by Arik (4543) on Thursday July 06 2017, @09:47PM (#535894) Journal
            RedHat does not have veto power, you're correct.

            However they do clearly have tremendous influence, and it's not being used for good.

            --
            If laughter is the best medicine, who are the best doctors?
  • (Score: 2) by Grishnakh on Thursday July 06 2017, @04:10PM (9 children)

    by Grishnakh (2831) on Thursday July 06 2017, @04:10PM (#535767)

    I had to deal with one of those: He would simply never pay any kind of bill, ever, unless somebody sued him. Last I checked, he owed something like $270K to various creditors, including a major bank, the city he lived in (he'd never paid taxes), his dentist, about 12 different contract developers, and his office cleaners.

    How does someone like that manage to get anywhere in American society these days? That's a recipe for disaster. For one thing, someone like that would have a horrible credit rating, so they wouldn't ever be able to buy a house or car without cash. A lot of jobs will also check your credit rating, so he'd be ineligible for those too (esp. anything where they do a background check, or need a security clearance). Not paying your city taxes is really bad: they don't have to sue you, they can just seize your property and evict you. The dentist, cleaners, and other people are generally screwed though since they have to sue him. You can only get away with that kind of behavior so long; if you're poor and have a shithole place, you can do it a certain amount but you're never going to be making much money because of the poor credit rating. But not paying your taxes will get you in really hot water sooner or later; you can screw over other people a certain amount, but trying to screw over the government is never a good idea.

    • (Score: 0) by Anonymous Coward on Thursday July 06 2017, @05:33PM (5 children)

      by Anonymous Coward on Thursday July 06 2017, @05:33PM (#535789)

      It's easy to get by that way. It helps to be tall, attractive, have a nice, white smile, a firm handshake, and a lot of enthusiasm about how much money you'll be making the person you're scamming who is providing you with a service you don't intend to pay for.

      Sociopathy is simply playing the game by the rules. The game doesn't have nearly the rules you've been brainwashed from kindergarten on to believe it does, and the consequences for breaking the rules are subject to the same slick tactics.

      Being taken to court is all part of the game, and the game continues in the courthouse. Their property won't get seized until after a lengthy appeals process that will drag on for years and years, and there's a chance they may get off on a technicality altogether.

      That is why sociopaths need to be put behind bars. All of them. Permanently. If that's too expensive for the rest of us, we should just kill them once we figure out they're a sociopath.

      • (Score: 2) by frojack on Thursday July 06 2017, @05:43PM (1 child)

        by frojack (1554) on Thursday July 06 2017, @05:43PM (#535793) Journal

        The game doesn't have nearly the rules you've been brainwashed from kindergarten on to believe it does,

        You mean all those things Mrs Wilson said she was going to add to my permanent record from the 4th grade are gone?

        Free at last!!.

        --
        No, you are mistaken. I've always had this sig.
      • (Score: 0) by Anonymous Coward on Thursday July 06 2017, @05:59PM

        by Anonymous Coward on Thursday July 06 2017, @05:59PM (#535802)

        Prison is an utter waste. With these types already winning every office, public and private, the future doesn't look too bright. There really is only one cure [soylentnews.org] if you care about the future of the species.

      • (Score: 2) by Arik on Thursday July 06 2017, @08:00PM (1 child)

        by Arik (4543) on Thursday July 06 2017, @08:00PM (#535846) Journal
        "That is why sociopaths need to be put behind bars. All of them. Permanently. If that's too expensive for the rest of us, we should just kill them once we figure out they're a sociopath."

        The problem is that Congress would never vote to put themselves behind bars and you know it.
        --
        If laughter is the best medicine, who are the best doctors?
        • (Score: 0) by Anonymous Coward on Friday July 07 2017, @05:55AM

          by Anonymous Coward on Friday July 07 2017, @05:55AM (#536018)

          we should just kill them once we figure out they're a sociopath

          Hey, I found a sociopath.

    • (Score: 4, Interesting) by frojack on Thursday July 06 2017, @05:37PM (2 children)

      by frojack (1554) on Thursday July 06 2017, @05:37PM (#535790) Journal

      How does someone like that manage to get anywhere in American society these days?

      I assure you it is far more common than you think.

      They pay (cash mostly) for critical things like food, fuel, electricity. They stiff arm anyone dumb enough to grant them any credit.

      I know this guy (lives down the street), who purchased a brand new house, committing only a small down payment. At that time he (somehow) had enough credit (or enough fake papers) to get the bank loan.

      He never paid a dime on that house, until sheriffs showed up. He then paid two or three payments, knowing just how many he had to pay to extinguish the lender's seizure papers, then he went right back to not making any payments. The lenders had to start the long paper-work train all over again to begin seizure.

      He spent a weekend in jail once when he ignored a Judge's order to appear. Not jailed for the debts he owed, but simply because he pissed off the wrong judge by ignoring the order. He confused the issue, (he thought the condo association had him thrown in jail - which is almost impossible in the US) and always paid that creditor from then on.

      It took 12 years to get him out of that house. He had all of his house pre-packed and ready to go when the Sheriffs arrived to give him 4 hours to be out. (He knew they were coming somehow). Of course he left all the furnishings, (also unpaid for), skipped out on the rest of his condo dues, and the last few months of power, gas, water bills.

      He only drove junkers. He made sure he had nothing worth seizing, but a neighbor saw him pull into a nearby national park in a huge motor home on a couple different occasions (same vehicle), which he also never paid for, but kept well hidden.

      He was employed, but insisted on getting paid in cash money, and would move to a different job as soon as garnishment papers were filed. He actually did good work, I believe he was a brick layer or plumber with reasonable skills.

      To him it was a game. He knew the rules very well.
      There are lots of them around.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 3, Interesting) by Grishnakh on Thursday July 06 2017, @08:59PM (1 child)

        by Grishnakh (2831) on Thursday July 06 2017, @08:59PM (#535867)

        Wow, that sure sounds like a lousy way to lead your life, not just because of the basic morality issue of ripping people off, but the sheer pain-in-the-ass factor of spending all your mental energy figuring out how to game the system like that. This guy sounds like someone who likely has no friends and is forever single.

        • (Score: 2) by Immerman on Friday July 07 2017, @12:08AM

          by Immerman (3985) on Friday July 07 2017, @12:08AM (#535936)

          Personally I agree. But how much effort is it, really, compared to the amount of effort required to do the work to actually pay for the same lifestyle?

  • (Score: 0) by Anonymous Coward on Thursday July 06 2017, @06:00PM

    by Anonymous Coward on Thursday July 06 2017, @06:00PM (#535805)

    For some reason they seem to have moved their corporation from Virginia (right next to D.C.) to Pennsylvania.
    Are there few or no intellectual property lawyers registered to the Pennsylvania State Bar?
    (A suit is usually heard in a court in the defendant's district)

  • (Score: 2) by wirelessduck on Friday July 07 2017, @02:31AM

    by wirelessduck (3407) on Friday July 07 2017, @02:31AM (#535974)

    Check some of Bruce's posts to the Devuan DNG mailing list. He's quite convinced that he, as an expert witness, would have no trouble convincing a judge of the licence violation. I don't have time to find them all, but here's a relevant one. The rest are easily searchable on Google.

    https://lists.dyne.org/lurker/message/20170701.230508.cc795b98.en.html [dyne.org]

  • (Score: 2) by Wootery on Friday July 07 2017, @08:55AM (1 child)

    by Wootery (2341) on Friday July 07 2017, @08:55AM (#536048)

    Last I checked, he owed something like $270K

    I'm guessing he doesn't care if his credit rating ends up in the sewer? Good luck to him with the IRS. Bit of a dangerous strategy.

    • (Score: 0) by Anonymous Coward on Saturday July 08 2017, @01:49PM

      by Anonymous Coward on Saturday July 08 2017, @01:49PM (#536527)

      I think this creep's morally rotten position is but a logical conclusion of the current state of affairs: law is only there if you can afford it. And even if you pay your way into a courthouse it's still something of a coin flip. And these sad facts are what blood-sucking vermin like this guy literally bank on.

      Justice definitely should be there for everybody, even for those broke and penniless.