
posted by n1 on Thursday July 06 2017, @11:39AM   Printer-friendly
from the to-hell-with-gpl dept.

Bruce Perens warns of potential contributory infringement and breach of contract risk for customers of GRSecurity:

Grsecurity is a patch for the Linux kernel which, it is claimed, improves its security. It is a derivative work of the Linux kernel which touches the kernel internals in many different places. It is inseparable from Linux and cannot work without it. It would fail a fair-use test (obviously, ask offline if you don’t understand). Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2.

Currently, Grsecurity is a commercial product and is distributed only to paying customers. My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition.

By operating under their policy of terminating customer relations upon distribution of their GPL-licensed software, Open Source Security Inc., the owner of Grsecurity, creates an expectation that the customer’s business will be damaged by losing access to support and later versions of the product, if that customer exercises their re-distribution right under the GPL license. This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.


  • (Score: 0) by Anonymous Coward on Thursday July 06 2017, @06:04PM (#535806) (1 child)

    https://pastebin.ca/3838883 [pastebin.ca]

    Here's a "Quick" rundown
    (Not quick...)

    ------------------------
    Some Legal Analysis:
    ------------------------
    The GRSecurity patch snakes through almost the entire kernel; it really touches everywhere
    (and Brad Spengler etc have publicly attested to this as a bullet point as it doesn't only
    add features but fixes various in-place security errors); and not even as a monolithic block,
    it puts a paw here, and there, and there (so on and so on for 8MBs), with the deft agility of a cat,
    and the dexterity of a vine wrapped every which-way around the many branches of a bush:
    it is a non-separable derivative work.

    A counter example would be the Nvidia GFX driver: a portion of that driver works across platforms.
    That portion which works on Linux, Windows, etc is a separable work and thus can be argued
    to be standalone before a court. Furthermore, in the Nvidia case, that portion was likely
    developed on another platform and the wrapper was then built to conform to it.

    The wrapper itself that interfaces with linux is licensed under the same terms as linux.

    Other drivers can be written in a similar way.

    With GRSecurity, on the other-hand, that is absolutely impossible. GRSecurity exists
    only to give the linux kernel "self protection" (their words IIRC). They do this
    by going in with a scalpel to thousands of areas in the kernel and making small
    but important* edits and additions, as well as by writing some new routines to then
    use throughout the kernel.

    Unlike a plug-in; their derivative work does not and cannot stand alone.

    The Anime-Subs cases reaffirmed somewhat recently that a derivative work
    that cannot stand alone and is not authorized is an infringing work.

    (Ex: You're a fan, you listen to the Anime Girl cartoon in Japanese,
    you write down what they say, you distribute that: that text is a
    derivative work and not a standalone one: it required the existence
    of the cartoon to itself exist or have any meaning).

    I think the situations are very different thusly and that a court
    would find GRSecurity to be infringing. If the GRSecurity patch is not
    a derivative work then nothing in the realm of source-code is.

    To Brad Spengler I'm referred to as a "troll" (months, perhaps a year later
    in a discussion I was not involved in), for engaging with RMS on the issue earlier
    (something which remains in Mr Spengler's mind:

    http://www.openwall.com/lists/kernel-hardening/2017/06/04/24 [openwall.com]
    >... It has been nearly 4 months now and despite repeated follow-ups, I still
    >haven't received anything back more than an automated reply. Likewise
    >regarding some supposed claims by RMS which were published last year by
    >internet troll mikeeusa -- I have been trying since June 3rd of last
    >year to get any response from him, but have been unable to. So when you ...

    (RMS' opinion can be seen here:
    (*7) https://lists.debian.org/debian-user/2016/06/msg00020.html [debian.org] )

    As for making modifications: To create the patch Brad Spengler modified the
    linux-kernel over the course of 15 years, and to continue continually producing
    new patches he continually modifies the linux-kernel even more. Without
    permission of the license he has no right to modify the kernel. The mechanical
    modification that is done by patching is a red-herring in this case since it's
    not needed to argue infringement on Mr Spengler's part once he has been found
    to have added an additional term to the agreement between him and further
    distributees of the derivative work. Once he has done that, he has violated
    the license grant, and he no-longer has a right to distribute the work, nor
    to distribute derivative works, nor to modify the work in-order to create
    future derivative works.

    ------------------------
    Correction to common
    programmer's misunderstanding
    ------------------------

    They don't have to add a term to the GPL per-se as the GPL is not a party to the agreement, it is "merely" the (not-fully integrated) writing describing the license that the rights-holders have granted GRSecurity et al.

    That is: the GPL in-part describes the license grant that the linux rights-holders have extended.
    (There may be other parts described elsewhere, even verbally or through a course of business dealings or relationship)
    (Copyright law, being quite bare on its own, often borrows much from contract law)

    Licensees must extend the same grant to Distributees, they cannot add an additional term to that relationship.
    GRSecurity has added such a term.

    They did not pen it into the text of the GPL.
    But, according to existing testimony they did make it clear that redistribution will not be tolerated.
    It is unknown if an electronic or hard copy of this additional term controlling the relationship exists,
    or whether it was a verbal agreement, or even some implicit understanding. Any which way: it is a forbidden additional
    term.

  • (Score: 0) by Anonymous Coward on Thursday July 06 2017, @06:09PM (#535808)

    ------------------------
    Background:
    ------------------------

    GRSecurity goes full commercial, no more free testing patches, threatens programmer trying to port.

    (*1) https://lwn.net/Articles/723169/ [lwn.net]
    (*2) https://www.phoronix.com/forums/forum/software/general-linux-open-source/948623-grsecurity-kernel-patches-will-no-longer-be-free-to-the-public?page=1 [phoronix.com]
    (*3) https://www.embedded-linux.de/18-news/886-grsecurity-nicht-mehr-kostenlos-verfuegbar [embedded-linux.de]
    (*4) https://www.theregister.co.uk/2017/04/26/grsecurity_linux_kernel_freeloaders/ [theregister.co.uk]

    GRSecurity removes public testing patch - goes full commercial.

    (*5) http://www.openwall.com/lists/kernel-hardening/2017/06/04/24 [openwall.com]

    >"Don't worry about it, there's nothing for a "grateful" user like yourself
    >to download anymore. Boy, if I had more "grateful" users like yourself
    >obsessed with harassing us on Twitter, Reddit, and IRC so that they
    >can go around and paint themselves as some kind of victim, I wouldn't
    >know what to do with myself.
    >
    >-Brad"

    Brad Spengler prevents a private purchaser from redistributing the sourcecode via contract clauses between him and they: thus willfully frustrating the purpose of the license HE was granted by the linux kernel rightsholders. This is another reason a court may find him in violation of the license grant of the GPL. As we discussed previously. (See: ****)

    Also Brad Spengler threatens others with lawsuit in a nearly transparent attempt to get them to stop porting over the work:

    >" This stops *now* or I'm sending lawyers after you and

    (*6) http://www.openwall.com/lists/kernel-hardening/2017/06/03/14 [openwall.com]

    >Guys, this is your *last warning*. This stops *now* or I'm sending lawyers
    >after you and the companies paying you to plagiarize our work and violate
    >our *registered* copyright (which for the record entitles us to punitive
    >damages which now are very easily provable). It's time to get serious
    >about attribution -- what you are doing is completely unacceptable. I'm
    >already in contact with lawyers to prepare for the next time this happens.
    >If any of this plagiarized and misattributed code actually made it into
    >the Linux kernel, you'd all be in a world of pain.

    Here Brad Spengler threatens a copyright infringement lawsuit regarding his non-original wholly-derivative work.
    (An original work stands alone). This while he threatens those paying customers who might redistribute the work (see: **** below).

    Note: Copyright licenses (like any license to use the property of another (copyright is freely alienable in the same way real property is)) are freely revocable unless barred by estoppel. The GPL v2 lacks a no-revocation clause thus estoppel would be more difficult to argue (additionally none of the "agreeing parties" have ever met each other).

    Note2: GrSecurity is a derivative work of the linux kernel, it is non-separable: it wholly relies on the linux kernel source code to work.
    Courts in both the US and Germany have reaffirmed that if a work based on another work cannot stand alone it is clearly a derivative work.
    (See the Anime Subtitles case from a few years ago) (See page 6 of the phoronix discussion at *2 for a review)

    Note3: The linux kernel is not under joint copyright, it is simply a collection of derivative work upon derivative work.

    A simple solution is for one or many of the rightsholders to the code GRSecurity is derived from/ modifies to rescind Brad Spengler's license to use or modify their code.

    Additionally copyright violation claims can be filed as Brad Spengler has reportedly attempted to frustrate the purpose of the agreement that allows him to modify the linux kernel in the first place; placing additional restrictions to prevent redistribution of the sourcecode (a court would not be fooled by such a scheme).

    (Additionally there were third parties who contributed to the GRSecurity code base when it was publicly distributed.)

    Other snippets from (*5) include Mr Spengler's unhappiness with the publication of his scheme and RMS's opinion of it:
    >... It has been nearly 4 months now and despite repeated follow-ups, I still
    >haven't received anything back more than an automated reply. Likewise
    >regarding some supposed claims by RMS which were published last year by
    >internet troll mikeeusa -- I have been trying since June 3rd of last
    >year to get any response from him, but have been unable to. So when you ...

    RMS' opinion can be seen here:
    (*7) https://lists.debian.org/debian-user/2016/06/msg00020.html [debian.org]

    >Re: GRsecurity is preventing others from employing their rights under version 2 the GPL to redistribute source code
    >Richard Stallman (May 31 2016 10:27 PM)
    >
    >[[[ To any NSA and FBI agents reading my email: please consider ]]]
    >[[[ whether defending the US Constitution against all enemies, ]]]
    >[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
    >
    >If I understand right, this is a matter of GPL 2 on the Linux patches.
    >Is that right? If so, I think GRsecurity is violating the GPL on
    >Linux.
    >
    >--
    >Dr Richard Stallman
    >President, Free Software Foundation (gnu.org, fsf.org)
    >Internet Hall-of-Famer (internethalloffame.org)
    >Skype: No way! See stallman.org/skype.html.

    (****)
    GRsecurity is preventing others from employing their rights under version 2 the GPL to redistribute
    (by threatening them with a non-renewal of a contract to receive this patch to the linux kernel.)
    (GRsecurity is a derivative work of the linux kernel (it is a patch))

    People who have dealt with them have attested to this fact:
    https://www.reddit.com/r/KotakuInAction/comments/4grdtb/censorship_linux_developer_steals_page_from_ [reddit.com]
    andi
    "You will also lose the access to the patches in the form of grsec not renewing the contract.
    Also they've asked us (a Russian hosting company) for $17000+ a year for access their stable
    patches. $17k is quite a lot for us. A question about negotiating a lower price was completely
    ignored. Twice." -- fbt2lurker

    And it is suggested to be the case here as well:
    https://www.reddit.com/r/linux/comments/4gxdlh/after_15_years_of_research_grsecuritys_rap_is_here [reddit.com]
    "Do you work for some company that pays for Grsecurity? If so then would you kindly exercise the
    rights given to you by GPL and send me a tarball of all the latest patches and releases?" --
    lolidaisuki
    "sadly (for this case) no, i work in a human rights organization where we get the patches by a
    friendly and richer 3rd party of the same field. we made the compromise to that 3rd party to not
    distribute the patches outside and as we deal with some critical situations i cannot afford to
    compromise that even for the sake of gpl :/
    the "dumber" version for unstable patches will make a big problem for several projects, i would
    keep an eye on them. this situation cannot be hold for a long time" -- disturbio