SoylentNews is people

posted by Fnord666 on Sunday February 16 2020, @02:22PM
from the no-way-out dept.

https://www.itwire.com/open-source/linux-kernel-patch-maker-says-court-case-was-only-way-out.html

The head of security firm Open Source Security, Brad Spengler, says he had little option but to file a lawsuit against open source advocate Bruce Perens, who alleged back in 2017 that security patches issued for the Linux kernel by OSS violated the licence under which the kernel is distributed.

The case ended last week with Perens coming out on the right side of things; after some back and forth, a court doubled down on its earlier decision that OSS must pay Perens' legal costs as awarded in June 2018.

The remainder of the article is an interview with Brad Spengler about the case and the issue.

iTWire contacted Spengler soon after the case ended, as he had promised to speak at length about the issue once all legal issues were done and dusted. Queries submitted by iTWire along with Spengler's answers in full are given below:

Previously:
Court Orders Payment of $259,900.50 to Bruce Perens' Attorneys


  • (Score: 1, Redundant) by barbara hudson on Sunday February 16 2020, @07:54PM (17 children)

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Sunday February 16 2020, @07:54PM (#958874) Journal
    And you still don't get it. I am free to waive any and all rights granted by copyright law, AND any license that uses copyright law. For example, I can waive my right to read a book I buy, or a movie. There is nothing in copyright law that prevents me from entering into an agreement to waive any of my rights.

    For example, I might acquire a mint condition never unsealed collector's edition of a book from someone on the condition that I keep it in its pristine unread state, because we're both serious collectors and that is the last known copy in such a state. Copyright law allows me to waive my right to read it. We can even spell out financial penalties if I should afterwards choose to read the book, destroying its pristine condition, and those penalties would be enforceable; that copyright law allows me to read the book is no defence for breach of contract.

    Copyright hasn't been waived - just my rights, voluntarily, by me.

    Copyright doesn't require I take measures to preserve a work of art, I'm free to burn it if I wish. However, the seller can impose as a condition of lending or selling the work of art to a museum that the museum takes steps to preserve it, and even restrictions on whether it can be shown to the public. There are plenty of such cases where the acquiring museum agrees to restrict viewing to scholars only, under restrictions, as part of the agreement to acquire the art, object, or artifacts.

    And this applies to artifacts in the public domain as well. Think ancient scrolls as one example. The donor requires such restrictions, you either agree to them or you don't get the artifact. If the agreement says you can't photograph, copy, or otherwise reproduce them, even if they're old enough that copyright law says they're in the public domain, then you can't do any of those things.

    Copyright is like other rights - you can waive your rights under copyright and no third party can contest it. The GPL can't stop two people from entering into a contract where one party waived some of their rights - no license has that power.

    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
  • (Score: 3, Insightful) by Arik on Sunday February 16 2020, @08:11PM (11 children)

    by Arik (4543) on Sunday February 16 2020, @08:11PM (#958877) Journal
    "The GPL can't stop two people from entering into a contract where one party waived some of their rights - no license has that power."

    Can't and doesn't try to.

    It just sets the terms on which you may, if you choose, modify and distribute works based on it.

    If you aren't willing to abide the terms, then your license is revoked.

    You can enter all the contracts with end users you want, they can't give you any right to modify and distribute linux without the GPL.
    --
    If laughter is the best medicine, who are the best doctors?
    • (Score: 2) by barbara hudson on Sunday February 16 2020, @10:25PM (10 children)

      by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Sunday February 16 2020, @10:25PM (#958916) Journal
      But there is nothing requiring the RECIPIENT to not waive their rights to receive the source. And if a recipient waived the right to receive the source, the person doing the distribution is not in breach - after all, they are not the ones who waived the recipient's rights. And if the distributor of the program has a waiver from the recipient, the recipient can't legally claim that the distributor breached the GPL, even if the recipient later demands a copy of the source. The distributor can just say "sue me because it's you, not me, who are in breach of contract."

      The judge will look at the contract and the license and rule that you waived your rights under the license. Pay damages. The judge will also rule that the GPL was not breached because the vendor isn't the one who refused to distribute initially and only did so after the recipient waived their rights.

      --
      SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
      • (Score: 0) by Anonymous Coward on Sunday February 16 2020, @10:46PM (9 children)

        by Anonymous Coward on Sunday February 16 2020, @10:46PM (#958926)

        The GPL also states that you can either redistribute the program by giving the recipient the full rights of the GPL, or you have to refrain from redistributing at all. So it's the *distributor* that cannot enter a contract where the recipient waived their rights.

        • (Score: 2) by barbara hudson on Monday February 17 2020, @12:22AM (8 children)

          by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 17 2020, @12:22AM (#958947) Journal
          Until the recipient asks for a copy of the source, the distributor is in full compliance. That's what nobody here seems to get - it's only when the recipient asks for the source that the distributor is potentially in non-compliance. If the distributor has a waiver from the recipient that revokes the license and requires them to delete the software that a problem arises. And since the recipient knows they don't have a valid license any more, they can't try to enforce the terms of the license. How can they, they don't have a license?

          At that point, the recipient can either stfu or delete the software: the software was distributed with no warranty whatsoever, same as other open source programs.

          And the distributor can argue away the whole thing as being de minimis, and as such non-justiciable. After all, where's the hardship on the original author? Or any copyright holders? Are they able to prove any financial losses? Harm to reputation? Nope. It was of so little financial value as is that people were able to sell fixes. It could be argued that availability of such fixes enhanced the value of the original. Weakening the GPL would probably result in more innovation. Certainly it hasn't improved with age.

          After all, it's companies and products that have been able to construct walled gardens around Linux that are successful. Compare the various open source not-quite-phones with Android. Linux on laptops with Chromebooks. Linux on the desktop with FreeBSD and Quartz from Apple.

          BTW, just checked and there's no LICENSE.txt or even a README.txt for Linux on my distro. A newb would assume that it was free as in FreeBSD.

          --
          SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
          • (Score: 0) by Anonymous Coward on Monday February 17 2020, @01:53AM (5 children)

            by Anonymous Coward on Monday February 17 2020, @01:53AM (#958975)

            It is a kernel patch. The product IS the source.

            • (Score: 2) by barbara hudson on Monday February 17 2020, @02:09AM (4 children)

              by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 17 2020, @02:09AM (#958984) Journal
              Cripes, what is wrong with people nowadays. I used to patch binaries directly, no source needed. There's no need for the source to patch a binary sitting on a machine. There were plenty of programs that would patch binaries directly from patch files consisting of instructions for the patch program of code offsets to cut out, binary code to overwrite with binary patches, etc. Why distribute source if it opens the door to problems?
              --
              SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
              • (Score: 0) by Anonymous Coward on Monday February 17 2020, @03:03AM (3 children)

                by Anonymous Coward on Monday February 17 2020, @03:03AM (#959002)

                To do binary patches, everyone has to have the same binaries. The second I add in or cut out a different module, change my defaults, add my own source patches, use different compile options, etc. that binary changes.

                And there is also the fact that if you actually looked at their downloads page or docs, you'd quickly realize that they are literally distributing GNU patch formatted files to be run against the extracted source tarball obtained from upstream.

                • (Score: 2) by barbara hudson on Monday February 17 2020, @03:58AM (2 children)

                  by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 17 2020, @03:58AM (#959013) Journal
                  There used to be patch programs that could handle different but similar binaries. As to them distributing patches to apply to source code, that is risky and stupid. Just hack the binary directly. It's not like the Russians, North Koreans, Iranians, and various crooks haven't been able to hack binaries of commercial software for around 40 years. No source code needed. No recompiling needed.
                  --
                  SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                  • (Score: 0) by Anonymous Coward on Tuesday February 18 2020, @03:20PM (1 child)

                    by Anonymous Coward on Tuesday February 18 2020, @03:20PM (#959538)

                    Patching the binaries is a derivative work too, you fucking moron.

                    • (Score: 0) by Anonymous Coward on Tuesday February 18 2020, @08:20PM

                      by Anonymous Coward on Tuesday February 18 2020, @08:20PM (#959648)

                      Not only that, but do you really think anyone who is so paranoid that they think the default Linux kernel is not secure enough is going to run a fuzzy or conditional patcher on their kernel? This goes double when you realize all the minor changes that different compilers, flags, and CONFIGs can make in the final compiled product. Yep, let's run this untested, unauditable binary patch on our production system that requires a higher security level than the default or distro kernels.

          • (Score: 3, Touché) by Runaway1956 on Monday February 17 2020, @06:02AM

            by Runaway1956 (2926) Subscriber Badge on Monday February 17 2020, @06:02AM (#959050) Journal

            You're aware that a contract signed under duress and/or coercion is null and void?

            Spengler's sales pitch is much like this: "I have something valuable, which you can't live without. I'll allow you to use it, if and only if, you waive your rights under the GPL." It's bullshit, plain and simple. You also have rights, Hudson. You have the right to stop defending some greedy-ass fuckwit who doesn't understand the GPL.

          • (Score: 2) by mobydisk on Tuesday February 18 2020, @09:20PM

            by mobydisk (5472) on Tuesday February 18 2020, @09:20PM (#959664)

            Until the recipient asks for a copy of the source, the distributor is in full compliance.... it's only when the recipient asks for the source that the distributor is potentially in non-compliance

            I don't think so. The GPL is invoked at the time of distribution, not at the time the recipient asks for the source. So as soon as GRSecurity tells the recipient "I won't give you this unless you agree to not distribute it" then GRSecurity is no longer in compliance. This happens even before the recipient gets the software. At that point GRSecurity no longer has the right to distribute the patches.

            Breaking down the GPL as-written:

            Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions.

            So Linus Torvalds grants me the right to redistribute the GRSecurity patches, not GRSecurity. And this happens at the time GRSecurity distributes their patches.

            You may not impose any further restrictions on the recipients' exercise of the rights granted herein.

            So GRSecurity is violating the GPL by merely asking their clients to sign a waiver of rights. It's not that the recipient can't agree to do so - it's that GRSecurity is not allowed to ask.

  • (Score: 2) by gtomorrow on Sunday February 16 2020, @08:44PM (3 children)

    by gtomorrow (2230) on Sunday February 16 2020, @08:44PM (#958883)

    As Arik said repeatedly, it's you that doesn't understand. In this case, you aren't waiving your rights. You are perfectly free not to enforce your rights but you are never at any moment irrevocably surrendering anything. In this case you may and can change your mind at any time regarding said rights. Specifically, under GPL, you can at any time request the source code and no one can legally tell you to, as you so eloquently put it, "pound sand".

    Geez...sometimes, Barbara, you are exhausting.

    • (Score: 0) by Anonymous Coward on Sunday February 16 2020, @09:48PM

      by Anonymous Coward on Sunday February 16 2020, @09:48PM (#958899)

      Geez...sometimes, Barbara, you are exhausting.

    • (Score: 0) by Anonymous Coward on Monday February 17 2020, @05:50AM (1 child)

      by Anonymous Coward on Monday February 17 2020, @05:50AM (#959046)

      And nothing can stop that company from doing its duty under the GPL and giving you that - and then terminating your relationship for future releases.

      Which is what's happening here.

      Which is why it's legal.

      • (Score: 0) by Anonymous Coward on Monday February 17 2020, @12:12PM

        by Anonymous Coward on Monday February 17 2020, @12:12PM (#959121)

        It is not legal.
        GRSecurity is forbidden from offering any additionally restrictive terms between it and the distributees of the derivative work.
        See section 6 and section 4 of the GPL (version 2).

        The copyright owners of the Linux kernel (and of GCC, GRSecurity also makes GCC plugins, which are believed to be non-separable derivative works as well) have explicitly forbidden any additional restrictive terms between the licensee and the down-the-line distributee.

        It IS illegal. Criminally too since Spengler et al have made over 1000 dollars from the direct copyright infringement.

  • (Score: 1) by khallow on Monday February 17 2020, @06:31PM

    by khallow (3766) Subscriber Badge on Monday February 17 2020, @06:31PM (#959237) Journal

    I am free to waive any and all rights granted by copyright law, AND any license that uses copyright law.

    No, you're not. You can't waive any and all rights granted by copyright law because you can't waive the owners' rights for all the copyright you don't own. Neither GRSecurity nor its customers (and certainly not you) have the authority to waive the license requirements because they don't own the copyright on the Linux kernel and thus, don't have the authority to issue themselves an exception to the license.