
posted by Fnord666 on Sunday February 16 2020, @02:22PM
from the no-way-out dept.

https://www.itwire.com/open-source/linux-kernel-patch-maker-says-court-case-was-only-way-out.html

The head of security firm Open Source Security, Brad Spengler, says he had little option but to file a lawsuit against open source advocate Bruce Perens, who alleged back in 2017 that security patches issued for the Linux kernel by OSS violated the licence under which the kernel is distributed.

The case ended last week with Perens coming out on the right side of things; after some back and forth, a court doubled down on its earlier decision that OSS must pay Perens' legal costs as awarded in June 2018.

The remainder of the article is an interview with Brad Spengler about the case and the issue.

iTWire contacted Spengler soon after the case ended, as he had promised to speak at length about the issue once all legal issues were done and dusted. Queries submitted by iTWire along with Spengler's answers in full are given below:

Previously:
Court Orders Payment of $259,900.50 to Bruce Perens' Attorneys

  • (Score: 2) by barbara hudson on Monday February 17 2020, @02:09AM (4 children)

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 17 2020, @02:09AM (#958984) Journal
    Cripes, what is wrong with people nowadays? I used to patch binaries directly, no source needed. There's no need for the source to patch a binary sitting on a machine. There were plenty of programs that would patch binaries directly from patch files consisting of instructions for the patch program of code offsets to cut out, binary code to overwrite with binary patches, etc. Why distribute source if it opens the door to problems?
    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
  • (Score: 0) by Anonymous Coward on Monday February 17 2020, @03:03AM (3 children)

    by Anonymous Coward on Monday February 17 2020, @03:03AM (#959002)

    To do binary patches, everyone has to have the same binaries. The second I add in or cut out a different module, change my defaults, add my own source patches, use different compile options, etc., that binary changes.

    And there is also the fact that if you actually looked at their downloads page or docs, you'd quickly realize that they are literally distributing GNU patch formatted files to be run against the extracted source tarball obtained from upstream.

    • (Score: 2) by barbara hudson on Monday February 17 2020, @03:58AM (2 children)

      by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 17 2020, @03:58AM (#959013) Journal
      There used to be patch programs that could handle different but similar binaries. As to them distributing patches to apply to source code, that is risky and stupid. Just hack the binary directly. It's not like the Russians, North Koreans, Iranians, and various crooks haven't been able to hack binaries of commercial software for around 40 years. No source code needed. No recompiling needed.
      --
      SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
      • (Score: 0) by Anonymous Coward on Tuesday February 18 2020, @03:20PM (1 child)

        by Anonymous Coward on Tuesday February 18 2020, @03:20PM (#959538)

        Patching the binaries is a derivative work too, you fucking moron.

        • (Score: 0) by Anonymous Coward on Tuesday February 18 2020, @08:20PM

          by Anonymous Coward on Tuesday February 18 2020, @08:20PM (#959648)

          Not only that, but do you really think anyone who is so paranoid that they think the default Linux kernel is not secure enough is going to run a fuzzy or conditional patcher on their kernel? This goes double when you realize all the minor changes that different compilers, flags, and CONFIGs can make in the final compiled product. Yep, let's run this untested, unauditable binary patch on our production system that requires a higher security level than the default or distro kernels.
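The thread above turns on whether offset-based binary patches (barbara hudson's description) can work without everyone having the identical binary (the Anonymous Coward's reply). As an added illustration that is not from the article or any commenter, this hypothetical Python patcher applies offset/expected/replacement hunks only after verifying the target; the constructed toy images show a rebuilt binary failing the per-hunk check, and a binary that matches at the hunk but differs elsewhere being accepted only when the whole-image digest check is skipped.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Hunk:
    offset: int         # byte offset into the target image
    expected: bytes     # bytes the patch author saw at that offset
    replacement: bytes  # same-length bytes to write in their place

@dataclass(frozen=True)
class BinaryPatch:
    target_sha256: str  # digest of the exact build the patch was made against
    hunks: tuple        # Hunk records

class PatchMismatch(Exception):
    """The image is not the build this patch was authored against."""

def apply_patch(image: bytes, patch: BinaryPatch, strict: bool = True) -> bytes:
    """Return a patched copy of image, or raise PatchMismatch. strict=True also
    demands the whole-image digest match; strict=False checks only each hunk's bytes."""
    if strict and hashlib.sha256(image).hexdigest() != patch.target_sha256:
        raise PatchMismatch("image digest differs from the build the patch targets")
    out = bytearray(image)
    for h in patch.hunks:
        if len(h.expected) != len(h.replacement):
            raise ValueError("hunk would change the image size")
        end = h.offset + len(h.expected)
        if bytes(out[h.offset:end]) != h.expected:
            raise PatchMismatch(f"bytes at offset {h.offset} are not the expected ones")
        out[h.offset:end] = h.replacement
    return bytes(out)

def outcome(image: bytes, patch: BinaryPatch, strict: bool = True) -> str:
    """'applied', or 'refused: <reason>' when a precondition check fails."""
    try:
        apply_patch(image, patch, strict)
        return "applied"
    except PatchMismatch as exc:
        return f"refused: {exc}"

# Constructed toy images (not real kernel code): ORIGINAL is the build the patch targets,
# REBUILT has the same code shifted by a build option, SAME_OFFSET differs only elsewhere.
ORIGINAL = b"\x90\x90\x31\xc0\xc3" + b"\x90" * 5
REBUILT = b"\x90\x90\x90\x90\x31\xc0\xc3" + b"\x90" * 3
SAME_OFFSET = ORIGINAL[:-1] + b"\xcc"

PATCH = BinaryPatch(target_sha256=hashlib.sha256(ORIGINAL).hexdigest(),
                    hunks=(Hunk(offset=2, expected=b"\x31\xc0", replacement=b"\x31\xdb"),))
```

Running `outcome(SAME_OFFSET, PATCH, strict=False)` applies the hunk even though the image is a different build, which is the risk the fuzzy-patcher objection is about.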