SoylentNews is people

posted by Fnord666 on Sunday February 16 2020, @02:22PM
from the no-way-out dept.

https://www.itwire.com/open-source/linux-kernel-patch-maker-says-court-case-was-only-way-out.html

The head of security firm Open Source Security, Brad Spengler, says he had little option but to file a lawsuit against open source advocate Bruce Perens, who alleged back in 2017 that security patches issued for the Linux kernel by OSS violated the licence under which the kernel is distributed.

The case ended last week with Perens coming out on the right side of things; after some back and forth, a court doubled down on its earlier decision that OSS must pay Perens' legal costs as awarded in June 2018.

The remainder of the article is an interview with Brad Spengler about the case and the issue.

iTWire contacted Spengler soon after the case ended, as he had promised to speak at length about the issue once all legal issues were done and dusted. Queries submitted by iTWire along with Spengler's answers in full are given below:

Previously:
Court Orders Payment of $259,900.50 to Bruce Perens' Attorneys


This discussion has been archived. No new comments can be posted.
  • (Score: 1) by khallow on Monday February 17 2020, @06:20PM (17 children)

    by khallow (3766) Subscriber Badge on Monday February 17 2020, @06:20PM (#959233) Journal

    In my view, GRSecurity is not imposing any further restrictions on the code that has been distributed - the recipient and the community can redistribute under the GPL as required.

    Then why would the subscription be terminated, if there were indeed no further restrictions on the code that was distributed? It obviously is a further restriction whether you choose to view it that way or not.

    What's missing here is that GRSecurity is constrained by the GPL 2.0 license on the Linux kernel. They do not have the option to impose these additional restrictions on what can be distributed (as Arik noted), because otherwise they aren't allowed to distribute those changes at all. That is, their code and their subscription both inherit the GPL 2.0 restrictions from the Linux kernel. They aren't allowed by the license to term subscriptions for people who redistribute their code.

  • (Score: 2) by Immerman on Monday February 17 2020, @08:42PM (16 children)

    by Immerman (3985) on Monday February 17 2020, @08:42PM (#959275)

    Would redistributing the code put you in violation of any license or contract? No.

    It would terminate the contract in accordance with its voluntary termination clause - but that's a restriction on the business agreement, not on the code.

    • (Score: 1) by khallow on Monday February 17 2020, @09:54PM (15 children)

      by khallow (3766) Subscriber Badge on Monday February 17 2020, @09:54PM (#959310) Journal

      Would redistributing the code put you in violation of any license or contract? No.

      It puts OSS in violation of the GPL 2.0 license on the Linux kernel.

      • (Score: 2) by Immerman on Monday February 17 2020, @10:20PM (14 children)

        by Immerman (3985) on Monday February 17 2020, @10:20PM (#959326)

        How, exactly?

        If you had a GRSecurity contract, got their GPL2 patches, and gave them to me - *I* would see no limitations, the license is completely unchanged GPL2.

        *You* would lose access to future updates from GRSecurity - but future updates aren't covered by the GPL.

        • (Score: 1) by khallow on Monday February 17 2020, @10:43PM (13 children)

          by khallow (3766) Subscriber Badge on Monday February 17 2020, @10:43PM (#959338) Journal

          *You* would lose access to future updates from GRSecurity

          There we go. The restriction/limit/etc that someone won't acknowledge as such.

          - but future updates aren't covered by the GPL.

          Of course, they are covered by the GPL. The GPL doesn't force you to engage in GPL-covered activities, such as releasing modifications of GPL licensed programs, but when you do, you have to comply with the license, even if it's an activity in the future.

          • (Score: 2) by Immerman on Monday February 17 2020, @11:18PM (12 children)

            by Immerman (3985) on Monday February 17 2020, @11:18PM (#959345)

            Is the limit/restriction/etc on the licensed code? Or on your ability to redistribute it? No, you can redistribute to your heart's content under the exact same license, exactly as it requires.

            There are *consequences* for distributing the code, but no *limitations or restrictions* on doing so. Exact language matters in law.
            >Of course, they are covered by the GPL.

            No, they aren't, because they don't exist yet.
            They will probably exist eventually, and when they do, they will probably be released under the GPL (though it's always theoretically possible that alternate licenses might be negotiated with all the upstream contributors.)

            But giving you code under the GPL today, doesn't put any obligation on me to give you more GPL code in the future.

            • (Score: 1) by khallow on Tuesday February 18 2020, @12:06AM (11 children)

              by khallow (3766) Subscriber Badge on Tuesday February 18 2020, @12:06AM (#959361) Journal

              Is the limit/restriction/etc on the licensed code? Or on your ability to redistribute it? No, you can redistribute to your heart's content under the exact same license, exactly as it requires.

              Why are you still asking when it's been explained to you? For example, here [soylentnews.org]

              [KilroySmith:]In my view, GRSecurity is not imposing any further restrictions on the code that has been distributed - the recipient and the community can redistribute under the GPL as required.

              [khallow:]Then why would the subscription be terminated, if there were indeed no further restrictions on the code that was distributed? It obviously is a further restriction whether you choose to view it that way or not.

              What's missing here is that GRSecurity is constrained by the GPL 2.0 license on the Linux kernel. They do not have the option to impose these additional restrictions on what can be distributed (as Arik noted), because otherwise they aren't allowed to distribute those changes at all. That is, their code and their subscription both inherit the GPL 2.0 restrictions from the Linux kernel. They aren't allowed by the license to term subscriptions for people who redistribute their code.

              or here

              [KilroySmith:] The GPL ties the hands of GRSecurity in many ways, but forcing them to forever support a customer that they no longer wish to do business with isn't one of those ties, IMHO.

              [AC:]Their product is a patch to the Linux kernel, making it a derivative work of the kernel, and thus the only reason why they can even distribute it at all is thanks to the GPL itself. It sounds like what they say is: "we distribute our patches to you under the GPL, but if you even try to exercise these other rights you supposedly have under it, we will stop giving you support and updates". That rather sounds a hell of a lot like they're adding extra terms to the license, prohibited by GPL section 6. It's not a matter of forcing them to forever support anyone. It's that they're adding extra terms and conditions to the redistribution of their patches in violation of the GPL.

              Further examples, here [soylentnews.org] and here [soylentnews.org]. These are all posts you replied to.

              You even agree [soylentnews.org] at one point.

              [barbara hudson:]Back in the 80s I'm sure I wasn't the only one modifying binaries with a hex editor. If I were to do that today I could redistribute the binaries and never give the source because there is no source, never was.

              [Immerman:]Except that the instant you distribute you're violating copyright law - unless you have a license that allows you to distribute. As some kid sharing stuff with friends in the pre-napster days, you were unlikely to get caught, but that doesn't make it any more legal.

              Do that with any proprietary software, and the original copyright holder will be fully within their legal rights to come down on you like a ton of bricks for copyright infringement

              Do that with GPLed software - and either you provide the source code on demand as required by the license, or the original copyright holder will be fully within their legal rights to come down on you like a ton of bricks for copyright infringement.

              The GPL is the only thing allowing you to redistribute the code legally, so if you're not 100% in compliance with the license - including providing source code on demand, then you're automatically guilty of copyright infringement.

              Sounds like GRSecurity isn't obviously violating the letter of the GPL, assuming they really do provide the source code on demand. But they're certainly violating the spirit.

              And don't constrain the recipient's rights under the GPL, which OSS does. Sorry, the GPL does more than just require access to source code on demand, it requires that you don't put constraints on distribution, even the relatively mild ones here, on downstream recipients of modified code. And yes, anything where even a relatively mild negative consequence/penalty follows redistribution, is a constraint/restriction/limit which is not allowed by the GPL 2.0 license.

              • (Score: 2) by Immerman on Tuesday February 18 2020, @01:22AM (10 children)

                by Immerman (3985) on Tuesday February 18 2020, @01:22AM (#959379)

                You seem to be operating under the assumption that putting constraints on future business transaction is equivalent to putting constraints on the licensed software. I don't see it, except in spirit. And the law is defined by the letter, not the spirit.

                I sell you a copy of ImmerOffice, and give you the full source code under the GPL. At that point I have fulfilled my legal obligation under the GPL.

                I then tell you that if you redistribute that code, I won't do business with you any more.

                I have not in any way revoked or limited any of the rights I already granted you, I have simply put conditions on you doing business with me in the future.

                It certainly violates the spirit of the GPL, especially for a product where regular updates are essential to the functionality, but nothing in the GPL actually requires me to continue doing business with you. I haven't altered what you can legally do with the software I already sold you in any way. I've only conditionally limited your ability to continue doing business with me.

                • (Score: 1) by khallow on Tuesday February 18 2020, @01:45AM (4 children)

                  by khallow (3766) Subscriber Badge on Tuesday February 18 2020, @01:45AM (#959389) Journal

                  You seem to be operating under the assumption that putting constraints on future business transaction is equivalent to putting constraints on the licensed software.

                  At first, I thought I understood what you were saying. The GPL 2.0 license does put constraints on present and future business transactions when they impinge on the license. But you seem to be claiming that "putting constraints on the licensed software" was something we were discussing? We weren't. We were discussing how the GPL 2.0 license constrains (or as you claim, doesn't constrain) OSS's restrictions on use of their product (since it is a modification of the Linux kernel which makes the GRSecurity subject to the GPL 2.0 license requirements), like penalizing customers who exercise a GPL prerogative to distribute GPL licensed code.

                  The software itself is not constrained.

                  • (Score: 2) by Immerman on Tuesday February 18 2020, @02:13AM (3 children)

                    by Immerman (3985) on Tuesday February 18 2020, @02:13AM (#959396)

                    >The GPL 2.0 license does put constraints on present and future business transactions when they impinge on the license.
                    Where, exactly, in the GPL2 does it put limitations on future transactions?

                    >But you seem to be claiming that "putting constraints on the licensed software" was something we were discussing?
                    Yes, we are. That's what the GPL is all about. So long as I give you the source code under the same GPL license that I received it, with no further limitations or restrictions on what you can do with it, my obligations under the GPL are fulfilled.

                    I sold you ImmerOffice, a derivative work of GPL2 software. I gave you the source under the exact same GPL2 license as I received the upstream version under. My obligations under the GPL2 license that I received from upstream are completely satisfied. You can spread that source and software far and wide, and there's nothing I can do about it.

                    Nothing I do from that point forward matters to *that* GPL-bound transaction. You have the source, you can do whatever you want with it (subject to GPL2). But I am under no obligation to do any further business with you.

                    A year later you want to buy the latest version from me. I can sell it to you or not - that's completely up to me. If I choose to only sell the latest version to people who didn't redistribute the previous version, that in no way limits your ability to redistribute the previous version. It only limits your ability to get access to the current version.

                    • (Score: 1) by khallow on Tuesday February 18 2020, @03:44AM (2 children)

                      by khallow (3766) Subscriber Badge on Tuesday February 18 2020, @03:44AM (#959422) Journal

                      Where, exactly, in the GPL2 does it put limitations on future transactions?

                      There's no time limit on any of the limitations listed in the GPL 2.0. The whole thing applies to the indefinite future.

                      But you seem to be claiming that "putting constraints on the licensed software" was something we were discussing?

                      Yes, we are. That's what the GPL is all about. So long as I give you the source code under the same GPL license that I received it, with no further limitations or restrictions on what you can do with it, my obligations under the GPL are fulfilled.

                      You mention no such way that GPL puts constraints on the licensed software. In reality, it puts constraints instead on the use, modification, ownership, distribution, etc of the software.

                      I sold you ImmerOffice, a derivative work of GPL2 software. I gave you the source under the exact same GPL2 license as I received the upstream version under. My obligations under the GPL2 license that I received from upstream are completely satisfied. You can spread that source and software far and wide, and there's nothing I can do about it.

                      Nothing I do from that point forward matters to *that* GPL-bound transaction. You have the source, you can do whatever you want with it (subject to GPL2). But I am under no obligation to do any further business with you.

                      False. If you have continued to distribute future modifications of ImmerOffice which continue to be derivative from GPL code, then you continue to be subject to the terms of the GPL of the original code. And contrary to your assertion, you remain under obligation from that GPL license to do such things as provide access to your code for anyone, even those whom you don't do business with.

                      What other contract can be voided merely because there is a future?

                      • (Score: 2) by Immerman on Tuesday February 18 2020, @03:13PM (1 child)

                        by Immerman (3985) on Tuesday February 18 2020, @03:13PM (#959535)

                        >You mention no such way that GPL puts constraints on the licensed software. In reality, it puts constraints instead on the use, modification, ownership, distribution, etc of the software.

                        Yes - either you adhere to the terms of the GPL2, or you can't redistribute. The GPL2 grants you a bunch of new rights - but only so long as you adhere to its limitations (full source release, no new license restrictions, etc on downstream code.) Use and modification are actually completely unrestricted, your GPL2 obligations are only triggered by distribution. Which is why Google can run their own custom version of Linux and other GPL2 software within their organization without sharing the source. As I recall that's one of the many things GPL3 changed.

                        >If you have continued to distribute future modifications of ImmerOffice which continue to be derivative from GPL code, then you continue to be subject to the terms of the GPL of the original code. And contrary to your assertion, you remain under obligation from that GPL license to do such things as provide access to your code for anyone, even those whom you don't do business with.

                        Actually, no. Read the GPL2 very carefully - you're only required to provide the GPL2ed source to people to whom you distribute the derivative work*. Most people make the source available to everyone out of convenience (if customers can re-share it anyway, why bother with all the trouble of limiting access), but e.g. if you sold shrink-wrapped GPL2 software bundled with the complete source on the same DVD as the software, then your obligations have been fully met and you don't need to make the source available in any other form.

                        If I sell you ImmerOffice v1, then I am required to give you the full source to ImmerOffice v1 under the GPL2 either bundled or upon request. However, I have no obligation to provide you source code to v2 unless I have provided you with that version of the software. If I refuse to sell v2 to you, then I don't have to give you the source to v2. Anyone I *do* sell to is still entitled to get the GPL2 source, and can give it to you freely - but that has nothing to do with me. Except that I would then refuse to sell them v3 or provide them with the source to that version.

                        *Clause 3 of the GPL2

                        3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
                                a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
                                b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
                                c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

                        Hmm...I hadn't actually remembered the "any third party" bit on subsection (b) - It would seem that if I don't provide you the source up front, bundled with the software, then I would indeed have to make it available to everyone. However, so long as I bundled the source, I'm home free. And in the case of a patch... well the patch is almost certainly delivered in source form to begin with, is it not?

                        • (Score: 1) by khallow on Tuesday February 18 2020, @06:20PM

                          by khallow (3766) Subscriber Badge on Tuesday February 18 2020, @06:20PM (#959613) Journal

                          Indeed, let's read the GPL 2 carefully. Arik [soylentnews.org] did that and came up with sections 4 and 6, which override your permissive interpretation of section 3.

                          you're only required to provide the GPL2ed source to people to whom you distribute the derivative work*.

                          And you are also "only" required to "not impose any further restrictions on the recipients' exercise of the rights granted herein". Sorry, but OSS's gimmick of not doing business with you if you exercise the right to redistribute is a restriction and would be covered by the license. They are limited by the license as to what restrictions they can impose on their customers, section 3 notwithstanding.

                • (Score: 0) by Anonymous Coward on Tuesday February 18 2020, @07:16AM (4 children)

                  by Anonymous Coward on Tuesday February 18 2020, @07:16AM (#959465)

                  >You seem to be operating under the assumption that putting constraints on future business transaction is equivalent to putting constraints on the licensed software. I don't see it, except in spirit. And the law is defined by the letter, not the spirit.

                  When using some other Copyright holder's Work licensed to you under the terms of version 2 of the GPL: The GPL governs you, the licensee's business dealings with any future distributees where there is a nexus with the GPL'd work. It _FORBIDS_ you to engage in any contracting that adds ANY additional terms between YOU and the Distributee. See section 6 and 4. You simply are NOT allowed to create such contracts between you the licensee and the distributees. When you DO create such a contract, your license is /IMMEDIATELY/ revoked (section 4). The MOMENT you offer additional terms, in a situation where the GPL'd Work (of another) is implicated.

                  >I sell you a copy of ImmerOffice, and give you the full source code under the GPL. At that point I have fulfilled my legal obligation under the GPL.

                  Wrong.

                  >I then tell you that if you redistribute that code, I won't do business with you any more.

                  You have now violated section 6 and section 4 of the GPL. The Copyright owners forbid such business dealings, whether you like it or not, mr american business man. The Copyrighted Work is NOT your property, it is NOT your possession, it is the COPYRIGHT OWNERS PROPERTY, and he may RESCIND your PERMISSION to use HIS PROPERTY at his LEISURE. Here he has chosen to rescind the license when you implicate his Work in a negative covenant inconsistent with the proffered terms.

                  >I have not in any way revoked or limited any of the rights I already granted you, I have simply put conditions on you doing business with me in the future.

                  Wrong: you have engaged in behavior forbidden by the Owner of the Copyrighted work, and have lost your PERMISSION to use his work, as stated in section 4. You no-longer have a license and hence-forth are implicated in Copyright infringement.

                  >It certainly violates the spirit of the GPL, especially for a product where regular updates are essential to the functionality, but nothing in the GPL actually requires me to continue doing business with you. I haven't altered what you can legally do with the software I already sold you in any way. I've only conditionally limited your ability to continue doing business with me.

                  It violates the text of section 6 and section 4. And yes, I am a lawyer. You should be sued in such a case. The Copyrighted work is NOT your property. It is NOT an item you have title to. You merely have permission to use another's property (like if you were /licensed/ to walk over someone's land), which is revoked at the owner's leisure. The owner has stated that the permission is revoked if you add any additional terms between you and anyone you distribute the Work (or any derivative there-of) to. Which you have done so. No more license.

                  • (Score: 2) by Immerman on Tuesday February 18 2020, @03:26PM (2 children)

                    by Immerman (3985) on Tuesday February 18 2020, @03:26PM (#959539)

                    Where does it say you can't add any further terms to the transaction? It says you can't add any further *restrictions* to the

                    [Section] 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

                    So long as I provide you the full source under GPL2, then I'm putting no further restrictions on you redistributing it as you see fit. Threatening to refuse to do any further business with you if you exercise those rights, doesn't actually restrict your rights - it just restricts your future business dealings with me. You're perfectly free to flip me off and redistribute the source I gave you.

                    I don't see that section 4 is directly relevant, until we establish that I have indeed violated section 6.

                    • (Score: 0) by Anonymous Coward on Wednesday February 19 2020, @02:42AM (1 child)

                      by Anonymous Coward on Wednesday February 19 2020, @02:42AM (#959757)

                      >Where does it say you can't add any further terms to the transaction? It says you can't add any further *restrictions* to the

                      > 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void,

                      Grsecurity is a modification of the Program. They are modifying the Program, and sublicensing it, with added terms. They are in violation.

                      Additionally, A consequence, as well as A negative covenant, is a restriction.

                      >You may not impose any further restrictions on the recipients' exercise of the rights granted herein.

                      They are violating the license on two counts, not just one count.

                      • (Score: 2) by Immerman on Wednesday February 19 2020, @03:55AM

                        by Immerman (3985) on Wednesday February 19 2020, @03:55AM (#959781)

                        Their argument is that there are no added terms. The patch is provided under the GPL2, which means you can redistribute it freely.

                        You won't be able to do business with them anymore if you do, but that doesn't limit your ability to redistribute in any way.

                  • (Score: 2) by Immerman on Tuesday February 18 2020, @03:48PM

                    by Immerman (3985) on Tuesday February 18 2020, @03:48PM (#959549)

                    I suppose the question boils down to - does my threat to stop doing business with you in the future constitute a restriction on your rights to the GPL source I just gave you - or does it only constitute a restriction on our future business relationship?

                    I could certainly see a court case going either way - but it could be a very long and protracted battle. After all, I am giving you the full source under the GPL2, and you and anyone downstream are completely free to redistribute it. Unlike more typical clear-cut GPL violations, where the full source of the derivative work is not made available under the GPL, and the infringer thus clearly has no license to redistribute the code.