Grsecurity® is an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening that generally require no configuration. It has been actively developed and maintained for the past 14 years. Commercial support for grsecurity is available through Open Source Security, Inc.
In a big red block at the top of their home page is the following warning:
Important Notice Regarding Public Availability of Stable Patches
Due to continued violations by several companies in the embedded industry of grsecurity®'s trademark and registered copyrights, effective September 9th 2015 stable patches of grsecurity will be permanently unavailable to the general public. For more information, read the full announcement.
And I thought GRSecurity was based on the GPL'd work called "Linux". Guess I was wrong.
(Score: 5, Interesting) by Anonymous Coward on Monday September 07 2015, @09:22AM
> based on the GPL'd work called "Linux". Guess I was wrong.
You are wrong. Copyleft covers copying ONLY. The copyright holder retains all other rights, including the right to choose whether to distribute and to whom to distribute. The GPL clearly mandates that source be provided ONLY to recipients of binaries. If you do not buy binaries and you do not receive binaries, you have absolutely no right to receive sources.
From TFA:
So, if you want patches, buy them from Grsecurity or negotiate to buy them from a sponsor. If you are lucky then someone might be willing to sell to you. But the GPL does NOT EVER guarantee you free shit for free, which is what you seem to want "because Linux."
(Score: 3, Interesting) by Anonymous Coward on Monday September 07 2015, @09:41AM
> Therefore, two weeks from now, we will cease the public dissemination of the stable series and will make it available to sponsors only.
> The GPL does NOT EVER guarantee you free shit for free, which is what you seem to want "because Linux."
But the GPL does promise that you can do what you like with it, without any restriction other than preserving GPL terms. So, it only takes one person to subscribe to their "improvements", and publish them for everyone to use.
Personally, I take the view that if their "improvements" to the kernel were uncontroversially beneficial, they would have been absorbed into mainstream code already, so I'm not intending to use them.
(Score: -1, Flamebait) by Anonymous Coward on Monday September 07 2015, @09:52AM
> But the GPL does promise that you can do what you like with it, without any restriction other than preserving GPL terms. So, it only takes one person to subscribe to their "improvements", and publish them for everyone to use.
That's why the market value of Free Software is $0.00 and Linux users are smelly freetard neckbeards who beg on street corners.
(Score: 0) by Anonymous Coward on Monday September 07 2015, @10:51PM
beggars in IN make over 100k, AND they have neckbeards!
(Score: 0) by Anonymous Coward on Monday September 07 2015, @11:13PM
>That's why the market value of Free Software is $0.00 and Linux users are smelly freetard neckbeards who beg on street corners.
They make a deal with a devil and then wish not to give him his due when it turns out that the deal was exactly as stated:
We give you something for "free", you give us the best years of your lives.
(Score: 4, Insightful) by ThePhilips on Monday September 07 2015, @10:03AM
> But the GPL does promise that you can do what you like with it, without any restriction other than preserving GPL terms. So, it only takes one person to subscribe to their "improvements", and publish them for everyone to use.
Yes.
But recall the whole RHEL vs CentOS debacle.
RedHat sells lots of GPLed components to the RHEL customers. And even though they are GPLed, you would rarely, if ever, find them for free download on the net.
> Personally, I take the view that if their "improvements" to the kernel were uncontroversially beneficial, they would have been absorbed into mainstream code already, so I'm not intending to use them.
That discussion is more than a decade old.
GrSecurity patches (and similar) are very intrusive, and generally trade performance for a promise of higher security. It's not just a couple of places patched or a loadable module a-la AppArmor or SELinux. They patch and change lots of code, including the very low-level routines, making the kernel as a whole harder to develop and maintain.
OTOH, the security people are also not very eager. The fame of merging it into the mainline would fade quickly. While by maintaining their own patchsets, they have something akin to a product, and a service associated with it to sell.
(Score: 0) by Anonymous Coward on Monday September 07 2015, @10:10AM
Also, the Linux=GPL snark is utterly irrelevant unless GRSecurity is being distributed as a binary without sources. Which it isn't. They're playing the game to the rules. They're pissed off by big guys who aren't.
I know they can't name names, but would be interested in knowing who to sneer at.
(Score: 0) by Anonymous Coward on Monday September 07 2015, @03:45PM
Ah, so Linux is distributed under a bare license, and thus any rightsholder (of which there are tens of thousands) can revoke Brad Spengler's permission to modify their work at any time (barring estoppel)...
Or are we under contract law where extrinsic evidence of the parties' intentions at the time of the agreement (if there is an agreement at all) comes into play? Oh you thought the four corners of the document were all there was?
(Score: 2) by _NSAKEY on Monday September 07 2015, @04:53PM
Two of the offending companies are almost certainly Intel and Verifone. Here, have a collection of links:
https://twitter.com/ioerror/status/636677916365996032
https://twitter.com/grsecurity/status/450995354972864513
https://www-ssl.intel.com/content/dam/www/public/us/en/documents/white-papers/iot-security-profiles-white-paper.pdf
https://news.ycombinator.com/item?id=10126648
The basic problem here is that they're using the grsec name and not providing any means whatsoever for end users to acquire the source. Personally, I think the lawsuit should be complemented with an update to enlightenment.tgz that specifically targets and exploits the products of the companies he's suing.
(Score: 3, Informative) by stormreaver on Monday September 07 2015, @11:23AM
> Copyleft covers copying ONLY.
Copyright, and therefore copyleft, covers copying, modification, and distribution.
> The GPL clearly mandates that source be provided ONLY to recipients of binaries. If you do not buy binaries and you do not receive binaries, you have absolutely no right to receive sources.
Provided that GRSecurity distributes the entire kernel with their patches to its customers, there's no problem. There is a problem, though, if GRSecurity distributes only its patches to its customers without the rest of the kernel sources, or if GRSecurity tries to prohibit its paying customers from making the patches publicly available.
(Score: 0) by Anonymous Coward on Monday September 07 2015, @11:36AM
There's no problem with distributing patches alone without the rest of the kernel sources, as long as GRSecurity offers to provide the rest of the kernel sources to anyone who asks for them. And no, GRSecurity can't prohibit paying customers from making the patches publicly available, but they can jack up the price until customers don't want to give away for free something that they paid a lot of money for.
(Score: 0) by Anonymous Coward on Monday September 07 2015, @07:35PM
> but they can jack up the price until customers don't want to give away for free something that they paid a lot of money for.
That presupposes that there is an actual set of prices at the intersection of "too expensive to give away" and "cheap enough to buy."
I doubt it.
(Score: 0) by Anonymous Coward on Monday September 07 2015, @10:52PM
> And no, GRSecurity can't prohibit paying customers from making the patches publicly available, but they can jack up the price until customers don't want to give away for free something that they paid a lot of money for.
Ever heard of "bad faith"?
No?
Ever heard of "frustration of purpose"?
No?
You seem to be forgetting the thousands of copyright holders who aren't Spengler who own the work from which this patch is derived.
Oh but you think there's no agreement between Spengler and them now, don't you? Ok, so then there is just a bare license, not an irrevocable agreement between the Linux copyright holders and Spengler, and they can revoke that license. Is that what you want?
(Score: 0) by Anonymous Coward on Monday September 07 2015, @10:42PM
GRsecurity is a derivative work. Why that matters is discussed way below.
Copyright allows you to restrict a work, what area of the law allows you to grant permission?
Property and Contract law.
The significance of this is discussed in other posts below.
Suffice to say: either Spengler's license to modify Linux can be revoked at will (barring estoppel) if he has permission as a license (property law), or extrinsic evidence that bears on the agreement (such as the intention of the parties, usage in trade of terms, course of dealings, etc) can be brought in to discover the full effect of the agreement (remember: no integration clause here) since we would be proceeding under contract law (which is what you want if you want what Linux is licensed under to be irrevocable). We can discover if all X contributors to Linux intended derivative works to be closed in this manner, what the usage in trade was of these terms, what the course of dealings were vis a vis Spengler and the Linux rightsholders up till this time. Etc. It all bears to what the actual agreement is (if there is any to begin with).
If he has neither (another possibility), then his "grant" to modify the linux source code is just completely invalid from the start.
And before you dismiss all this, please study the basis of the law on which you base your documents and agreements.
Just because your techie friends repeat some dogma about OSS "license"s, doesn't mean they have a firm basis in law.
Guess why it takes years to get a law degree.