from the justice-in-action dept.
From The Register:
After three years of legal wrangling, the defamation lawsuit brought by Brad Spengler and his company Open Source Security (OSS) against open-source pioneer Bruce Perens has finally concluded.... Spengler and OSS sued Perens for a June 2017 blog post in which Perens ventured the opinion that grsecurity, Open Source Security's Linux kernel security enhancements, could expose customers to potential liability under the terms of the General Public License (GPL).
OSS says that customers who exercise their rights to redistribute its software under the GPL will no longer receive software updates – the biz wants to be paid for its work, a problem not really addressed by the GPL. Perens, the creator of the open-source definition, pointed out that section six of the GPLv2 prohibits modifications of the license terms.
In December 2017, San Francisco magistrate judge Laurel Beeler determined that Perens had expressed an opinion as allowed under American law and dismissed the defamation claim. Perens then sought to recoup legal expenses under California's Anti-Strategic Lawsuits Against Public Participation (SLAPP) statute, [and] a month later he was awarded more than $526,000 in damages.
Spengler and OSS then appealed, and managed to get the award reduced to about $260,000, but not overturned.... Perens gets nothing personally for his trouble, but his legal team will be paid. O'Melveny & Myers LLP will receive $262,303.62 for the district court litigation (fees and costs) and $2,210.36 for the appeal (costs) while the Electronic Frontier Foundation will be paid $34,474.35 (fees) and $1,011.67 (costs) for its role in the appeal.
- Linux Kernel Patch Maker Says Court Case Was Only Way Out
- Court Orders Payment of $259,900.50 to Bruce Perens' Attorneys
- Bruce Perens Wants to Anti-SLAPP GRSecurity's Brad Spengler With $670,000 in Legal Bills
- Grsecurity's Defamation Suit Against Bruce Perens Dismissed
- Linux Kernel Hardeners Grsecurity Sue Open Source's Bruce Perens
- Bruce Perens Warns of Potential Contributory Infringement Risk for Grsecurity Customers
Grsecurity is a patch for the Linux kernel which, it is claimed, improves its security. It is a derivative work of the Linux kernel which touches the kernel internals in many different places. It is inseparable from Linux and cannot work without it. It would fail a fair-use test (obviously, ask offline if you don’t understand). Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2.
Currently, Grsecurity is a commercial product and is distributed only to paying customers. My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition.
By operating under their policy of terminating customer relations upon distribution of their GPL-licensed software, Open Source Security Inc., the owner of Grsecurity, creates an expectation that the customer’s business will be damaged by losing access to support and later versions of the product, if that customer exercises their re-distribution right under the GPL license. This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.
In late June, noted open-source programmer Bruce Perens warned that using Grsecurity's Linux kernel security could invite legal trouble.
"As a customer, it's my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity," Perens wrote on his blog.
The following month, Perens was invited to court. Grsecurity sued the open-source doyen, his web host, and as-yet-unidentified defendants who may have helped him draft that post, for defamation and business interference.
Grsecurity offers Linux kernel security patches on a paid-for subscription basis. The software hardens kernel defenses through checks for common errors like memory overflows. Perens, meanwhile, is known for using the Debian Free Software Guidelines to draft the Open Source Definition, with the help of others.
Linus Torvalds, who oversees the Linux kernel, has called Grsecurity's patches "garbage".
... (read the rest at The Register)
El Reg reports
Linux kernel security biz Grsecurity's defamation lawsuit against open-source stalwart Bruce Perens has been dismissed, although the door remains open for a revised claim.
In June, Perens opined in a blog post that advised companies to avoid Grsecurity's Linux kernel security patches because it might expose them to claims of contributory infringement under the Linux kernel license, GPLv2.
Grsecurity then accused Perens of fearmongering to harm the firm's business, and sued him in July.
On [December 21], the judge hearing the case, San Francisco magistrate judge Laurel Beeler, granted [Perens'] motion to dismiss the complaint while also denying--for now--his effort to invoke California's anti-SLAPP law.
SLAPP stands for Strategic Lawsuit Against Public Participation, and describes legal complaints aimed at silencing public discourse and free speech. In 1992, California passed its anti-SLAPP statute to provide a defense against such legal bullying. Many other states and countries have similar laws.
In addition, Beeler denied Grsecurity's motion for summary judgment, which amounts to asking the judge to agree that the facts are so clear a ruling can be rendered without a trial.
"The court holds that Mr Perens's [sic] statements are opinions that are not actionable libel, dismisses the complaint with leave to amend, denies the anti-SLAPP motion without prejudice, and denies the motion for summary judgment", Judge Beeler ruled.
The page links to another article where Torvalds' opinion (similar in nature to Perens', but more colorful, as usual) was discussed in June.
Having defeated a defamation claim for speculating that using Grsecurity's Linux kernel hardening code may expose you to legal risk under the terms of the GPLv2 license, Bruce Perens is back in court.
This time, he's demanding Bradley Spengler – who runs Open Source Security Inc and develops Grsecurity – foots his hefty legal bills, after Spengler failed to successfully sue Perens for libel.
Perens, a noted figure in the open source community, and his legal team from O'Melveny & Myers LLP – as they previously told The Register – want to be awarded attorneys' fees under California's anti-SLAPP statute, a law designed to deter litigation that aims to suppress lawful speech.
That deterrence takes the form of presenting unsuccessful litigants with the bill for the cost of defending against meritless claims.
"Plaintiffs Open Source Security, Inc. and Bradley Spengler sued Defendant Bruce Perens to bully him from expressing his opinions that Plaintiffs' business practices violate Open Source licensing conditions and to discourage others from expressing the same opinions," Perens' latest filing, submitted to a US district court in San Francisco today, declared.
"Rather than allowing the public to judge Plaintiffs' contrary opinions through public debate, Plaintiffs tried to 'win' the argument on this unsettled legal issue by suing him."
Perens is asking for $667,665.25 in fees, which covers 833.9 hours expended on the litigation by numerous attorneys and a $188,687.75 success fee agreed upon to allow Perens to retain representation he might not otherwise have been able to afford.
Bruce Perens has a blog post on his site stating that the court has ordered Open Source Security, Inc. and Bradley Spengler to pay $259,900.50 to his attorneys. At issue was Bruce getting sued for pointing out that Grsecurity and their customers are involved in contributory infringement and breach of contract by deploying their product in conjunction with the Linux kernel under the no-redistribution policy employed by Grsecurity.
The court has ordered Open Source Security, Inc, and Bradley Spengler to pay $259,900.50 in legal fees to my attorneys, O’Melveny and Myers. The court awarded about half what we asked for; courts usually do reduce awards. There is no new comment at this time, but please see my comment upon asking for the award of legal fees.
Here are all of the case documents.
Earlier on SN:
Bruce Perens Wants to Anti-SLAPP GRSecurity's Brad Spengler With $670,000 in Legal Bills (2018)
Grsecurity's Defamation Suit Against Bruce Perens Dismissed (2017)
Bruce Perens Warns of Potential Contributory Infringement Risk for Grsecurity Customers (2017)
The head of security firm Open Source Security, Brad Spengler, says he had little option but to file a lawsuit against open source advocate Bruce Perens, who alleged back in 2017 that security patches issued for the Linux kernel by OSS violated the licence under which the kernel is distributed.
The case ended last week with Perens coming out on the right side of things; after some back and forth, a court doubled down on its earlier decision that OSS must pay Perens' legal costs as awarded in June 2018.
The remainder of the article is an interview with Brad Spengler about the case and the issue.
iTWire contacted Spengler soon after the case ended, as he had promised to speak at length about the issue once all legal issues were done and dusted. Queries submitted by iTWire along with Spengler's answers in full are given below: