posted by Fnord666 on Monday March 30 2020, @10:05AM
from the justice-in-action dept.

From The Register:

After three years of legal wrangling, the defamation lawsuit brought by Brad Spengler and his company Open Source Security (OSS) against open-source pioneer Bruce Perens has finally concluded.... Spengler and OSS sued Perens for a June 2017 blog post in which Perens ventured the opinion that grsecurity, Open Source Security's Linux kernel security enhancements, could expose customers to potential liability under the terms of the General Public License (GPL).

OSS says that customers who exercise their rights to redistribute its software under the GPL will no longer receive software updates – the biz wants to be paid for its work, a problem not really addressed by the GPL. Perens, the creator of the open-source definition, pointed out that section six of the GPLv2 prohibits modifications of the license terms.

In December 2017, San Francisco magistrate judge Laurel Beeler determined that Perens had expressed an opinion as allowed under American law and dismissed the defamation claim. Perens then sought to recoup legal expenses under California's Anti-Strategic Lawsuits Against Public Participation (SLAPP) statute, [and] a month later he was awarded more than $526,000 in damages.

Spengler and OSS then appealed, and managed to get the award reduced to about $260,000, but not overturned.... Perens gets nothing personally for his trouble, but his legal team will be paid. O'Melveny & Myers LLP will receive $262,303.62 for the district court litigation (fees and costs) and $2,210.36 for the appeal (costs) while the Electronic Frontier Foundation will be paid $34,474.35 (fees) and $1,011.67 (costs) for its role in the appeal.

Original Submission

Related Stories

Bruce Perens Warns of Potential Contributory Infringement Risk for Grsecurity Customers 55 comments

Bruce Perens warns of potential contributory infringement and breach of contract risk for customers of GRSecurity:

Grsecurity is a patch for the Linux kernel which, it is claimed, improves its security. It is a derivative work of the Linux kernel which touches the kernel internals in many different places. It is inseparable from Linux and can not work without it. It would fail a fair-use test (obviously, ask offline if you don’t understand). Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2.

Currently, Grsecurity is a commercial product and is distributed only to paying customers. My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition.

By operating under their policy of terminating customer relations upon distribution of their GPL-licensed software, Open Source Security Inc., the owner of Grsecurity, creates an expectation that the customer’s business will be damaged by losing access to support and later versions of the product, if that customer exercises their re-distribution right under the GPL license. This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.


Original Submission

Linux Kernel Hardeners Grsecurity Sue Open Source's Bruce Perens 37 comments

https://www.theregister.co.uk/2017/08/03/linux_kernel_grsecurity_sues_bruce_perens_for_defamation/

In late June, noted open-source programmer Bruce Perens warned that using Grsecurity's Linux kernel security could invite legal trouble.

"As a customer, it's my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity," Perens wrote on his blog.

The following month, Perens was invited to court. Grsecurity sued the open-source doyen, his web host, and as-yet-unidentified defendants who may have helped him draft that post, for defamation and business interference.

Grsecurity offers Linux kernel security patches on a paid-for subscription basis. The software hardens kernel defenses through checks for common errors like memory overflows. Perens, meanwhile, is known for using the Debian Free Software Guidelines to draft the Open Source Definition, with the help of others.

Linus Torvalds, who oversees the Linux kernel, has called Grsecurity's patches "garbage".

... (read the rest at the register)


Original Submission

Grsecurity's Defamation Suit Against Bruce Perens Dismissed 20 comments

El Reg reports

Linux kernel security biz Grsecurity's defamation lawsuit against open-source stalwart Bruce Perens has been dismissed, although the door remains open for a revised claim.

In June, Perens opined in a blog post that advised companies to avoid Grsecurity's Linux kernel security patches because it might expose them to claims of contributory infringement under the Linux kernel license, GPLv2.

Grsecurity then accused Perens of fearmongering to harm the firm's business, and sued him in July.

On [December 21], the judge hearing the case, San Francisco magistrate judge Laurel Beeler, granted [Perens'] motion to dismiss the complaint while also denying--for now--his effort to invoke California's anti-SLAPP law.

SLAPP stands for Strategic Lawsuit Against Public Participation, and describes legal complaints aimed at silencing public discourse and free speech. In 1992, California passed its anti-SLAPP statute to provide a defense against such legal bullying. Many other states and countries have similar laws.

In addition, Beeler denied Grsecurity's motion for summary judgment, which amounts to asking the judge to agree that the facts are so clear a ruling can be rendered without a trial.

"The court holds that Mr Perens's [sic] statements are opinions that are not actionable libel, dismisses the complaint with leave to amend, denies the anti-SLAPP motion without prejudice, and denies the motion for summary judgment", Judge Beeler ruled.

The page links to another article where Torvalds' opinion (similar in nature to Perens', but more colorful, as usual) was discussed in June.

Previous: Linux Kernel Hardeners Grsecurity Sue Open Source's Bruce Perens
Bruce Perens Warns of Potential Contributory Infringement Risk for Grsecurity Customers


Original Submission

Bruce Perens Wants to Anti-SLAPP GRSecurity's Brad Spengler With $670,000 in Legal Bills 74 comments

http://www.theregister.co.uk/2018/02/08/bruce_perens_grsecurity_anti_slapp/
http://perens.com/2018/02/08/bruce-perens-seeks-mandatory-award-of-legal-fees-for-his-defense-in-open-source-security-inc-and-bradley-spengler-v-bruce-perens/

Having defeated a defamation claim for speculating that using Grsecurity's Linux kernel hardening code may expose you to legal risk under the terms of the GPLv2 license, Bruce Perens is back in court.

This time, he's demanding Bradley Spengler – who runs Open Source Security Inc and develops Grsecurity – foots his hefty legal bills, after Spengler failed to successfully sue Perens for libel.

Perens, a noted figure in the open source community, and his legal team from O'Melveny & Myers LLP – as they previously told The Register – want to be awarded attorneys' fees under California's anti-SLAPP statute, a law designed to deter litigation that aims to suppress lawful speech.

That deterrence takes the form of presenting unsuccessful litigants with the bill for the cost of defending against meritless claims.

"Plaintiffs Open Source Security, Inc. and Bradley Spengler sued Defendant Bruce Perens to bully him from expressing his opinions that Plaintiffs' business practices violate Open Source licensing conditions and to discourage others from expressing the same opinions," Perens' latest filing, submitted to a US district court in San Francisco today, declared.

"Rather than allowing the public to judge Plaintiffs' contrary opinions through public debate, Plaintiffs tried to 'win' the argument on this unsettled legal issue by suing him."

[...]

Perens is asking for $667,665.25 in fees, which covers 833.9 hours expended on the litigation by numerous attorneys and a $188,687.75 success fee agreed upon to allow Perens to retain representation he might not otherwise have been able to afford.


Original Submission

Court Orders Payment of $259,900.50 to Bruce Perens' Attorneys 10 comments

Bruce Perens has a blog post on his site stating that the court has ordered Open Source Security, Inc. and Bradley Spengler to pay $259,900.50 to his attorneys. At issue was Bruce getting sued for pointing out that Grsecurity and their customers are involved in contributory infringement and breach of contract by deploying their product in conjunction with the Linux kernel under the no-redistribution policy employed by Grsecurity.

The court has ordered Open Source Security, Inc, and Bradley Spengler to pay $259,900.50 in legal fees to my attorneys, O’Melveny and Myers. The court awarded about half what we asked for; courts usually do reduce awards. There is no new comment at this time, but please see my comment upon asking for the award of legal fees.

Here are all of the case documents.

Earlier on SN:
Bruce Perens Wants to Anti-SLAPP GRSecurity's Brad Spengler With $670,000 in Legal Bills (2018)
Grsecurity's Defamation Suit Against Bruce Perens Dismissed (2017)
Bruce Perens Warns of Potential Contributory Infringement Risk for Grsecurity Customers (2017)


Original Submission

Linux Kernel Patch Maker Says Court Case Was Only Way Out 157 comments

https://www.itwire.com/open-source/linux-kernel-patch-maker-says-court-case-was-only-way-out.html

The head of security firm Open Source Security, Brad Spengler, says he had little option but to file a lawsuit against open source advocate Bruce Perens, who alleged back in 2017 that security patches issued for the Linux kernel by OSS violated the licence under which the kernel is distributed.

The case ended last week with Perens coming out on the right side of things; after some back and forth, a court doubled down on its earlier decision that OSS must pay Perens' legal costs as awarded in June 2018.

The remainder of the article is an interview with Brad Spengler about the case and the issue.

iTWire contacted Spengler soon after the case ended, as he had promised to speak at length about the issue once all legal issues were done and dusted. Queries submitted by iTWire along with Spengler's answers in full are given below:

Previously:
Court Orders Payment of $259,900.50 to Bruce Perens' Attorneys


Original Submission

  • (Score: 3, Funny) by Rosco P. Coltrane on Monday March 30 2020, @10:26AM (22 children)

    by Rosco P. Coltrane (4757) on Monday March 30 2020, @10:26AM (#977162)

    Attorney fees are obscene.

    • (Score: 5, Insightful) by EJ on Monday March 30 2020, @11:19AM (17 children)

      by EJ (2452) on Monday March 30 2020, @11:19AM (#977167)

      No. The moral of this story is: Don't file bullshit lawsuits.

      • (Score: 3, Touché) by coolgopher on Monday March 30 2020, @12:18PM (16 children)

        by coolgopher (1157) on Monday March 30 2020, @12:18PM (#977171)

        I think the story is big enough to have more than one moral :)

        • (Score: 0) by Anonymous Coward on Monday March 30 2020, @12:24PM

          by Anonymous Coward on Monday March 30 2020, @12:24PM (#977174)

          Morality is subjective enough to cover loads of bullshit :)

        • (Score: 5, Insightful) by DannyB on Monday March 30 2020, @03:03PM (14 children)

          by DannyB (5839) Subscriber Badge on Monday March 30 2020, @03:03PM (#977221) Journal

          Okay, here's a second moral of the story:

          Don't violate the GPL.

          There are ways to make money from GPL code, but don't try to take away others' rights under the GPL in order to make you money. The GPL was designed to prevent Microsoft from doing exactly that.

          --
          The lower I set my standards the more accomplishments I have.
          • (Score: 0) by Anonymous Coward on Monday March 30 2020, @06:57PM (2 children)

            by Anonymous Coward on Monday March 30 2020, @06:57PM (#977312)

            Wasn't it conceived by RMS because he couldn't get access to the source while hacking away on a Unix machine in the MIT AI lab?

            • (Score: 0) by Anonymous Coward on Monday March 30 2020, @07:45PM

              by Anonymous Coward on Monday March 30 2020, @07:45PM (#977332)

              Always best to go to a good source, playing the telephone game* tends to muddle the original story--
                  https://www.oreilly.com/openbook/freedom/ch01.html [oreilly.com]
              It was a PDP-10 running ITS and a fancy new laser printer from Xerox that came without printer driver source code.

              * https://www.wikihow.com/Play-the-Telephone-Game [wikihow.com]

            • (Score: 2) by DannyB on Monday March 30 2020, @08:38PM

              by DannyB (5839) Subscriber Badge on Monday March 30 2020, @08:38PM (#977351) Journal

              <no-sarcasm>
              I do know the story about RMS unable to get source for a printer driver.

              Microsoft and its tactics were known at this time. GPL didn't want a Microsoft (or Oracle) to steal volunteer efforts and not be obligated to release the source. Whether or not Microsoft or any other name was in the authors' mind at the time, the license clearly foresaw this possibility and precluded it.
              </no-sarcasm>

              --
              The lower I set my standards the more accomplishments I have.
          • (Score: 2) by Thexalon on Monday March 30 2020, @07:31PM (9 children)

            by Thexalon (636) on Monday March 30 2020, @07:31PM (#977324)

            The GPL had quite specifically a goal of trying to prevent somebody from doing to GPL'd code what Apple did to BSD code.

            And yeah, GRSecurity had a fundamentally flawed business model of trying to do that to Linux and thinking they had a loophole around the restrictions the GPL placed on it.

            --
            The only thing that stops a bad guy with a compiler is a good guy with a compiler.
            • (Score: 3, Informative) by loonycyborg on Monday March 30 2020, @10:15PM (8 children)

              by loonycyborg (6905) on Monday March 30 2020, @10:15PM (#977389)

              Actually this court ruling didn't answer whether this actually is a GPL violation. The court only ruled against the defamation claim. Bruce Perens can still end up being actually wrong if another court rules so if this question is raised on its own merits rather than as part of an anti-defamation suit.

              • (Score: 2) by All Your Lawn Are Belong To Us on Wednesday April 01 2020, @01:48PM (7 children)

                by All Your Lawn Are Belong To Us (6553) on Wednesday April 01 2020, @01:48PM (#978020) Journal

                At first when I read your comment I thought it wasn't quite correct, because truth is a defense to defamation in the United States. That would imply falsehood is essential to proving defamation (i.e. to be defamed what has to be said against you must be false). It is different in other jurisdictions - in some it doesn't matter if it was true if you can prove malicious intent in revealing it. However, the defense against this claim here was that Perens was only expressing opinion (and his original blog post [perens.com] states at least three times that it was his opinion). He added in IANAL to sweeten that.

                Despite that, just because something is labeled as opinion does not necessarily make it such [minclaw.com]. He does make implications of fact in his post as to what the GPL 2.0 represented and that grsecurity was violating it. If they could have proved Perens' claims as false they would have, even if Perens presented it (three times in said blog post sued over) that it was his opinion and that he was not a lawyer. That does not, as you state, prove that what he said was true. But it goes a ways towards being able to assume it prima facie.

                Ultimately without actually going into the case itself, one doesn't know if what Perens said was determined to be legally factual, or just an opinion that could be wrong, although we do know that it was defended on the grounds of being opinion.

                What really would have been needed was for a customer of grsecurity to go ahead and republish, be denied updates, and then sue. That would seem to be the acid test of whether Perens' opinion was correct.

                --
                This sig for rent.
                • (Score: 2) by loonycyborg on Wednesday April 01 2020, @03:52PM (6 children)

                  by loonycyborg (6905) on Wednesday April 01 2020, @03:52PM (#978071)

                  What then would be claims of such a customer? Contract violation? GPL can't make this contract void, only effect infringing GPL has in this case is that grsecurity cannot actually distribute their modifications as they're unauthorized derivative work because alleged GPL violation made GPL license not apply to grsecurity's patches. So the only way for this to be tested is for kernel devs to sue grsecurity for copyright infringement.

                  • (Score: 2) by All Your Lawn Are Belong To Us on Friday April 03 2020, @03:04PM (4 children)

                    by All Your Lawn Are Belong To Us (6553) on Friday April 03 2020, @03:04PM (#978727) Journal

                    IANAL, BTW, and this is just my opinion (see what I did there? ;) )

                    It's not that the GPL rendered the agreement void, it is that the GPL prevents grsecurity from voiding an otherwise legal agreement.

                    But if I'm a customer, and I purchased grsecurity's product and republished it (because I can prove the GPL that would have applied to grsecurity) and they denied me security upgrades then I think the case could be made for tortious business interference. It would hinge on having the court recognize that grsecurity's product, by using a GPL 2.0 license, cannot legally prevent redistribution of the end product. Their trying to introduce contractual complications which are not lawful makes those complications null and void and cannot therefore be grounds to deny update patches that other customers received without further consideration. Or, simply, it's not legal to terminate their 'stable patch access agreement' (which is no longer available) when parent licensing agreements specifically authorize that behavior. I think that's a fair summary of what Perens was saying.

                    What Perens missed is that the suing customer would have to prove real damages occurred before such a claim could be actionable. Which would likely consist of having to prove that missing a grsecurity patch was the proximate cause of some real damage which can be quantified.

                    And what grsecurity missed is that they could have simply phrased it, "We can terminate this agreement at any time and without notice and without any compensation to you, and if you are so informed you lose the license to use the software and must destroy any copies you have created." Then if they determine somebody publishes it, terminate the agreement with absolutely no reference as to why, and so notify them it is now their responsibility to delete any and all copies. That wouldn't be good for business but would protect them legally. Not dissimilar to not specifying why you terminate someone in right-to-work states - if you do not tell an employee why they are terminated the employee can still bring a suit but is on far shakier ground to prevail. Neither of those are ethically good but they

                    --
                    This sig for rent.
                    • (Score: 2) by loonycyborg on Saturday April 04 2020, @07:57AM (3 children)

                      by loonycyborg (6905) on Saturday April 04 2020, @07:57AM (#978982)

                      I think a court would be very suspicious of this legal theory because it looks like an obvious end run over Linux Kernel devs being unwilling to sue grsecurity themselves. Also GPL by itself cannot mandate anyone to distribute anything. So even if GPL violation were shown to exist then the part of grsecurity not providing the patches to the customer would be still valid. In fact it would be the only contract part that is still valid. They're always in the right to not distribute their unauthorized derivative work.

                      • (Score: 2) by All Your Lawn Are Belong To Us on Monday April 06 2020, @06:16PM

                        by All Your Lawn Are Belong To Us (6553) on Monday April 06 2020, @06:16PM (#979725) Journal

                        The question would be who actually suffers the damage. If it's just copyright then the end user isn't damaged. If the end customer is damaged then it shouldn't matter to the Linux devs.

                        GPL (the version in question) doesn't mandate distribution. It mandates no interference of someone to distribute. And the GPL prevents exactly what you say because it explicitly gives the right to distribute derivative works without need to seek an authorization. Thus by stating that a derivative work can't be distributed they are in violation of their own agreements to use the code, and trying to enforce that is a tort by virtue of interfering with what is clearly a legally permissible action of the licensing chain.

                        --
                        This sig for rent.
                      • (Score: 2) by All Your Lawn Are Belong To Us on Monday April 06 2020, @06:19PM (1 child)

                        by All Your Lawn Are Belong To Us (6553) on Monday April 06 2020, @06:19PM (#979727) Journal

                        Lots of "theys" in one of my sentences. Trying again (not that it matters)… "Thus by stating that a derivative work can't be distributed grsecurity is in violation of grsecurity's own agreements to use the Linux kernel code. By their trying to enforce no distribution of their derivative work, when the GPL explicitly authorizes that, is a tort by virtue of interfering with what is clearly a legally permissible action of the GPL 2.0 licensing chain."

                        --
                        This sig for rent.
                        • (Score: 2) by loonycyborg on Tuesday April 07 2020, @12:13AM

                          by loonycyborg (6905) on Tuesday April 07 2020, @12:13AM (#979815)

                          It's still off. grsecurity wasn't in any agreement with kernel devs. GPL is a license, not a contract. grsecurity are not enforcing no distribution. They merely refuse to distribute. GPL isn't forcing distribution. GPL can only revoke copyright license conditionally. Nothing less, nothing more.

                  • (Score: 2) by All Your Lawn Are Belong To Us on Friday April 03 2020, @03:07PM

                    by All Your Lawn Are Belong To Us (6553) on Friday April 03 2020, @03:07PM (#978730) Journal

                    ... Neither of those [terminating a worker with no stated cause, or a proviso that can be terminated] are ethically good but they are legal.

                    --
                    This sig for rent.
          • (Score: 2) by FatPhil on Monday March 30 2020, @09:52PM

            by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Monday March 30 2020, @09:52PM (#977378) Homepage
            The origins of the GPL are more about protecting Emacs from the inventor of Java than they are MS.
            --
            Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 2) by FatPhil on Monday March 30 2020, @09:54PM (2 children)

      by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Monday March 30 2020, @09:54PM (#977380) Homepage
      Yeah - and Bruce himself, the victim of the fiasco, is effectively out of pocket.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2) by FatPhil on Monday March 30 2020, @09:56PM

        by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Monday March 30 2020, @09:56PM (#977381) Homepage
        America - land of the fee!
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 4, Insightful) by Gaaark on Monday March 30 2020, @10:09PM

        by Gaaark (41) on Monday March 30 2020, @10:09PM (#977385) Journal

        Yes, he should have been compensated for his time: he probably lost wages somewhere and had to 'F' around dealing with their shit.

        Pay the lawyer fees, yes, but also pay him for his time.

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 2) by ledow on Tuesday March 31 2020, @09:41AM

      by ledow (5567) on Tuesday March 31 2020, @09:41AM (#977569) Homepage

      The guy was basically told "It's just an opinion.... let's not get silly with lawsuits" and decided to proceed anyway. The costs are incurred beyond that point... where he could have just said "Okay" but instead brought a frivolous lawsuit.
