Grsecurity is a patch for the Linux kernel which, it is claimed, improves its security. It is a derivative work of the Linux kernel which touches the kernel internals in many different places. It is inseparable from Linux and can not work without it. it would fail a fair-use test (obviously, ask offline if you don’t understand). Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2.
Currently, Grsecurity is a commercial product and is distributed only to paying customers. My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition.
By operating under their policy of terminating customer relations upon distribution of their GPL-licensed software, Open Source Security Inc., the owner of Grsecurity, creates an expectation that the customer’s business will be damaged by losing access to support and later versions of the product, if that customer exercises their re-distribution right under the GPL license. This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.
(Score: 4, Informative) by Fnord666 on Thursday July 06 2017, @11:56AM (2 children)
In case you're wondering what this is about, here are Grsecurity's Stable Patch Agreement [grsecurity.net] and the announcement [grsecurity.net] detailing their reasons for going to this model.
(Score: 2) by Arik on Thursday July 06 2017, @10:04PM (1 child)
Unfortunately their 'fix' is not only not likely to solve the problem, it's going to create a whole bunch more.
Such as the fact that they no longer have any right to distribute any of this at all, due to termination of the copyright license they built their work on.
Ooops!?
If laughter is the best medicine, who are the best doctors?
(Score: 2) by Wootery on Friday July 07 2017, @08:52AM
The fact that it's the Linux kernel makes it particularly significant. If this is goes unchallenged, or if it's challenged and the bastards get away with it, it would send the message that the GPL is toothless to protect even the Linux kernel -- essentially the GPL's flagship product.
(Score: 5, Informative) by requerdanos on Thursday July 06 2017, @12:18PM (11 children)
(Almost) No one was talking about grsecurity for a while, but their recent mention on LKML seems to have raised interest again.
At the time that grsecurity "went dark", I wondered where one could download the clean binaries a la RHEL/Centos, or at least the gr source (or patch set), but never found a place. Then seeing that other projects depending on grsecurity were terminated because of lack of grsecurity availability kind of confirmed that there was nowhere to get it.
Perens, I believe, has parsed the situation exactly correctly. The terms of the GPL2 [gnu.org] are clear: Term 6, "... You may not impose any further restrictions on the recipients' exercise of the rights granted herein ..." means that one can't place additional restrictions, as Perens points out -- in fact, the license affirms that customers (those receiving the distributed program or code) specifically may distribute it verbatim (term 1), or even distribute compiled versions (not just source)(term 3).
Further, term 4 states that "You may not... sublicense, or distribute the Program except as expressly provided under this License." Which is what grsecurity isn't complying with (they are distributing and sublicensing under *different* terms with additional restrictions). Term 4 continues... "Any attempt otherwise to... sublicense or distribute the Program... will automatically terminate your rights under this License." Game over. Grsecurity has no right to distribute modified versions of the Linux kernel.
As to "contributory infringement", term 4 says "However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. " So if you comply with grsecurity's wishes, you are infringing and your rights are terminated, which is okay because to comply with grsecurity's wishes, you don't need the right to modify or distribute their kernels because you won't be doing it.
I say it's okay because of term 5, which explains "You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works." It is fine not to comply with a license that you have not accepted, and you do not need to accept the GPL to use a GPL'd program. Not complying just means you can't modify nor distribute.
These terms are detailed and intricate, but not complicated. It would be interesting to read a (coherent) argument in favor of grsecurity's position.
(Score: 1, Interesting) by Anonymous Coward on Thursday July 06 2017, @01:49PM (6 children)
If GRSECURITY is distributing patches it doesn't violate the GPL, or qualify as a derivative work, unless it explicitly includes copyrighted code from the linux kernel and doesn't qualify under the interoperation clauses. Otherwise the ZFS on Linux patches, BSD in general (go look at how many non-BSD licenses are available as both non-default and default build options in Open/Free/NetBSD kernels!) and many other things (including all software operating on top of Oracle/Microsoft operating systems!) would qualify as derived works and fall under the copyright jurisdiction of their relevant dictators.
Furthermore, what took Bruce so long? This happened like 4-5 years ago. It was discussed lots when they were closing it up, and there has been plenty of time for a lawsuit to make its way through the courts, if anybody cared, or if they were really in violation.
Given all this, I am inclined to ask: 'Who cares?'
GRSecurity was a big thing 20 years ago to about 10 years ago, but it is irrelevant today.
(Score: 4, Interesting) by pendorbound on Thursday July 06 2017, @02:06PM (1 child)
Read up on GPL and derivative work, as well as Linus' own writing [yarchive.net] on the topic. The key distinction between GRSec and ZFS is that ZFS is a driver originally written for another operating system that was ported to Linux. It's not a derived work because it is a work unto itself that was adapted to also work with Linux. Linus describes the AFS driver as, "something like a driver that was originally written for another operating system (ie clearly not a derived work of Linux in origin)."
GRSec is fundamentally different because it has no life without the kernel. It's designed explicitly and exclusively to be used with the kernel. Distributing it as patches *might* (but probably doesn't) exclude the patchset from being GPL. Problem for them is that it's distributed with the explicit intent of merging those patches with the base kernel. As soon as that merge is completed, the resulting work is GPL because the kernel is GPL. A user then has the freedom under the GPL to redistribute that resultant work under GPL. Any attempt to prevent them from doing so is a GPL violation. GRSec's threats against their customers distributing the resultant work is a violation.
(Score: 2) by Wootery on Friday July 07 2017, @08:59AM
This is the same reasoning Torvalds applies to nVidia's binary-blob graphics drivers. Strikes me as a fairly scary loophole, but where one should draw the line is a difficult question.
Obviously derivative: deeply-integrated Linux-specific machinery like SELinux. Obviously non-derivative: connecting to a web-server which happens to run Linux. Much lies between the two extremes.
Of course, in a court of law, it doesn't matter much what Torvalds and Stallman think the licence means.
(Score: 0) by Anonymous Coward on Thursday July 06 2017, @02:19PM (1 child)
Patch files include significant portions of the original work, so I think this argument is wrong on the face of it.
Uh no, this happened just a couple months ago (around March I think), when grsecurity pulled the public "testing" patches and started actually cancelling people's subscriptions for exercising permissions granted to them by the GPL. They were unhappy with the fact that KSPP was getting their stuff merged into mainline Linux.
I don't think this is a long-term successful plan for grsecurity because all the distributions hate them now, and the community isn't going to be putting in any effort to make sure things work with grsecurity anymore.
(Score: 2) by Bot on Thursday July 06 2017, @02:32PM
Eh, this is the side effect of the popularity of the GPL. It gets adopted by people for convenience, not because they believe in freedom. No matter how much you invest in a linux based project, what you get in return from it is an order of magnitude more. So, idealism aside, they are still in debt with free software, no matter what. And if they do not recognize this, I am afraid I am going to stop trusting them for everything else.
Account abandoned.
(Score: 4, Insightful) by Bot on Thursday July 06 2017, @02:27PM (1 child)
the patch will always be used with the kernel, so claiming it is not derivative is valid only for those people who will take the patch print it out, put the result in a frame and display it as modern art.
Account abandoned.
(Score: 4, Insightful) by requerdanos on Thursday July 06 2017, @03:48PM
There's interesting reading on this topic at grsecurity's web site, where they explain [grsecurity.net] that certain features are present in the, quote, "grsecurity kernels":
(Emphasis added)
grsecurity makes a strong case on this page that their product is a derivative of the stock Linux kernel, to which their grsecurity kernels are directly compared.
(Score: 5, Informative) by TheRaven on Friday July 07 2017, @09:16AM (3 children)
I'll give it a go, in the interests of playing devil's advocate (as I understand their position):
They grant you access to their code under GPLv2. Nothing that you do will affect this. They permit you to do everything that GPLv2 permits. If you choose to exercise these rights in a particular way, then they will refuse to do business with you in the future. Your rights to the code that you have already received under GPLv2 are unaffected. You may continue to use, modify, or distribute this code as you wish, but you will not receive any further updates from them. They're not infringing the GPL, because they never restrict what you can do with the code that you have already received - their license does not relate to your rights to the code, but to your access to their update mechanism.
This kind of thing is fairly common with GPL'd code. Imagine that you are a major CPU vendor and you want to give partners early access to a feature. You give them a modified version of Linux and GCC to experiment with. You can't stop them from distributing these, but you really don't want them to (it would pre-announce the feature publicly, and the experimental versions may have things like opcode assignments that will change in the final shipping version). You have a gentlemen's agreement not to publish the code, and if they do then they won't get early access to future new features. This is one of the reasons that ARM is now increasingly prototyping with LLVM and FreeBSD: it's easier to share with partners without legal hassles.
sudo mod me up
(Score: 3, Interesting) by requerdanos on Friday July 07 2017, @05:09PM
Thank you.
Well, no, they claim specifically that "The User has all rights and obligations granted by grsecurity's software license, version 2 of the GNU GPL" but reveal additional, more restrictive terms just afterwards.
There is no question whether they are doing this; it's not a matter for speculation or argument. In their own words, their prohibition on exercising your distribution rights under the GPL are "terms" in their "agreement" that you can "violate" -- there is no question here. Their agreement that adds additional terms to the GPL with a penalty for violation is on their website [grsecurity.net] for review.
Under "Termination" in their additional-terms-added-to-the-GPL-in-violation-of-same-agreement, they say that their aim is only to terminate access to code if you violate the terms of the agreement under which they are distributed (meaning, the additional-terms-added-to-the-GPL-agreement), they also "reserve the right" to revoke access "at any time for any reason," with or without a refund to customers who prepaid.
That section reads (emphasis added):
Not only do they deny (as "violations") freedoms 2 and 3 as they relate to distribution, they even deny freedom 0, to freely use of their kernel in the first place:
This is as big a deal or bigger than the denial of freedoms 2 and 3, distribution of verbatim or modified copies. They do not even let you use their kernels freely; grsecurity has to approve of each and every computer before you are allowed to run their kernel on it. That is not an example of someone having all the freedom of the GPL.
If you "violate" their "terms" of the additional-terms-added-to-the-GPL-in-violation-of-same-agreement, then it will be "terminated." An agreement that is additional, with terms, adds "additional terms" and they are more restrictive than the GPL. This is disallowed.
Given that they are adding terms to the GPL that make it more restrictive, as previously covered in this thread and by Perens, their rights are terminated under the GPL and they don't have any right to do anything at all with the kernel, much less modify it, redistribute the patches, and withhold the source code and add the additional restriction that everyone who receives it from them also withhold it, and deny even freedom 0 to use the software freely in the first place.
That's seriously a no-no to do, even if they claim they aren't doing it as they do it.
Consider the following pseudocode:
while (user_data_remains) {
display_duplicitous_message("I am totally not erasing all the user data.\n");
erase_all_user_data();
}
What would this code, if implemented, accomplish? Would the presence of the "display" clause mean that the next line does not exist, despite the fact that it does exist?
Either the writer of such a claim is less than knowledgeable, and believes additional terms are not additional terms, more restrictive terms are not more restrictive, and black is white for all we know; or the writer believes that You The Reader/Customer are less than knowledgeable, and that You will believe such nonsense.
Their additional, more restrictive terms specifically and substantially restrict what you can do with the code, in terms of both use and distribution. Their license does not remove your rights under the GPL, but that's only because such additional terms are invalidated by the GPL of the parent work.
That they impose a penalty if you violate their additional, more restrictive terms goes over and above just having the additional terms--normally if you violate license terms the penalty is that "the license said not to do this but I did it anyway," and perhaps terminate your rights under that license. But they are actually writing a penalty into the license for violating their additional, more restrictive terms that they assert in addition to the terms of the GPL, such that they will go beyond that and actually terminate your rights under other agreements as well.
Well, not exactly this kind of thing, in my opinion.
It's questionable whether partners sharing code among themselves counts as "distribution," and a gentleman's agreement is not the same as a EULA that curtails freedoms 0, 2, and 3 of the GPL regardless of any agreement or lack thereof. Parties to a gentleman's agreement are working together. Parties to the additional-terms-added-to-the-GPL-in-violation-of-same-agreement are more likely working against each other, and they're doing so under false pretenses.
Amen to that.
I wasn't convinced by your explanation, and if you would be so kind, I would like to know your opinion or impression of whether I took the time to properly listen to and consider it. I feel that I did, but then again, if I have a blind spot, I would not know about it.
(Score: 0) by Anonymous Coward on Sunday July 09 2017, @03:50PM (1 child)
That's what I thought and what they COULD have done, basically stating something like: "we reserve the right to cancel subscriptions at any time. Subscriptions are meant to help people secure their own systems, and we are thus likely to cancel subscriptions that are to a significant degreee used for other purposes". This likely would make it just a matter of "well, we do business only with certain types of customers".
However they instead wrote it as a legal agreement, to the terms of which you have to agree, which to me seems like it would break any kind of justification like yours since it clearly makes it additional contract terms, which the GPL CLEARLY forbids.
In which case the only way for them to be allowed to distribute the kernel or any derivative again (including patches, as long as they contain a relevant amount of code not written by them, and in particular including internal distribution like any of their developers doing a checkout from their version control system) would be to get every major kernel contributor to personally re-instantiate their license. Good that they didn't just piss most of those off...
Either incredibly stupid, or the kind of people that bet everything on the chances of being able to get away with it. Either way, with that attitude it's no wonder their code was usually rejected.
(Score: 0) by Anonymous Coward on Wednesday July 12 2017, @09:43PM
"That's what I thought and what they COULD have done, basically stating something like: "we reserve the right to cancel subscriptions at any time. Subscriptions are meant to help people secure their own systems, and we are thus likely to cancel subscriptions that are to a significant degreee used for other purposes". This likely would make it just a matter of "well, we do business only with certain types of customers"."
Nope. Once a pattern emerged and was known that they only cancel subscriptions of people who redistribute the patches it would be a clear case of imposing an additional terms through course of business practice. Terms can be written, verbal, or implicit. That would be an implicit additional term.
You and the rest of the lay people here have to understand: the law has dealt with pretty much every issue you can come up with and... you don't know the law.
(Score: 5, Insightful) by Thexalon on Thursday July 06 2017, @12:31PM (23 children)
They know full well at this point that they're blatantly violating the GPL. What they are trying to do is test the willingness of someone with copyright on the Linux kernel to go after them: If nobody goes after them then they're scot-free. If they go to court then they'll try to confuse the judge and maximize the costs of the suit until the plaintiffs give up.
It's important to know that a not-totally uncommon business strategy is to put yourself in a position where you can get sued, and simply hope that the other party won't bother. I had to deal with one of those: He would simply never pay any kind of bill, ever, unless somebody sued him. Last I checked, he owed something like $270K to various creditors, including a major bank, the city he lived in (he'd never paid taxes), his dentist, about 12 different contract developers, and his office cleaners.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 5, Touché) by requerdanos on Thursday July 06 2017, @01:35PM (8 children)
The Grsecurity folks seem very mature and experienced in their kernel security measures, but alarmingly less so in other ways: Their argument is not that they simply refuse to comply on general principle--it's a very specific principle that "those who do the work should be getting paid for it." Their stand appears to be based on doing what they believe is right, not on trying to get away with doing wrong.
They complain that they made some GPL'd software, and then they got frustrated and decided to stop publicly distributing that software when other people built upon it and profited from that. This represents at a minimum a serious misunderstanding of the GPL.
They argued that they were putting in the work to make the patches, paying hosting on the servers to put the patches up for download, and doing all the really hard things, and other people who were not paying them money, were taking their software and using it and packaging it usefully and doing other profitable (but sometimes dodgy) things with it in a way that did not make them any money--and that because they put in the work to make the product, they should be getting the money.
I believe it's important to note, about their principled stand for what they believe is right, that in their talking about who put in all the hard work to build their product and who therefore should get paid, they didn't mention the estimated three billion dollars [blogspot.com] worth of labor that went into the Linux kernel itself, which their product is a nifty but relatively minor derivative of in terms of SLOC in Linux vs. their patches, nor did they mention any payments they made because of these heartfelt beliefs to, say, the Linux Foundation [linuxfoundation.org].
Science fiction writer Murray Leinster wrote [google.com] along these lines in the 1950s:
They certainly have every right to stop paying for hosting to assist other people who are profiting from their hard work, but under the GPL they don't have the right to forbid others from doing so.
(Score: 2) by kaszz on Thursday July 06 2017, @01:57PM
Which leaves the question as to when someone will sue Grsecurity? And who will do it? Who funds it?
If they aren't nice we can offer to send poettering to "help" .. :p
(Score: 0) by Anonymous Coward on Thursday July 06 2017, @02:17PM
" Their argument is not that they simply refuse to comply on general principle--it's a very specific principle that "those who do the work should be getting paid for it." Their stand appears to be based on doing what they believe is right, not on trying to get away with doing wrong."
Then they should not be touching GPL'ed software. End of story.
(Score: 3, Insightful) by Thexalon on Thursday July 06 2017, @05:55PM (5 children)
If they want to do that, they can make their own proprietary stuff. They can't take GPL'd stuff and redistribute it in the way they're doing.
I've noticed, as a general habit, that principles often follow self-interest. In GRSecurity's case, I have to think that Upton Sinclair's Law might have something to do with it: "It is extremely difficult to get a man to understand something when his salary depends on his not understanding it."
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by requerdanos on Thursday July 06 2017, @06:33PM
Or make really hardened, security-filled BSD kernels.
(Score: 0) by Anonymous Coward on Thursday July 06 2017, @07:17PM (3 children)
1. You're arguing a practical & moral position ("those who do the work should be getting paid for it") against a legal polemic (under the terms of the GPL...). If violating the GPL means more devs get paid fairly for their work, then so be it. After all, the copyright law the GPL hacks around just to get some collaborative work done is inherently flawed so the GPL can't be expected to work perfectly for everything and everybody.
2. For companies like Red Hat that control the mainlining process, there's far more money to be made from keeping the kernel insecure and on a Microsoft-esque continues service&maintenance patch-cycle then actually addressing security issues at the design level in a constructive way. They have, and they will reject mainlining attempts of features that compete against their own off-tree patches. So, GRSec going away simply means a bigger company will take over and will have even more power and influence then GRSec to keep things the way they are. And if they can't keep the patches off-tree, they'll shim them with some modular design just like nVidia did for graphics so they can sell special security blobs to their private clients.
GRSec are like private security: Making them illegal won't miraculously make the police less corrupt and useless. But fixing the police will drive most private security firms out-of-business.
(Score: 4, Interesting) by Thexalon on Thursday July 06 2017, @08:14PM (2 children)
The GPL has a practical and moral position, as well as the law, behind it. It goes like this: "Software can be duplicated nearly for free, so it is best viewed not as a product but as a public body of knowledge. When you make a new discovery, it is your responsibility to put it out to the public so the body of public knowledge expands and becomes more useful."
Nonsense. Devs get paid to work on GPL'd software all the time. Some examples:
- People that work for Red Hat and IBM and such and get paid to work on improving Linux.
- People who are employed as developers or admins for a company who have to dig into a problem, find and make the fix, and contribute a patch or documentation upstream so everyone else that has the same problem doesn't have to duplicate the work. They got paid by their company.
- People who get short-term contracts to add a feature to a GPL'd package that wasn't there before but is useful to their client, who then contributes the new feature upstream.
All those devs got paid for their work. None of them did what GRSecurity did, of taking but refusing to give back. As a sibling poster pointed out, if GRSecurity wanted to play by the rules, they could have done so with BSD.
Red Hat does not control the "mainlining" process. Linus Torvalds does, and he works for the Linux Foundation. I don't know where you got the impression that Red Hat has veto power, but they've never had veto power over what goes into the mainline Linux kernel.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 0) by Anonymous Coward on Thursday July 06 2017, @09:42PM
Redhat does not have such direct power over kernel. But tries, over and over, and goes with as much indirect control as it gets. Userspace is becoming more and more RH controlled, as discussed in a recent story. https://soylentnews.org/article.pl?sid=17/07/03/1232216 [soylentnews.org]
With kernel, the minions tried to push kdbus. https://igurublog.wordpress.com/2015/05/04/kdbus-systemds-kid-cousin-come-to-stay/ [wordpress.com] (outdated article, but "photo" of how it was two years ago)
Linus disliked how it was done and said no. Other kernel devs also raised multiple tech points. And so far it seems the kdbus is sleeping, or more probably dead just like HAL. Now the plan is bus1. https://en.wikipedia.org/wiki/D-Bus#KDBUS [wikipedia.org] It seems RH has plans half done for when the current one fails. https://github.com/bus1/bus1/blob/master/ipc/bus1/main.c [github.com] "Copyright (C) 2013-2016 Red Hat, Inc."
RH, putting the C of Corporate in FOSS. Don't worry, sooner or later it will have a C. And probably no F.
(Score: 3, Informative) by Arik on Thursday July 06 2017, @09:47PM
However they do clearly have tremendous influence, and it's not being used for good.
If laughter is the best medicine, who are the best doctors?
(Score: 2) by Grishnakh on Thursday July 06 2017, @04:10PM (9 children)
I had to deal with one of those: He would simply never pay any kind of bill, ever, unless somebody sued him. Last I checked, he owed something like $270K to various creditors, including a major bank, the city he lived in (he'd never paid taxes), his dentist, about 12 different contract developers, and his office cleaners.
How does someone like that manage to get anywhere in American society these days? That's a recipe for disaster. For one thing, someone like that would have a horrible credit rating, so they wouldn't ever be able to buy a house or car without cash. A lot of jobs will also check your credit rating, so he'd be ineligible for those too (esp. anything where they do a background check, or need a security clearance). Not paying your city taxes is really bad: they don't have to sue you, they can just seize your property and evict you. The dentist, cleaners, and other people are generally screwed though since they have to sue him. You can only get away with that kind of behavior so long; if you're poor and have a shithole place, you can do it a certain amount but you're never going to making much money because of the poor credit rating. But not paying your taxes will get you in really hot water sooner or later; you can screw over other people a certain amount, but trying to screw over the government is never a good idea.
(Score: 0) by Anonymous Coward on Thursday July 06 2017, @05:33PM (5 children)
It's easy to get by that way. It helps to be tall, attractive, have a nice, white smile, a firm handshake, and a lot of enthusiasm about how much money you'll be making the person you're scamming who is providing you with a service you don't intend to pay for.
Sociopathy is simply playing the game by the rules. The game doesn't have nearly the rules you've been brainwashed from kindergarten on to believe it does, and the consequences for breaking the rules are subject to the same slick tactics.
Being taken to court is all part of the game, and the game continues in the courthouse. Their property won't get seized until after a lengthy appeals process that will drag on for years and years, and there's a chance they may get off on a technicality all together.
That is why sociopaths need to be put behind bars. All of them. Permanently. If that's too expensive for the rest of us, we should just kill them once we figure out they're a sociopath.
(Score: 2) by frojack on Thursday July 06 2017, @05:43PM (1 child)
You mean all those things Mrs Wilson said she was going to add to my permanent record from the 4th grade are gone?
Free at last!!.
No, you are mistaken. I've always had this sig.
(Score: 2) by fido_dogstoyevsky on Thursday July 06 2017, @11:31PM
You wish! [xkcd.com]
It's NOT a conspiracy... it's a plot.
(Score: 0) by Anonymous Coward on Thursday July 06 2017, @05:59PM
Prison is an utter waste. With these types already winning every office, public and private, the future doesn't look to bright. There really is only one cure [soylentnews.org] if you care about the future of the species.
(Score: 2) by Arik on Thursday July 06 2017, @08:00PM (1 child)
The problem is that Congress would never vote to put themselves behind bars and you know it.
If laughter is the best medicine, who are the best doctors?
(Score: 0) by Anonymous Coward on Friday July 07 2017, @05:55AM
Hey, I found a sociopath.
(Score: 4, Interesting) by frojack on Thursday July 06 2017, @05:37PM (2 children)
I assure you it is far more common than you think.
They pay (cash mostly) for critical things like food, fuel, electricity. They stiff arm anyone dumb enough to grant them any credit.
I know this guy (lives down the street), who purchased a brand new house, committing only a small down payment. At that time he (somehow) had enough credit (or enough fake papers) to get the bank loan.
He never paid a dime on that house, until sheriffs showed up. He then paid two or three payments, knowing just how many he had to pay to extinguish the lender's seizure papers, then he went right back to not making any payments. The lenders had to start the long paper-work train all over again to begin seizure.
He spent a weekend in jail once when he ignored a Judge's order to appear. Not jailed for the debts he owed, but simply because he pissed off the wrong judge by ignoring the order. He confused the issue, (he thought the condo association had him thrown in jail - which is almost impossible in the US) and always paid that creditor from then on.
It took 12 years to get him out of that house. He had all of his house pre-packed and ready to go when the Sheriffs arrived to give him 4 hours to be out. (He knew they were coming somehow). Of course he left all the furnishings, (also unpaid for), skipped out on the rest of his condo dues, and the last few months of power, gas, water bills.
He only drove junkers. He made sure he had nothing worth seizing, but a a neighbor saw him pull into a nearby national park in a huge motor home on a couple different occasions (same vehicle), which he also never paid for, but kept well hidden).
He was employed, but insisted on getting paid in cash money, and would move to a different job as soon as garnishment papers were filed. He actually did good work, I believe he was a brick layer or plumber with reasonable skills.
To him it was a game. He knew the rules very well.
There are lots of them around.
No, you are mistaken. I've always had this sig.
(Score: 3, Interesting) by Grishnakh on Thursday July 06 2017, @08:59PM (1 child)
Wow, that sure sounds like a lousy way to lead your life, not just because of the basic morality issue of ripping people off, but the sheer pain-in-the-ass factor of spending all your mental energy figuring out how to game the system like that. This guy sounds like someone who likely has no friends and is forever single.
(Score: 2) by Immerman on Friday July 07 2017, @12:08AM
Personally I agree. But how much effort is it, really, compared to the amount of effort required to do the work to actually pay for the same lifestyle?
(Score: 0) by Anonymous Coward on Thursday July 06 2017, @06:00PM
For some reason they seem to have moved their corporation from Virginia (right next to D.C.) to Pennsylvania.
Are there few or no intellectual property lawyers registered to the Pennsylvania State Bar?
(A suit is usually heard in a court in the defendant's district)
(Score: 2) by wirelessduck on Friday July 07 2017, @02:31AM
Check some of Bruce's posts to the Devuan DNG mailing list. He's quite convinced that he, as an expert witness, would have no trouble convincing a judge of the licence violation. I don't have time to find them all, but here's a relevant one. The rest are easily searchable on Google.
https://lists.dyne.org/lurker/message/20170701.230508.cc795b98.en.html [dyne.org]
(Score: 2) by Wootery on Friday July 07 2017, @08:55AM (1 child)
I'm guessing he doesn't care if his credit rating ends up in the sewer? Good luck to him with the IRS. Bit of a dangerous strategy.
(Score: 0) by Anonymous Coward on Saturday July 08 2017, @01:49PM
I think this creeps morally rotten position is but a logical conclusion of the current state of affairs: law is only there if you can afford it. And even if you pay your way into a courthouse it's still something of a coin flip. And these sad facts is what blood sucking vermins like this guy literally bank on.
Justice definitely should be there for everybody, even for those broke and penniless.
(Score: 2) by Runaway1956 on Thursday July 06 2017, @02:02PM (5 children)
Over the years, I've read a few articles questioning how good GRsecurity is. I suppose the best answer is, "They are pretty good - but - the alternatives are as good, and possibly better." Why pay for GRsecurity, when there is no fee involved with the alternatives?
https://www.cyberciti.biz/tips/selinux-vs-apparmor-vs-grsecurity.html [cyberciti.biz]
Linux Kernel Security (SELinux vs AppArmor vs Grsecurity)
Posted on May 27, 2009in Categories CentOS, Debian Linux, fedora linux, Gentoo Linux, GNU/Open source, Linux, Linux distribution, Networking, RedHat/Fedora Linux, Security, Slackware, Suse Linux, Ubuntu Linux last updated May 27, 2009
Conclusion:
All three offers very good protection and I can select them based upon the following simple criteria:
New user / ease of use : Grsecurity
Easy to understand policy and tools : AppArmor
Most powerful access control mechanism : SELinux
_________________________________
As an aside, ye olde site, aternativeto seems to come up empty on this: https://alternativeto.net/browse/search?q=GRsecurity [alternativeto.net] The two offerings have diddly squat to do with security, or kernal patches. Strange . . .
A MAN Just Won a Gold Medal for Punching a Woman in the Face
(Score: 1) by slap on Thursday July 06 2017, @04:31PM (2 children)
That comparison was 8 years ago. A lot has probably changed since then.
(Score: 2) by frojack on Thursday July 06 2017, @06:09PM (1 child)
So it was Yesterday then?
2009-ish. And all we've found since then is some corner cases and a couple major fuckups in third party software that were a lot harder to exploit than all the hype media made them out to be. (None of which were protected against by Grsecurity or any of the other packages).
A lot of kernel features have been ADDED, some bugs proactively patched, but realistically there hasn't been that much that affects these security add-ons.
No, you are mistaken. I've always had this sig.
(Score: 2) by Immerman on Friday July 07 2017, @12:48AM
Have the security add-ons remained static since then? Failed to address their weaknesses nor expanded their strengths?
I mean cars haven't changed a lot in the last few decades, but if I wanted a comparison between manufacturers, I'd really want a comparison of *current* models, not the models made ten years ago.
(Score: 2) by requerdanos on Thursday July 06 2017, @06:14PM
The grsecurity folks have written a feature-for-feature comparison [grsecurity.net] of grsecurity kernels, SELinux, AppArmor, and Kernel Self-Protection Project (KSPP). It's written specifically to present the 31 features that grsecurity finds to be important (i.e. the ones grsecurity has), and it doesn't disappoint: The final scores are grsecurity 31, SELinux 3, AppArmor 3, and KSPP 2 and a half (1 full feature + 3 half "watered down" features).
Take it with a grain of salt because of the source, but then again, the data it contains is important too. The chart is undated, but refers to KSPP's inception in 2015 as "recent," so definitely more recent than the cyberciti blog post.
(Score: 0) by Anonymous Coward on Friday July 07 2017, @02:18PM
grsec was the best for normal people who wanted/needed real security improvements.
now we have the linux-hardened/hardened kernel project: https://github.com/copperhead/linux-hardened/wiki [github.com]
(Score: 0) by Anonymous Coward on Thursday July 06 2017, @05:49PM
You enter their servers and extract the code... Done... Let's not waste time masturbating to fiction and wishful thinking
(Score: 0) by Anonymous Coward on Thursday July 06 2017, @06:04PM (1 child)
https://pastebin.ca/3838883 [pastebin.ca]
Here's a "Quick" rundown
(Not quick...)
------------------------
Some Legal Analysis:
------------------------
The GRSecurity patch snakes through almost the entire kernel; it really touches everywhere
(and Brad Spengler etc have publicly attested to this as a bullet point as it doesn't only
add features but fixes various in-place security errors); and not even as a monolithic block,
it puts a paw here, and there, and there (so on and so on for 8MBs), with the deft agility of a cat,
and the dexterity of a vine wrapped every which-way around the many branches of a bush:
it is a non-separable derivative work.
A counter example would be the Nvidia GFX driver: a portion of that driver works across platforms.
That portion which works on Linux, Windows, etc is a separable work and thus can be argued
to be standalone before a court. Furthermore, in the Nvidia case, that portion was likely
developed on another platform and the wrapper was then built to conform to it.
The wrapper itself that interfaces with linux is licensed under the same terms as linux.
Other drivers can be written in a similar way.
With GRSecurity, on the other-hand, that is absolutely impossible. GRSecurity exists
only to give the linux kernel "self protection" (their words IIRC). They do this
by going in with a scalpel to thousands of areas in the kernel and making small
but important* edits and additions, as-well as by writing some new routines to then
use throughout the kernel.
Unlike a plug-in; their derivative work does not and cannot stand alone.
The Anime-Subs cases reaffirmed somewhat recently that a derivative work
that cannot stand alone and is not authorized is an infringing work.
(Ex: You're a fan, you listen to the Anime Girl cartoon in Japanese,
you write down what they say, you distribute that: that text is a
derivative work and not a standalone one: it required the existence
of the cartoon to itself exist or have any meaning).
I think the situations are very different thusly and that a court
would find GRSecurity to be infringing. If the GRSecurity patch is not
a derivative work then nothing in the realm of source-code is.
To Brad Spengler I'm referred to as a "troll" (months, perhaps a year later
in a discussion I was not involved in), for engaging with RMS on the issue earlier
(something which remains in Mr Spengler's mind:
http://www.openwall.com/lists/kernel-hardening/2017/06/04/24 [openwall.com]
>... It has been nearly 4 months now and despite repeated follow-ups, I still
>haven't received anything back more than an automated reply. Likewise
>regarding some supposed claims by RMS which were published last year by
>internet troll mikeeusa -- I have been trying since June 3rd of last
>year to get any response from him, but have been unable to. So when you ...
(RMS' opinion can be seen here:
(*7) https://lists.debian.org/debian-user/2016/06/msg00020.html [debian.org] )
As for making modifications: To create the patch Brad Spengler modified the
linux-kernel over the course of 15 years, and to continue continually producing
new patches he continually modifies the linux-kernel even more. Without
permission of the license he has no right to modify the kernel. The mechanical
modification that is done by patching is a red-herring in this case since it's
not needed to argue infringement on Mr Spengler's part once he has been found
to have added an additional term to the agreement between him and further
distributees of the derivative work. Once he has done that, he has violated
the license grant, and he no-longer has a right to distribute the work, nor
to distribute derivative works, nor to modify the work in-order to create
future derivative works.
------------------------
Correction to common
programmer's misunderstanding
------------------------
They don't have to add a term to the GPL per-se as the GPL is not a party to the agreement, it is "merely" the (not-fully integrated) writing describing the license that the rights-holders have granted GRSecurity et al.
That is: the GPL in-part describes the license grant that the linux rights-holders have extended.
(There may be other parts described elsewhere, even verbally or through a course of business dealings or relationship)
(Copyright law, being quite bare on it's own, often borrows much from contract law)
Licensees must extend the same grant to Distributees, they cannot add an additional term to that relationship.
GRSecurity has added such a term.
They did not pen it into the text of the GPL.
But, according to existing testimony they did make it clear that redistribution will not be tolerated.
It is unknown if an electronic or hard copy of this additional term controlling the relationship exists,
or whether it was a verbal agreement, or even some implicit understanding. Any which way: it is a forbidden additional
term.
(Score: 0) by Anonymous Coward on Thursday July 06 2017, @06:09PM
------------------------
Background:
------------------------
GRSecurity goes full commercial, no more free testing patches, threatens programmer trying to port.
(*1) https://lwn.net/Articles/723169/ [lwn.net]
(*2) https://www.phoronix.com/forums/forum/software/general-linux-open-source/948623-grsecurity-kernel-patches-will-no-longer-be-free-to-the-public?page=1 [phoronix.com]
(*3) https://www.embedded-linux.de/18-news/886-grsecurity-nicht-mehr-kostenlos-verfuegbar [embedded-linux.de]
(*4) https://www.theregister.co.uk/2017/04/26/grsecurity_linux_kernel_freeloaders/ [theregister.co.uk]
GRSecurity removes public testing patch - goes full commercial.
(*5) http://www.openwall.com/lists/kernel-hardening/2017/06/04/24 [openwall.com]
>"Don't worry about it, there's nothing for a "grateful" user like yourself
>to download anymore. Boy, if I had more "grateful" users like yourself
>obsessed with harrassing us on Twitter, Reddit, and IRC so that they
>can go around and paint themselves as some kind of victim, I wouldn't
>know what to do with myself.
>
>-Brad"
Brad Spengler prevents a private purchaser from redistributing the sourcecode via contract clauses between him and they: thus willfully frustrating the purpose of the license HE was granted by the linux kernel rightsholders. This is another reason a court may find him in violation of the license grant of the GPL. As we discussed previously. (See: ****)
Also Brad Spengler threatens others with lawsuit in a nearly transparent attempt to get them to stop porting over the work:
>" This stops *now* or I'm sending lawyers after you and
(*6) http://www.openwall.com/lists/kernel-hardening/2017/06/03/14 [openwall.com]
>Guys, this is your *last warning*. This stops *now* or I'm sending lawyers
>after you and the companies paying you to plagiarize our work and violate
>our *registered* copyright (which for the record entitles us to punitive
>damages which now are very easily provable). It's time to get serious
>about attribution -- what you are doing is completely unacceptable. I'm
>already in contact with lawyers to prepare for the next time this happens.
>If any of this plagiarized and misattributed code actually made it into
>the Linux kernel, you'd all be in a world of pain.
Here Brad Spengler threatens a copyright infringement lawsuit regarding his non-original wholly-derivative work.
(An original work stands alone). This while he threatens those paying customers who might redistribute the work (see: **** below).
Note: Copyright licenses (like any license to use the property of another (copyright is freely alienable in the same way real property is)) are freely revocable unless barred by estoppel. The GPL v2 lacks a no-revocation clause thus estoppel would be more difficult to argue (additonally none of the "agreeing parties" have ever met each other).
Note2: GrSecurity is a derivative work of the linux kernel, it is non-seperable: it wholly relies on the linux kernel source code to work.
Courts in both the US and Germany have reaffirmed that if a work based on another work cannot stand alone it is clearly a derivative work.
(See the Anime Subtitles case from a few years ago) (See page 6 of the phoronix discussion at *2 for a review)
Note3:The linux kernel is not under joint copyright, it is simply a collection of derivative work upon derivative work.
A simple solution is for one or many of the rightsholders to the code GRSecurity is derived from/ modifies to rescind Brad Spengler's license to use or modify their code.
Additionally copyright violation claims can be filed as Brad Spengler has reportedly attempted to frustrate the purpose of the agreement that allows him to modify the linux kernel in the first place; placing additional restrictions to prevent redistribution of the sourcecode (a court would not be fooled by such a scheme).
(Addionally there were third parties who contributed to the GRSecurity code base when it was publically distributed.)
Other snippets from (*5) include Mr Spengler's unhappiness with the publication of his scheme and RMS's opinion of it:
>... It has been nearly 4 months now and despite repeated follow-ups, I still
>haven't received anything back more than an automated reply. Likewise
>regarding some supposed claims by RMS which were published last year by
>internet troll mikeeusa -- I have been trying since June 3rd of last
>year to get any response from him, but have been unable to. So when you ...
RMS' opinion can be seen here:
(*7) https://lists.debian.org/debian-user/2016/06/msg00020.html [debian.org]
>Re: GRsecurity is preventing others from employing their rights under version 2 the GPL to redistribute source code
>Richard Stallman (May 31 2016 10:27 PM)
>
>[[[ To any NSA and FBI agents reading my email: please consider ]]]
>[[[ whether defending the US Constitution against all enemies, ]]]
>[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
>If I understand right, this is a matter of GPL 2 on the Linux patches.
>Is that right? If so, I think GRsecurity is violating the GPL on
>Linux.
>
>--
>Dr Richard Stallman
>President, Free Software Foundation (gnu.org, fsf.org)
>Internet Hall-of-Famer (internethalloffame.org)
>Skype: No way! See stallman.org/skype.html.
(****)
GRsecurity is preventing others from employing their rights under version 2 the GPL to redistribute
(by threatening them with a non-renewal of a contract to recive this patch to the linux kernel.)
(GRsecurity is a derivative work of the linux kernel (it is a patch))
People who have dealt with them have attested to this fact:
https://www.reddit.com/r/KotakuInAction/comments/4grdtb/censorship_linux_developer_steals_page_from_ [reddit.com]
andi
"You will also lose the access to the patches in the form of grsec not renewing the contract.
Also they've asked us (a Russian hosting company) for $17000+ a year for access their stable
patches. $17k is quite a lot for us. A question about negotiating a lower price was completely
ignored. Twice." -- fbt2lurker
And it is suggested to be the case here aswell:
https://www.reddit.com/r/linux/comments/4gxdlh/after_15_years_of_research_grsecuritys_rap_is_here [reddit.com]
"Do you work for some company that pays for Grsecurity? If so then would you kindly excersise the
rights given to you by GPL and send me a tarball of all the latest patches and releases?" --
lolidaisuki
"sadly (for this case) no, i work in a human rights organization where we get the patches by a
friendly and richer 3rd party of the same field. we made the compromise to that 3rd party to not
distribute the patches outside and as we deal with some critical situations i cannot afford to
compromise that even for the sake of gpl :/
the "dumber" version for unstable patches will make a big problem for several projects, i would
keep an eye on them. this situation cannot be hold for a long time" -- disturbio
(Score: 0) by Anonymous Coward on Thursday July 06 2017, @10:28PM (6 children)
I do not believe GPL is violated here, at least not in any legal form. It is violated in spirit.
Only recipients of BINARY produced with GPL source are entitles to the said source. There are much more blatant violations of this clause -- see many routers, TVs and other devices where you cannot get the source code for the Linux kernel or the drivers even if you legally acquire that product. That is a violation of GPL.
The GRSec authors are not preventing redistribution of patches under GPLv2. They only add additional contractual clauses outside GPL that terminates their additional agreements in case they do. This is not additional condition to the license. These are external terms. Like if you are working for an employer that extends GPL software for internal-use only. Then some employee publishes the changes against their employment contract and gets terminated.
So where is the violation?
(Score: 0) by Anonymous Coward on Friday July 07 2017, @01:00AM (4 children)
But punishing people for exercising their rights under the GPL is a violation of it.
(Score: 0) by Anonymous Coward on Friday July 07 2017, @05:09PM (3 children)
You'll never convince programmers of this. They believe the "no additional terms" clause in the GPL is some form of copyright protection against changing the text of the GPL, and that as-long as their additional term is on a napkin stapled to the License text, or in an email separate form the text, or communicated verbally, or through course of business... then it "isn't an additional term" and they're in the clear.
That is: they believe they can attach any codicil they wish. They are BRILLIANT programmers and know everything about every field from birth.
(Score: 0) by Anonymous Coward on Saturday July 08 2017, @01:53PM (2 children)
It's not programmers you have to convince but lawyers and judges.
(Score: 0) by Anonymous Coward on Sunday July 09 2017, @09:40AM
GRSecurity is clearly violating the license grant (as has been explained at length).
Convincing a Judge would not be difficult.
Convincing Programmers that it is THEY who do not understand the Law and that their schemes are transparent to the Law and are nothing new... is what is difficult.
Programmers believe they just know everything, weather in their field or not, especially White American Men.
And, yes; IAAL.
(Score: 0) by Anonymous Coward on Sunday July 09 2017, @09:47AM
>It's not programmers you have to convince but lawyers and judges.
Yea, great comeback: other lawyers and a judge would ___surely___ be fooled by GRSecurity's codicil.
GPLv2 says no additional terms (to agreement between GRSecurity and further distributees)
GRSecurity creates codicil or side-bar agreement thus adding additional terms (to agreement between GRSecurity and further distributees).
Programmers such as you snarkily say "hehehe you'd have to convince a lawyer or a Judge".
Just stating the facts would be enough, without even an argument.
But hey, programmer, you know far more about the law than lawyers and such right?
(Score: 0) by Anonymous Coward on Friday July 07 2017, @05:19PM
>by Anonymous Coward on Thursday July 06, @10:28PM (#535910)
>I do not believe
It does not matter what you believe. Your existence as a proud white programmer doesn't make you an expert on everything, though you may think it does. You may also believe that you can "control" a woman somehow when the police and state are opposed to you and anyone who can't is "weak" and it will be different for you because you are so smart you can convince her not to divorce you. Everything's fine. Only weak non-whites want to marry young girls instead of strong women like us white men who can take the challenge!
Take a read of the license, and take a read of the lengthily explanations, also learn some law.
And yes I am a Lawyer. And yes, your understanding is lacking.
GRSecurity has added a term not present in the license grant the Linux-Kernel owners have extended to GRSecurity to the the agreement between GRSecurity and those to whom it is distributing the derivative work. This is explicitly forbidden. The Linux-Kernel copyright owners forbid such behavior in their license upon pain of automatic revocation.
Argue all you want the other-way, I will likely not respond. If 5 pages of explanation aren't enough, then nothing can overcome the self-sure hubris.