Slash Boxes

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 12 submissions in the queue.
posted by n1 on Thursday July 06 2017, @11:39AM   Printer-friendly
from the to-hell-with-gpl dept.

Bruce Perens warns of potential contributory infringement and breach of contract risk for customers of GRSecurity:

Grsecurity is a patch for the Linux kernel which, it is claimed, improves its security. It is a derivative work of the Linux kernel which touches the kernel internals in many different places. It is inseparable from Linux and can not work without it. it would fail a fair-use test (obviously, ask offline if you don’t understand). Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2.

Currently, Grsecurity is a commercial product and is distributed only to paying customers. My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition.

By operating under their policy of terminating customer relations upon distribution of their GPL-licensed software, Open Source Security Inc., the owner of Grsecurity, creates an expectation that the customer’s business will be damaged by losing access to support and later versions of the product, if that customer exercises their re-distribution right under the GPL license. This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.

Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Interesting) by requerdanos on Friday July 07 2017, @05:09PM

    by requerdanos (5997) Subscriber Badge on Friday July 07 2017, @05:09PM (#536183) Journal

    I'll give it a go, in the interests of playing devil's advocate (as I understand their position)

    Thank you.

    They grant you access to their code under GPLv2. Nothing that you do will affect this. They permit you to do everything that GPLv2 permits.

    Well, no, they claim specifically that "The User has all rights and obligations granted by grsecurity's software license, version 2 of the GNU GPL" but reveal additional, more restrictive terms just afterwards.

    There is no question whether they are doing this; it's not a matter for speculation or argument. In their own words, their prohibition on exercising your distribution rights under the GPL are "terms" in their "agreement" that you can "violate" -- there is no question here. Their agreement that adds additional terms to the GPL with a penalty for violation is on their website [] for review.

    Under "Termination" in their additional-terms-added-to-the-GPL-in-violation-of-same-agreement, they say that their aim is only to terminate access to code if you violate the terms of the agreement under which they are distributed (meaning, the additional-terms-added-to-the-GPL-agreement), they also "reserve the right" to revoke access "at any time for any reason," with or without a refund to customers who prepaid.

    That section reads (emphasis added):

    While the Company aims only to terminate access to the stable patches in the event of willful violation of the terms in this agreement, we reserve the right to revoke access to the stable patches and changelogs at any time for any reason. In the event of termination, the Company will at its own discretion refund payment for any remaining pre-paid period.

    Not only do they deny (as "violations") freedoms 2 and 3 as they relate to distribution, they even deny freedom 0, to freely use of their kernel in the first place:

    Use of the patches on additional products without the consent of the Company will result in termination

    This is as big a deal or bigger than the denial of freedoms 2 and 3, distribution of verbatim or modified copies. They do not even let you use their kernels freely; grsecurity has to approve of each and every computer before you are allowed to run their kernel on it. That is not an example of someone having all the freedom of the GPL.

    If you "violate" their "terms" of the additional-terms-added-to-the-GPL-in-violation-of-same-agreement, then it will be "terminated." An agreement that is additional, with terms, adds "additional terms" and they are more restrictive than the GPL. This is disallowed.

    Given that they are adding terms to the GPL that make it more restrictive, as previously covered in this thread and by Perens, their rights are terminated under the GPL and they don't have any right to do anything at all with the kernel, much less modify it, redistribute the patches, and withhold the source code and add the additional restriction that everyone who receives it from them also withhold it, and deny even freedom 0 to use the software freely in the first place.

    That's seriously a no-no to do, even if they claim they aren't doing it as they do it.

    Consider the following pseudocode:

    while (user_data_remains) {
            display_duplicitous_message("I am totally not erasing all the user data.\n");

    What would this code, if implemented, accomplish? Would the presence of the "display" clause mean that the next line does not exist, despite the fact that it does exist?

    Either the writer of such a claim is less than knowledgeable, and believes additional terms are not additional terms, more restrictive terms are not more restrictive, and black is white for all we know; or the writer believes that You The Reader/Customer are less than knowledgeable, and that You will believe such nonsense.

    They're not infringing the GPL, because they never restrict what you can do with the code that you have already received - their license does not relate to your rights to the code, but to your access to their update mechanism.

    Their additional, more restrictive terms specifically and substantially restrict what you can do with the code, in terms of both use and distribution. Their license does not remove your rights under the GPL, but that's only because such additional terms are invalidated by the GPL of the parent work.

    That they impose a penalty if you violate their additional, more restrictive terms goes over and above just having the additional terms--normally if you violate license terms the penalty is that "the license said not to do this but I did it anyway," and perhaps terminate your rights under that license. But they are actually writing a penalty into the license for violating their additional, more restrictive terms that they assert in addition to the terms of the GPL, such that they will go beyond that and actually terminate your rights under other agreements as well.

    This kind of thing is fairly common with GPL'd code.

    Well, not exactly this kind of thing, in my opinion.

    [Imagine] you give them a modified version of Linux and GCC to experiment with. You can't stop them from distributing these, but you really don't want them to... You have a gentlemen's agreement

    It's questionable whether partners sharing code among themselves counts as "distribution," and a gentleman's agreement is not the same as a EULA that curtails freedoms 0, 2, and 3 of the GPL regardless of any agreement or lack thereof. Parties to a gentleman's agreement are working together. Parties to the additional-terms-added-to-the-GPL-in-violation-of-same-agreement are more likely working against each other, and they're doing so under false pretenses.

    This is one of the reasons that ARM is now increasingly prototyping with LLVM and FreeBSD: it's easier to share with partners without legal hassles.

    Amen to that.

    I wasn't convinced by your explanation, and if you would be so kind, I would like to know your opinion or impression of whether I took the time to properly listen to and consider it. I feel that I did, but then again, if I have a blind spot, I would not know about it.

    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3