
SoylentNews is people

posted by Fnord666 on Sunday February 16 2020, @02:22PM
from the no-way-out dept.

https://www.itwire.com/open-source/linux-kernel-patch-maker-says-court-case-was-only-way-out.html

The head of security firm Open Source Security, Brad Spengler, says he had little option but to file a lawsuit against open source advocate Bruce Perens, who alleged back in 2017 that security patches issued for the Linux kernel by OSS violated the licence under which the kernel is distributed.

The case ended last week with Perens coming out on the right side of things; after some back and forth, a court doubled down on its earlier decision that OSS must pay Perens' legal costs as awarded in June 2018.

The remainder of the article is an interview with Brad Spengler about the case and the issue.

iTWire contacted Spengler soon after the case ended, as he had promised to speak at length about the issue once all legal issues were done and dusted. Queries submitted by iTWire along with Spengler's answers in full are given below:

Previously:
Court Orders Payment of $259,900.50 to Bruce Perens' Attorneys


  • (Score: 2) by sjames on Sunday February 16 2020, @09:06PM (17 children)

    by sjames (2882) on Sunday February 16 2020, @09:06PM (#958888) Journal

    Actually, that won't fly. GRSec is a work derived from the Linux kernel. Spengler's licence to distribute such a derived work AT ALL is contingent on him not asking the recipient to waive the rights granted under the GPL.

    In my opinion, Spengler's legal argument in the larger question is dangerously close to the hypothetical argument "I didn't mug him, he voluntarily handed me the money rather than risk being shot". (Mr. Spengler, if you're reading this please note that this is my opinion and is stated as an opinion. I am not a lawyer nor have I ever played one on TV.) That is, it's on thin ice.

    In the case at hand, Bruce was absolutely within his rights to offer his opinion that the whole thing was on thin ice. This was affirmed by the court. The court then doubled down by ruling that Bruce was so clearly within his rights that Spengler should pay the costs of defending those rights in court against his lawsuit.

    As is typical in cases where someone is sued for offering an opinion, the court did not rule on the correctness of the opinion itself, just on the right to state it.

  • (Score: 2) by barbara hudson on Sunday February 16 2020, @10:35PM (14 children)

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Sunday February 16 2020, @10:35PM (#958922) Journal

    >is contingent on him not asking the recipient to waive the rights granted under the GPL.

    No such clause in the GPL restricting the recipient from waiving their rights. It's an interesting problem, same as when the person who did the distribution doesn't have the source and can't get it from the person they got the program from. They're not obligated to dig up the source elsewhere, and the law allows for nullity of any clause that is impossible. "Sorry, I got it from BitTorrent and I can't identify the individual source of each part of the program to ask them for the source of their chunk."

    The GPL didn't anticipate things such as multiple unidentifiable distributors of chunks of programs. Or the death of the distributor. I can ask others for a copy, but the license doesn't oblige them to give me one.

    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
    • (Score: 0) by Anonymous Coward on Sunday February 16 2020, @11:20PM (2 children)

      by Anonymous Coward on Sunday February 16 2020, @11:20PM (#958933)

      >It's an interesting problem, same as when the person who did the distribution doesn't have the source and can't get it from the person they got the program from.

      If you can't respect the license, don't do anything the license doesn't allow you to.
      If you can't distribute the source together with the binaries for a GPL licensed software, don't distribute the binaries.

      • (Score: 2) by barbara hudson on Monday February 17 2020, @12:45AM (1 child)

        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 17 2020, @12:45AM (#958951) Journal
        The GPL doesn't require you to distribute a copy of the source when you distribute the program. Read it. The only thing it requires is that you, for a period of 3 years, offer to make a copy of the source available, only to those you distribute it to.

        So last week you download and distribute a program. This week people ask you for the source, you go to download a copy from the person you got it from, they're in a coma and their server is offline.

        Do you have an obligation to obtain the source elsewhere? No, and in the case of modified software it may not even be possible if the only source is in a coma.

        Are you in violation of the GPL? Again, no. As a matter of public policy, impossible contracts are void, and the GPL is a contract which is now attempting to impose an impossible obligation on you.

        The GPL has a few flaws in it that give rise to anomalous situations where the GPL simply can't be applied.

        --
        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
        • (Score: 0) by Anonymous Coward on Monday February 17 2020, @08:47AM

          by Anonymous Coward on Monday February 17 2020, @08:47AM (#959079)

          >The GPL doesn't require you to distribute a copy of the source when you distribute the program. Read it. The only thing it requires is that you, for a period of 3 years, offer to make a copy of the source available, only to those you distribute it to.

          Yes. It requires the distributor of the binaries to make the source available at no more than nominal charge of distributing the said source.

          So, as soon as someone asks for the source, you are obliged to distribute the source to them. If you fail to do this *and* continue to distribute the binary, then you are of course breaking the copyright law and can be held liable both in a civil or legal sense.

          In essence, if you make some derivative work of GPL to general public, then your competitor could buy a copy and require you to provide source code. At that point they could just distribute it free of charge. And if you fail to produce source code, you are breaking GPL. If you fail to sell to them, you are breaking other laws. Have a nice day.

          >Are you in violation of the GPL? Again, no. As a matter of public policy, impossible contracts are void, and the GPL is a contract which is now attempting to impose an impossible obligation on you.

          GPL is not a contract.

          It's a copyright license. You are infringing copyright (breaking copyright laws) if you are distributing things without adhering to the said license.

    • (Score: 2) by sjames on Sunday February 16 2020, @11:47PM (10 children)

      by sjames (2882) on Sunday February 16 2020, @11:47PM (#958940) Journal

      If you didn't get the source from the person who distributed the binary to you, the license to distribute AT ALL is void but if it's GPL, you'll probably be cut some slack. But note that courts are rarely amused if you willfully create such a situation.

      • (Score: 2) by barbara hudson on Monday February 17 2020, @12:34AM (9 children)

        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 17 2020, @12:34AM (#958948) Journal
        Nobody is required to download the source. The license is a distribution only license. The person who I got it from is dead? Then anyone who I distributed a copy of the program to who now wants the source is simply out of luck. I'm not required to obtain the source from elsewhere - and in the case of modified source, it's probably not possible even with an Ouija board. Force majeure is a real thing.

        On top of that, what are the damages? Zero. So much for frivolous de minimis lawsuits.

        And when I obtain it via BitTorrent or VPN, it's not possible to know who I got my copy from so I can't go back to them for the source. So if I give someone a copy, I'll tell them to read the warranty disclaimer that comes with all Linux distros - no warranty whatsoever, including no warranty of fitness for any purpose whatsoever. That would include no warranty of fitness to redistribute.

        After all, my distro didn't even include a LICENSE.txt. Guess they want to save bandwidth.

        --
        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
        • (Score: 2) by sjames on Monday February 17 2020, @01:33AM (6 children)

          by sjames (2882) on Monday February 17 2020, @01:33AM (#958967) Journal

          But nobody is dead in this case. The source exists and is easily within Spengler's grasp.

          Your suppositions are untested. They may never be tested since if the author of a program is dead and took the source to the grave, who would do the suing?

          • (Score: 2) by barbara hudson on Monday February 17 2020, @02:01AM (5 children)

            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 17 2020, @02:01AM (#958979) Journal
            You point out a fact that supports my argument. Nobody is suing Spengler for violating the GPL. That was my original point - this stupid lawsuit changed nothing. He is free to continue to distribute patches without the source and simply revoke the license of anyone who asks for the source. Since they no longer have a valid license, they have no grounds for claiming a GPL license violation.

            There's no getting around it because anyone who complains loses their license to the binary, so without a license to the binary, they can't demand the source.

            After all, he's free not to license his code. Now what would make it even more interesting is if no original source is included in the patches. Then you can't even argue it's a derivative work. That's how I'd do it. And who could complain, if there was no GPL source in the patches? Someone could do a whole Linux work-alike that way, nobody can complain. Or they could take FreeBSD code to make a work-alike and again, no GPL hassles.

            --
            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
            • (Score: 2) by sjames on Monday February 17 2020, @02:45AM (3 children)

              by sjames (2882) on Monday February 17 2020, @02:45AM (#958996) Journal

              Nobody is, but they still have the option to do so. Thus, the thin ice.

              As for what Spengler thought he had to gain by suing Perens, I can't imagine.

              He was and is free to create a compatible not Linux kernel, but he didn't.

              • (Score: 2) by barbara hudson on Monday February 17 2020, @03:52AM (2 children)

                by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 17 2020, @03:52AM (#959011) Journal
                Back in the 80s I'm sure I wasn't the only one modifying binaries with a hex editor. If I were to do that today I could redistribute the binaries and never give the source because there is no source, never was.

                Now let's teach an AI to do that, modify the binary directly and by trial and error get closer to the desired outcome. No source (or technically the binary IS the source), so no requirement to redistribute "source code" to the mods. You're free to do a binary diff to see the changes, since the binary is the only source that ever existed. There's no edit-compile-link-run cycle, no source code to compile, no object code to link in, so no requirement to distribute nonexistent sources.

                Will this happen? Well, it's possible to do, so that pretty much guarantees that it's already being done by people who need to add spying capabilities to other countries' hardware and software without having the source. The US 3-letter gangs are most certainly doing it to both domestic and foreign software and firmware.

                Wouldn't be surprised if some crooks are trying it too. Because you simply don't need source code, just time and brains, or an artificial facsimile thereof.

                As for commercial possibilities, since the end user is dependent on the hacker AI for future patches, they can either pay or not - and if they distribute the patches as they're allowed by the GPL, the hacker AI is free to cut them off from any future updates. All permitted under the GPL.

                --
                SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                • (Score: 2) by sjames on Monday February 17 2020, @06:18AM

                  by sjames (2882) on Monday February 17 2020, @06:18AM (#959057) Journal

                  Back in the '80s it was not even clear that copyright applied to software. Companies put copyright notices in just in case and as a deterrent to copying.

                  You're missing a fundamental point though. It's not GRsec CUSTOMERS who necessarily have a cause to sue, it's the many authors of the Linux kernel. Any one of them might choose to sue at any time. Will the courts decide that a diff (source or binary) that depends on a copy of the original to produce a functional result is constructively distributing a derived work? Nobody can say for sure unless/until such a case is brought and winds its way through the courts, but it is a distinct possibility.

                • (Score: 2) by Immerman on Monday February 17 2020, @04:41PM

                  by Immerman (3985) on Monday February 17 2020, @04:41PM (#959201)

                  >Back in the 80s I'm sure I wasn't the only one modifying binaries with a hex editor. If I were to do that today I could redistribute the binaries and never give the source because there is no source, never was.

                  Except that the instant you distribute you're violating copyright law - unless you have a license that allows you to distribute. As some kid sharing stuff with friends in the pre-napster days, you were unlikely to get caught, but that doesn't make it any more legal.

                  Do that with any proprietary software, and the original copyright holder will be fully within their legal rights to come down on you like a ton of bricks for copyright infringement.

                  Do that with GPLed software - and either you provide the source code on demand as required by the license, or the original copyright holder will be fully within their legal rights to come down on you like a ton of bricks for copyright infringement.

                  The GPL is the only thing allowing you to redistribute the code legally, so if you're not 100% in compliance with the license - including providing source code on demand, then you're automatically guilty of copyright infringement.

                  Sounds like GRSecurity isn't obviously violating the letter of the GPL, assuming they really do provide the source code on demand. But they're certainly violating the spirit.

            • (Score: 2) by Runaway1956 on Monday February 17 2020, @05:48AM

              by Runaway1956 (2926) Subscriber Badge on Monday February 17 2020, @05:48AM (#959045) Homepage Journal

              >He is free to continue to distribute patches without the source and simply revoke the license of anyone who asks for the source. Since they no longer have a valid license, they have no grounds for claiming a GPL license violation.

              That's some stupid shit right there. You have unwittingly allowed people to revoke licenses for all sorts of stupid-assed reasons. Remember the upskirt assholes, who could have revoked any license of any female who complained about their sexist attitudes? Or, how about a bunch of racist assholes, who can revoke your license for being the wrong complexion?

              Asking for the source is most definitely NOT grounds for revoking a license when GPL is involved. Not even with BSD licensing would that be so. Complete and utter nonsense.

              --
              There is a supply side shortage of pronouns. You will take whatever you are offered.
        • (Score: 0) by Anonymous Coward on Friday February 21 2020, @05:16AM (1 child)

          by Anonymous Coward on Friday February 21 2020, @05:16AM (#960594)

          >"On top of that, what are the damages? Zero. So much for frivolous de minimis lawsuits."

          Owners of registered copyrighted works can pursue statutory damages, moron (and attorneys' fees). Congress was ahead of you on this, you stupid fucking know-nothing idiot.

          • (Score: 2) by barbara hudson on Friday February 21 2020, @02:21PM

            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday February 21 2020, @02:21PM (#960676) Journal
            And yet the owners of registered copyrights rarely get the full statutory damages. Also, I've argued that people should register their copyright, but almost nobody does. Look at the copyright notices on open source projects - no copyright registration, no registration dates, so it's only actual damages, which are de minimis.

            So who's the moron?

            --
            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
  • (Score: 0) by Anonymous Coward on Monday February 17 2020, @05:46AM (1 child)

    by Anonymous Coward on Monday February 17 2020, @05:46AM (#959044)

    >contingent on him not asking the recipient to waive the rights granted under the GPL.

    Right. Which GRSecurity isn't doing. They never placed a restriction in the legal sense; they could not have sued any customers who release GPL'ed code. But yes they sure as hell can stop supporting clients who do, nothing in the GPL says you have to provide support.

    This is simple. Why is this so hard for Lentils to get? Arik and you and Barb Hudson are all barking up the weirdest unrelated trees. I get it, I get it, you saw a squirrel, but calm down, we're not squirrel hunting.