
SoylentNews is people

posted by Fnord666 on Sunday February 16 2020, @02:22PM
from the no-way-out dept.

https://www.itwire.com/open-source/linux-kernel-patch-maker-says-court-case-was-only-way-out.html

The head of security firm Open Source Security, Brad Spengler, says he had little option but to file a lawsuit against open source advocate Bruce Perens, who alleged back in 2017 that security patches issued for the Linux kernel by OSS violated the licence under which the kernel is distributed.

The case ended last week with Perens coming out on the right side of things; after some back and forth, a court doubled down on its earlier decision that OSS must pay Perens' legal costs as awarded in June 2018.

The remainder of the article is an interview with Brad Spengler about the case and the issue.

iTWire contacted Spengler soon after the case ended, as he had promised to speak at length about the issue once all legal issues were done and dusted. Queries submitted by iTWire along with Spengler's answers in full are given below:

Previously:
Court Orders Payment of $259,900.50 to Bruce Perens' Attorneys



 
This discussion has been archived. No new comments can be posted.
  • (Score: 2) by barbara hudson on Monday February 17 2020, @12:34AM (9 children)

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 17 2020, @12:34AM (#958948) Journal
    Nobody is required to download the source. The license is a distribution only license. The person who I got it from is dead? Then anyone who I distributed a copy of the program to who now wants the source is simply out of luck. I'm not required to obtain the source from elsewhere - and in the case of modified source, it's probably not possible even with an Ouija board. Force majeure is a real thing.

    On top of that, what are the damages? Zero. So much for frivolous de minimis lawsuits.

    And when I obtain it via BitTorrent or VPN, it's not possible to know who I got my copy from so I can't go back to them for the source. So if I give someone a copy, I'll tell them to read the warranty disclaimer that comes with all Linux distros - no warranty whatsoever, including no warranty of fitness for any purpose whatsoever. That would include no warranty of fitness to redistribute.

    After all, my distro didn't even include a LICENSE.txt. Guess they want to save bandwidth.

    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
  • (Score: 2) by sjames on Monday February 17 2020, @01:33AM (6 children)

    by sjames (2882) on Monday February 17 2020, @01:33AM (#958967) Journal

    But nobody is dead in this case. The source exists and is easily within Spengler's grasp.

    Your suppositions are untested. They may never be tested since if the author of a program is dead and took the source to the grave, who would do the suing?

    • (Score: 2) by barbara hudson on Monday February 17 2020, @02:01AM (5 children)

      by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 17 2020, @02:01AM (#958979) Journal
      You point out a fact that supports my argument. Nobody is suing Spengler for violating the GPL. That was my original point - this stupid lawsuit changed nothing. He is free to continue to distribute patches without the source and simply revoke the license of anyone who asks for the source. Since they no longer have a valid license, they have no grounds for claiming a GPL license violation.

      There's no getting around it because anyone who complains loses their license to the binary, so without a license to the binary, they can't demand the source.

      After all, he's free not to license his code. Now what would make it even more interesting is if no original source is included in the patches. Then you can't even argue it's a derivative work. That's how I'd do it. And who could complain, if there was no GPL source in the patches? Someone could do a whole Linux work-alike that way, nobody can complain. Or they could take FreeBSD code to make a work-alike and again, no GPL hassles.

      --
      SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
      • (Score: 2) by sjames on Monday February 17 2020, @02:45AM (3 children)

        by sjames (2882) on Monday February 17 2020, @02:45AM (#958996) Journal

        Nobody is, but they still have the option to do so. Thus, the thin ice.

        As for what Spengler thought he had to gain by suing Perens, I can't imagine.

        He was and is free to create a compatible not Linux kernel, but he didn't.

        • (Score: 2) by barbara hudson on Monday February 17 2020, @03:52AM (2 children)

          by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 17 2020, @03:52AM (#959011) Journal
          Back in the 80s I'm sure I wasn't the only one modifying binaries with a hex editor. If I were to do that today I could redistribute the binaries and never give the source because there is no source, never was.

          Now let's teach an AI to do that, modify the binary directly and by trial and error get closer to the desired outcome. No source (or technically the binary IS the source), so no requirement to redistribute "source code" to the mods. You're free to do a binary diff to see the changes, since the binary is the only source that ever existed. There's no edit-compile-link-run cycle, no source code to compile, no object code to link in, so no requirement to distribute nonexistent sources.

          Will this happen? Well, it's possible to do, so that pretty much guarantees that it's already being done by people who need to add spying capabilities to other countries' hardware and software without having the source. The US 3-letter gangs are most certainly doing it to both domestic and foreign software and firmware.

          Wouldn't be surprised if some crooks are trying it too. Because you simply don't need source code, just time and brains, or an artificial facsimile thereof.

          As for commercial possibilities, since the end user is dependent on the hacker AI for future patches, they can either pay or not - and if they distribute the patches as they're allowed by the GPL, the hacker AI is free to cut them off from any future updates. All permitted under the GPL.

          --
          SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
          • (Score: 2) by sjames on Monday February 17 2020, @06:18AM

            by sjames (2882) on Monday February 17 2020, @06:18AM (#959057) Journal

            Back in the '80s it was not even clear that copyright applied to software. Companies put copyright notices in just in case and as a deterrent to copying.

            You're missing a fundamental point though. It's not GRsec CUSTOMERS who necessarily have a cause to sue, it's the many authors of the Linux kernel. Any one of them might choose to sue at any time. Will the courts decide that a diff (source or binary) that depends on a copy of the original to produce a functional result is constructively distributing a derived work? Nobody can say for sure unless/until such a case is brought and winds its way through the courts, but it is a distinct possibility.

          • (Score: 2) by Immerman on Monday February 17 2020, @04:41PM

            by Immerman (3985) on Monday February 17 2020, @04:41PM (#959201)

            >Back in the 80s I'm sure I wasn't the only one modifying binaries with a hex editor. If I were to do that today I could redistribute the binaries and never give the source because there is no source, never was.

            Except that the instant you distribute you're violating copyright law - unless you have a license that allows you to distribute. As some kid sharing stuff with friends in the pre-napster days, you were unlikely to get caught, but that doesn't make it any more legal.

            Do that with any proprietary software, and the original copyright holder will be fully within their legal rights to come down on you like a ton of bricks for copyright infringement.

            Do that with GPLed software - and either you provide the source code on demand as required by the license, or the original copyright holder will be fully within their legal rights to come down on you like a ton of bricks for copyright infringement.

            The GPL is the only thing allowing you to redistribute the code legally, so if you're not 100% in compliance with the license - including providing source code on demand, then you're automatically guilty of copyright infringement.

            Sounds like GRSecurity isn't obviously violating the letter of the GPL, assuming they really do provide the source code on demand. But they're certainly violating the spirit.

      • (Score: 2) by Runaway1956 on Monday February 17 2020, @05:48AM

        by Runaway1956 (2926) Subscriber Badge on Monday February 17 2020, @05:48AM (#959045) Journal

        He is free to continue to distribute patches without the source and simply revoke the license of anyone who asks for the source. Since they no longer have a valid license, they have no grounds for claiming a GPL license violation.

        That's some stupid shit right there. You have unwittingly allowed people to revoke licenses for all sorts of stupid-assed reasons. Remember the upskirt assholes, who could have revoked any license of any female who complained about their sexist attitudes? Or, how about a bunch of racist assholes, who can revoke your license for being the wrong complexion?

        Asking for the source is most definitely NOT grounds for revoking a license when GPL is involved. Not even with BSD licensing would that be so. Complete and utter nonsense.

  • (Score: 0) by Anonymous Coward on Friday February 21 2020, @05:16AM (1 child)

    by Anonymous Coward on Friday February 21 2020, @05:16AM (#960594)

    >" On top of that, what are the damages? Zero. So much for frivolous de minimus lawsuits. "

    Owners of registered copyrighted works can pursue statutory damages, moron (and attorneys' fees). Congress was ahead of you on this, you stupid fucking know-nothing idiot.

    • (Score: 2) by barbara hudson on Friday February 21 2020, @02:21PM

      by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday February 21 2020, @02:21PM (#960676) Journal
      And yet the owners of registered copyrights rarely get the full statutory damages. Also, I've argued that people should register their copyright, but almost nobody does. Look at the copyright notices on open source projects - no copyright registration, no registration dates, so it's only actual damages, which are de minimis.

      So who's the moron?

      --
      SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.