An Anonymous Coward writes:
The head of security firm Open Source Security, Brad Spengler, says he had little option but to file a lawsuit against open source advocate Bruce Perens, who alleged back in 2017 that security patches issued for the Linux kernel by OSS violated the licence under which the kernel is distributed.
The case ended last week with Perens coming out on the right side of things; after some back and forth, a court doubled down on its earlier decision that OSS must pay Perens' legal costs as awarded in June 2018.
The remainder of the article is an interview with Brad Spengler about the case and the issue.
iTWire contacted Spengler soon after the case ended, as he had promised to speak at length about the issue once all legal issues were done and dusted. Queries submitted by iTWire along with Spengler's answers in full are given below:
Court Orders Payment of $259,900.50 to Bruce Perens' Attorneys
On top of that, what are the damages? Zero. So much for frivolous de minimis lawsuits.
And when I obtain it via BitTorrent or VPN, it's not possible to know who I got my copy from so I can't go back to them for the source. So if I give someone a copy, I'll tell them to read the warranty disclaimer that comes with all Linux distros - no warranty whatsoever, including no warranty of fitness for any purpose whatsoever. That would include no warranty of fitness to redistribute.
After all, my distro didn't even include a LICENSE.txt. Guess they want to save bandwidth.
But nobody is dead in this case. The source exists and is easily within Spengler's grasp.
Your suppositions are untested. They may never be tested since if the author of a program is dead and took the source to the grave, who would do the suing?
There's no getting around it because anyone who complains loses their license to the binary, so without a license to the binary, they can't demand the source.
After all, he's free not to license his code. Now what would make it even more interesting is if no original source is included in the patches. Then you can't even argue it's a derivative work. That's how I'd do it. And who could complain, if there was no GPL source in the patches? Someone could do a whole Linux work-alike that way; nobody can complain. Or they could take FreeBSD code to make a work-alike and again, no GPL hassles.
Nobody is, but they still have the option to do so. Thus, the thin ice.
As for what Spengler thought he had to gain by suing Perens, I can't imagine.
He was and is free to create a compatible not Linux kernel, but he didn't.
Now let's teach an AI to do that, modify the binary directly and by trial and error get closer to the desired outcome. No source (or technically the binary IS the source), so no requirement to redistribute "source code" to the mods. You're free to do a binary diff to see the changes, since the binary is the only source that ever existed. There's no edit-compile-link-run cycle, no source code to compile, no object code to link in, so no requirement to distribute nonexistent sources.
Will this happen? Well, it's possible to do, so that pretty much guarantees that it's already being done by people who need to add spying capabilities to other countries' hardware and software without having the source. The US 3-letter gangs are most certainly doing it to both domestic and foreign software and firmware.
Wouldn't be surprised if some crooks are trying it too. Because you simply don't need source code, just time and brains, or an artificial facsimile thereof.
As for commercial possibilities, since the end user is dependent on the hacker AI for future patches, they can either pay or not - and if they distribute the patches as they're allowed to by the GPL, the hacker AI is free to cut them off from any future updates. All permitted under the GPL.
Back in the '80s it was not even clear that copyright applied to software. Companies put copyright notices in just in case and as a deterrent to copying.
You're missing a fundamental point though. It's not GRsec CUSTOMERS who necessarily have a cause to sue, it's the many authors of the Linux kernel. Any one of them might choose to sue at any time. Will the courts decide that a diff (source or binary) that depends on a copy of the original to produce a functional result is constructively distributing a derived work? Nobody can say for sure unless/until such a case is brought and winds its way through the courts, but it is a distinct possibility.
>Back in the 80s I'm sure I wasn't the only one modifying binaries with a hex editor. If I were to do that today I could redistribute the binaries and never give the source because there is no source, never was.
Except that the instant you distribute you're violating copyright law - unless you have a license that allows you to distribute. As some kid sharing stuff with friends in the pre-napster days, you were unlikely to get caught, but that doesn't make it any more legal.
Do that with any proprietary software, and the original copyright holder will be fully within their legal rights to come down on you like a ton of bricks for copyright infringement.
Do that with GPLed software - and either you provide the source code on demand as required by the license, or the original copyright holder will be fully within their legal rights to come down on you like a ton of bricks for copyright infringement.
The GPL is the only thing allowing you to redistribute the code legally, so if you're not 100% in compliance with the license - including providing source code on demand, then you're automatically guilty of copyright infringement.
Sounds like GRSecurity isn't obviously violating the letter of the GPL, assuming they really do provide the source code on demand. But they're certainly violating the spirit.
He is free to continue to distribute patches without the source and simply revoke the license of anyone who asks for the source. Since they no longer have a valid license, they have no grounds for claiming a GPL license violation.
That's some stupid shit right there. You have unwittingly allowed people to revoke licenses for all sorts of stupid-assed reasons. Remember the upskirt assholes, who could have revoked any license of any female who complained about their sexist attitudes? Or, how about a bunch of racist assholes, who can revoke your license for being the wrong complexion?
Asking for the source is most definitely NOT grounds for revoking a license when GPL is involved. Not even with BSD licensing would that be so. Complete and utter nonsense.
> "On top of that, what are the damages? Zero. So much for frivolous de minimis lawsuits."
Owners of registered copyrighted works can pursue statutory damages, moron (and attorneys fees). Congress was ahead of you on this, you stupid fucking know-nothing idiot.
So who's the moron?