
posted by Fnord666 on Sunday February 16 2020, @02:22PM
from the no-way-out dept.

https://www.itwire.com/open-source/linux-kernel-patch-maker-says-court-case-was-only-way-out.html

The head of security firm Open Source Security, Brad Spengler, says he had little option but to file a lawsuit against open source advocate Bruce Perens, who alleged back in 2017 that security patches issued for the Linux kernel by OSS violated the licence under which the kernel is distributed.

The case ended last week with Perens coming out on the right side of things; after some back and forth, a court doubled down on its earlier decision that OSS must pay Perens' legal costs as awarded in June 2018.

The remainder of the article is an interview with Brad Spengler about the case and the issue.

iTWire contacted Spengler soon after the case ended, as he had promised to speak at length about the issue once all legal issues were done and dusted. Queries submitted by iTWire along with Spengler's answers in full are given below:

Previously:
Court Orders Payment of $259,900.50 to Bruce Perens' Attorneys


  • (Score: 2) by sjames on Monday February 17 2020, @01:33AM (6 children)

    by sjames (2882) on Monday February 17 2020, @01:33AM (#958967) Journal

    But nobody is dead in this case. The source exists and is easily within Spengler's grasp.

    Your suppositions are untested. They may never be tested since if the author of a program is dead and took the source to the grave, who would do the suing?

  • (Score: 2) by barbara hudson on Monday February 17 2020, @02:01AM (5 children)

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 17 2020, @02:01AM (#958979) Journal
    You point out a fact that supports my argument. Nobody is suing Spengler for violating the GPL. That was my original point - this stupid lawsuit changed nothing. He is free to continue to distribute patches without the source and simply revoke the license of anyone who asks for the source. Since they no longer have a valid license, they have no grounds for claiming a GPL license violation.

    There's no getting around it because anyone who complains loses their license to the binary, so without a license to the binary, they can't demand the source.

    After all, he's free not to license his code. Now what would make it even more interesting is if no original source is included in the patches. Then you can't even argue it's a derivative work. That's how I'd do it. And who could complain, if there was no GPL source in the patches? Someone could do a whole Linux work-alike that way, nobody can complain. Or they could take FreeBSD code to make a work-alike and again, no GPL hassles.

    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
    • (Score: 2) by sjames on Monday February 17 2020, @02:45AM (3 children)

      by sjames (2882) on Monday February 17 2020, @02:45AM (#958996) Journal

      Nobody is, but they still have the option to do so. Thus, the thin ice.

      As for what Spengler thought he had to gain by suing Perens, I can't imagine.

      He was and is free to create a compatible not-Linux kernel, but he didn't.

      • (Score: 2) by barbara hudson on Monday February 17 2020, @03:52AM (2 children)

        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 17 2020, @03:52AM (#959011) Journal
        Back in the 80s I'm sure I wasn't the only one modifying binaries with a hex editor. If I were to do that today I could redistribute the binaries and never give the source because there is no source, never was.

        Now let's teach an AI to do that, modify the binary directly and by trial and error get closer to the desired outcome. No source (or technically the binary IS the source), so no requirement to redistribute "source code" to the mods. You're free to do a binary diff to see the changes, since the binary is the only source that ever existed. There's no edit-compile-link-run cycle, no source code to compile, no object code to link in, so no requirement to distribute nonexistent sources.

        Will this happen? Well, it's possible to do, so that pretty much guarantees that it's already being done by people who need to add spying capabilities to other countries' hardware and software without having the source. The US 3-letter gangs are most certainly doing it to both domestic and foreign software and firmware.

        Wouldn't be surprised if some crooks are trying it too. Because you simply don't need source code, just time and brains, or an artificial facsimile thereof.

        As for commercial possibilities, since the end user is dependent on the hacker AI for future patches, they can either pay or not - and if they distribute the patches as they're allowed by the GPL, the hacker AI is free to cut them off from any future updates. All permitted under the GPL.

        --
        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
        • (Score: 2) by sjames on Monday February 17 2020, @06:18AM

          by sjames (2882) on Monday February 17 2020, @06:18AM (#959057) Journal

          Back in the '80s it was not even clear that copyright applied to software. Companies put copyright notices in just in case and as a deterrent to copying.

          You're missing a fundamental point though. It's not GRsec CUSTOMERS who necessarily have a cause to sue, it's the many authors of the Linux kernel. Any one of them might choose to sue at any time. Will the courts decide that a diff (source or binary) that depends on a copy of the original to produce a functional result is constructively distributing a derived work? Nobody can say for sure unless/until such a case is brought and winds its way through the courts, but it is a distinct possibility.

        • (Score: 2) by Immerman on Monday February 17 2020, @04:41PM

          by Immerman (3985) on Monday February 17 2020, @04:41PM (#959201)

          >Back in the 80s I'm sure I wasn't the only one modifying binaries with a hex editor. If I were to do that today I could redistribute the binaries and never give the source because there is no source, never was.

          Except that the instant you distribute you're violating copyright law - unless you have a license that allows you to distribute. As some kid sharing stuff with friends in the pre-napster days, you were unlikely to get caught, but that doesn't make it any more legal.

          Do that with any proprietary software, and the original copyright holder will be fully within their legal rights to come down on you like a ton of bricks for copyright infringement.

          Do that with GPLed software - and either you provide the source code on demand as required by the license, or the original copyright holder will be fully within their legal rights to come down on you like a ton of bricks for copyright infringement.

          The GPL is the only thing allowing you to redistribute the code legally, so if you're not 100% in compliance with the license - including providing source code on demand, then you're automatically guilty of copyright infringement.

          Sounds like GRSecurity isn't obviously violating the letter of the GPL, assuming they really do provide the source code on demand. But they're certainly violating the spirit.

    • (Score: 2) by Runaway1956 on Monday February 17 2020, @05:48AM

      by Runaway1956 (2926) Subscriber Badge on Monday February 17 2020, @05:48AM (#959045) Journal

      >He is free to continue to distribute patches without the source and simply revoke the license of anyone who asks for the source. Since they no longer have a valid license, they have no grounds for claiming a GPL license violation.

      That's some stupid shit right there. You have unwittingly allowed people to revoke licenses for all sorts of stupid-assed reasons. Remember the upskirt assholes, who could have revoked any license of any female who complained about their sexist attitudes? Or, how about a bunch of racist assholes, who can revoke your license for being the wrong complexion?

      Asking for the source is most definitely NOT grounds for revoking a license when GPL is involved. Not even with BSD licensing would that be so. Complete and utter nonsense.