https://www.itwire.com/open-source/linux-kernel-patch-maker-says-court-case-was-only-way-out.html
The head of security firm Open Source Security, Brad Spengler, says he had little option but to file a lawsuit against open source advocate Bruce Perens, who alleged back in 2017 that security patches issued for the Linux kernel by OSS violated the licence under which the kernel is distributed.
The case ended last week with Perens coming out on the right side of things; after some back and forth, a court doubled down on its earlier decision that OSS must pay Perens' legal costs as awarded in June 2018.
The remainder of the article is an interview with Brad Spengler about the case and the issue.
iTWire contacted Spengler soon after the case ended, as he had promised to speak at length about the issue once all legal issues were done and dusted. Queries submitted by iTWire along with Spengler's answers in full are given below:
Previously:
Court Orders Payment of $259,900.50 to Bruce Perens' Attorneys
(Score: 2) by barbara hudson on Monday February 17 2020, @12:22AM (8 children)
At that point, the recipient can either stfu or delete the software: the software was distributed with no warranty whatsoever, same as other open source programs.
And the distributor can argue away the whole thing as being de minimis, and as such non-justiciable. After all, where's the hardship on the original author? Or any copyright holders? Are they able to prove any financial losses? Harm to reputation? Nope. It was of so little financial value as is that people were able to sell fixes. It could be argued that availability of such fixes enhanced the value of the original. Weakening the GPL would probably result in more innovation. Certainly it hasn't improved with age.
After all, it's companies and products that have been able to construct walled gardens around Linux that are successful. Compare the various open source not-quite-phones with Android. Linux on laptops with Chromebooks. Linux on the desktop with FreeBSD and Quartz from Apple.
BTW, just checked and there's no LICENSE.txt or even a README.txt for Linux on my distro. A newb would assume that it was free as in FreeBSD.
SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
(Score: 0) by Anonymous Coward on Monday February 17 2020, @01:53AM (5 children)
It is a kernel patch. The product IS the source.
(Score: 2) by barbara hudson on Monday February 17 2020, @02:09AM (4 children)
(Score: 0) by Anonymous Coward on Monday February 17 2020, @03:03AM (3 children)
To do binary patches, everyone has to have the same binaries. The second I add in or cut out a different module, change my defaults, add my own source patches, use different compile options, etc. that binary changes.
And there is also the fact that if you actually looked at their downloads page or docs, you'd quickly realize that they are literally distributing GNU patch formatted files to be run against the extracted source tarball obtained from upstream.
(Score: 2) by barbara hudson on Monday February 17 2020, @03:58AM (2 children)
(Score: 0) by Anonymous Coward on Tuesday February 18 2020, @03:20PM (1 child)
Patching the binaries is a derivative work too, you fucking moron.
(Score: 0) by Anonymous Coward on Tuesday February 18 2020, @08:20PM
Not only that, but do you really think anyone who is so paranoid that they think the default Linux kernel is not secure enough is going to run a fuzzy or conditional patcher on their kernel? This goes double when you realize all the minor changes that different compilers, flags, and CONFIGs can make in the final compiled product. Yep, let's run this untested, unauditable binary patch on our production system that requires a higher security level than the default or distro kernels.
(Score: 3, Touché) by Runaway1956 on Monday February 17 2020, @06:02AM
You're aware that a contract signed under duress and/or coercion is null and void?
Spengler's sales pitch is much like this: "I have something valuable, which you can't live without. I'll allow you to use it, if and only if, you waive your rights under the GPL." It's bullshit, plain and simple. You also have rights, Hudson. You have the right to stop defending some greedy-ass fuckwit who doesn't understand the GPL.
(Score: 2) by mobydisk on Tuesday February 18 2020, @09:20PM
I don't think so. The GPL is invoked at the time of distribution, not at the time the recipient asks for the source. So as soon as GRSecurity tells the recipient "I won't give you this unless you agree to not distribute it", GRSecurity is no longer in compliance. This happens even before the recipient gets the software. At that point GRSecurity no longer has the right to distribute the patches.
Breaking down the GPL as-written:
So Linus Torvalds grants me the right to redistribute the GRSecurity patches, not GRSecurity. And this happens at the time GRSecurity distributes their patches.
So GRSecurity is violating the GPL by merely asking their clients to sign a waiver of rights. It's not that the recipient can't agree to do so - it's that GRSecurity is not allowed to ask.