[UPDATE - by martyb] Several comments have, rightly, noted this story was hard to understand. The SoylentNews community holds us to a high standard— I let you down on this one. Mea culpa. I have updated the story with this preface to better explain the issues at play and the parties involved.
This is a complicated story. Richard M. Stallman (RMS) founded the Free Software Foundation... and wrote the GNU General Public License (GPL). The GPL guarantees that any modifications made to GPL code must also be made available under the GPL. This, in turn, ensures the recipient has access to the source. A claim has been made that grsecurity, which provides a hardened version of the Linux Kernel, is violating the GPL — source code for the commercial version is not being made available to customers. This is succinctly summarized on Wikipedia:
"On May 30, 2016, a user of grsecurity's subscription-only stable patch set raised a concern on several mailing lists about the redistribution of the commercial patch set. Richard M. Stallman responded to the discussion with his personal opinion that grsecurity is violating the GPL on Linux kernel."
One of the aforementioned mailing lists was the Linux kernel mailing list (LKML). According to Wikipedia:
The Linux kernel mailing list is the main electronic mailing list for Linux kernel development, where the majority of the announcements, discussions, debates, and flame wars over the kernel take place. Many other mailing lists exist to discuss the different subsystems and ports of the Linux kernel, but LKML is the principal communication channel among Linux kernel developers. It is a very high-volume list, usually receiving about 1,000 messages each day, most of which are kernel code patches.
According to grsecurity's commerical support page:
All commercial support contracts come with access to our stable patch series, unavailable to the general public.
As an editor, I strive to present a readable story. On the other hand, when quoting another source, I refrain from making any changes, except adding an occasional [sic] or adding a link or two to define terms that may not be clear to our community. The LKML being what it is — nerds talking to nerds — the content is the focus and formatting often gets short shrift. I am NOT going to try and clean this up and run the very real risk of inadvertently changing the contents. So, in all its obtusely non-formatted glory, that posting is presented here, unchanged.
The original story follows.[/UPDATE]
RMS has weighed in on GRsecurity reportedly trying to prevent people from redistributing its product. [Note: original LKML formatting retained. -Ed]
Re: GRsecurity is preventing others from employing their rights under version 2 the GPL to redistribute source code
Richard Stallman (May 31 2016 10:27 PM)[...] If I understand right, this is a matter of GPL 2 on the Linux patches.
Is that right? If so, I think GRsecurity is violating the GPL on
Linux.--
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
[Continues...]
------------------------------------------------------
GRsecurity is preventing others from employing their rights under version 2 the GPL to redistribute (by threatening them with a non-renewal of a contract to recive this patch to the linux kernel.)
(GRsecurity is a derivative work of the linux kernel (it is a patch))People who have dealt with them have attested to this fact:
https://www.reddit.com/r/KotakuInAction/comments/4grdtb/censorship_linux_developer_steals_page_from_randi/
"You will also lose the access to the patches in the form of grsec not renewing the contract.
Also they've asked us (a Russian hosting company) for $17000+ a year for access their stable patches. $17k is quite a lot for us. A question about negotiating a lower price was completely ignored. Twice." -- fbt2lurkerAnd it is suggested to be the case here aswell:
https://www.reddit.com/r/linux/comments/4gxdlh/after_15_years_of_research_grsecuritys_rap_is_here/
"Do you work for some company that pays for Grsecurity? If so then would you kindly excersise the rights given to you by GPL and send me a tarball of all the latest patches and releases?" -- lolidaisuki
"sadly (for this case) no, i work in a human rights organization where we get the patches by a friendly and richer 3rd party of the same field. we made the compromise to that 3rd party to not distribute the patches outside and as we deal with some critical situations i cannot afford to compromise that even for the sake of gpl :/
the "dumber" version for unstable patches will make a big problem for several projects, i would keep an eye on them. this situation cannot be hold for a long time" -- disturbioIs this not tortious interference, on grsecurity's (Brad Spengler) part, with the quazi-contractual relationship the sublicensee has with the original licensor?
(Also Note: the stable branch now contains features that will never make it to the "testing" branch, and are not allowed to be redistributed, per the scheme mentioned above (which has been successful: not one version of the stable branch has been released by anyone, even those asked to do so, since the scheme has been put in place (they say they cannot as they cannot lose access to the patch as that may cost the lives and freedom of activists in latin america)))
https://twitter.com/marcan42/status/726101158561882112
@xoreipeip @grsecurity they call it a "demo" version "20:14 what's in the public version is also it wouldn't be as fast as the commercial version [...] there are missing optimization passes"
(Score: 0) by Anonymous Coward on Friday June 03 2016, @12:50AM
What's so special about this outfit compared to other streams of patches?
(Score: 0) by Anonymous Coward on Friday June 03 2016, @01:13AM
The twitter source claims that the "stable" patches contains additional features that the "testing" patches do not and publishes an alleged admission from the irc channel of the developer.
@xoreipeip @grsecurity they call it a "demo" version "20:14 what's in the public version is also it wouldn't be as fast as the commercial version [...] there are missing optimization passes"
@marcan42 @grsecurity So what's your point? Nobody gives them shit(oh sorry, lots of ppl do)but they should just go FOSS with all the stuff?
0 retweets 0 likes
In the LWN discussion the GrSecurity developer disputes this and calls the commentators "trolls"
So what there is is a he-said-she-said between 3 or 4 public testimonial sources and a legal discussion about copyright law, grants, contact and quazi-contract principals, and the GPL assuming the testimonial sources are speaking the truth.
(Score: 0) by Anonymous Coward on Friday June 03 2016, @01:15AM
"20:14 spender --- what's in the public version is 1/5th the size of the full version"
"20:21 spender --- also it wouldn't be as fast as the commercial version
[...] there are missing optimization passes"
The dev of GrSecurity disputes this and says the twitter source misinterprets what was written.
(Score: 5, Insightful) by RamiK on Friday June 03 2016, @11:25AM
They're special because GRsecurity's patches actually work, and work well. The problem is both sides are both right and wrong:
GRsecurity's argument: The Linux Foundation doesn't care about security. They're only interested in new hardware support and features. They don't design with security in mind. They don't spec for secure designs. They intentionally keep bad designs in and patch holes when specific issues are surfaced as means to justify their existence.
The Linux Foundation + RMS argument: GRsecurity should stick to the GPL and upstream their work. Anything else is a license violation and extortion.
While the law is on the Linux foundation's side, GRsecurity aren't lying. Anyone who spent time on exploit disclosure sites knows what they're talking about. In an ideal world, the corporate members of the linux foundation would have been pressured by their customers for proper security work which would have led to funding GRsecurity. However, the foundation realized the same thing the US government realized, security theater is cheaper and easier then real security. So, we end up with the GRsecurity people practically running a protection and extortion model while RMS and the foundation complain about the GPL.
It's quite the nasty affair overall. Ideally, one of the platinum or gold members will do the responsible thing and buy off GRsecurity. Because "winning" here and taking down GRsecurity will be a net technical lose to Linux.
compiling...
(Score: 5, Insightful) by Thexalon on Friday June 03 2016, @02:29PM
What you're advocating sounds a lot to me like winning the battle and losing the war.
GRSecurity's proper and legal course of action would have been to either:
1. Send in patches to the Linux kernel in the normal way. They might get included, they might not, depending on what BDFL Linus wants.
2. Create their own GPL fork of the Linux kernel, distributed with source code.
Instead, by all appearances, they created their own proprietary fork of the Linux kernel, which is exactly what the "viral" nature of the GPL is intended to prevent. If they'd wanted to do something like that, they should have started with BSD, which allows this, rather than Linux, which doesn't.
Buying them off might sound good in theory, but that also would encourage them, or some other group of enterprising people, to repeat this behavior. The right approach is to sue them into the ground (which they are now doing), take their source patch set as part of the damages, and incorporate those into the mainline kernel.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 4, Insightful) by RamiK on Friday June 03 2016, @03:05PM
Buying them off might sound good in theory, but that also would encourage them, or some other group of enterprising people, to repeat this behavior.
I will welcome that. You see, the conditions that make this possible are rather unique:
1. The work must be valuable and indispensable.
2. The Linux Foundation must be intentionally neglecting doing the same work themselves.
Or in one word, it's good competition. It pressures the foundation to explain why they're not providing the service (proper security) themselves to the point a third party can get people to use their patches under illegal terms.
It reminds me of criminal organizations. Under healthy economic and legal conditions, people don't need to violate the law and risk years and lives in prison to exist. It takes a corrupt and derelecting regime for this kind of activities to sprout and linger. Sure, crime must be fought. But when it gets to industrial scale, you start thinking if you're fighting on the wrong side.
Similarly, while we condone GRsecurity, we also need to ask ourselves how did we come to this? Why doesn't the Linux Foundation provide security? Could it be because many of their members make money from off-tree kernel patches and impossibly difficult to replicate installations for their corporate customers? Could it because the foundation simply prefers spending money on office furniture and company resorts instead of actually spending money where they should?
To me, they're more Robin Hood stealing from the rich to give to the poor, or worker unions pulling a little muscle where otherwise they lose in courts since they can't afford litigation like corporations, then your local neighborhood meth dealer. And it's not like it's a life threatening situation like real gangs... So overall, I think we can all benefit from a little more competition in this space.
compiling...
(Score: 3, Interesting) by Thexalon on Friday June 03 2016, @03:39PM
A better metaphor: I'm going to fence off a portion of a city park and declare it part of my land. There's nothing "Robin Hood" about it: The Linux code is effectively held in common thanks to the GPL. GRSecurity isn't stealing from the Linux Foundation or its members, they're stealing from everybody who uses it and doesn't want to pay their protection money by keeping their patches secret.
The potential for legal competition with the Linux Foundation already exists: Anybody at all is free to fork the Linux codebase, and/or distribute their own patchset, so long as they keep it GPL'd. If you think you, RamiK, could do a better job than Torvalds, you could take Linux as it stands right now, and make your own "Ramix", and try to get a bunch of people on board. GRSecurity had this as an option as well.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 4, Interesting) by RamiK on Friday June 03 2016, @07:32PM
How is land a metaphor for bits of code? When someone fences off public property, the public loses. When someone makes an unlicensed copy, no one loses. You could argue Linux loses potential additions, but those additions wouldn't have been made were it not for unlicensed usage of Linux.
Look, this isn't a static state where GRsecurity simply refused to mainline their work. This stuff goes all the way back to OpenWall when the developers tried to mainline, but foundation developers refused because their employers made money off patching security exploits in their on and off tree distributions. This stuff went on for a good decade up until relatively recently. Look here: https://lwn.net/Articles/538600/ [lwn.net] .
I understand the situation isn't normal and we all usually side with GNU and the foundation when violations occur. But these guys made decades worth of work and attempted to mainline it at different times and were continually rejected. Finally, they said "fuck you" to the foundation, closed off their source and started selling it. And you know what? It worked. All those lies the foundation said all these years about how the patches aren't necessary and aren't good enough, were proven false. Now, when as the dust clears and it's obvious who was doing what, the foundation is trying to divert attention from 15yrs worth of neglect and mishandling, by bitching about the GPL getting violated.
This is reminiscent of all those years when everyone knew about the poor state of OpenSSL, but too many people wanted to keep it broken for their personal, corporate and governmental gains. Luckily, a big enough exploit and a few people who actually managed to make money of it legally decided to create LibreSSL. But this was the exception rather then the rule.
Besides, the GPL gets violated by foundation members all the time but they get away with it. Intel keeps it's microcode and firmware blobs right in the mainline. Oracle is getting away with distributing a non-GPL compatible file system to it's customers. Google forked off Linux and kept the source secret for months just for kicks. The only different the way I see it, is money. GRsecurity are too small to afford oiling up the foundation pockets to look the other way like the platinum and gold members, so they get heat over it.
If it wasn't for the history or the foundation own behavior regarding security and GPL violations, I would be right there with you on this. But this is a special situation. This is where the GPL is selectively used, and against some very good people who tried doing the right thing for a while but were blocked by some very corrupt people.
Sometimes, there's enough gray in an issue to look the other way.
compiling...
(Score: 3, Interesting) by Thexalon on Friday June 03 2016, @10:08PM
(emphasis mine)
The first part is perfectly fine. The second part is not. If they had decided to fork the kernel and host their own copy of the source and maybe some binaries somewhere, and asked for donations and/or sold support to cover their costs, that would have been fine. But that's not what they did, which is why they're in hot water.
If they had wanted to do that to one of the BSDs instead, that would have been fine too. Again, that's not what they did.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by RamiK on Friday June 03 2016, @11:03PM
Fine in what sense? They would have fulfilled the license terms, which would have satisfied their legal obligations, but to what ends? Personal destitution? Are they to be martyrs for the law of intellectual property and the GPL workaround? The whole purpose of these laws was to guarantee social benefits by providing personal compensation for inventors of valuable ideas. The GPL is a hack on these laws to allow collaborative software projects to operate in the open while compensating the developers while guaranteeing the freedoms of users and developers. And yet, the workaround failed here. The developers could not be compensated for their work should they have opened it to the public.
Look, these laws and the GPL aren't moral laws and agreements. They're hacks stacked on compromises topped on corruption. I understand the need of RMS to protect the GPL. But there's room for common sense in judgement. You wouldn't hang a thief for stealing bread in times of great surplus but unemployment just because he couldn't get a job. Similarly, these guys aren't exactly a Scrooge McDuck corporation self-appropriating public resources to make more money. They're a tiny outfit of developers doing some valuable work but breaking a few rules used by some of history's most wealthy organizations.
Are we supposed to shed a tear over IBM and Intel not getting their licensing terms respected when the law allowing them to letter such licenses is one of the most corrupt and unjust laws in our times? Should we disregard the circumstances, and follow the law blindly? I'm sorry, but if I was the judge, I'd find GRsecurity guilty and fine them 1$ for every day they fail to follow the license.
TL;DR Don't confuse laws and contracts with morality.
compiling...
(Score: 2) by Thexalon on Saturday June 04 2016, @03:27PM
The GPL is basically the legal codification of a moral argument, that goes something like this: "If the goal is for people to be able to have their computers completely under their own control, then we need a base of software with source code so that anybody can modify it as they choose. We're going to engage in a collaborative effort to make that software so that we can, as a community, build something extremely useful for everybody. If you want to collaborate, great! If you don't want to share and keep all your toys to yourself, you can do so, but not in this sandbox."
You may not agree with that moral argument, but that's what the GPL stands for.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by RamiK on Monday June 06 2016, @09:53PM
The GPL is basically the legal codification of a moral argument
It's a flawed compromise at achieving all of the above in the real realm of IP laws. Like Linux as an OS, it's good enough for most cases, but falls flat on others: Litigation costs mean that GPL will always depends on the kindness of strangers, or your personal financial success. In huge projects like linux, gold and platinum firmwares will be allowed. The spirit of the license will always be circumvented by the letter of the law, starting with shims and tivoization, and ending with international treaties and IP\copyright laws that can circumvent the license by changing the laws that it stands on.
Overall, the GPL is good enough for most projects. But when it comes to linux, it's not enough. It has flaws left and right. And since we can't fix the license, the only thing we can do is allow some civil disobedience as a community while pressuring the corporate sponsors to do the right thing. If it means flaming nVidia for shims and blobs despite the GPL allowing it, or if it means siding with GRsecurity when they close off their code despite the GPL forbidding it.
Overall, I advocate for some legal and moral casuistry here.
compiling...
(Score: 2) by Bot on Saturday June 04 2016, @11:10PM
> When someone makes an unlicensed copy, no one loses.
Sure, but
When someone sells a thing which is .3% made by him, and the rest made by others, the others lose their moral rights and their cut.
I spend 10 years for a story that I want everybody to know, somebody fixes up the plot in one month and sell it. I either get my part or I break his legs. This is not legal, but it is fair.
Account abandoned.
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @12:32AM
And since that "fix up" is a derivative work, you are legally entitled: without your permission that "fix up" is illicit copyright infringement, and if the person doing the "fix up" agrees with you on some licensing scheme and then disregards the parts of the agreement he doesn't like... it's, again, copyright infringement.
(Score: 0) by Anonymous Coward on Friday June 03 2016, @05:35PM
The Kernel community has been complete assholes to Brad Spengler.
On the other threads where the legal aspects of this situation were being discussed people came out of the wood work to say "grsecurity sucks" "who needs grsecurity" etc.
The person arguing the legal aspects (against grsecurity's position) had to inform them that grsecurity, infact, does not suck and that linux security without GRSec is swiss cheeze.
(Score: 0) by Anonymous Coward on Tuesday June 07 2016, @04:30PM
Unless I misunderstood what you mean by "upstream": It's important to note that the GPL doesn't require the copyright holder to "upstream" their contributions to the original project. Actually, I recall reading a section of the GPL (at least version 3 for sure) that forbids such requirement.
(Score: 0) by Anonymous Coward on Tuesday June 07 2016, @11:31PM
The issue is that "downstream" is contractually preventing any redistribution after they themselves modify and redistribute.
Outside of the agreement, "downstream" has no right to modify linux nor redistribute linux and any derivative work of the linux kernel.
"Upstream" wrote in the agreement that anyone may redistribute, and that any work created from their work _must_ be under these same terms.
"Downstream" took "Upstream"'s work, under the agreement, created a derivative work and now includes terms that forbid redistribution.
Thus the "upstream" will never get said contributions back, nor will anyone else, the right to redistribute being a condition of modifying or distributing the work or any derivative work.
The license "upstream" has given has been violated.
(Score: 0) by Anonymous Coward on Saturday June 11 2016, @12:48PM
You do have a point. But, we cannot say that "downstream" is required to send adaptations to "upstream". Because, as far as I know the GPL forbids that requirement (in compliance with freedom 1 and 3).
The sending of the adaptations from "downstream" to "upstream" *can* happen on its own, but it can't be forced.
(Score: 0) by Anonymous Coward on Saturday June 18 2016, @05:24PM
It cannot be prevented either.
You cannot try to delete a section of an agreement and then expect the court to allow you to seek protection under that agreement.
Here the party is effectively deleting the redistribution clause in the agreement, all the while seeking protection under the rest of the agreement so that it is not liable for copyright infringement (without the agreement there is no rights to modify or redistribute).
Since the party has treated the agreement under-which it is seeking protection in bad faith (didn't live up to it's bargain, and didn't intend to) the court will not allow it protection under the agreement: thus any modification or distribution by the party would be copyright infringement.
It is very simple:
Linux says: everyone can redistribute.
You take Linux under agreement that says everyone can redistribute.
You say, no, you cannot redistribute.
Court will say "well then you cannot hide from Linux (rights owners) suing you for copyright infringement"
You can't poison the stream and then try to drink from it.
(Score: 0) by Anonymous Coward on Friday June 03 2016, @01:06AM
Updates:
One of the public testimonial sources today said they feel genuinely affected
(IE: the case is not moot and they are sticking by their testimony which Brad called into question at the lwn thread
http://lwn.net/Articles/689385/ [lwn.net] )
And says that this is "always" how Mr Spengler behaves.
Also talked about not liking threats (I suppose of the contract being pulled if redistribution under the GPL occurs)
So, while Brad Spengler claims the testimonial sources are "trolls", one of said sources, atleast, is speaking today and has not disappeared into the wind as a "troll" would:
------------
lolidaisuki 2 points 3 hours ago
> If someone is genuinely affected
You'd know that there are people who are affected if you'd read what OP posted.
-------------
OP post: https://www.reddit.com/r/linux/comments/4m6mm5/libreplanetdiscuss_grsecurity_is_preventing/ [reddit.com]
Excerpt from: https://www.reddit.com/r/linux/comments/4m6mm5/libreplanetdiscuss_grsecurity_is_preventing/d3tf3dn [reddit.com]
User page of source: https://www.reddit.com/user/lolidaisuki [reddit.com]
(Score: 4, Informative) by bob_super on Friday June 03 2016, @01:20AM
But this need to be cleaned up.
RMS is 240V, or maybe 120V.
GRsecurity is what? You need to click the "continue" to get that defined.
is that an e-mail? where does it start and where does it end?
If you don't know about the background, the title and TFS are really hard to decipher.
Also: Does RMS speak for himself or for the FSF? That changes the weight the opinion carries...
(Score: 0) by Anonymous Coward on Friday June 03 2016, @01:29AM
https://en.wikipedia.org/wiki/Grsecurity [wikipedia.org]
This might help. Looks like they are patching the kernel then distroing the binary. So yeah they probably are in violation. Like a zillion other companies out there.
That is actually assuming they do anything at all. Since they are unwilling to show the code to anyone esp with an open source project says they probably have nothing really worth paying for. They probably want to hide that as long as possible to keep the money coming in.
(Score: 0) by Anonymous Coward on Friday June 03 2016, @06:05AM
Using google/wikipedia fixes the smaller personal problem of not knowing what the hell is the article about. It doesn't fix the bigger problem of editor incompetence and possible contempt toward "uneducated" readers. To be fair, it isn't particularly bad here, YET.
However, if you allow it to deterioriate, you'll eventually get to the point where editors and louder than average commenters also expect the same for esoteric extensions of enterprisey software, as if that kind of shit was actually a legitimate part of common geek knowledge.
(Score: 4, Informative) by martyb on Friday June 03 2016, @12:28PM
Yes, I dropped the ball on that one. I have updated the story with a preface which I hope better explains the parties and the complaint at hand. Please let me know if further elaboration is necessary.
A small elaboration while I am here. Taken from Wikipedia [wikipedia.org]:
I have known of them pretty much from the time of their inception. My editor of choice is emacs (written by RMS), so that may have something to do with it, too. The first several times I saw RMS, I confused it with: "Root Mean Square" [wikipedia.org]. I now automatically make the mental correction depending on context. I'll try and be more attentive to things like this in the future.
Thanks for holding us to high standards; I let you down on this one, but I certainly learned a lesson and hope to do better in the future.
Wit is intellect, dancing.
(Score: 1) by kurenai.tsubasa on Friday June 03 2016, @02:48PM
Thanks! Much appreciated. Don't be too hard on yourself :)
(Score: 2) by martyb on Friday June 03 2016, @06:25PM
Thank-you! That's my usual MO, and I occasionally need a reminder... probably a side-effect of the many years invested in doing software test and QA!
Wit is intellect, dancing.
(Score: 0) by Anonymous Coward on Friday June 03 2016, @05:23PM
Actually, sorry. My comment was an overreaction because I've often found the attitudes at slashdot annoying as hell and I prefer soylent to stay smarter than that.
(Score: 2) by martyb on Friday June 03 2016, @06:19PM
Apology not necessary, but greatly appreciated. Thanks!
Ummm, that's why *I* am here, too! And I'd dare say the rest of the staff, too!
Do keep in mind that we are an all-volunteer staff here; what you see is done on our "off hours". I mention that not as an excuse but to offer some perspective on what happens "behind the scenes."
If you'd like to show your appreciation, submit a story (the weekend is coming and the submission queue is looking pretty grim at the moment.) Or, to help keep the lights on, subscribe [soylentnews.org]. If you don't want to get a subscription for yourself, there is also the option of giving a gift subscription to some other user on the site. Our funding period for the first half of the year ends this month and we still have a ways to go.
Wit is intellect, dancing.
(Score: 3, Interesting) by Username on Friday June 03 2016, @01:30AM
I have no idea what’s happing either but this dude better upload his open source derivative work before he gets shot. Nobody likes code thieves.
(Score: 0) by Anonymous Coward on Friday June 03 2016, @01:44AM
Agreed wholly.
This and the previous Devuan post is god damn ADHD travesty.
(Score: 0) by Anonymous Coward on Friday June 03 2016, @01:47AM
Editors not doing their job and cleaning up submissions so they can be easily read? Reminds me of the site with the other color scheme...
Ohwell, we'll have to take it line by line.
(Score: 3, Interesting) by Anonymous Coward on Friday June 03 2016, @03:50AM
Actually, both posts are by marty, the most conscientious editor here in my opinion. Maybe too much is being loaded on his plate?
(Score: 0) by Anonymous Coward on Friday June 03 2016, @04:48AM
This one involves delicate legal issues, it may not be possible to actually edit into something easy to read without being versed in the law. He did his best.
(Score: 2) by martyb on Friday June 03 2016, @12:05PM
Bingo! As much as the formatting of the quoted text drives ME bonkers, a quotation is exactly that — quoting what was written. And, as you so saliently note, it DOES involve "delicate legal issues." A small mistake on my part in either MY understanding of the situation, or in my making an attempt at reformatting, runs the very real risk of changing something important.
I've updated the story with a preface which, I hope, clarifies the parties and issues in question.
Wit is intellect, dancing.
(Score: 2) by martyb on Friday June 03 2016, @11:57AM
Many thanks for the kind words — I do try. And that is a most cogent observation. I worked 13 of the 14 days preceding that story's going out. Might not have been at my best at that time. ;)
I've updated the story to, hopefully, address the concerns raised here. See the reply to this comment [soylentnews.org] for more.
Wit is intellect, dancing.
(Score: 2) by martyb on Friday June 03 2016, @11:44AM
I have updated the story. As much as the formatting of the original discussion on the LKML (Linux kernel mailing list) drives *me* crazy, it is what it is, and when I quote something, I present it as it is. That is what a quotation is. I have added a preface to the story which, I hope, clarifies the issues and provides background information on the matter at hand.
Wit is intellect, dancing.
(Score: 2) by theluggage on Friday June 03 2016, @10:39AM
Seconded.
The summary is supposed to summarise the news, and maybe provide a bit of context (which might be absent from the linked article if it is from a 'specialist' source). If anybody wants to plough through the raw LKML dialog that's what links are for.
Silly thing is - the summary does take the trouble to explain what the GPL is (nothing wrong with that) - but then assumes that everybody knows who RMS is, who/what GRSecurity is, what the LKML is...
(Score: 2) by martyb on Friday June 03 2016, @12:37PM
Yes, blew it on that one. I think I was partly overwhelmed by the wretched formatting of the Linux Kernel Mailing List snippet. I was also trying to deal with the fact that someone else (an Anonymous Coward) had also submitted this as a story. Took a bit to verify that the other submission was completely contained within this one.
I remembered the GPL needed elaboration, as it was at the heart of the issue, but then dropped the ball on RMS and LKML. Oops!
Added a preface defining these terms and (hopefully) summarizing what was at issue in this case. Please let me know if I left anything out.
Wit is intellect, dancing.
(Score: 2) by theluggage on Friday June 03 2016, @09:38PM
Much better (now I feel like a big nasty troll for whinging).
Armchair quarterbacking, I'd say that "grsecurity, which provides a hardened version of the Linux Kernel, ..." hits the sweet spot for the level of background elaboration for a summary, whereas a whole paragraph from Wikipedia on LKML is a bit OTT - expanding the ETLA [catb.org] to "Linux Kernel Mailing List" would have done. However, Captain Obvious always beats the Cryptic Crusader in a fight :-)
(Score: 2) by martyb on Friday June 03 2016, @11:39AM
Yes, the story does make assumptions as to previous knowledge -- not my best work by a large margin. I have updated the story with a preface to better explain the participants and the issue in question. You rightly hold us to a high standard and I let the community down. I trust this update makes things clearer and provides the needed background information.
Wit is intellect, dancing.
(Score: 2) by bob_super on Friday June 03 2016, @06:09PM
Thanks for the hard work.
I try not to bitch, because wording my own (few) submissions was a pain. But since I had missed to original issue, deciphering this one required way more synapses than I had left.
(I'm also not a big fan of people getting their own TLAs).
(Score: 2) by martyb on Friday June 03 2016, @06:41PM
I try not to bitch, because wording my own (few) submissions was a pain. But since I had missed to original issue, deciphering this one required way more synapses than I had left.
Yep, try doing that at 11pm after a full day at work and trying to fill out the story queue to last though the night. I appreciate your understanding and willingness to overlook the occasional bobble on our part!
TLA? What's that? <grin>
See how easy it is to fall into that 'trap'? I was not a big fan of writing essays or reports in school, and now I get to work on several of them every day, and have thousands of people review and critique my work. =) But seriously, it's been a great experience, I've learned a lot, and met a wonderful bunch of people. There's a story coming down the queue about meaningfulness in one's work. The feedback from the community carries great weight for me and helps make my days meaningful. I'd like to think that, on most days, the world is a better place for me being in it. Some days, I am more successful than others. Yesterday didn't start out so good. Still, I carry on and try to do better tomorrow.
Wit is intellect, dancing.
(Score: 5, Informative) by Gravis on Friday June 03 2016, @01:31AM
sublicensing GPLv2 code is prohibited. [gnu.org]
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
(Score: 0) by Anonymous Coward on Friday June 03 2016, @01:45AM
sublicensee in the OP refers to the 3rd link in the chain.
Linux devs (licensor) --> Grsecurity (Licensee) ---> whom GRsecurity is distributing the derivative work to (sublicensee).
Could have said licensee' , But that just means "Licensee, sub 1"
(Score: -1, Troll) by Anonymous Coward on Friday June 03 2016, @01:43AM
RMS is a big niqqa ryte?
If he done got a problems with wut happenin why dunt he do sum'thin about it?
???
GRSec a bigga nigga?
(Score: -1, Offtopic) by Anonymous Coward on Friday June 03 2016, @01:55AM
RMS wanna be a big nigga talking shit!
PUT UP O POST UP ~!!!!
OTePH
(Score: 0, Funny) by Anonymous Coward on Friday June 03 2016, @02:07AM
Ain't no nigga bigga than RMS. Period.
(Score: 0) by Anonymous Coward on Friday June 03 2016, @05:59AM
+1 Absolute truth
(Score: 0) by Anonymous Coward on Friday June 03 2016, @06:49AM
https://www.youtube.com/watch?v=nGt_JGHYEO4 [youtube.com]
(Score: 0) by Anonymous Coward on Friday June 03 2016, @02:20PM
Ain't no nigga bigga than RMS. Period.
Word to your mutha, ice ice baby...
(Score: 0) by Anonymous Coward on Friday June 03 2016, @06:03PM
Make him king, because this be truf.
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @05:07AM
Word is bond, and you is da truth!
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @09:10AM
RMS is the biggest fuckin nigga that ever bee'd
(Score: 3, Interesting) by kurenai.tsubasa on Friday June 03 2016, @02:13AM
Hmm…. Perhaps this is a good issue being brought to light by MikeeUSA. I believe that GPL violations should be prosecuted viciously.
There is a story here. I recognize some of the names from the previous article in this format. This story needs to be presented cogently.
We need a clear description of what this patch does and why anybody would pay $17,000 to have it. If it's the case that people have paid for a derivative work of the Linux kernel, then this must be righted. How am I to believe that this is not a tempest in a teapot?
(Score: 0) by Anonymous Coward on Friday June 03 2016, @04:46AM
It will take an investigative journalist to actually interview the parties in the know, if they will be interviewed.
This story stems from a few statements made by people who seem to have had dealings with the dev, and who have only spoken now in the last week or two.
It's a breaking story, and one wonders what other facts will come to light, if any, and what will be disputed, and then counter argued?
(Score: 4, Insightful) by MichaelDavidCrawford on Friday June 03 2016, @05:32AM
It's just that it's not permissible to prevent anyone who recieves your $$$ kernel from distributing it further.
Yes I Have No Bananas. [gofundme.com]
(Score: 0) by Anonymous Coward on Friday June 03 2016, @05:41AM
That's a fucking expensive kernel, wtf?
(Score: 2) by MichaelDavidCrawford on Friday June 03 2016, @06:36AM
I expect a true "Enterprise Grade" install costs that much, when you add in the support and integration.
Yes I Have No Bananas. [gofundme.com]
(Score: 1, Touché) by Anonymous Coward on Friday June 03 2016, @06:47AM
Does it come with rock diamond prostitutes and crystahl?
(Score: 3, Informative) by TheRaven on Friday June 03 2016, @08:36AM
sudo mod me up
(Score: 2) by shrewdsheep on Friday June 03 2016, @10:03AM
Then you should leak it anonymously and be in the clear.
(Score: 2) by MichaelDavidCrawford on Friday June 03 2016, @04:19PM
in the junk mail business, names are rented per-use, not sold. To catch cheaters, you add some "trap names" to your list. These are fictional people at real addresses, typically your friends and relatives. You ask them to send you any direct mail they receive, then watch out for who is sending what.
One of Working Software's Trap Names was "James B. Stanken".
Yes I Have No Bananas. [gofundme.com]
(Score: 2) by hendrikboom on Friday June 03 2016, @04:20PM
They might have watermarked the kernel they distribute.
(Score: 0) by Anonymous Coward on Friday June 03 2016, @06:16PM
Those who pay the money, it has been reported, download from a directory specifying their username.
IE: bla.org/support/myusername
This is, indeed, what some in the channel of the conservancy warns about:
18:39 gnu_user: I am not a lawyer, and I don't represent the Conservancy, but this does sound disturbing. It is not a new situation -- even back in the 1990s, there were cases where some companies attempted to sign private contracts with customers whereby the customers agreed to give up some of their rights under the GPLv2, as a condition of receiving patches under the GPLv2. My memory is that the FSF determined this to be a violation of the GPL (on the patch
18:39 supplier's part), but I am not positive of that, nor do I remember the specific parties involved. However, the case was very similar to what you are describing with grsecurity.
18:42 gnu_user: It is *quite* likely, by the way, that grsecurity is delivering slightly different patches (you know, whitespace differences or trivial variable name differences, that sort of thing) to different customers, in order to be able to identify who leaks a patch in violation of the contract. (See https://en.wikipedia.org/wiki/Trap_street [wikipedia.org] for maps, but on a per-customer basis.)
18:43 gnu_user: I'm pointing this out because some customer might be tempted to leak anonymously. They should be aware that they are probably identifiable, unless they try to scrub the diff in some way (might be hard). If you can get multiple customers to privately compare their patches, you can determine if grsecurity is using this technique.
(Score: 2) by choose another one on Friday June 03 2016, @07:57PM
They don't quite do that either - apparently all they ship is a patch, you build the kernel.
Allegedly they will not renew your support contract if you distribute it further. That is their right, and not restricted by GPL. Now, if there is a contractual term in their support contract that attempts to forbid further distribution or terminate the contract if you do, then _that_ might be a problem, but appears to be no allegation or evidence of that.
It isn't clear to me that this is a violation of the GPL, nor is it clear what the difference is between this and what Cygnus used to do with GCC (remember the days of report GCC bug, get told it is known and fixed, ask for fix, get told it is only available with Cygnus $$$$ support contract?). Granted it appears to be being done with less professionalism and more rudeness than Cygnus, but the GPL contains no restrictions on rudeness, if it did Linus would have fallen foul long ago.
Some of you kids may not remember Cygnus and their business model, but rms should.
[ To be fair to them, Cygnus always intended that what you paid for was early access to fixes and they sent them upstream to go into the free releases, but the FSF GCC maintainer sat on them. This eventually resulted in EGCS, which rms opposed because he thought the freeloading masses shouldn't have all the fixes and new features, or something. ]
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @06:14AM
It's the exact same thing that Red Hat does for RHEL. If GRsecurity is in violation then so it Red Hat, and I'm sure Red Hat's lawyers have done their homework.
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @08:40AM
>It's the exact same thing that Red Hat does for RHEL. If GRsecurity is in violation then so it Red Hat, and I'm sure Red Hat's lawyers have done their homework.
No it is similar but may not be quite the same depending on if the fact pattern is true; Red Hat distributes its sources (as a big monolithic patch) publicly to head off any such challenges.
Thus the challenges would be deemed moot to begin with before even getting to court as the copyright holders don't have any real issues to complain about.
(They have gotten what they were looking to get out of the agreement: the modified source came back to them; and that is the basis of the bargain when it comes to the GPL, and such has been attested to countless times (the devs speaking about why they went with GPL over bsd etc: yes this matters))
Yes RH's lawyers did do their homework.
Mootness here (with GRSec) depends on whether the twitter source is correct.
If the twitter source is correct (Brad says the twitter source got it wrong in the lwn article) and the stable patch has more "goodies" then the original licensor
might be interested in such things and the case wouldn't be moot (there would be something to fight over, grab at, which is not the case in the RH fact pattern)
If the twitter source is _incorrect_ and the stable patches contain nothing of interest vis a vis the "testing" patches that the kernel devs would care about...
then it is similar to the RH situation (the original licensor would not have an issue to care about, since they only seem to care about the bleeding edge)
Something can be a technical license violation but have such little effect that the court wouldn't entertain the case or if it would would award a nominal recovery ($1).
That depends on the facts; which are decided by the jury.
The violation is restricting sub-licensees from redistributing when the original licensor said not to do that to begin with (original licensor said all recipients of the work and/or derivative works shall be-able to redistribute)
(Score: 1) by kurenai.tsubasa on Friday June 03 2016, @02:54PM
Good catch. I goofed there. The GPL does permit selling.
(Score: 0) by Anonymous Coward on Friday June 03 2016, @03:24PM
BUT NOBODY'S RECEIVING A $$$ KERNEL!
Do your bloody research before posting please. GRSecurity distribute a *patchset*. They can licence *that* any way they chose, and the GPL source code provision clause *DOES NOT APPLY*.
All they're selling is taint. You have to inject it into the kernel yourself. High quality taint, but it's still taint.
(Score: 2) by sjames on Friday June 03 2016, @03:57PM
Constructively, it remains the illicit re-licensing of a derivative work.
The legal concept of construction exists specifically to deal with "clever" people who try to skate on a technicality.
(Score: 0) by Anonymous Coward on Friday June 03 2016, @06:06PM
Indeed, someone suggested something similar "cleverness" elsewhere, this was a response:
>>4510
>For instance a set of scripts that insert code and or replace
>code into the linux kernel code. Then withold the scripts
>with a non redistribution license? I don't see how scripts
>that tell a computer to do something to a gpl software is a
>derivative work until it is applied. After application it is a
>derivative work. But before application it can be proprietary.
If patches are derivative works, and they very likely are in cases like this one (though some people argue otherwise), then either way GRSecurity would be a derivative work.
You have to think about how the patch itself is created, not the end result once it is created.
What the GRSec dev does is he takes the linux source code, goes through it, and makes thousands upon thousands of edits and changes and additions.
Then he takes a diff of that.
So what the patch is describing is a totality that the derivative work "linux kernel+GRSecurity changes". A certain patch can only work with a certain version of the linux kernel; it does not stand alone in any way.
This points towards it being a derivative work rather than, say, a "bolt on"
(Though in a number of cases (not all) even "bolt on"s have been found to be derivative works)
Think of how in creating GRSecurity the dev has really gotten into the guts of the linux source code, really touched all the contours and creavaces of it...
he didn't just write a program in a seperate file and then reference a subroutine of it once or twice to link it into the linux code.
No, these are extensive edits to the linux code itself, all over the place. One cannot live without the other. GRSecurity meanders all through the source tree like the blood vessels and capillary system in any mammal.
To make oblique refrence some old foundational cases:
A painting of Dorthy from the wizard of oz you painted yourself is a derivative work.
Now think of if you took a picture of dorthy from the wizard of oz, and then you did a partial tracing over that on a transparency, and then you tried to sell the tracing.
MGM would have a copyright infringement claim against you as It would be a derivative work of the motion picture still: your line work taking on the contours of their copywritten work: decending from it.
One often can't "get around" a court's rulings via process, they see through it usually.
I do not think a court would rule GRSecurity not a derivative work, due to how it was constructed (over years and years, always being innately connected and running through the linux source code). But who can say until it would be litigated?
Another answer is maybe Brad Spengler likes opensource and wants to keep it open?
(Score: 0) by Anonymous Coward on Friday June 03 2016, @06:39PM
SJames: the people at endchan's /tech/ say you are wrong:
http://endchan.xyz/tech/res/4339.html [endchan.xyz]
(Also they will claim "you've made no arguments" likely, and if you have a law degree and have passed the bar will claim that didn't happen either:)
(Score: 0) by Anonymous Coward on Friday June 03 2016, @08:15PM
http://endchan.xyz/tech/res/4339.html
<blockquote>
>>4564
It's not dug into the code until the patch is applied. You are wrong.
If I read the linux kernel (allowed since it is GPLv2, freedom to study the code) and then in a seperate text file make notes of psuedo code of things that I would like to change. ex.
Title: MyNotesOnLinux.txt
/BOF
At line 564 I would like a for loop that checks if a driver is working properly.
At line 634 I would like to delete line 634 to line 676. And instead output to the screen "SUCK IT!" ten times.
/EOF
Then what you're telling me is that the file MyNotesOnLinux.txt, is a derivative work of linux? Are you mental? Not only that I'm claiming that my file MyNotesOnLinux.txt is under MY copyright and that it is not lisenced under GPLv2. However when I go into the linux kernel and apply the changes the file
Linux_Kerenel_modified.cc, is now a modified linux kernel and is GPLv2. That's what I am claiming.
>>4562
This case was about using the image of DukeNukem on a sales box of a mod package that creates new levels. It used the character image of Duke Nukem on the box cover. This is where the copyright infringement case was brought to court over, namely over the image of the character Duke Nukem and reproduction of this image on a sales box cover.
> Do you think you can win now?
I'll skim some more documents about that case and get back to you. But probably for what I'm saying, I would argue it in court, I'd give it a go.
</blockquote>
(Score: 2) by sjames on Sunday June 05 2016, @04:12AM
The patch cannot effectively hold a license other than GPL. Lets assume it does for a moment. Now, I apply it to the appropriate GPL kernel source. The output is clearly under the GPL since it was clearly derived from the GPL code. Now, I take kernel-grsec and diff it against the vanilla kernel and I get a patch. It came from two GPL code bases and a GPLed utility. How can that output be anything but GPL? But it is naturally identical to the supposedly proprietary gresc patch (which was created using the same procedure against the same two GPL sources).
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @04:50AM
Well here is the response I got on another thread about it:
http://endchan.xyz/tech/res/4339.html#4658 [endchan.xyz]
--------------------------
>>4644
>>4646
Listen to this pedophile Jew preach his evil sins.
>Reminder that Jews worship Satan in synagogues.
"Behold, I will make them of the synagogue of Satan, which say they are Jews, and are not, but do lie; behold, I will make them to come and worship before thy feet, and to know that I have loved thee." --Jesus Christ, aka God
God Himself cursed you, but you fucking rats persist in perverting His Word. We believers in Jesus Christ know you liars to be cursed to eternity in Hell for worshipping Satan in your synagogues and lying about it to subvert everyone.
Go suck a baby penis you faggot Rabbi.
--------------------------
So there you have it: if you believe what you believe you're a Jew and thank God for Jesus or else we would still be marrying young girls (the horrors), also go suck a cock.
That's from the "GPL is BSD as long as you know how to draft an NDA" crowd.
(Score: 2) by sjames on Sunday June 05 2016, @05:31AM
I'd love to see him make that argument in court.
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @08:54AM
What would the court say?
One, alleged lawyer, more-or-less said that another poster's legal analysis was now, retroactively, wrong (though they were interested in it previously) because it came out that said poster wished he could marry cute young girls.
Since having young girls as brides is statutory rape in all of western civilization; the other poster's analysis of the legal issues involved in this copyright case were now totally suspect and infact wrong.
Also other poster should "move to syria" (to get bombed).
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @08:57AM
http://endchan.xyz/tech/res/4339.html#4643 [endchan.xyz]
>>4639
By the way Mr. Lawyer, you're going to lose your license to practice with #4)
>4) Oppose men taking sweet young female children to marry...
A criminal code violation called statutory rape.
I don't take anything you say on this topic seriously anymore, and I wouldn't hire you or recommend you to any clients.
------
>>4648
You don't respect the laws of the United States of America, or the wisdom of the the United States Congress and Senate, or the state legislature where you live, so quite frankly pack up and go to another country. Because of this fact that you've just demonstrated shouldn't be practicing federal law period.
And yes if you were indicted and convicted for that particular crime you would be disbarred, and you should know that.
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @08:59AM
(also from the "GPL is BSD as long as you know how to draft an NDA" crowd.)
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @09:03AM
(previous opinion of poster before the "go to syria" posts: http://endchan.xyz/tech/res/4339.html#q4641 [endchan.xyz] )
Are one poster, me.
I think your arguments are interesting, you attitude is not however.
Linus Torvolds hasn't claimed copyright infringement on the derivative works of GRSecurity patches or has he? If not then why are we talking about it?
(So once one says they would like to marry young girls, as men did prior to the woman's movement, now all those "interesting arguments" are completely, suddenly, invalid)
(Score: 0) by Anonymous Coward on Friday June 03 2016, @06:54PM
(Score: 2) by hendrikboom on Friday June 03 2016, @04:24PM
Proprietary patches are OK to distribute as restrictively as you want. What you can't do is distribute a patched kernel without allowing reditribution.
(Score: 0) by Anonymous Coward on Friday June 03 2016, @06:18PM
Ever heard of the concept of a derivative work?
Nope?
Guess you've never read a casebook on copyright, nor the 1973 statute.
But hey, you're a techie and know everything allready.
GRSec winds through the kernel: it's not a bolt on.
(Score: 2) by snick on Friday June 03 2016, @01:14PM
So, is the thing being argued about distributed as a patch, or as a binary?
If it is a patch, it necessarily containers GPL'd source code, but a strong argument could be made that this is fair use.
RMS is not the ultimate authority on copyright law, so the fact that he is voicing an opinion merely means that this must be a day ending in "y."
(Score: 0) by Anonymous Coward on Friday June 03 2016, @01:20PM
can't be fair use if you are selling the stable branch...which is exactly what GRSec is doing here.
(Score: 0) by Anonymous Coward on Friday June 03 2016, @03:26PM
It's a patch. Read the LWN link. Look at mjg's comments. GPL does not apply.
(Score: 2) by HiThere on Friday June 03 2016, @05:21PM
If they sell the patch, and the patch doesn't contain code GPLd by someone else, and the purchaser applies the patch to the Linux source, then there doesn't seem to be a problem. If any of those conditions is violated, then there does. This implies that they cannot distribute either source or binaries with the patch already in place. They could, however, include a shell script to apply their patch.
Caution: IANAL. This is just my opinion, based on my understanding of the GPL.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 0) by Anonymous Coward on Friday June 03 2016, @06:10PM
Indeed, you are not a lawyer. The thing is, techies think they know what they are talking about when they didn't go through 3 years of law school and didn't study for, take, and pass the bar exam.
When a person who has done so explains why the techies are wrong the techies howl that that person is lying about graduating, passing the bar, studying this issue, etc.
The techie is just such a genius, he doesn't need any of that learned knowlege. He just KNOWS the law by sheer brain power.
Indeed, infact, someone suggested something similar "cleverness" elsewhere, this was a response:
>>4510
>For instance a set of scripts that insert code and or replace
>code into the linux kernel code. Then withold the scripts
>with a non redistribution license? I don't see how scripts
>that tell a computer to do something to a gpl software is a
>derivative work until it is applied. After application it is a
>derivative work. But before application it can be proprietary.
If patches are derivative works, and they very likely are in cases like this one (though some people argue otherwise), then either way GRSecurity would be a derivative work.
You have to think about how the patch itself is created, not the end result once it is created.
What the GRSec dev does is he takes the linux source code, goes through it, and makes thousands upon thousands of edits and changes and additions.
Then he takes a diff of that.
So what the patch is describing is a totality that the derivative work "linux kernel+GRSecurity changes". A certain patch can only work with a certain version of the linux kernel; it does not stand alone in any way.
This points towards it being a derivative work rather than, say, a "bolt on"
(Though in a number of cases (not all) even "bolt on"s have been found to be derivative works)
Think of how in creating GRSecurity the dev has really gotten into the guts of the linux source code, really touched all the contours and creavaces of it...
he didn't just write a program in a seperate file and then reference a subroutine of it once or twice to link it into the linux code.
No, these are extensive edits to the linux code itself, all over the place. One cannot live without the other. GRSecurity meanders all through the source tree like the blood vessels and capillary system in any mammal.
To make oblique refrence some old foundational cases:
A painting of Dorthy from the wizard of oz you painted yourself is a derivative work.
Now think of if you took a picture of dorthy from the wizard of oz, and then you did a partial tracing over that on a transparency, and then you tried to sell the tracing.
MGM would have a copyright infringement claim against you as It would be a derivative work of the motion picture still: your line work taking on the contours of their copywritten work: decending from it.
One often can't "get around" a court's rulings via process, they see through it usually.
I do not think a court would rule GRSecurity not a derivative work, due to how it was constructed (over years and years, always being innately connected and running through the linux source code). But who can say until it would be litigated?
Another answer is maybe Brad Spengler likes opensource and wants to keep it open?
(Score: 2) by snick on Friday June 03 2016, @06:30PM
Shorter AC:
My original point was that there may be an argument here, and the fact that RMS chimed in means nothing. AC's trenchant analysis is equally meaningless.
The only way to get to the answer is to make the argument and see what the courts say.
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @09:05AM
Wouldn't the courts say, in their own way, "Fuck Software Communism, GRSec can do as they please, GPL is an invalid restraint on trade!"
(Score: 0) by Anonymous Coward on Friday June 03 2016, @07:28PM
I have been sending RMS emails about whatever updates there are to the story (GRSecurity Dev disputing things, etc, then atleast one of the sources sticking by their story etc). He responded:
---------------
[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> Another update for full disclosure as it happens: The GRSecurity
> developer now claims that the two reddit sources (the guy from the
> russian hosting company, and the guy from the non-for-profit) are
> lying
I suggest challenging the GRSecurity developer to post that patch
and show us its license.
--
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @09:09AM
Yall niggaz everybody aught be sendin' emails n shit to RMS, na sayin, mufka?
Get ON IT!
(Score: 0) by Anonymous Coward on Friday June 03 2016, @09:37PM
The Grsecurity devs have been providing, and continue to provide an unbelievably valuable service to the planet, for free and against huge opposition, for 15 years. Their gpl patchset for the latest linux kernel, with the latest features is free. It contains a feature (RAP) that kills ROP via func ptr abuse, the basis for a total game change wrt to kernel security. There were many years of totally unpaid work that went into creating this. If you want to make a "stable" version of this patch, you are free to do so.
The work that goes into designing and implementing these security enhancements, then retrofitting them into the linux kernel, and maintaining them, is beyond belief. I know because I have tried. Without security expertise, a lot of these features would bit rot and not work as intended within a very short space of time. Just what the "infosec" industry and "sigint" people would like. Grsecurity has turned what is most likely the least secure OS kernel into the most secure, by a large margin. Everyone else in infosec has engaged in a huge circle jerk, selling snake oil and forcing companies who can afford it into running costly (and totally ineffective) network based counter intelligence operations. When huge companies started to advertise that they used "Grsecurity" while in reality they used some watered down variant with most of the features turned off, giving nothing back, something clearly had to be done. If you are a big company and want to use Grsecurity with support, and advertise as such, you now have to pay. You get perks for this over and above support from the devs. There is nothing wrong with this. The only other option that guarantees the vital independence of the devs is some community support via a foundation or the like. The business "community" just steals and infringes trademarks if they can get away with it, preferring security theater over actual security. The user "community" threatens legal beard action to wring every last drop of blood out of the providers, so this option doesn't seem like a goer. Absolutely hateful behavior against the few who try and succeed in improving real world computer security.
(Score: 0) by Anonymous Coward on Friday June 03 2016, @09:59PM
You have your facts somewhat wrong:
The techie user "community" debates a legal issue adinfinum, given a fact pattern, on the chans, on the FOSS IRC channels, etc and claims anyone with legal knowledge is lying and doesn't know what they are talking about, while they, the Techie users, not having a day of law study under their belt know all because they once read the text of the GPL.
The Techie users then also declare that "GRSecurity is shit"
Those trying to explain the legal issues both inform the Techie user "community" that GRSecurity is not "shit" and, infact it is linux security that is swiss cheeze without GRsecurity.
That being said, the legal issues still stand and thus they consult others for backup.
This blunts the assuredness of the Techie user community as to their inherited knowlege about the law when one of their authorities agrees with those who actually studied the law.
So here it is, there are two sides in this debate on the chans and the IRC channels:
Side one:
"GRSecurity is shit and worthless AND nothing has been done wrong legally AND anyone who has studied the law, has a degree, etc etc doesn't know shit anyway and is wrong"
Side two:
"GRSecurity is vital. Based on the given fact pattern in OP and the testimony of the public sources cited, there is a violation however of the original agreement between the licensor and the licensee given the expectation that the licensee has for the treatment of any sublicensees when there is created derivative works based on the licensed work or the licensor"
Side one never ever gave up on it's points ("grsec is shit garbage but circumventing the intent of an agreement through "cleverness" is fine").
No matter what side two explains, nothing gets through to side one.
And thus it has gone on.
Suggestion: Publicly explain your side (Side Three), and explain what ROP and RAP are, no one knows.
The sources for the fact pattern are under the impression that the stable patches contain additional features which the testing patches do not.
They have stated this and discussed this.
Side two (legal arguments) is basing its analysis on that fact pattern.
Side one (techie users) is just saying "grsecurity is shit" "who cares" at the same time they are saying "restricting redistribution through clever means is fine"
(Score: 0) by Anonymous Coward on Friday June 03 2016, @10:02PM
*licensed work of the licensor"
(Score: 3, Interesting) by darkfeline on Saturday June 04 2016, @02:29AM
Let me play lawyer for a moment, since I think I have a better grasp of the GPL than others.
GPL summarized: if you distribute software which is compiled from GPL source code, whether unmodified or modified, you must also make available that source code to the recipients of the compiled software under a GPL license.
From my understanding, GRsec is not forbidding recipients of the patched kernel to redistribute the source code, which they do provide under a GPL license, they are simply refusing to continue doing business with anyone who does redistribute it.
This is perfectly legal under the GPL. The GPL does not say that you must continue providing updated versions and support to your users even if they redistribute the source code.
To emphasize, unless they changed their policy, GRsec is NOT forbidding people from distributing their source code, they will just refuse to do business with anyone who does distribute it, cutting off all future support and releases.
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Saturday June 04 2016, @08:26PM
>Let me play lawyer for a moment,
How about you don't, techie. How about you go to law school for a few years first, pass the bar, etc.
It's called bad faith.
As I explained before, grsecurity-dev only has the right to modify and redistribute linux (or create derivative works based on the linux kernel) because of the agreement he agreed to. Outside of that he does not have such a right and commits copyright infringement.
The agreement stipulates that all further licensees also retain the same rights (to redistribute, modify, etc) that the initial licensee was granted.
If you're a party to an agreement, and then violate that agreement, or treat it in bad faith, your rights under that agreement are dissolved.
Why is this so hard for you techies to understand? It's a basic point of law!
You can't go an circumvent the agreement through "clever" means and expect a court to uphold the parts of the agreement that are good for you.
Outside of the license grant, GRSec dev has NO right to do ANYTHING with the linux kernel.
The license grant, granted by the original rights-holders, stipulates that any, for lack of a better term, sublicensee (of derivative works etc) is to be granted the same rights as the first licensee
That is the BASIS of the BARGAIN the original licensors are striking with the licensees:
You can use this property for free, modify it, distribute it, etc: it is open, BUT you must allow the same for anyone else to whom it or any derivative work is distributed.
Once the basis of the bargain is intentionally frustrated there is no bargain, no agreement, no grant.
Just bare copyright.
All rights reserved.
AKA: copyright infringement on any modification or dissemination.
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @06:24AM
Ah, and you are not playing lawyer too? Follow your own advice please.
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @08:24AM
Law school + Bar suggests I might be more qualified to discuss points of law on le forum, no?
Or are you saying that you've studied law and passed the exam at some time too and thus we are equally knowledgeable in this field?
(Score: 2) by darkfeline on Sunday June 05 2016, @10:30AM
But you didn't even address my argument. In fact, your long tirade affirms half of my argument.
GRsec didn't violate the terms of the GPL license. The GPL license requires them to distribute their source code to their clients under the GPL license, which they do.
The GPL does not require one to continue doing business with one's clients. If that were true, for example, Google would be legally bound to keep doing business with all Android vendors perpetually. GRsec is perfectly free to stop doing business with anyone who redistributes their GPL licensed source code.
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Tuesday June 07 2016, @07:27AM
Keep telling yourself that.
You are not studied in the law. Accept this.
You don't have the slightest clue how the law of agreements works (AKA: contracts etc)
which is why you say "you haven't addressed my point!"
I have. You are just too ignorant to realize that.
Similar to how most western peoples are too ignorant to realize men should be free to take as brides cute young girls, as once they were prior to feminism.
The fact of the matter is that GRSecurity is using the threat of an action or inaction to prevent sublicensees from enacting a privilege they have been given by the _original_ licensor to who's terms GRSecurity agreed, and to who's terms are the only thing _allowing_ GRSecurity to modify the kernel source code to create the derivative work and distribute it in the first place.
Obviously once you frustrate that agreement you lose your privileges under it. This is a basic point of the law of agreements.
You cannot say "I get what I want, but fk the rest of your terms", even if you are "clever" about it.
The linux licensors said that any distributed derivative work shall be freely re-distributable.
When you come to that license and think to yourself "haha, I shall circumnavagate that clause and cause my derivative work to NOT be redistributable in the real world" you have committed bad faith vis-a-vis the agreement and the court will not, when the licensor sues you for copyright infringement, recognize the clauses that would protect you (they will give them no effect, that is your reward for making sure that other clauses (redistribution) would be ineffectual).
The linux licensors want to eventually have changes "come back" to them. They adopted the GPL for this purpose. You frustrate the use of one term, you cannot hide behind another.
Very simple, I don't understand why you don't get this, they teach this in the first month or two.
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @12:45AM
its ironic that the left-wing loonies want their "fair cut" with respect to software development, but when it comes to anything else it becomes "greedy capitalism"
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @05:09AM
No.
I am totally not surprised.
When it's something they work on, THEY want their cut.
When it's any other industry "fuck em, ship all the jobs to mexico".
Every blue collar worker should despise tech heads to the point of grievous assault on sight.
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @05:42AM
There were announcements about ROP and RAP (one supplanting the other).
GRSec seemed excited about it, but no one really says what it is.
Please tell us more details and get the word out better.
It's sad when one makes a release, and it's alot of work, but others don't appreciate it.
I know how that feels.
But someone needs to make a release announcement.
I know it's tiring after coding a feature, so it should be a fan from the IRC channel.
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @06:27AM
I think this might explain it : https://grsecurity.net/rap_faq.php. [grsecurity.net] It's too much for me to read, so good luck.
(Score: 0) by Anonymous Coward on Sunday June 05 2016, @08:45AM
They really should do some advertising, or talking to the community.
It's fun to just dev stuff, but you need someone, some enthusiastic person, to do press releases too.
I see how happy the devs are with this new thing, but no one knows about it.