GRsecurity is preventing others from redistributing source code

GRsecurity is preventing others from employing their rights under version 2 of the GPL to redistribute (by threatening them with a non-renewal of a contract to receive this patch to the linux kernel.)
(GRsecurity is a derivative work of the linux kernel (it is a patch))

People who have dealt with them have attested to this fact:
reddit.com/r/KotakuInAction/comments/4grdtb/censorship_linux_developer_steals_page_from_randi/
"You will also lose the access to the patches in the form of grsec not renewing the contract.
Also they've asked us (a Russian hosting company) for $17000+ a year for access their stable patches. $17k is quite a lot for us. A question about negotiating a lower price was completely ignored. Twice." -- fbt2lurker

And it is suggested to be the case here as well:
reddit.com/r/linux/comments/4gxdlh/after_15_years_of_research_grsecuritys_rap_is_here/
"Do you work for some company that pays for Grsecurity? If so then would you kindly exercise the rights given to you by GPL and send me a tarball of all the latest patches and releases?" -- lolidaisuki
"sadly (for this case) no, i work in a human rights organization where we get the patches by a friendly and richer 3rd party of the same field. we made the compromise to that 3rd party to not distribute the patches outside and as we deal with some critical situations i cannot afford to compromise that even for the sake of gpl :/
the "dumber" version for unstable patches will make a big problem for several projects, i would keep an eye on them. this situation cannot be hold for a long time" -- disturbio

(continued)

Is this not tortious interference, on grsecurity's (Brad Spengler) part, with the quasi-contractual relationship the sublicensee has with the original licensor?


(Also Note: the stable branch now contains features that will never make it to the "testing" branch, and are not allowed to be redistributed, per the scheme mentioned above (which has been successful: not one version of the stable branch has been released by anyone, even those asked to do so, since the scheme has been put in place (they say they cannot as they cannot lose access to the patch as that may cost the lives and freedom of activists in latin america)))
twitter.com/marcan42/status/726101158561882112
@xoreipeip @grsecurity they call it a "demo" version "20:14 < spender> what's in the public version is < 1/5th the size of the full version"
@xoreipeip @grsecurity "20:21 < spender> also it wouldn't be as fast as the commercial version [...] there are missing optimization passes"

I'm glad the NSA doesn't care about money and selinux is free as in beer next to being free as in freedom

Linus needs to start caring about security and make Linux secure by default so we can throw grsecurity in the trash where it belongs

Do you have a source that isn't reddit? I don't want to click on links to that site

SELinux isn't a replacement for grsecurity

...

I can think of at least two other instances where a group of devs have tried to exploit their position in the FOSS community and it hasn't ended well for them in either case.

>Open Sound System(OSS)
>BitKeeper

FOSS community doesn't put up with nonsense.

A source other than reddit, when reddit is where the comments about various parties dealings with grsecurity posted their comments? No, I don't have any other source other than exactly where they posted their testimony: on those reddit threads, would you like to depose those people directly (it will be required so might as well get on it, no)?

Then we can have a source other than reddit.

This just came out this week, this direct testimony about what grsecurity has been up to, it's not the news article, it's in the comments. Before this week we could only speculate (we were right).

The Software Freedom Conservancy has been contacted ( sfconservancy.org/ ) (#conservancy on irc.freenode.net ).

However they say they are low on funds, and also the one representative in the channel there seemed to think this was "legally ok", even though I can assure you it is not.

Businesses commit such interference with other existing contractual rights all the time (attempting to limit them via their own 3rd party contracts etc). This is called tortious interference with a business relationship. It is not a cut and dry 100pct standard-fare GPL violation so the representative might not have realized that there was a problem.

The difficulties in the case, which make it more expensive than a usual case are as follows:

No direct privity between the sublicensee (person purchasing grsec patch) and the original licensor (linux developer(s)). Thus a quasi-contractual relationship will have to be argued, perhaps unjust enrichment as well.

There may not even be clear direct privity between grsec (brad spengler) and the licensor (linux dev) since they have never discussed anything.

However there is bad faith on Spengler's part that could very well disqualify him from relying on the license grant, since he is attempting to circumvent its terms (and now we have glimmers of proof of such)

Some interest was found on the channel:
18:30 < gnu_user> pastebin.ca/3614117
18:39 < kfogel> gnu_user: I am not a lawyer, and I don't represent the Conservancy, but this does sound disturbing. It is not a new situation
-- even back in the 1990s, there were cases where some companies attempted to sign private contracts with customers whereby the
customers agreed to give up some of their rights under the GPLv2, as a condition of receiving patches under the GPLv2. My
memory is that the FSF determined this to be a violation of the GPL (on the patch
18:39 < kfogel> supplier's part), but I am not positive of that, nor do I remember the specific parties involved. However, the case was very
similar to what you are describing with grsecurity.
18:42 < kfogel> gnu_user: It is *quite* likely, by the way, that grsecurity is delivering slightly different patches (you know, whitespace
differences or trivial variable name differences, that sort of thing) to different customers, in order to be able to identify
who leaks a patch in violation of the contract. (See en.wikipedia.org/wiki/Trap_street for maps, but on a per-customer
basis.)
18:43 < kfogel> gnu_user: I'm pointing this out because some customer might be tempted to leak anonymously. They should be aware that they are
probably identifiable, unless they try to scrub the diff in some way (might be hard). If you can get multiple customers to
privately compare their patches, you can determine if grsecurity is using this technique.
18:45 < kfogel> gnu_user: bkuhn knows a lot about GPL compliance; I hope he reads the above and can recommend and/or take some action.
18:45 < gnu_user> kfogel: I hope so too.
18:45 < vmbrasseur> IIRC, bkuhn may be in transit right now.

18:45 < gnu_user> kfogel: this situation is not new to the law
18:45 < gnu_user> companies do this all the time against one another and are brought to court for tort violations
18:46 < gnu_user> the difference here is that they all have direct privity with each other
18:46 < gnu_user> here the linux rightsholder does not have direct privity with the sublicensor that is prevented from redistributing
18:47 < gnu_user> thus a quasi-contractual argument might have to be made
18:47 < kfogel> gnu_user: Ah, sounds like you know much more about the history & context than I do anyway, good. Thanks for pointing this one
out -- I'm very curious to see what happens!
18:48 < gnu_user> the remedy would likely be in equity thusly (since quasi-contract etc)

19:04 gnu_user: I'm familiar with the public discussion about the grsecurity situation. If a customer thinks they have a tort claim of
some sort under GPL in a situation like this, they should certainly bring it on their own.
19:05 Whether it's a GPL violation depends on various details that I'm not privy to. Redistribution is not mandatory under GPL, so
there would have to be some sort of specific GPLv2 Section 6/7 problem shown.
19:05 < JordiGH> Funding cuts have also tightened the conference travel budget, eh?
19:05 JordiGH: huh?
19:05 < JordiGH> Sorry, I thought you said you weren't at Pycon this year.
19:06 JordiGH: if you are asking about PyCon, my talk wasn't accepted.
19:06 < JordiGH> What was your proposal? Did you get any attention at all? Last time I submitted a talk, I'm sure nobody even looked at the
proposal beyond the title.
19:06 JordiGH: I forget, anyway I was asked to keynote another conference elsewhere in the world tomorrow, so I am there now.
19:07 < JordiGH> Oh! Neat! Where?
19:07 JordiGH: oss2016.org/speakers
19:08 < JordiGH> Finland!
19:08 gnu_user: showing a GPLv2 Section 6 or 7 problem often require seeing what written agreements people have with the party. If
someone has specifics, they can certainly report the violation officially to [email protected]

Well, for example, an independent journal citing the comments from reddit would be great.

Because when you click on reddit links, you get 99% cancer and “replies to replies to replies” aka “look ma, me too!”-style circlejerking.

It makes me vomit

I notice with all seeming "GPL experts" they all seem to think circumventing the texts of the license grant through "clever" means is A-OK, and there's nothing to be done. That the GPL is, in practice, just the same as the BSD license if a LICENSEE decides so (and enacts some contracts with a sublicensee to defeat the intention of the original licensor).

This is absolutely ridiculous. It's like the "GPL Experts" have not been to law school and have not passed the bar.

In the law, what happens in practice matters.
Acting in Bad Faith to defeat the intentions of an agreement, that matters too.
Things such as tortious interference exist.

None of this is new to the law.

But whenever anyone talks to almost anyone on any free software channel, even #fsf, #gnu, nope, it's all good, nothing to be done, and you are just WRONG, the PROGRAMMERS and FANBOYS know waaaayyyyyyy more about the law than ANYONE who studied it.

I just get shouted down EVERY time.

Well that's too damn fucking bad for you.

Because there are no "independent faggot journalists" who cited this for you.

You know what you could do, cunt retard?
You could read the fucking OP post.

The excerpts are right there cunt bitch.

Should not you be off cooking?

Fucking lol. The only way to make Linux' security not fucking dogshit is putting their shit behind paywalls.

>It makes me vomit
Pic very much related

You could at least have linked to theregister.co.uk/2016/04/27/linux_security_bug_report_row/

ABANDON SHIP!

The NSA probably got them.

OP, in all seriousness, this some shady shit.

I remember when they forbid the distribution with shitty excuses about people sharing "their" code. I immediately suspected this was suspicious. Like "someone" coerced the company to not continue distributing or auditing the code.

TrueCrypt all over again?

>the one representative in the channel there seemed to think this was "legally ok", even though I can assure you it is not.
How is it not? What's illegal here?
Are they not redistributing the source? Are they forbidding others from redistributing the source? Seems to me they're saying "if you redistribute the source, we won't do business with you again/charge you a lot for a renewal". How is this illegal? You can argue that they're assholes, but this isn't illegal.

>defending this security risk
Hi NSA.

Again, I'm not defending, I'm saying it's not illegal. There's no law saying you have to do business with everyone.
They're assholes, but it's not illegal.

A contractual hole is not "legal", but certainly is suspicious. As suspicious as defending this.

Where's the line? I'm here for the fucking.

>A contractual hole is not "legal"
How is this not legal?
Also, for the second or third time, I'm not defending their actions, I'm saying OP misused the word "illegal".

Email RMS and ask him about this & contact FSF too, sic their lawyers on grsecurity

grsecurity must not be allowed to get away with this

What is your opinion of GRsecurity not wanting the source code to be widely redistributed? Let's see what you have to say "user".

Jesus Christ, you type like a redditor.
My opinion is that GRsecurity can not want anything, and that's completely irrelevant because the GPL allows anyone with the binary to get the source code and redistribute it. So them not wanting it matters exactly 0.
As for their blackmail tactics they're obviously shitty and I don't really understand why people who don't want source code redistributed would patch the Linux kernel and sell their work since they're forced to use a license that will ensure any of their clients can give away their work at any time. But they can refuse to work with/for anyone for any reason they want.

Was that so hard to say?

I guess not.

Edit: Downvotes? Wow, r/linux, just wow.

>actually blocking people who report bugs
how can someone be such a cocksucking faggot?

I got banned for reporting a risk for a wallhack in a game before... so i made a wallhack for the game.

>Are they not redistributing the source?
Correct
> Are they forbidding others from redistributing the source?
Correct.

> Seems to me they're saying "if you redistribute the source, we won't do business with you again/charge you a lot for a renewal".
>How is this illegal?
Hmm so there is Licensor (Linux Devs), they place their copyrighted work out there, under conditions.

There is Licensee (Brad Spengler, Grsecurity), he takes the copyrighted work under the terms and conditions and creates a derivative work (not allowed under pure copyright, only permissible as per the will of the rightsholder, as stated in the agreement)

The license states that, for permission to create a derivative work, one must allow others who gain access to that derivative work to redistribute said work, modify it, so on and so forth (otherwise there is no permission under the agreement).

Licensee creates derivative work.

Licensee sublicenses derivative work to sublicensee. Licensee stipulates that sublicensee may not redistribute derivative work. Licensee makes threats to ensure compliance with this demand that sublicensee not distribute derivative work. These demands are met: sublicensee dares not redistribute the work.

The conditions the Licensor placed on his work have been spurned, ignored, and abolished by the actions of the licensee.

Licensee has frustrated the purpose of the grant he has been given by licensor. It does not matter specifically how he went about doing so. He did so.

>You can argue that they're assholes, but this isn't illegal.

So in other words you are saying "you can argue that Brad Spengler has treated the agreement in... bad faith". Thank you for restating a portion of my case, inadvertently

"But JUDGE, bad faith, when it comes to business dealings, contracts, grants, and the like is fine and good!"

>bla bla

So have you attended law school and passed the bar?

I have.

There is a legal term for this. It's called acting in bad faith.
That often gets your contract nullified.
Here there is a license grant. Spengler is acting in bad faith to frustrate its purpose.
It does not matter if he is breaking legs, threatening to expose secrets, or threatening to raise prices to exorbitant rates, or to cease sending the patches:
What matters is that his goal is to deny the sublicensee the right given to the sublicensee by the original licensor, and that he has obtained that goal via his actions (the threats here).

He has frustrated the purpose of the agreement (the grant) he had with the original licensor, and thus
the grant fails. In other words: he has violated the license.

It's very simple, I don't know why some here do not understand it, it's like you never graduated law school nor passed the bar.

The courts are not dumb, they've seen people try to be "clever" like this before for well over 100 years.
Just because some here have never heard of any of it doesn't mean what they then grind together in their uneducated brain is correct (even though they will swear to high heaven it is, cuz it makes sense to them, centuries of caselaw and even black letter law be damned).

(continued response to)

There is a case.
Anyone who has taken 1 semester of torts and then casually leafed through a casebook on copyrights knows this.

You don't know this, that doesn't mean what you think is the law is: you are not trained even one day in the law. You are of the peanut gallery and should pipe down and keep your hands off the keyboard.

>Are they not redistributing the source?
>Correct
Show me where they refused to provide the source to anyone acquiring a binary from them.
> Are they forbidding others from redistributing the source?
>Correct.
Show me where/how they forbid someone trying to redistribute the source.

>The conditions the Licensor placed on his work have been spurned, ignored, and abolished by the actions of the licensee.
The first 2 words are emotional rhetoric and the 3rd is entirely wrong: the conditions of the GPL have not been abolished by the licensee.

>So in other words
So in other words it's not illegal because absolutely no laws have been broken. The GPL is not a law.

>I have.
Sure you did.

Your post explained your reasoning just fine, but
>I don't know why some here do not understand it
And I don't know why you don't understand my statement: it's not illegal. It's bad faith, but that's not the same as being against the law.

>there is a case
>so it's illegal

Over at endchan they are now arguing that a patch to the linux kernel, which cannot exist without the linux kernel, is not a derivative work!

> endchan.xyz/tech/res/4339.html


>Their argument is usually that, as a patch to a GPLv2 work (the Linux kernel), the patch (stable or otherwise) is a "derived work" under the GPL and is therefore also licensed under the GPL.
>Personally, I don't think that a patch distributed alone is a derivative work. I don't think this has been tested in court, though.

Now why does this fucking piece of SHIT think that what he (or she, but I think it's just some faggot "male") PERSONALLY believes matters?

What the FUCK is up with all the retarded self-important techies? You haven't read a PAGE of even one casebook, and suddenly what you PERSONALLY think in your uneducated mind has some merit?

No, it does not. There is a reason lawschool takes 3 years just for the BASICS. There is a reason you must then pass the Bar exam.

No, you fucking thinking it through in your know-nothing-about-the law brain has ZERO relevance and ZERO merit.

>Deeerrrr uhhh patttchh is noot a derivativer wurrk i dont dink!!!!

Scribbling on a picture of Dorothy is a derivative work.
Painting a likeness, fully from your own consciousness, of Mickey Mouse is a derivative work.

But a patch that was made by taking the linux code and then adding lines of code here and there, all intermingled, all dependent upon the whole... now that, now that is SOMEHOW "not" a derivative work this fucking TECHIE says.


Guess what guys, The GPL is moot! Hacking on someone ELSE's code does not create a derivative work! All copyright caselaw is moot too!

Yep Yep

Looks like I will have to reexplain:

>Are they not redistributing the source?
Correct
> Are they forbidding others from redistributing the source?
Correct.

> Seems to me they're saying "if you redistribute the source, we won't do business with you again/charge you a lot for a renewal".
>How is this illegal?
Hmm so there is Licensor (Linux Devs), they place their copyrighted work out there, under conditions.

There is Licensee (Brad Spengler, Grsecurity), he takes the copyrighted work under the terms and conditions and creates a derivative work (not allowed under pure copyright, only permissible as per the will of the rightsholder, as stated in the agreement)

The license states that, for permission to create a derivative work, one must allow others who gain access to that derivative work to redistribute said work, modify it, so on and so forth (otherwise there is no permission under the agreement).

Licensee creates derivative work.

Licensee sublicenses derivative work to sublicensee. Licensee stipulates that sublicensee may not redistribute derivative work. Licensee makes threats to ensure compliance with this demand that sublicensee not distribute derivative work. These demands are met: sublicensee dares not redistribute the work.

The conditions the Licensor placed on his work have been spurned, ignored, and abolished by the actions of the licensee.

Licensee has frustrated the purpose of the grant he has been given by licensor. It does not matter specifically how he went about doing so. He did so.

>You can argue that they're assholes, but this isn't illegal.

So in other words you are saying "you can argue that Brad Spengler has treated the agreement in... bad faith". Thank you for restating a portion of my case, inadvertently

"But JUDGE, bad faith, when it comes to business dealings, contracts, grants, and the like is fine and good!"

>bla bla

So have you attended law school and passed the bar?

I have.

What the fuck is kotaku?

is this some weeb shit?

So you failed to answer any questions asked and instead chose to repeat your baseless claims. Great job showing us you have no clue what you're talking about.

Gamer culture website. Cancer.

ITT:

Sup Forums thinks it has an international law degree

it will get sorted out like it always does. The license is legally binding and not just there for memes. The affected parties can just deal with enforcing it. GNU has legal arms that are capable of upholding the license in court as it has been needed before. See Moglen

Install OpenBSD.

>54843968
The GPLv2 is a text that outlines by what ways a licensee may use a copyrighted work provided by the licensor. In the case that the agreement is not followed standard copyright law applies (all rights reserved).

Contracts are often known as "private law", it allows parties to make their own agreement.

So yes, the agreement here is controlling "law", while the public law that allows such agreements to alienate rights to copyrighted works to be enforceable by the licensee so as to protect him against the licensor is the 1973 us copyright act.

However when the licensee violates the agreement he cannot find refuge in that agreement any longer.

Go attend law school.


And YES, I have both graduated law school and passed the bar.

Have you? No.

Might be a reason why you don't know what you're talking about and can only cite the GPL itself (a small 1 page document) and nothing that surrounds it (you don't even know what it hangs on).

Please people, do not listen to that fool

>b-but muh MACs!

>And YES, I have both graduated law school and passed the bar.
>can't even greentext properly

Is this that law school in american samoa I keep hearing about?

>yfw lincucks have to pay for something BSD offers for free

LOL how's that GPL working out for ya, GNUcucks?

>So yes, the agreement here is controlling "law", while the public law that allows such agreements to alienate rights to copyrighted works to be enforceable by the licensee so as to protect him against the licensor is the 1973 us copyright act.
Which was not broken since the sub-licensee still has all the privileges and obligations given to them by the GPL. The copyright act has nothing to do with this because they didn't explicitly prevent anyone from doing anything that the GPL provides, they just said they wouldn't do business with them again if they CHOSE to do something that the GPL entitles them to do. This is a case of bad faith which is not illegal. This has been my only claim: it's not illegal.

>And YES, I have both graduated law school and passed the bar.
Alright, show me how acting on bad faith alone is a breach of the copyright act.

>use Linux
>no SSP by default because muh userland
>need grsec which has a proprietary, non-free, paywalled version that has extra features and bug fixes just to have proper kernel security
>switch to OpenBSD
>every important security feature since the beginning of time enabled by default
>large ports tree that has software patched to work with OpenBSD's enhanced security, only Linux distro that even comes close is Hardened Gentoo, and even that has shit that doesn't compile (fucking Chromium) and uses the shitty, free version of grsec
This is actually the only sane choice. The only thing I miss from Linux is the proc/sys filesystems.

>tfw openbsd literally breaks userspace left and right if it means more security
and that's why it's based

>install shit on Linux
>never know if something is patched properly
>install shit on OpenBSD
>shit doesn't even fucking install if it isn't secure
Feels pretty good knowing a bunch of autistic elitist masturbating monkeys have my back before I even run software.

Chromium works great on OpenBSD btw. I know because I use it on an old crappy Willamette Pentium 4 and it's faster than on Debian. And Debian doesn't even have packages for Lumina, I had to compile it from source on it, whereas on OpenBSD I literally just did # pkg_add lumina. Feels Goodman.

>shit doesn't even fucking install if it isn't secure
that stuff used to be much more common back in the day, fortunately programmers have gotten SLIGHTLY better so it doesn't happen as much anymore

wew, time to try to update my SP2's boot media to OpenBSD. Last time I tried to emerge Chromium ninja or whatever the fuck segfaulted and there was nothing about it in the forums.
So far the only issue I had with OpenBSD was the 10zig thin clients I have freeze at the BIOS memory check if there's an OpenBSD boot stick in them.

xombrero is a pretty good lightweight browser too, it's a webkit based browser developed by some openbsd devs

Is Wayland making any progress on it?

i think the only BSD that did make some progress on it was dragonfly

>Which was not broken since the sub-licensee still has all the privileges and obligations given to them by the GPL.

Incorrect in practice: the sublicensees have been effectively prevented from exercising the right given to them by the original licensor (linux devs) by the action of the intermediary (grsecurity). In this case, since spengler is working to frustrate the purpose of the grant given by the original licensor the court may very well nullify his right to seek cover of the license: IE: he has acted in bad faith in attempting (successfully here) to DENY a permission granted to the sublicensee by the original licensor and thus has violated the license and can be sued by the original licensor for copyright infringement. (Not to mention the sublicensee). Spengler has interfered with the relationship between the licensor (the rightsholder) and the sublicensee (likely a quasi-contractual relationship).

Why is this so hard for you to understand?

Please, go to law school or keep your mouth shut.

And other people here, why is it that you choose to believe people who have not been to law school and who have not passed the bar, over me, who has done both?

Why?

They read ONE document, the agreement.
I've read books.

Yet you decide that THEY know what they are talking about? That the written grant exists in a vacuum.

It's ONE FUCKING PAGE.
That's a completely integrated, four corners, covers all cases document to you people?

Do you even know what I just said?

*(Not to mention the sublicensee for tort violations).

> Sup Forums legal advice:
> the GPL is the BSD license just as long as you know how to draft an NDA