Bruce Perens - Warning: Grsecurity: Potential contributory infringement and breach of contract risk

Bruce Perens issues an advisory regarding the GRSecurity copyright issue:
perens.com/blog/2017/06/28/warning-grsecurity-potential-contributory-infringement-risk-for-customers/

Warning: Grsecurity: Potential contributory infringement and breach of contract risk for customers

It's my strong opinion that your company should avoid the Grsecurity product sold at grsecurity.net because it presents a contributory infringement and breach of contract risk.

Grsecurity is a patch for the Linux kernel which, it is claimed, improves its security. It is a derivative work of the Linux kernel which touches the kernel internals in many different places. It is inseparable from Linux and can not work without it. It would fail a fair-use test (obviously, ask offline if you don't understand). Because it is so strongly derivative of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2.

Currently, Grsecurity is a commercial product and is distributed only to paying customers. My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition.

(continued below...)


By operating under their policy of terminating customer relations upon distribution of their GPL-licensed software, Open Source Security Inc., the owner of Grsecurity, creates an expectation that the customer's business will be damaged by losing access to support and later versions of the product, if that customer exercises their re-distribution right under the GPL license. This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.

As a customer, it's my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity.

I have previously endorsed a company that distributes enhanced versions of GPL software to paying customers, but that company operated differently (and in a way that I would recommend to Grsecurity). They did not make any threat to customers regarding redistribution. They publicly distributed their commercial version within 9 months to one year after its customer-only distribution.

This other company was essentially receiving payment from its customers for the work of making new GPL software available to the public after a relatively short delay, and thus they were doing a public benefit and were, IMO, in compliance with the letter of GPL though perhaps not the spirit. In contrast, Grsecurity does no redeeming public service, and does not allow any redistribution of their Linux derivative, in direct contravention to the GPL terms.

(continued below...)

>linux

In the public interest, I am willing to discuss this issue with companies and their legal counsel, under NDA, without charge.

I am an intellectual property and technology specialist who advises attorneys, not an attorney. This is my opinion and is offered as advice to your attorney. Please show this to him or her. Under the law of most states, your attorney who is contracted to you is the only party who can provide you with legal advice.

Discuss.

BTW: Any words from the "U DUNT KNO DUH LAW, GRSECURITY IS DOIN FINE!" group?

Anything?

Want to tell me I'm a knowledgeless retard again?

>Another corporate shill attacking the only sane group of people on the Linux world who care about security and correctness.

This is why the security Swiss cheese known as Linux is less secure out of the box than the latest version of Windows.

The only advantage Lunix has in terms of security is their 1.2% market share which means there is less motivation to write malware for it.

In the end linux is a clusterfuck of patches and hacks with zero fucks given to design philosophy and quality control.

Interesting. I didn't think that a business contract could be called an additional term to the license of a product distributed under the contract.

And I'm still not convinced. Bruce is an alright guy but is there a legal precedent?

>I am an intellectual property and technology specialist who advises attorneys

So he is a jewish parasite who earns his shekels by making difficult the life of productive people.

A good example of why licenses like GPLv3 are pure cancer, they enable these people and this type of parasitic behavior.

If you want a truly permissive free software license use the MIT.

The only case of gpl enforcement going wrong I've heard of is the linksys one.

>the MIT
Public domain*
Any restriction, no matter how small, infringes on someone's rights. Why the BSD/MIT zealots seem to be okay with preventing plagiarists from plagiarising after saying that "everyone" should have the right to do anything they want is beyond me.

zlib and isc and wtf don't have that clause (Not the two clause bsd?). There is some issue with public domain not being a legal concept in some places so the rights reverting to whatever the default copyright ones are.

I don't understand your post

Nowhere in the post you replied to do I mention the text "Public Domain"

The MIT license is not public domain. It has two restrictions: you must mention the authors and if you burn your house running this software you can't sue me.

>you must mention the authors
And if I want to pass off your software as my own, I can't. Your license prevents me from doing something while people claim that the MIT license permits everyone to use the software however they want.
It doesn't matter that plagiarism is seen as "bad;" the entire point of permissive licenses, according to the BSD/MIT zealots I mentioned, is that "everyone can use it, even if they'd use it for something bad."

They are objecting to clauses about attribution, and maybe even to mentioning the upstream author's name in connection with your own derived work, and suggesting the public domain as a more permissive state for your software.

WTF

I didn't know grsecurity went full evil.

>evil
didn't this all happen because a certain high-profile company used their free patches instead of paying?

I still feel like this could go either way

Ok, I think I understand now.

Please don't generalize, I am not a BSD/MIT zealot and never claimed that the selling point of such license was that "everyone can use it, even if they'd use it for something bad." as you say.

That's not what I meant when I typed "truly permissive free software license"

Generalizing is not going to get us anywhere.

This is all new to me. When and who?
And when did grsec change licenses?

>who
I don't think it's public
I just heard this a few times

>when did grsec change licenses
they didn't, everything is still under the GPL
they simply removed the free patchset and stop supplying the paid stuff to you if you try to share it

Thx.

Do they sign the individual packages to know who shared the patchset, or those clients could just create their clone of scihub for grsec?

I have no idea

We all know this. Yet no one is going to do anything about it or move away to *BSD for example, the majority of Sup Forums would much rather have an insecure system. This just goes to show that we all care more about the 'feeling' of security rather than actually being secure.

Ignorance is bliss.

Now even linux seems to be much, much more vulnerable. Grsecurity did close off a lot of vulnerability classes dynamically. I'm seriously considering switching to bsd. Can you tell me how is freebsd more secure? (other than linux being hacked together, the fact everybody knows)

I think OpenBSD will suit you better for desktop use

Here is some propaganda that might help you.

home.nuug.no/~peter/openbsd_and_you/#1

Here's a "quick" rundown:

pastebin.ca/3838883

------------------------
Some Legal Analysis:
------------------------
The GRSecurity patch snakes through almost the entire kernel; it really touches everywhere
(and Brad Spengler etc have publicly attested to this as a bullet point as it doesn't only
add features but fixes various in-place security errors); and not even as a monolithic block,
it puts a paw here, and there, and there (so on and so on for 8MBs), with the deft agility of a cat,
and the dexterity of a vine wrapped every which-way around the many branches of a bush:
it is a non-separable derivative work.

A counter example would be the Nvidia GFX driver: a portion of that driver works across platforms.
That portion which works on Linux, Windows, etc is a separable work and thus can be argued
to be standalone before a court. Furthermore, in the Nvidia case, that portion was likely
developed on another platform and the wrapper was then built to conform to it.

The wrapper itself that interfaces with linux is licensed under the same terms as linux.

Other drivers can be written in a similar way.

With GRSecurity, on the other-hand, that is absolutely impossible. GRSecurity exists
only to give the linux kernel "self protection" (their words IIRC). They do this
by going in with a scalpel to thousands of areas in the kernel and making small
but important* edits and additions, as-well as by writing some new routines to then
use throughout the kernel.

Unlike a plug-in; their derivative work does not and cannot stand alone.

The Anime-Subs cases reaffirmed somewhat recently that a derivative work
that cannot stand alone and is not authorized is an infringing work.

(Ex: You're a fan, you listen to the Anime Girl cartoon in Japanese,
you write down what they say, you distribute that: that text is a
derivative work and not a standalone one: it required the existence
of the cartoon to itself exist or have any meaning).
...

(continued)


I think the situations are very different thusly and that a court
would find GRSecurity to be infringing. If the GRSecurity patch is not
a derivative work then nothing in the realm of source-code is.

To Brad Spengler I'm referred to as a "troll" (months, perhaps a year later
in a discussion I was not involved in), for engaging with RMS on the issue earlier
(something which remains in Mr Spengler's mind:

openwall.com/lists/kernel-hardening/2017/06/04/24
>... It has been nearly 4 months now and despite repeated follow-ups, I still
>haven't received anything back more than an automated reply. Likewise
>regarding some supposed claims by RMS which were published last year by
>internet troll mikeeusa -- I have been trying since June 3rd of last
>year to get any response from him, but have been unable to. So when you ...


(RMS' opinion can be seen here:
(*7) lists.debian.org/debian-user/2016/06/msg00020.html )

As for making modifications: To create the patch Brad Spengler modified the
linux-kernel over the course of 15 years, and to continue producing
new patches he continually modifies the linux-kernel even more. Without
permission of the license he has no right to modify the kernel. The mechanical
modification that is done by patching is a red-herring in this case since it's
not needed to argue infringement on Mr Spengler's part once he has been found
to have added an additional term to the agreement between him and further
distributees of the derivative work. Once he has done that, he has violated
the license grant, and he no-longer has a right to distribute the work, nor to distribute derivative works, nor to modify the work in-order to create future derivative works.

(continued)
------------------------
Correction to common
programmer's misunderstanding
------------------------

They don't have to add a term to the GPL per-se as the GPL is not a party to the agreement, it is "merely" the (not-fully integrated) writing describing the license that the rights-holders have granted GRSecurity et al.

That is: the GPL in-part describes the license grant that the linux rights-holders have extended.
(There may be other parts described elsewhere, even verbally or through a course of business dealings or relationship)
(Copyright law, being quite bare on its own, often borrows much from contract law)

Licensees must extend the same grant to Distributees, they cannot add an additional term to that relationship.
GRSecurity has added such a term.

They did not pen it into the text of the GPL.
But, according to existing testimony they did make it clear that redistribution will not be tolerated.
It is unknown if an electronic or hard copy of this additional term controlling the relationship exists,
or whether it was a verbal agreement, or even some implicit understanding. Any which way: it is a forbidden additional
term.

>WTF
>
>I didn't know grsecurity went full evil.

I was telling you all for over a year now that they are violating the terms of the agreement.

You all said "YOU ARE LYING YOU DONT KNOW WHAT YOURE TALKING ABOUT YOU ARE NOT A LAWYER WE KNOW BETTER AS PROGRAMMERS AND KILL ANYONE WHO LIKES GIRLS, ROASTY MILFS FOREVER, MURICA, FK JEWISH GOD, JESUS BETTER A MILSTONE FOREVER!!!!!!!!, FK DEUTERONOMY, KILL ANYONE WHO WOULD MARRY YOUNG GIRLS!!!! KILLL!!!!!! !!!! MURRRRIIICCCCAAAA"


How does it feel now you white-knight-nationalist rostie worshiping anti-man+girl (allowed in Deuteronomy chapter 22, verse 28-29, in hebrew (not english)) .... pieces of garbage?

.....

Here's a "quick" rundown:

pastebin.ca/3838883

GRsecurity has implicitly added an additional term. You "BRILLIANT" programmers think that because they didn't pen it into the text of the copy of version 2 of the GPL that they distribute that makes an additional requirement or understanding that they have imposed "not an additional term" added to the agreement.

You scream and yell that I (me) am not a lawyer, and that your programmer knowledge somehow trumps my study of the law (you swear that I am not a lawyer).

Do you think I really give a fuck what some faggot lawyer thinks

> "hurrr i'm a do-nothing clipboard jockey"

-t. every lawyer ever

I hate all the spengler guys now

To be frank, the kernel situation in BSD is even more dire. The BSD kernels are even older than Linux, but worse, each of the main BSD distributions rolls their own kernel instead of collaborating on a single tree.

The upshot of this is that improvements to one BSD don't necessarily filter over to the others, and when you do get significant cross-pollination you end up with stupid shit like a decade-old version of pf from OpenBSD being shoved into FreeBSD and modified past the point where keeping up with upstream is easy.

If you're going to try something, your best bet is FreeBSD because it's the most popular and stuff is most likely to work with it. In my opinion, OpenBSD's "security" track record is a weasel-word farce and only applies to the base install, which is fine precisely up to the point where you make any configuration changes or install any software. Plus, anybody tells you about how high quality their code is never had to deal with the buggy and crashy piece of shit known as OpenSMTPD, pushed out long before it was ready.

>OpenSMTPD
The OpenBSD httpd, on release, had a bug where downloading a large file crashed it, as well as a bug where using CGI could randomly freeze the whole thing.

So it turns out all OSes are just hacks behind the curtains?

Probably qubes gets at least something right: if something crashes, it won't kill the whole system. At least the xen idea is portable across OSes.

>Do you think I really give a fuck what some faggot lawyer thinks

Stupid white men think the world revolves around them personally (and that everyone that is not standing with them on their own particular square column of belief should be killed)

This stupid white man saw a post and thought "surely this is addressed to me personally"


> > "hurrr i'm a do-nothing clipboard jockey"
>
>-t. every lawyer ever

"hurrr ima waste the best years of my life not on creativity but working for a boss and slaving for an adult grown-ass wife!, dreams can come later, (oops once later arrives all creativity is dead!)"

-t. every stupid white man ever

I can't speak for Perens, but I can speak for myself. I program and make media for videogames. I also inform you stupid white (aka: anglo or (some) german) men about the law and you tell me how I'm wrong and should die etc and better a millstone and roasties are the best and kill anyone who likes girls etc etc because Jesus the Heretic against God overturned the Old Testament better a millstone bla bla bla.

I'm glad you slave for a boss and an old woman who rules over you but cares not for you. It's fitting. You are complete white-knight-nationalist scum after all.

It was an Intel subsidiary, Windriver if memory serves well. They were still doing it some time ago.

FSF should obviously sue and crash them with no survivors. Anything else is silly.

This is bullshit, you go to great lengths to say that it is a derived work, which no-one disputes, and then gloss over why the gpl invalidates only arguably conflicting contracts. Is there any legal precedent at all? And no, subs don't count because that is a completely different IP situation. Stop spreading FUD.

found the BSD cuck

Why does GRSecurity do this?

Believe I'm not a lawyer all you want, buddy.
Make a wish upon a star.

I think it's time for you to explain to us how GRSecurity is NOT a derivative work. We've explained to you that it is for the last year. All you've done is scream nooooooo and DIEEEEE!!!

If you still can't accept it, locate your nearest school and ask a professor in meat space

See:
> Do you believe that GRSecurity stating they won't give you their future code if you choose to distribute current/existing code is a violation of the GPL?

Yes, absolutely.

But more importantly it is a violation of the license grant given to GRSecurity by the linux-kernel rightsholders.

They stipulated that further distributees must be granted license to derivative works under the same terms.

This requirement was in their license conditions, which are memorialized in the text that they distributed
(in this case the text of version 2 of the GPL, sans later version incorporation)

(continued)
The thing that exists between the linux rightsholders and GRSecurity is the ethereal permission grant from the linux rightsholders.
It is not, per-se, the GPL: each license grant is a separate "entity" (if you will) or occurrence. The GPL is simply the memorialization of said grant.

When the distributee creates a derivative work and wishes to distribute that derivative work, he can do so only with the permission of the owner of the copyrighted work (copyright is alienable in the same way real property is: if you wish to allow someone to walk across your land you may give him license to do so, you may also rescind said license at any time, unless he has materially relied on an agreement between the two of you that you will not rescind said permission (in which case you may be estopped from rescission, especially if he paid consideration)).

In this case the linux rights-holders require that the distributee grant the same terms to further distributees under which they gained permission to modify and distribute linux, and said rights-holders also forbid any additional terms.

Here GRSecurity has added an additional requirement/understanding: that there is to be no redistribution, and if there is redistribution that they will retaliate.
This is both an additional term AND it is a term that directly violates the stated intent of the rights-holders.

Another farcical example of an additional term would be: "You shall hold a birthday party for X each year you redistribute this work".
This would also violate the license grant, and terminate automatically said grant, however it is an example of an additional term
that is not running completely 180 degree counter to the intention of the rights-holders (might be orthogonal). But even in this farcical
case the grant conditions are violated.

(continued)

GRSecurity, and many programmers, believe that if they create an additional term, but simply speak it verbally, or force it through course
of doing business, or include it in a separate writing (email etc), that they are in the clear. They believe that the language in the
memorialization means "you may not change the text here", (as if the GPL was trying to protect the "copyright" on its own text), which is
incorrect: what is being communicated is that no additional terms may be added to an agreement between further distributees and the down-the-chain distributor.

Which is exactly what GRSecurity has done.

What the fuck is Grsecurity.

>release your groundbreaking software under Affero GPL
>charge companies millions to multi-license it under a proprietary contract
>laugh all the way to the bank while your code is still free for others to view and improve

> This is bullshit, you go to great lengths to say that it is a derived work, which no-one disputes, and then gloss over why the gpl invalidates only arguably conflicting contracts. Is there any legal precedent at all? And no, subs don't count because that is a completely different IP situation. Stop spreading FUD.

Who said anything about the GPL invalidating the additional agreement? It is the additional agreement that invalidates (or rather revokes) the license grant.

Get your facts straight. It's very simple.


>What the fuck is Grsecurity.

A flagrant violation of the linux-rights-holders property interests.

Software isn't "released" (given away, granted to the public domain, transferred) generally. It is licensed. That is: the creator (or rights-holder) still fully owns it and may revoke permission to use it at any time (barring estoppel).

The expression “the Linux kernel” can easily be misunderstood as meaning “the kernel of Linux” and implying that Linux must be more than a kernel. You can avoid the possibility of this misunderstanding by saying or writing “the kernel, Linux” or “Linux, the kernel”.

grsecurity didn't violate a single point of GPLv2 which is what the kernel (which grsecurity is a derived work of) is licensed under

They've been fucked in the ass by Intel and Google which both used the patches they provided for the community.

And now Google is in serious damage control mode trying to get scraps of grsec patches they have together and "introduce them" upstream.