
GRSecurity Closes Stable Patch to Linux Kernel. How do you feel about this?


Verivel Enix

Sep 15, 2015, 3:20:05 AM
Go to grsecurity.org, look on the side panel where it lists the versions, you see:

Stable (Restricted): 3.1-3.2.71 Last updated: 09/13/15
Stable (Restricted): 3.1-3.14.52 Last updated: 09/13/15
Test (Free): 3.1-4.1.7 Last updated: 09/13/15

What does this mean? It means the stable source patches, which are wholly derivative works of the linux kernel, have been brought closed. This is how to "un-GPL" a work, 101. That is what has happened, effectively: they got around your intent that derivative works be open, like the linux kernel, except this time they are not even distributing source (like RedHat does) but not the binaries, the source itself is restricted. What do these stable patches consist of? It is a diff that is created by linux kernel + grsecurity changes to linux kernel + backports of security patches to the linux kernel. 200 dollars a month if you want it. They're using your security patches, and have closed the source of the finished "product" to all the world.

GRSecurity Linux Kernel patch ends public accessibility of stable patches. (The full rundown)

Grsecurity is a 4MB patch of the linux kernel. For 14 years now Brad Spengler and "PaxTeam" have released
to the public a patch to the kernel that prevents buffer overflows, adds address space protection, adds
Access Control List functions, prevents various other security related errors (the programs are terminated
rather than allowed to write to protected memory or execute other flaws), as well as various improvements
shell servers might find useful such as allowing a user to only see his own processes (unless he is in
a special group), and tracking the IP address associated with a particular process.

Now Brad Spengler has announced that there will be no more public distribution of the stable GRSecurity
patch of the linux kernel.

Some supporters of GRSecurity have claimed that GRSecurity is not even a derivative work of the linux kernel and that Spengler may do whatever he wishes, including closing the code to all except those who pay him 200 dollars per month. Detractors contend that GRSecurity is a derivative work, and have noted that it is not likely that the thousands of linux code contributors intended that derivative works be closed in this manner. Detractors have also noted the differences between copyright grants and alienations based on property law and those based on contract law, and that the linux kernel is likely "licensed" under contract law and not "licensed" under property law (to use the term loosely), and that this has implications regarding the relevancy of the intentions of the parties. Detractors have also noted that the agreement is not likely to be deemed fully integrated. Supporters of GRSecurity have then claimed that the linux kernel's license (GPLv2) is just a "bare license". Detractors then noted that licenses (creatures of property law) can be rescinded by the licensor at-will (barring estoppel), and in that case any contributor to the Linux Kernel code could rescind Brad Spengler's permission to create derivative works of their code at will, and that the GRSecurity Supporters should hope that Linux (and the GPL) is "licensed" under a contract and not a bare license.

The whole situation stems from WindRiver, a subsidiary of Intel(R), mentioning that they use GRSecurity in their product. Brad Spengler wished for WindRiver to pay him a 200 dollars per month fee. Spengler then threatened to sue Intel under copyright law and trademark law. He, at that time, claimed that Intel was "violating the GPL" (a claim that has now been rescinded) and his trademark on the word "GRSecurity" (a claim which still stands but is currently not being pursued in court). Intel threatened to ask for legal cost reimbursement if Spengler brought this to court (Judges often award this for spurious baseless claims to discourage excessive litigation).

It has been noted that Brad Spengler's copyright claim is more-or-less non-existent, and his trademark claim is very weak and near non-existent (thus the threat for reimbursement of fees). In trademark law one is barred from, within a field of endeavor, conflating another person's trademark with one's own product one created. Here WindRiver (a subsidiary of Intel(R)) simply noted that it used the grsecurity patch in its product: It did not create a brand new piece of code and call that "GRSecurity": It simply used what Spengler provided.

In retaliation, Spengler has announced he is closing the stable grsecurity patch to all but those who pay him 200 dollars per month. (And notes that any other branch is not fit for human consumption)

--

More can be found at: grsecurity.org and http://grsecurity.net/announce.php

The text of the announcement:
"Important Notice Regarding Public Availability of Stable Patches
Due to continued violations by several companies in the embedded industry of grsecurity®'s trademark and registered copyrights, effective September 9th 2015 stable patches of grsecurity will be permanently unavailable to the general public. For more information, read the full announcement."



_____________________________________________________________
Sign up for FREE email from zipido.com at http://zpdo.com and get your own Free Website.

to...@tuxteam.de

Sep 15, 2015, 3:40:09 AM

On Mon, Sep 14, 2015 at 03:00:05PM -0700, Verivel Enix wrote:
> Go to grsecurity.org, look on the side panel where it lists the versions, you see:
>
> Stable (Restricted): 3.1-3.2.71 Last updated: 09/13/15
> Stable (Restricted): 3.1-3.14.52 Last updated: 09/13/15
> Test (Free): 3.1-4.1.7 Last updated: 09/13/15

[...]

> Some supporters of GRSecurity have claimed that GRSecurity is not even a derivative work of the linux kernel
> and that Spengler may do whatever he wishes, including closing the code to all except those who pay him 200
> dollars per month.

> Detractors contend that GRSecurity is a derivative work [...]

Calm down. Yes, that sucks. WindRiver sucks too.

Here's my take, worth as much as free advice is.

- GRSecurity is free to distribute its stuff as it likes, and to take
  $200 for it.

- Since this stuff is a set of patches to the Linux kernel, it is
  derived work and is under the same GPLV2. This is, I think
  uncontroversial. No need to be a "Detractor" or what.

- This means that
  (a) GRSecurity has to make available their source code *to those
      they distribute the program to*
  (b) the receiving party receives also the license to re-distribute,
      modify, study... the program as it sees fit *provided* they
      stick to the provisions of the GPL (i.e. make available the
      source, give on the rights they received).

So if you want to do a service to humankind, stop whining, cough up
the $200 and redistribute GRSecurity. All happy. You could try to
recoup some of your costs by asking for some contributions.

Ah, you aren't out to serve humanity? What was your purpose, then?

> Sign up for FREE email from zipido.com at http://zpdo.com and get your own Free Website.

Uh, oh.

-- t

Stuart Longland

Sep 15, 2015, 4:50:05 PM

On 15/09/15 17:37, to...@tuxteam.de wrote:
> So if you want to do a service to humankind, stop whining, cough
> up the $200 and redistribute GRSecurity. All happy. You could try
> to recoup some of your costs by asking for some contributions.

… and be prepared for all the former GRSecurity freeloaders to come
along and start downloading the stable branch from you instead.

It's a shame they had to go down that road, but it was the companies
that saw it as a "free beer" kernel for their devices rather than as
an open kernel. i.e. they're expected to contribute something in return.

Regards,
--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
...it's backed up on a tape somewhere.

to...@tuxteam.de

Sep 16, 2015, 3:10:04 AM

On Wed, Sep 16, 2015 at 06:32:59AM +1000, Stuart Longland wrote:
> On 15/09/15 17:37, to...@tuxteam.de wrote:
> > So if you want to do a service to humankind, stop whining, cough
> > up the $200 and redistribute GRSecurity. All happy. You could try
> > to recoup some of your costs by asking for some contributions.
>
> … and be prepared for all the former GRSecurity freeloaders to come
> along and start downloading the stable branch from you instead.

Well -- that's what you get into with GPL. Probably GRSecurity wouldn't
have a business case at all weren't it for the GPL of the Linux kernel.

> It's a shame they had to go down that road, but it was the companies
> that saw it as a "free beer" kernel for their devices rather than as
> an open kernel. i.e. they're expected to contribute something in return.

That sucks, especially considering that those $200 are probably petty
change for Wind River. I think there are several "venues of attack":

(1) Naming and Shaming. Always very effective.
(2) Trademark ("yeah, include our product, but don't use our name").
    Combined with (1) might do wonders.
(3) Close scrutiny of GPL compliance (are they really making all
    their changes available?) Conservancy[1] might be of help here.

- - - - - - - -
[1] https://sfconservancy.org/

Regards
-- t