lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20150914145814.BAED229A@m0087796.ppops.net>
Date:	Mon, 14 Sep 2015 14:58:14 -0700
From:	"Verivel Enix" <verivelenx@...ido.com>
To:	<linux-kernel@...r.kernel.org>
Subject: GRSecurity Closes Stable Patch to Linux Kernel. How do you feel about this?

Go to grsecurity.org, look on the side panel where it lists the versions, you see:

Stable (Restricted): 3.1-3.2.71 Last updated: 09/13/15
Stable (Restricted): 3.1-3.14.52 Last updated: 09/13/15
Test (Free): 3.1-4.1.7 Last updated: 09/13/15 

What does this mean? It means the stable source patches, which are wholely derivative works of the linux kernel, have been brought closed. This is how to "un-GPL" a work, 101. That is what has happened, effectivly: they got around your intent that derivative works be open, like the linux kernel, except this time they are not even distributing source (like RedHat does) but not the binaries, the source itself is restricted. What do these stable patches consist of? It is a diff
that is created by linux kernel + grsecurity changes to linux kernel + backports of security
patches to the linux kernel. 200 dollars a month if you want it. They're using your security patches,
and have closed the source of the finished "product" to all the world.

GRSecurity Linux Kernel patch ends public accessability of stable patches. (The full rundown)

Grsecurity is a 4MB patch of the linux kernel. For 14 years now Brad Spengler and "PaxTeam" have released
to the public a patch to the kernel that prevents buffer overflows, adds address space protection, adds
Access Control List functions, prevents various other security related errors (the programs are terminated
rather than allowed to write to protected memory or execute other flaws), aswell as various improvements
shell servers might find useful such as allowing a user to only see his own processes (unless he is in
a special group), and tracking the ipaddress associated with a particular process.

Now Brad Spengler has announced that there will be no more public distribution of the stable GRSecurity
patch of the linux kernel.

Some supporters of GRSecurity have claimed that GRSecurity is not even a derivative work of the linux kernel
and that Spengler may do whatever he wishes, including closing to code to all except those who pay him 200
dollars per month. Detractors contend that GRSecurity is a derivative work, and have noted that it is not likely that the thousands of linux code contributors intended that derivative works be closed in this manner. Detractors have also noted the differences between copyright grants and alienations based on property law and those based on contract law, and that the linux kernel is likely "licensed" under contract law and not "licensed" under property law (to use the term loosely), and that this has implications regarding the relevancy of the intentions of the parties. Detractors have also noted that the agreement is not likely to be deemed fully integrated. Supporters of GRSecurity have then claimed that the linux kernel's license (GPLv2) is just a "bare license". Detractors then noted that licenses (creatures of property law) can be rescinded by the licensor at-will (barring estoppel), and in that case any contributor to the Linux Kernel code could rescind Brad Spengler's permission to create derivative works of their code at will, and that the GRSecurity Supporters should hope that Linux (and the GPL) is "licensed" under a contract and not a bare license.

The whole situation stems from WindRiver, a subsidiary on Intel(R), mentioning that they use GRSecurity in their product. Brad Spengler wished for WindRiver to pay him a 200 dollars per month fee. Spengler then threatened to sue Intel under copyright law and trademark law. He, at that time, claimed that Intel was "violating the GPL" (a claim that has now been rescinded) and his trademark on the word "GRSecurity" (a claim which still stands but is currently not being pursued in court). Intel threatened to ask for legal cost reimbursement if Spengler brought this to court (Judges often reward this for spurious baseless claims to discourage excessive litigation).

It has been noted that Brad Spengler's copyright claim is more-or-less non-existent, and his trademark claim is very weak and near non-existent (thus the threat for reimbursement of fees). In trademark law one is barred from, within a field of endeavor, conflating another persons trademark with ones own product one created. Here WindRiver (a subsidiary of Intel(R)) simply noted that it used the grsecurity patch in it's product: It did not create a brand new piece of code and call that "GRSecurity": It simply used what Spengler provided.

In retaliation, Spengler has announced he is closing the stable grsecurity patch to all but those who pay him 200 dollars per month. (And notes that any other branch is not fit for human consumption)

--

More can be found at: grsecurity.org and http://grsecurity.net/announce.php

The text of the announcement:
"Important Notice Regarding Public Availability of Stable Patches
Due to continued violations by several companies in the embedded industry of grsecurity®'s trademark and registered copyrights, effective September 9th 2015 stable patches of grsecurity will be permanently unavailable to the general public. For more information, read the full announcement."



_____________________________________________________________
Sign up for FREE email from zipido.com at http://zpdo.com and get your own Free Website.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ