lists.openwall.net
Open Source and information security mailing list archives
Date:   Sat, 29 Jul 2017 16:07:26 -0400
From:   Theodore Ts'o <tytso@....edu>
To:     "Paul G. Allen" <pgallen@...il.com>, nisus@...chan.it
Cc:     linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: Yes you have standing to sue GRSecurity

On Sat, Jul 29, 2017 at 09:32:36AM -0600, Paul G. Allen wrote:
> I have not contributed to the kernel for some time (I have been
> working on some stuff, but nothing that's been contributed), so I
> don't know if any of my code would be infringed (or if it's even in
> the latest kernels).
> 
> My work was on AGP and VIA drivers, so I am wondering if GRSecurity's
> patches affect that code?

It's not even clear that there is infringement.  The GPL merely
requires that people who have been distributed copies of GPL'ed code
must not be restricted from further redistribution of the code.  It
does not require that someone who is distributing it must make it
available on a public FTP/HTTP server.

Brad Spengler has asserted that he has not forbidden any of his
customers from further redistribution of the code.  Other than his
claim of being in compliance with the GPL, I do not personally have
any information either suggesting that he is or is not violating the
terms of the GNU Public License.

Personally, I don't think it makes any difference one way or
another.  GRSecurity has made themselves irrelevant from the
perspective of upstream development.  If someone wants to find some
embedded device which is using GRSecurity, and wishes to purchase said
device, and then demand access to source code under the terms of the
GPL, and then post those sources on some web site, that is all within
their right to do.  For the most part, though, it's rarely useful to
get dead code posted on a web site.  This is the same reason that
people who do drive-by open sourcing of code largely don't make much
difference.  You can make a code drop of (for example) Digital's old
Tru64 advfs and make it available under an open source license.  But
even though it was a very good file system for its time, unless it
comes with a community of developers, the code drop will very likely
just sit there.

So personally, I don't think it's a particularly good use of *my* time
to investigate whether or not folks who are responsible for grsecurity
are violating the terms of the GPL, and to get involved in a lawsuit.
It may be that there is no "there" there, in which case it will be a
waste of my time.  And even if we can find proof that GRsecurity has
forbidden its customers from redistributing code derived from the
Linux kernel, in violation of the GPL, it will be messy, it will
enrich a bunch of attorneys --- and at the end of the day we will get
a dump of code that probably won't make any real difference to the
upstream development of the Linux kernel, since it will probably be
based on some ancient 3.18 kernel or some such.

Cheers,

						- Ted
