Date:   Sun, 30 Jul 2017 11:47:31 +0200
From:   Pavel Machek <pavel@....cz>
To:     "Paul G. Allen" <pgallen@...il.com>
Cc:     linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: Yes you have standing to sue GRSecurity

Hi!

On Sat 2017-07-29 17:20:52, Paul G. Allen wrote:
> > It's not even clear that there is infringement.  The GPL merely
> > requires that people who have been distributed copies of GPL'ed code
> > must not be restricted from further redistribution of the code.  It
> > does not require that someone who is distributing it must make it
> > available on a public FTP/HTTP server.
> >
> > Brad Spengler has asserted that he has not forbidden any of his
> > customers from further redistribution of the code.  Other than his
> > claim of being in compliance with the GPL, I do not personally have
> > any information either suggesting that he is or is not violating the
> > terms of the GNU Public License.
> >
> > Personally, I don't think it makes any difference one way or
> > another.  GRSecurity has made themselves irrelevant from the
> > perspective of upstream development.  If someone wants to find some
> > embedded device which is using GRSecurity, and wishes to purchase said
> > device, and then demand access to source code under the terms of the
> > GPL, and then post those sources on some web site, that is all within
> > their right to do.  For the most part, though, it's rarely useful to
> > get dead code posted on a web site.  This is the same reason that
> > people who do drive-by open sourcing of code largely don't make much
> > difference.  You can make a code drop of (for example) Digital's old
> > Tru64 advfs and make it available under an open source license.  But
> > even though it was a very good file system for its time, unless it
> > comes with a community of developers, the code drop will very likely
> > just sit there.
> >
> > So personally, I don't think it's a particularly good use of *my* time
> > to investigate whether or not folks who are responsible for grsecurity
> > are violating the terms of the GPL, and to get involved in a lawsuit.
> > It may be that there is no "there" there, in which case it will be a
> > waste of my time.  And even if we can find proof that GRsecurity has
> > forbidden its customers from redistribution code derived from the
> > Linux kernel, in violation of the GPL, it will be messy, it will
> > enrich a bunch of attorneys --- and at the end of the day we will get
> > a dump of code that probably won't make any real difference to the
> > upstream development of the Linux kernel, since it will probably be
> > based on some ancient 3.18 kernel or some such.
> >
> 
> If there is something to this (that GRSecurity is somehow in violation
> of the GPL), then it would probably be a very good idea for someone
> (the community, Red Hat, etc.) to protect the kernel. From my
> understanding, at least in America, protections under any license or

You probably still have code in the kernel. So you probably can sue
them. I'll have my fingers crossed for you :-), but otherwise don't
expect much help.

								Pavel

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
