Pipe KPRX GRSecurity Linux Kernel patch to end public accessability of stable patches. (The full rundown)

GRSecurity Linux Kernel patch to end public accessability of stable patches. (The full rundown)

by
Anonymous Coward
in linux on (#KPRX)
Grsecurity is a 4MB patch of the linux kernel. For 14 years now Brad Spengler and "PaxTeam" have released
to the public a patch to the kernel that prevents buffer overflows, adds address space protection, adds
Access Control List functions, prevents various other security related errors (the programs are terminated
rather than allowed to write to protected memory or execute other flaws), aswell as various improvements
shell servers might find useful such as allowing a user to only see his own processes (unless he is in
a special group), and tracking the ipaddress associated with a particular process.

Now Brad Spengler has announced that there will be no more public distribution of the stable GRSecurity
patch of the linux kernel.

Some supporters of GRSecurity have claimed that GRSecurity is not even a derivative work of the linux kernel
and that Spengler may do whatever he wishes, including closing to code to all except those who pay him 200
dollars per month. Detractors contend that GRSecurity is a derivative work, and have noted that it is not likely that the thousands of linux code contributors intended that derivative works be closed in this manner. Detractors have also noted the differences between copyright grants and alienations based on property law and those based on contract law, and that the linux kernel is likely "licensed" under contract law and not "licensed" under property law (to use the term loosely), and that this has implications regarding the relevancy of the intentions of the parties. Detractors have also noted that the agreement is not likely to be deemed fully integrated. Supporters of GRSecurity have then claimed that the linux kernel's license (GPLv2) is just a "bare license". Detractors then noted that licenses (creatures of property law) can be rescinded by the licensor at-will (barring estoppel), and in that case any contributor to the Linux Kernel code could rescind Brad Spengler's permission to create derivative works of their code at will, and that the GRSecurity Supporters should hope that Linux (and the GPL) is "licensed" under a contract and not a bare license.

The whole situation stems from WindRiver, a subsidiary on Intel(R), mentioning that they use GRSecurity in their product. Brad Spengler wished for WindRiver to pay him a 200 dollars per month fee. Spengler then threatened to sue Intel under copyright law and trademark law. He, at that time, claimed that Intel was "violating the GPL" (a claim that has now been rescinded) and his trademark on the word "GRSecurity" (a claim which still stands but is currently not being pursued in court). Intel threatened to ask for legal cost reimbursement if Spengler brought this to court (Judges often reward this for spurious baseless claims to discourage excessive litigation).

It has been noted that Brad Spengler's copyright claim is non-existent, and his trademark claim is very weak and near non-existent (thus the threat for reimbursement of fees). In trademark law one is barred from, within a field of endeavor, conflating another persons trademark with ones own product one created. Here WindRiver (a subsidiary of Intel(R)) simply noted that it used the grsecurity patch in it's product: It did not create a brand new piece of code and call that "GRSecurity": It simply used what Spengler provided.

In retaliation, Spengler has announced he is closing the stable grsecurity patch to all but those who pay him 200 dollars per month. (And notes that any other branch is not fit for human consumption)

--

More can be found at: grsecurity.org and http://grsecurity.net/announce.php

The text of the announcement:
"Important Notice Regarding Public Availability of Stable Patches
Due to continued violations by several companies in the embedded industry of grsecurity®'s trademark and registered copyrights, effective September 9th 2015 stable patches of grsecurity will be permanently unavailable to the general public. For more information, read the full announcement."

History

2015-09-08 16:22
Grsecurity stops issuing public patches, citing trademark abuse
evilviper@pipedot.org
The gurus behind the popular and respected Linux kernel hardening effort Grsecurity will stop providing their sta 4MBble patch of the linux kernel. For 14 years now Brad Spengler and "PaxTeam" have released
to the public a patch
to the kernel that prevents buffer overflows, adds address space protection, adds<br>Access Controlic
. ListIn functions, prevents various other security related errors (the programs are terminated
rather than allowed to write to protected memory or execute other flaws)
, aswell as various improvements
shell servers might find useful such as allowing a user to
only see his own processes (unless he is in
a special group), and trackying the ipaddress asponsociated with a particular process.

Now Brad Spengler ha
s announced that there will bge no more public distribution ofaccess theo stable GRSecurity
patch of the linux kernel.

Some supporters of GRSecurity have claimed that GRSecurity is not even a derivative work of the linux kernel
and that Spengler may do whatever he wish
es, including closing to code to all except tshosre who pay him 200
dollars per month. Detractors contend that GRSec
urity is a derivative work, and have noted that it is not likely thatp the thousands of linux code contributors intended that derivative works be closed in this manner. Detractors have also noted the differences between copyright grants and alienations based on property law and those based on contract law, and that the linux kernel is' likdely "licfensed"s. The test series, unfit for production use, will however contract law and not "licensed" under property law (to use the term loosely), and that this has implications regarding thue relevancy of the intentions of the parties. Detractors have also noted that the agreement is not likely to be deemed fully integrated. Supporters of GRSecurity havailable, theno clavoid imed thpacting the linux kernel's licGense (GPLv2) is just a "bare license". Detractoo Hars thden noted that licenses (creatures of property law) can be rescinded by the licensor at-will (barring estoppel), and Arch Linux communities. The project’s full source code will still be released any contributor to the Linux Kernel code could rescind Brad Spublic at largengler's, permissibut non-sponsors will have to pick through every update to finderiv out what’s applivcable wtorks of their code at will, and that the GRSecurity Supporters should hope that Linux (and the GPL) is "licensed" under a contract and not a bare licensem.

The whole situation stems from WindRiver, a subsidiary onf Intel(R), mentioning that they use GRSecurity in their product. Brad Spengler wished for WindRiver to pay him a 200 dollars per month fee. Spengler then threatened to sue Intel under copyright law and trademark law. He, at that time, claimed that Intel was "violating the GPL" (a claim that has now been rescinded) and his trademark on the word "GRSecurity" (a claim which still stands but is currently not being pursued in court). Intel threatened to ask for legal cost reimbursement if Spengler brought this to court (Judges often reward this for spurious baseless claims to discourage excessive litigation).

It
"has been noted that Brad Spengler's copyright claim is non-existent, and his trademark claim is very weak and near non-existent (thus the threat for reimbursement of fees). In trademark law one is barred from, within a field of endeavor, conflating another persons trademark with ones own product one created. Here WindRiver (a subsidiary of Intel(R)) simply noted that it used the grsecurity patch in it's product: It did not creatme a brand new piecell ofver codits marketing material and call that "GRSecurity": It simply used what Spengler provided.

In retaliation, Spengler has announced he is closing the sta
ble ogrsecurity paostchs to all but those who pay him 200 dollars per month. (And notes that any other branch is not fit for human consumption)

--

More can
be found at: grshecurity.org and hbackported, unsupportp://ged, unmaintained versecurity.net/announce.php

The
tin a vextrsion of the announcement:
"Important Notice Regarding Public Availability of Stable Patches
Due to cont
Linux with other code vmodiolfications that haven't been evaluated by us for security impact." After spending several cthompusanid on legal fees, faced winth "a huge legal team, the embedded industry of grsecurapability®'s to dradg out them case for yearks" and registereda copyrights, effective September 9th 2015 stablre patches of grsecurity will be permanently unavailable to request "all available sanctions and attorneys' fees" were the lawsuit to proceed against thenm, Grsecurality decide public. For more suinformation,g read the fcase throullgh the courts wans nount pracementical."
2015-09-08 19:57
Grsecurity stops issuing public patches, citing trademark abuse
evilviper@pipedot.org
The gurus behind the popular and respected Linux kernel hardening effort Grsecurity will stop providing their stable patches to the public. In future, only paying sponsors will get access to stable patches to shore up their kernels' defenses. The test series, unfit for production use, will however continue to be available, to avoid impacting the Gentoo Hardened and Arch Linux communities. The project’s full source code will still be released to the public at large, but non-sponsors will have to pick through every update to find out what’s applicable to them.

The whole situation stems from WindRiver, a subsidiary of Intel, which "has been using the grsecurity name all over its marketing material and blog posts to describe their backported, unsupported, unmaintained version in a version of Linux with other code modifications that haven't been evaluated by us for security impact." After spending several thousand on legal fees, faced with "a huge legal team, the capability to drag out the case for years" and a threat to request "all available sanctions and attorneys' fees" were the lawsuit to proceed against them, Grsecurity decided pursuing the case through the courts was not practical.
Reply 4 comments

please, (Score: 0)

by Anonymous Coward on 2015-09-07 17:27 (#KQ3C)

cite some sources for the controversy. Your word vs. a press-release alone holds little value or weight.

Re: please, (Score: 0)

by Anonymous Coward on 2015-09-07 17:27 (#KQ3D)

its not asking much. due dilligence?

Re: please, (Score: -1, Troll)

by Anonymous Coward on 2015-09-07 23:09 (#KQRW)

Just want this story buried eh?

Go read a case book (3) or a treatise (3) if you want citations on the points of law. I'm not going to teach you it here.
You'll need to study copyright, property, and contract law.

Or you could just ask the grsec folks themselves, they're happy to tell you who the players are.

Imagine (Score: -1, Troll)

by Anonymous Coward on 2015-09-08 03:03 (#KR5B)

Imagine if someone claimed copyrightable works and the alienation thereof, had nothing to do with property law, and infact were not property, and they just kept banging on that.

You try to explain to them that there is realty, personal property, and intellectual property (copyrighted works specifically), and that you grant rights to these via license (under property law) or contract.

And that licenses are revokable at the will of the licensor.

And that v2 of the GPL does not have a no-revokation clause, so you really want to argue it's a contract (which it isn't...), otherwise spengler's permission to modify the linux kernel can be revoked at will by any plaintiff (linux kernel contributor).

Then the person you're talking to says "you can't copyright land", and just keeps repeating that and "hahaha".

#grsecurity
irc.oftc.net