Grsecurity stops issuing public patches, citing trademark abuse
The gurus behind the popular and respected Linux kernel hardening effort Grsecurity will stop providing their stable patches to the public. In future, only paying sponsors will get access to stable patches to shore up their kernels' defenses. The test series, unfit for production use, will however continue to be available, to avoid impacting the Gentoo Hardened and Arch Linux communities. The project's full source code will still be released to the public at large, but non-sponsors will have to pick through every update to find out what's applicable to them. The whole situation stems from WindRiver, a subsidiary of Intel, which "has been using the grsecurity name all over its marketing material and blog posts to describe their backported, unsupported, unmaintained version in a version of Linux with other code modifications that haven't been evaluated by us for security impact." After spending several thousand on legal fees, faced with "a huge legal team, the capability to drag out the case for years" and a threat to request "all available sanctions and attorneys' fees" were the lawsuit to proceed against them, Grsecurity decided pursuing the case through the courts was not practical.
to the public a patch to the kernel that prevents buffer overflows, adds address space protection, adds
Access Control List functions, prevents various other security related errors (the programs are terminated
rather than allowed to write to protected memory or execute other flaws), aswell as various improvements
shell servers might find useful such as allowing a user to only see his own processes (unless he is in
a special group), and tracking the ipaddress associated with a particular process.
Now Brad Spengler has announced that there will be no more public distribution of the stable GRSecurity
patch of the linux kernel.
Some supporters of GRSecurity have claimed that GRSecurity is not even a derivative work of the linux kernel
and that Spengler may do whatever he wishes, including closing to code to all except those who pay him 200
dollars per month. Detractors contend that GRSecurity is a derivative work, and have noted that it is not likely that the thousands of linux code contributors intended that derivative works be closed in this manner. Detractors have also noted the differences between copyright grants and alienations based on property law and those based on contract law, and that the linux kernel is likely "licensed" under contract law and not "licensed" under property law (to use the term loosely), and that this has implications regarding the relevancy of the intentions of the parties. Detractors have also noted that the agreement is not likely to be deemed fully integrated. Supporters of GRSecurity have then claimed that the linux kernel's license (GPLv2) is just a "bare license". Detractors then noted that licenses (creatures of property law) can be rescinded by the licensor at-will (barring estoppel), and in that case any contributor to the Linux Kernel code could rescind Brad Spengler's permission to create derivative works of their code at will, and that the GRSecurity Supporters should hope that Linux (and the GPL) is "licensed" under a contract and not a bare license.
The whole situation stems from WindRiver, a subsidiary on Intel(R), mentioning that they use GRSecurity in their product. Brad Spengler wished for WindRiver to pay him a 200 dollars per month fee. Spengler then threatened to sue Intel under copyright law and trademark law. He, at that time, claimed that Intel was "violating the GPL" (a claim that has now been rescinded) and his trademark on the word "GRSecurity" (a claim which still stands but is currently not being pursued in court). Intel threatened to ask for legal cost reimbursement if Spengler brought this to court (Judges often reward this for spurious baseless claims to discourage excessive litigation).
It has been noted that Brad Spengler's copyright claim is non-existent, and his trademark claim is very weak and near non-existent (thus the threat for reimbursement of fees). In trademark law one is barred from, within a field of endeavor, conflating another persons trademark with ones own product one created. Here WindRiver (a subsidiary of Intel(R)) simply noted that it used the grsecurity patch in it's product: It did not create a brand new piece of code and call that "GRSecurity": It simply used what Spengler provided.
In retaliation, Spengler has announced he is closing the stable grsecurity patch to all but those who pay him 200 dollars per month. (And notes that any other branch is not fit for human consumption)
--
More can be found at: grsecurity.org and http://grsecurity.net/announce.php
The text of the announcement:
"Important Notice Regarding Public Availability of Stable Patches
Due to continued violations by several companies in the embedded industry of grsecurity®'s trademark and registered copyrights, effective September 9th 2015 stable patches of grsecurity will be permanently unavailable to the general public. For more information, read the full announcement."