Monday, 10 February 2020 10:42

Linux kernel patch maker says court case was only way out

By Sam Varghese

Brad Spengler: "It seems like there's a lot of politics going on behind the scenes, with which we have no involvement." Photo: supplied

The head of security firm Open Source Security, Brad Spengler, says he had little option but to file a lawsuit against open source advocate Bruce Perens, who alleged back in 2017 that security patches issued for the Linux kernel by OSS violated the licence under which the kernel is distributed.

The case ended last week with Perens coming out on the right side of things; after some back and forth, a court doubled down on its earlier decision that OSS must pay Perens' legal costs as awarded in June 2018.

The dispute began in August 2017 over remarks that Perens made about the OSS patches, collectively referred to as Grsecurity. In those remarks, Perens described OSS' efforts as presenting "a contributory infringement and breach of contract risk".

The issue centres around the General Public Licence version 2 under which the Linux kernel is distributed. It specifies that if anyone distributes any software covered by this licence, then source code has to be offered as well. Exceptions are made for code that is not a derivative of the original software.

In his comments, Perens said people should avoid using the Grsecurity patch. "It (the patch) is a derivative work of the Linux kernel which touches the kernel internals in many different places. It is inseparable from Linux and cannot work without it," he wrote.

"It would fail a fair-use test (obviously, ask offline if you don’t understand). Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 licence, or a licence compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2."

But OSS disputed this interpretation, saying its subscription agreements for Grsecurity gave it the right to terminate a client's subscription, were he/she to redistribute the code for the patches to a third party.

The only limit being placed, OSS argued, was restricting that person's access to future updates or versions (that is, patches that have not yet been developed, created, or released), if the patches were redistributed outside of the explicit obligations under the GPLv2 to the client’s customers.

The details of the case, along with links to earlier hearings, are here.

iTWire contacted Spengler soon after the case ended, as he had promised to speak at length about the issue once all legal issues were done and dusted. Queries submitted by iTWire along with Spengler's answers in full are given below:

iTWire: Do you have regrets about going to court over Perens' statement and not attempting to settle it through third parties whom both of you know?

Spengler: The only third parties I know of are the FSF [Free Software Foundation] and the SFC [Software Freedom Conservancy]. I don't know what other parties Perens may know, as he's never contacted us before. On our blog here, we provided a copy of mails for the public that to-date have not been answered by the FSF. Indeed, I do believe that had anyone else prominent in the community spoken up to defend our reputation, it may not have ultimately been necessary to pursue a case of defamation. That that didn't happen whatsoever I don't think is anything we can control - we can't force people who will not respond to us to respond.

Not only will they not respond to us, but we're aware of at least one other [entity] the FSF stopped speaking to completely after they pressed the FSF to look into this matter. As someone who spent half his life creating free security software for the public, and a former SFC supporter myself, I think it's a sad situation and [has] soured my perception of these groups in general. The damage was done very quickly, spread out over many tech news sites and translated into several languages.

It seems like there's a lot of politics going on behind the scenes, with which we have no involvement. Why neither the FSF nor SFC called out Perens when he was the clear outlier here, I don't know. I'd like to know, and I'm sure many others would too, but my impression is they're hoping this will all blow over, none of it will stick to them, and it'll just be our reputation [that's] ruined in the process.

Is there any previous animus between you and Perens which may have contributed to his making this statement, the one that led to the lawsuit?

Not at all, this whole situation completely came out of left field. Not only no animus, but we've also never even spoken or even been in the same building as each other. As we mentioned on our blog, there was an anonymous troll infamous in the community known as "MikeeUSA" who had been harassing us for some time, and women in open source for even longer. He poses as a lawyer and provided the legal theories that Perens repeated to a worldwide audience. The same troll attempted to bait RMS [Richard Stallman, head of the FSF], Eben Moglen, and Bradley Kuhn [both well-known figures in the free software world] as well, but none of them took the bait.

I would like to think that Perens now realises he was wrong and acted recklessly, knowing that Red Hat has had similar subscription agreements for two decades, and that the FSF has said in the past that subscription agreements identical to ours are compliant with the GPL. They were very clear that the GPL does not demand providing future services like updates or support to a person just because you provided them with a copy of your work (that they are free to do what they want with).

If Perens is a man of integrity, once the lawsuit is fully complete and he and his lawyers have cashed their cheques, I do hope he acknowledges he was wrong and got caught up in what he was being told by an anonymous troll. In his rush for justice, where he didn't bother to contact us ahead of time, or even see a copy of our subscription agreement (where it affirms that customers have all the rights and obligations of Grsecurity's licence, the GPLv2), he ended up getting way ahead of himself and the facts.

He doesn't have to like subscription agreements like the ones Red Hat and we have, he's free, of course, to believe they're against the "spirit" of the GPL (if there's any of that left), but if he does apologise for his statements I'd welcome that and would forgive him. I realise that he may have already felt that, but due to the ongoing legal matter, wouldn't have been able to express it. We'll see.

To what extent (a money figure, if possible) do you reckon Perens' claims have cost you in terms of business?

It's hard to say. We submitted in court the number of potential customers we had been in talks with around the time of Perens' post that ended up not coming to fruition. Just adding up the quoted amounts was a significant sum of money, but without asking each potential customer and getting honest answers, we won't know. Had the case gone to a jury trial, that's something that we would have done as part of that process.

The larger problem was that it hurt the trajectory of the company and eliminated any goodwill we had. As mentioned in the court documents, we had been in the process of bringing on an additional kernel developer, which had to be put on hold. We've had to deal with many expenses as a result of this that we otherwise wouldn't have had to deal with (or at least not nearly as soon).

We have had to work twice as hard, with many sleepless nights, particularly around the time that [processor vulnerabilities] Meltdown and Spectre were announced. But as a result of that effort, the company is doing well now, albeit not as well as it could have been doing at this point. We were able to recently hire the developer we were unable to hire earlier. The company is stable and expanding quickly.

Our customers recognise the value of the work we produce, and new customers come to us purely through word-of-mouth about the excellent support and security current customers receive. The technical and service-related aspects of our reputation thankfully haven't been damaged by Perens.

It's important to note that the $3 million in damages sought was for Perens and Does 1-50, including the anonymous troll posing as a lawyer who was the source for Perens' statements.

How much do you charge for a Grsecurity subscription (stable and stable plus pro support)?

There are many factors involved in producing a quote: for instance, if any specialised hardware needs to be purchased to support a particular customer effectively (since we support a wide variety of architectures). In general, the pricing is tiered, with discounts available for academic and non-profit organisations. Anyone interested is encouraged to either fill out the contact form on the website, or email contact@grsecurity.net. We have full-time sales staff who can help answer any questions they may have.

What do you plan to do in the future to mitigate the effects of this court decision?

We've already taken appropriate measures to ensure the continued stability of the company and prepare for any eventuality. Over the years, we have mostly kept to ourselves and focused on our work, but recent events have taught us that if we don't put our own history out there, someone else will write it for us. So we'll be putting more effort into that. Now that we're actually able to discuss the matters involving the case, I hope the public will soon see the commonsense facts of the matter.

For instance, under Perens' interpretation of the GPL, it would be a violation to refuse to support someone who modifies the GPL'd code you provided them. I think when people think about it this way, it's clear that 1) under this interpretation, everyone would be a GPL violator, and 2) things like future updates, support, and warranty, are completely separate offerings that the GPL has no control over.

I also think this whole situation has damaged the reputations of the GPL experts [whom] the public trusts. As we mentioned in our briefs, the public looks to them to provide factual, well-reasoned information. When one expert is saying one thing and the rest — including the creators of the GPL — are saying something completely different, the GPL begins to look a little arbitrary and like something companies want to avoid. The experts involved would need to do some work of their own to repair that confidence and provide certainty.

Would you agree that your approach to people (possibly to customers too, certainly in my case) could be a little less aggressive in order to build relationships rather than treating everyone as an adversary?

We have great, professional relationships with all of our customers. It is a completely different experience from our end, compared to dealing with people who view you not as a person, but as a means to get something free. I've seen many others in free software get burnt out by the culture of entitlement that exists. Even when we were providing Grsecurity free, users were always impressed with the speed and quality of support they received. I guess that level of support is unheard of in the commercial world, so our paying customers are even more surprised and thankful for it. It's one of my favorite aspects of the work we do.

If you're referring to our relationship with certain kernel developers (it's not all, we actually have very good relationships with some), I would remind your readers that in many instances that goes both ways. For instance, Linus [Torvalds, the creator of Linux] had his "garbage" quote moment that you and other news sites rushed to publish for the sensational aspect of it. Yet no one mentioned that he called them "garbage" only because we hadn't split them up into little pieces for them free, for work that they happily ignored (or were otherwise hostile and dismissive of) for many years.

We had actually had someone meet Linus at a conference to ask him if he would correct that statement, knowing the way in which it was being misleadingly reported, but he would not. Again, nothing we can do about that.

When small parts of our work were being incorporated by the Kernel Self Protection Project (KSPP), often badly, and sometimes without appropriate credit, we had made a proposal to several companies behind the project to assist them full-time in upstreaming, security training, and other matters, provided that we were able to still have time to continue to work on new Grsecurity features.

Had any of them agreed, it would have eliminated any possibility of a company around Grsecurity, but we were willing to do it at the time to solve the problem they had created without having to take the action we did that affected our users. Unfortunately, none of the companies were interested in paying for the proposal.

At this point, I think that [our] relationship with certain developers is too far gone. It's partially a philosophical disagreement. We've long objected to their intentional covering up of security vulnerabilities, and would view our assistance to them as enabling that practice. Today, we're happy doing our own thing, just as we've been doing for the past 20 years. I very rarely post on mailing lists, haven't commented on LWN [Linux Weekly News, a site run by kernel developer Jonathan Corbet] for several years, etc. The people I'm dealing with on a daily basis now are our customers – it keeps me busy, and it's great.

A major contributor to the conflict is that there's a subsection of people who are offended by our very existence. The fact that upstream Linux security isn't very good, and that something that doesn't exist upstream has been better for many years triggers some very primitive responses. I think if people look at any of our recent blogs, like this one or this, there's nothing hostile about them at all. Yet some of the feedback that appears in response to them is completely [and] unnecessarily hostile - [merely] for pointing out bugs of all things and issues in processes that could be fixed to produce a better result for everyone.

I don't know that there's much we can do to control the response of that kind of fanatical base, other than simply not report on bugs in public.

But yes, depending on the situation, I can be overly direct, as I know you can as well :).

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
