Monday, 10 February 2020 10:42

Linux kernel patch maker says court case was only way out

By Sam Varghese

Brad Spengler: "It seems like there's a lot of politics going on behind the scenes, with which we have no involvement." Supplied

The head of security firm Open Source Security, Brad Spengler, says he had little option but to file a lawsuit against open source advocate Bruce Perens, who alleged back in 2017 that security patches issued for the Linux kernel by OSS violated the licence under which the kernel is distributed.

The case ended last week with Perens coming out on the right side of things; after some back and forth, a court doubled down on its earlier decision that OSS must pay Perens' legal costs as awarded in June 2018.

The dispute began in August 2017 over remarks that Perens made about the OSS patches, collectively referred to as Grsecurity. In those remarks, Perens described OSS' efforts as presenting "a contributory infringement and breach of contract risk".

The issue centres around the General Public Licence version 2 under which the Linux kernel is distributed. It specifies that if anyone distributes any software covered by this licence, then source code has to be offered as well. Exceptions are made for code that is not a derivative of the original software.

In his comments, Perens said people should avoid using the Grsecurity patch. "It (the patch) is a derivative work of the Linux kernel which touches the kernel internals in many different places. It is inseparable from Linux and cannot work without it," he wrote.

"It would fail a fair-use test (obviously, ask offline if you don’t understand). Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 licence, or a licence compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2."

But OSS disputed this interpretation, saying its subscription agreements for Grsecurity gave it the right to terminate a client's subscription, were he/she to redistribute the code for the patches to a third party.

The only limit being placed, OSS argued, was restricting that person's access to future updates or versions (that is, patches that have not yet been developed, created, or released), if the patches were redistributed outside of the explicit obligations under the GPLv2 to the client’s customers.

The details of the case, along with links to earlier hearings, are here.

iTWire contacted Spengler soon after the case ended, as he had promised to speak at length about the issue once all legal issues were done and dusted. Queries submitted by iTWire along with Spengler's answers in full are given below:

iTWire: Do you have regrets about going to court over Perens' statement and not attempting to settle it through third parties whom both of you know?

Spengler: The only third parties I know of are the FSF [Free Software Foundation] and the SFC [Software Freedom Conservancy]. I don't know what other parties Perens may know, as he's never contacted us before. On our blog here, we provided a copy of mails for the public that to-date have not been answered by the FSF. Indeed, I do believe that had anyone else prominent in the community spoken up to defend our reputation, it may not have ultimately been necessary to pursue a case of defamation. That that didn't happen whatsoever I don't think is anything we can control - we can't force people who will not respond to us to respond.

Not only will they not respond to us, but we're aware of at least one other [entity] the FSF stopped speaking to completely after they pressed the FSF to look into this matter. As someone who spent half his life creating free security software for the public, and a former SFC supporter myself, I think it's a sad situation and [has] soured my perception of these groups in general. The damage was done very quickly, spread out over many tech news sites and translated into several languages.

It seems like there's a lot of politics going on behind the scenes, with which we have no involvement. Why neither the FSF nor SFC called out Perens when he was the clear outlier here, I don't know. I'd like to know, and I'm sure many others would too, but my impression is they're hoping this will all blow over, none of it will stick to them, and it'll just be our reputation [that's] ruined in the process.

Is there any previous animus between you and Perens which may have contributed to his making this statement, the one that led to the lawsuit?

Not at all, this whole situation completely came out of left field. Not only no animus, but we've also never even spoken or even been in the same building as each other. As we mentioned on our blog, there was an anonymous troll infamous in the community known as "MikeeUSA" who had been harassing us for some time, and women in open source for even longer. He poses as a lawyer and provided the legal theories that Perens repeated to a worldwide audience. The same troll attempted to bait RMS [Richard Stallman, head of the FSF], Eben Moglen, and Bradley Kuhn [both well-known figures in the free software world] as well, but none of them took the bait.

I would like to think that Perens now realises he was wrong and acted recklessly, knowing that Red Hat has had similar subscription agreements for two decades, and that the FSF has said in the past that subscription agreements identical to ours are compliant with the GPL. They were very clear that the GPL does not demand providing future services like updates or support to a person just because you provided them with a copy of your work (that they are free to do what they want with).

If Perens is a man of integrity, once the lawsuit is fully complete and he and his lawyers have cashed their cheques, I do hope he acknowledges he was wrong and got caught up in what he was being told by an anonymous troll. In his rush for justice, where he didn't bother to contact us ahead of time, or even see a copy of our subscription agreement (where it affirms that customers have all the rights and obligations of Grsecurity's licence, the GPLv2), he ended up getting way ahead of himself and the facts.

He doesn't have to like subscription agreements like the ones Red Hat and we have, he's free, of course, to believe they're against the "spirit" of the GPL (if there's any of that left), but if he does apologise for his statements I'd welcome that and would forgive him. I realise that he may have already felt that, but due to the ongoing legal matter, wouldn't have been able to express it. We'll see.

To what extent (a money figure, if possible) do you reckon Perens' claims have cost you in terms of business?

It's hard to say. We submitted in court the number of potential customers we had been in talks with around the time of Perens' post that ended up not coming to fruition. Just adding up the quoted amounts was a significant sum of money, but without asking each potential customer and getting honest answers, we won't know. Had the case gone to a jury trial, that's something that we would have done as part of that process.

The larger problem was that it hurt the trajectory of the company and eliminated any goodwill we had. As mentioned in the court documents, we had been in the process of bringing on an additional kernel developer, which had to be put on hold. We've had to deal with many expenses as a result of this that we otherwise wouldn't have had to deal with (or at least not nearly as soon).

We have had to work twice as hard, with many sleepless nights, particularly around the time that [processor vulnerabilities] Meltdown and Spectre were announced. But as a result of that effort, the company is doing well now, albeit not as well as it could have been doing at this point. We were able to recently hire the developer we were unable to hire earlier. The company is stable and expanding quickly.

Our customers recognise the value of the work we produce, and new customers come to us purely through word-of-mouth about the excellent support and security current customers receive. The technical and service-related aspects of our reputation thankfully haven't been damaged by Perens.

It's important to note that the $3 million in damages sought was for Perens and Does 1-50, including the anonymous troll posing as a lawyer who was the source for Perens' statements.

How much do you charge for a Grsecurity subscription (stable and stable plus pro support)?

There are many factors involved in producing a quote: for instance, if any specialised hardware needs to be purchased to support a particular customer effectively (since we support a wide variety of architectures). In general, the pricing is tiered, with discounts available for academic and non-profit organisations. Anyone interested is encouraged to either fill out the contact form on the website, or email contact@grsecurity.net. We have full-time sales staff who can help answer any questions they may have.

What do you plan to do in the future to mitigate the effects of this court decision?

We've already taken appropriate measures to ensure the continued stability of the company and prepare for any eventuality. Over the years, we have mostly kept to ourselves and focused on our work, but recent events have taught us that if we don't put our own history out there, someone else will write it for us. So we'll be putting more effort into that. Now that we're actually able to discuss the matters involving the case, I hope the public will soon see the commonsense facts of the matter.

For instance, under Perens' interpretation of the GPL, it would be a violation to refuse to support someone who modifies the GPL'd code you provided them. I think when people think about it this way, it's clear that 1) under this interpretation, everyone would be a GPL violator, and 2) things like future updates, support, and warranty, are completely separate offerings that the GPL has no control over.

I also think this whole situation has damaged the reputations of the GPL experts [whom] the public trusts. As we mentioned in our briefs, the public looks to them to provide factual, well-reasoned information. When one expert is saying one thing and the rest — including the creators of the GPL — are saying something completely different, the GPL begins to look a little arbitrary and like something companies want to avoid. The experts involved would need to do some work of their own to repair that confidence and provide certainty.

Would you agree that your approach to people (possibly to customers too, certainly in my case) could be a little less aggressive in order to build relationships rather than treating everyone as an adversary?

We have great, professional relationships with all of our customers. It is a completely different experience from our end, compared to dealing with people who view you not as a person, but as a means to get something free. I've seen many others in free software get burnt out by the culture of entitlement that exists. Even when we were providing Grsecurity free, users were always impressed with the speed and quality of support they received. I guess that level of support is unheard of in the commercial world, so our paying customers are even more surprised and thankful for it. It's one of my favourite aspects of the work we do.

If you're referring to our relationship with certain kernel developers (it's not all, we actually have very good relationships with some), I would remind your readers that in many instances that goes both ways. For instance, Linus [Torvalds, the creator of Linux] had his "garbage" quote moment that you and other news sites rushed to publish for the sensational aspect of it. Yet no one mentioned that he called them "garbage" only because we hadn't split them up into little pieces for them free, for work that they happily ignored (or were otherwise hostile and dismissive of) for many years.

We had actually had someone meet Linus at a conference to ask him if he would correct that statement, knowing the way in which it was being misleadingly reported, but he would not. Again, nothing we can do about that.

When small parts of our work were being incorporated by the Kernel Self Protection Project (KSPP), often badly, and sometimes without appropriate credit, we had made a proposal to several companies behind the project to assist them full-time in upstreaming, security training, and other matters, provided that we were able to still have time to continue to work on new Grsecurity features.

Had any of them agreed, it would have eliminated any possibility of a company around Grsecurity, but we were willing to do it at the time to solve the problem they had created without having to take the action we did that affected our users. Unfortunately, none of the companies were interested in paying for the proposal.

At this point, I think that [our] relationship with certain developers is too far gone. It's partially a philosophical disagreement. We've long objected to their intentional covering up of security vulnerabilities, and would view our assistance to them as enabling that practice. Today, we're happy doing our own thing, just as we've been doing for the past 20 years. I very rarely post on mailing lists, haven't commented on LWN [Linux Weekly News, a site run by kernel developer Jonathan Corbet] for several years, etc. The people I'm dealing with on a daily basis now are our customers – it keeps me busy, and it's great.

A major contributor to the conflict is that there's a subsection of people who are offended by our very existence. The fact that upstream Linux security isn't very good, and that something that doesn't exist upstream has been better for many years triggers some very primitive responses. I think if people look at any of our recent blogs, like this one or this, there's nothing hostile about them at all. Yet some of the feedback that appears in response to them is completely [and] unnecessarily hostile - [merely] for pointing out bugs of all things and issues in processes that could be fixed to produce a better result for everyone.

I don't know that there's much we can do to control the response of that kind of fanatical base, other than simply not report on bugs in public.

But yes, depending on the situation, I can be overly direct, as I know you can as well :).


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
