GRsecurity is preventing others from employing their rights under version 2 the GPL to redistribute source code
concernedfossdev at teknik.io
Wed Jun 1 14:06:05 UTC 2016
I contacted them, they didn't seem to give a damn.
I went to the channel and sent emails.
No response to the emails, the channel log was as follows
(essentially: we have no money, and anyone can treat the GPL as the BSD license, it's all good in the end and if anyone doesn't like it they can bring the tort claims, we won't help)
Opensource has no teeth.
Some people claim that patches to the kernel aren't derivative works.
This has never been tested in court either way specifically for code patches.
Perhaps you and others could contact the SFC, I don't even know if my mails get through to them.
-30 gnu_user http://pastebin.ca/3614117
-39 kfogel gnu_user: I am not a lawyer, and I don't represent the Conservancy, but this does sound disturbing. It is not a new situation
even back in the 1990s, there were cases where some companies attempted to sign private contracts with customers whereby the
customers agreed to give up some of their rights under the GPLv2, as a condition of receiving patches under the GPLv2. My
memory is that the FSF determined this to be a violation of the GPL (on the patch
-39 kfogel supplier's part), but I am not positive of that, nor do I remember the specific parties involved. However, the case was very
similar to what you are describing with grsecurity.
-42 kfogel gnu_user: It is *quite* likely, by the way, that grsecurity is delivering slightly different patches (you know, whitespace
differences or trivial variable name differences, that sort of thing) to different customers, in order to be able to identify
who leaks a patch in violation of the contract. (See https://en.wikipedia.org/wiki/Trap_street for maps, but on a per-customer
-43 kfogel gnu_user: I'm pointing this out because some customer might be tempted to leak anonymously. They should be aware that they are
probably identifiable, unless they try to scrub the diff in some way (might be hard). If you can get multiple customers to
privately compare their patches, you can determine if grsecurity is using this technique.
-45 kfogel gnu_user: bkuhn knows a lot about GPL compliance; I hope he reads the above and can recommend and/or take some action.
-45 gnu_user kfogel: I hope so too.
-45 vmbrasseur IIRC, bkuhn may be in transit right now.
-45 gnu_user kfogel: this situation is not new to the law
-45 gnu_user companies do this all the time against one another and are brought to court for tort violations
-46 gnu_user the difference here is that they all have direct privity with each other
-46 gnu_user here the linux rightsholder does not have direct privity with the sublicensor that is prevented from redistributing
-47 gnu_user thus a quasi-contractual argument might have to be made
-47 kfogel gnu_user: Ah, sounds like you know much more about the history & context than I do anyway, good. Thanks for pointing this one
out I'm very curious to see what happens!
-48 gnu_user the remedy would likely be in equity thusly (since quasi-contract etc)
-50 -!- JordiGH [jordi] has joined #conservancy
-51 -!- kfogel [~Karl] has quit [Ping timeout: 258 seconds]
-52 -!- kfogel [~Karl] has joined #conservancy
-04 @bkuhn gnu_user: I'm familiar with the public discussion about the grsecurity situation. If a customer thinks they have a tort claim of
some sort under GPL in a situation like this, they should certainly bring it on their own.
-05 @bkuhn Whether it's a GPL violation depends on various details that I'm not privy to. Redistribution is not mandatory under GPL, so
there would have to be some sort of specific GPLv2 Section 6/7 problem shown.
-05 JordiGH Funding cuts have also tightened the conference travel budget, eh?
-05 @bkuhn JordiGH: huh?
-05 JordiGH Sorry, I thought you said you weren't at Pycon this year.
-06 @bkuhn JordiGH: if you are asking about PyCon, my talk wasn't accepted.
-06 JordiGH What was your proposal? Did you get any attention at all? Last time I submitted a talk, I'm sure nobody even looked at the
proposal beyond the title.
-06 @bkuhn JordiGH: I forget, anyway I was asked to keynote another conference elsewhere in the world tomorrow, so I am there now.
-07 JordiGH Oh! Neat! Where?
-07 @bkuhn JordiGH: http://oss2016.org/speakers
-08 JordiGH Finland!
-08 @bkuhn gnu_user: showing a GPLv2 Section 6 or 7 problem often requires seeing what written agreements people have with the party. If
someone has specifics, they can certainly report the violation officially to compliance at sfconservancy.org
June 1 2016 9:13 AM, "Sam Bull" <sam.hacking at sent.com> wrote:
> As somebody previously mentioned the first time you posted this, I'm
> not sure why this is relevant to Ubuntu development?
> Perhaps you should get in touch with the Software Freedom Conservancy,
> and see if there is anything they can do. https://sfconservancy.org
> On Tue, 2016-05-31 at 03:12 +0000, concernedfossdev at teknik.io wrote:
>> GRsecurity is preventing others from employing their rights under
>> version 2 the GPL to redistribute (by threatening them with a non-
>> renewal of a contract to receive this patch to the linux kernel.)
>> (GRsecurity is a derivative work of the linux kernel (it is a patch))
>> People who have dealt with them have attested to this fact:
>> "You will also lose the access to the patches in the form of grsec
>> not renewing the contract.
>> Also they've asked us (a Russian hosting company) for $17000+ a year
>> for access their stable patches. $17k is quite a lot for us. A
>> question about negotiating a lower price was completely ignored.
>> Twice." -- fbt2lurker
>> And it is suggested to be the case here as well:
>> "Do you work for some company that pays for Grsecurity? If so then
>> would you kindly exercise the rights given to you by GPL and send me
>> a tarball of all the latest patches and releases?" -- lolidaisuki
>> "sadly (for this case) no, i work in a human rights organization
>> where we get the patches by a friendly and richer 3rd party of the
>> same field. we made the compromise to that 3rd party to not
>> distribute the patches outside and as we deal with some critical
>> situations i cannot afford to compromise that even for the sake of
>> gpl :/
>> the "dumber" version for unstable patches will make a big problem for
>> several projects, i would keep an eye on them. this situation cannot
>> be hold for a long time" -- disturbio
>> Is this not tortious interference, on grsecurity's (Brad Spengler)
>> part, with the quasi-contractual relationship the sublicensee has
>> with the original licensor?
>> (Also Note: the stable branch now contains features that will never
>> make it to the "testing" branch, and are not allowed to be
>> redistributed, per the scheme mentioned above (which has been
>> successful: not one version of the stable branch has been released by
>> anyone, even those asked to do so, since the scheme has been put in
>> place (they say they cannot as they cannot lose access to the patch
>> as that may cost the lives and freedom of activists in latin
>> @xoreipeip @grsecurity they call it a "demo" version "20:14 <
>> spender> what's in the public version is < 1/5th the size of the full
>> oreipeip @grsecurity "20:21 < spender> also it wouldn't be as fast as
>> the commercial version [...] there are missing optimization passes"