Article on GRSecurity, RMS, etc.
Xen
list at xenhideout.nl
Mon Jun 6 11:34:38 UTC 2016
concernedfossdev at teknik.io wrote on 05-06-2016 7:01:
> Soylent news has published an article/discussion on GRSecurity, RMS,
> etc
> If you're interested it's here:
> https://soylentnews.org/article.pl?sid=16/06/02/214243

You know, at risk of sparking more controversy here:

That article only summarizes your article and your response from RMS you
have already posted, here, but adds nothing else.

But here is one comment from the comments:

"The Grsecurity devs have been providing, and continue to provide an
unbelievably valuable service to the planet, for free and against huge
opposition, for 15 years. Their gpl patchset for the latest linux
kernel, with the latest features is free. It contains a feature (RAP)
that kills ROP via func ptr abuse, the basis for a total game change wrt
to kernel security. There were many years of totally unpaid work that
went into creating this. If you want to make a "stable" version of this
patch, you are free to do so.

The work that goes into designing and implementing these security
enhancements, then retrofitting them into the linux kernel, and
maintaining them, is beyond belief. I know because I have tried. Without
security expertise, a lot of these features would bit rot and not work
as intended within a very short space of time. Just what the "infosec"
industry and "sigint" people would like. Grsecurity has turned what is
most likely the least secure OS kernel into the most secure, by a large
margin. Everyone else in infosec has engaged in a huge circle jerk,
selling snake oil and forcing companies who can afford it into running
costly (and totally ineffective) network based counter intelligence
operations. When huge companies started to advertise that they used
"Grsecurity" while in reality they used some watered down variant with
most of the features turned off, giving nothing back, something clearly
had to be done.

If you are a big company and want to use Grsecurity with support, and
advertise as such, you now have to pay. You get perks for this over and
above support from the devs. There is nothing wrong with this. The only
other option that guarantees the vital independence of the devs is some
community support via a foundation or the like. The business "community"
just steals and infringes trademarks if they can get away with it,
preferring security theater over actual security. The user "community"
threatens legal beard action to wring every last drop of blood out of
the providers, so this option doesn't seem like a goer. Absolutely
hateful behavior against the few who try and succeed in improving real
world computer security."

Apparently a comment from a well-seasoned "infosec" developer. The
reality is that this is the only way conceivable for this person to make
a living doing this thing.

The reality is that it is a vast and substantial contribution spanning
millions of hours of work, so to speak.

The reality is also, which I have read more often, that Linus himself
kinda doesn't want to increase security if it could be costly over
performance. He is extremely reluctant to patch anything, to the point
of absurdity himself.

Now someone is making a living doing this, they suddenly want it?
They want in on the money? What is this?

I know firsthand how much "opposition" there can be against anything
that changes anything. You have a good idea? It will be opposed.

My own life in the Linux world is constant opposition.

Every idea you bring to the table gets shot down.

You get no support for anything you want to do. If it doesn't agree with
them, you've already lost.

They want the code you have yet to produce, but they will try to prevent
you from producing it.

Then if you do manage to produce it on your own, they want it, and if
they like it after all, they will take it.

And that is the issue I have with Linux.
---------------------------------------------------
They will try to prevent you from doing your thing, ostracizing you from
the community.
If you have then done it on your own, they want the benefits regardless,
for their own purposes, and their own gain.
---------------------------------------------------
This is just what is happening here as well. Same experience, same
facets. Just greedy people. There have been innumerable opportunities to
integrate it into the mainline kernel, I'm sure.

But you people try to frame it into the language of that GRsecurity is
now stealing from the Linux developers (from Linus).
That he is "taking" without "giving back".

No, the reality is that you are trying to take from him without giving
back, now that he has made a living out of it.

In Dutch the children say "What you say, you are yourself" or words to
that effect (What you say that another does, you are doing yourself).
"You are what you say I am".
---------------------------------------------------
You are what you say Bradley Spengler is.
---------------------------------------------------
So you know you can say this is about fairness and licenses, but all I
see is greed expressed. And that is fine. But don't make a living out of
it ;-).
More information about the Ubuntu-devel-discuss mailing list