[kernel-hardening] Why does no one care that Brad Spengler of GRSecurity is blatantly violating the intention of the rightsholders to the Linux Kernel?

aconcernedfossdev at airmail.cc aconcernedfossdev at airmail.cc
Thu Jun 15 15:56:52 UTC 2017


Also Brad Spengler has been threatening legal action against an openwall 
developer back-porting features of Brad's wholly, non-standalone, 
derivative work.


He also calls GRSecurity an "Original Work", which it is not (see the 
Anime Subs cases for the court's opinion) (GRSecurity is such a 
non-standalone derivative work, so the Linux Licensing terms absolutely 
do apply (it's a patch that snakes through the whole of the Linux Kernel 
source tree, touching everything like a vine)).

Here's a quick rundown:
-------------------------------------

GRSecurity goes full commercial, no more free testing patches, threatens 
programmer trying to port.

(*1) https://lwn.net/Articles/723169/
(*2) 
https://www.phoronix.com/forums/forum/software/general-linux-open-source/948623-grsecurity-kernel-patches-will-no-longer-be-free-to-the-public?page=1
(*3) 
https://www.embedded-linux.de/18-news/886-grsecurity-nicht-mehr-kostenlos-verfuegbar
(*4) 
https://www.theregister.co.uk/2017/04/26/grsecurity_linux_kernel_freeloaders/

GRSecurity removes public testing patch - goes full commercial.

(*5) http://www.openwall.com/lists/kernel-hardening/2017/06/04/24

> "Don't worry about it, there's nothing for a "grateful" user like yourself
> to download anymore.  Boy, if I had more "grateful" users like yourself
> obsessed with harassing us on Twitter, Reddit, and IRC so that they
> can go around and paint themselves as some kind of victim, I wouldn't
> know what to do with myself.
> 
> -Brad"


Brad Spengler prevents a private purchaser from redistributing the 
source code via contract clauses between him and them: thus willfully 
frustrating the purpose of the license HE was granted by the linux 
kernel rightsholders. This is another reason a court may find him in 
violation of the license grant of the GPL. As we discussed previously. 
(See: ****)

Also Brad Spengler threatens others with lawsuit in a nearly transparent 
attempt to get them to stop porting over the work:

> " This stops *now* or I'm sending lawyers after you and

(*6) http://www.openwall.com/lists/kernel-hardening/2017/06/03/14

> Guys, this is your *last warning*.  This stops *now* or I'm sending lawyers
> after you and the companies paying you to plagiarize our work and violate
> our *registered* copyright (which for the record entitles us to punitive
> damages which now are very easily provable).  It's time to get serious
> about attribution -- what you are doing is completely unacceptable.  I'm
> already in contact with lawyers to prepare for the next time this happens.
> If any of this plagiarized and misattributed code actually made it into
> the Linux kernel, you'd all be in a world of pain.

Here Brad Spengler threatens a copyright infringement lawsuit regarding 
his non-original wholly-derivative work.
(An original work stands alone). This while he threatens those paying 
customers who might redistribute the work (see: **** below).



Note: Copyright licenses (like any license to use the property of 
another (copyright is freely alienable in the same way real property 
is)) are freely revocable unless barred by estoppel. The GPL v2 lacks a 
no-revocation clause thus estoppel would be more difficult to argue 
(additionally none of the "agreeing parties" have ever met each other).

Note2: GrSecurity is a derivative work of the linux kernel, it is 
non-separable: it wholly relies on the linux kernel source code to work.
Courts in both the US and Germany have reaffirmed that if a work based 
on another work cannot stand alone it is clearly a derivative work.
(See the Anime Subtitles case from a few years ago) (See page 6 of the 
phoronix discussion at *2 for a review)

Note3: The linux kernel is not under joint copyright, it is simply a 
collection of derivative work upon derivative work.

A simple solution is for one or many of the rightsholders to the code 
GRSecurity is derived from/ modifies to rescind Brad Spengler's license 
to use or modify their code.

Additionally copyright violation claims can be filed as Brad Spengler 
has reportedly attempted to frustrate the purpose of the agreement that 
allows him to modify the linux kernel in the first place; placing 
additional restrictions to prevent redistribution of the sourcecode (a 
court would not be fooled by such a scheme).

(Additionally there were third parties who contributed to the GRSecurity 
code base when it was publicly distributed.)


Other snippets from (*5) include Mr Spengler's unhappiness with the 
publication of his scheme and RMS's opinion of it:
> ... It has been nearly 4 months now and despite repeated follow-ups, I still
> haven't received anything back more than an automated reply. Likewise
> regarding some supposed claims by RMS which were published last year by
> internet troll mikeeusa -- I have been trying since June 3rd of last
> year to get any response from him, but have been unable to. So when you ...

RMS' opinion can be seen here:
(*7) https://lists.debian.org/debian-user/2016/06/msg00020.html

> Re: GRsecurity is preventing others from employing their rights under 
> version 2 the GPL to redistribute source code
> Richard Stallman  (May 31 2016 10:27 PM)
> 
> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> 
> If I understand right, this is a matter of GPL 2 on the Linux patches.
> Is that right?  If so, I think GRsecurity is violating the GPL on
> Linux.
> 
> --
> Dr Richard Stallman
> President, Free Software Foundation (gnu.org, fsf.org)
> Internet Hall-of-Famer (internethalloffame.org)
> Skype: No way! See stallman.org/skype.html.


(****)
GRsecurity is preventing others from employing their rights under 
version 2 the GPL to redistribute
(by threatening them with a non-renewal of a contract to receive this 
patch to the linux kernel.)
(GRsecurity is a derivative work of the linux kernel (it is a patch))

People who have dealt with them have attested to this fact:
https://www.reddit.com/r/KotakuInAction/comments/4grdtb/censorship_linux_developer_steals_page_from_
andi
"You will also lose the access to the patches in the form of grsec not 
renewing the contract.
Also they've asked us (a Russian hosting company) for $17000+ a year for 
access their stable
patches. $17k is quite a lot for us. A question about negotiating a 
lower price was completely
ignored. Twice." -- fbt2lurker

And it is suggested to be the case here as well:
https://www.reddit.com/r/linux/comments/4gxdlh/after_15_years_of_research_grsecuritys_rap_is_here
"Do you work for some company that pays for Grsecurity? If so then would 
you kindly exercise the
rights given to you by GPL and send me a tarball of all the latest 
patches and releases?" --
lolidaisuki
"sadly (for this case) no, i work in a human rights organization where 
we get the patches by a
friendly and richer 3rd party of the same field. we made the compromise 
to that 3rd party to not
distribute the patches outside and as we deal with some critical 
situations i cannot afford to
compromise that even for the sake of gpl :/
the "dumber" version for unstable patches will make a big problem for 
several projects, i would
keep an eye on them. this situation cannot be hold for a long time" -- 
disturbio







On 2017-06-15 15:51, aconcernedfossdev at airmail.cc wrote:
> It's an obvious blatant violation. He is not allowed to add additional
> terms, but being a "clever" programmer it seems that he has decided
> that because the additional term that he (and seemingly PaxTeam) has
> imposed is not written within the four corners of license grant
> document but instead is communicated in some other way that
> """""doesn't make it an additional term""""" and he has """"cleverly
> circumvented the linux copyright terms"""", which obviously is not the
> case but other random programmers will argue and swear it's fine till
> hell freezes over and get very angry when someone with a legal
> background informs them otherwise.
> 
> I think many people are not aware of the violation because it's only
> been a month since GRSecurity pulled the sourcecode: it was almost a
> moot point before then with no real damage. Such is no longer the
> case.
> 
> On 2017-06-15 15:43, Greg KH wrote:
>> On Thu, Jun 15, 2017 at 03:34:06PM +0000, aconcernedfossdev at airmail.cc wrote:
>>> Why does no one care that Brad Spengler of GRSecurity is blatantly violating
>>> the intention of the rightsholders to the Linux Kernel?
>>> He is also violating the license grant, Courts would not be fooled by his
>>> scheme to prevent redistribution.
>>> 
>>> The license grant the Linux Kernel is distributed under disallows the
>>> imposition of additional terms. The making of an understanding that the
>>> derivative work must not be redistributed (lest there be retaliation) is the
>>> imposition of an additional term. The communication of this threat is the
>>> moment that GRSecurity violates the license grant. Thence-forth
>>> modification, making of derivative works, and distribution of such is a
>>> violation of the Copyright statute. The concoction of the transparent scheme
>>> shows that it is a willful violation, one taken in full knowledge by
>>> GRSecurity of the intention of the original grantor.
>> 
>> If you feel that what they are doing is somehow violating your copyright
>> on the Linux kernel, then you have the right to take legal action if you
>> so desire.  To tell others what to do, however, is not something that
>> usually gets you very far in the world.
>> 
>> Best of luck!
>> 
>> greg k-h
