SELinux is a security-enhanced Linux distribution produced by the U.S. National Security Agency. It is based on the Linux Security Module architecture (which is not yet part of the 2.5 kernel). SELinux provides a whole set of mandatory access control features to protect parts of the system from each other. There is no all-powerful "root" user in SELinux: even a process running as uid 0 is confined to what the policy grants its domain. So even if a server process is compromised, it is highly limited in the damage it can do to the rest of the system.
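To make concrete what "type enforcement" (the technology at the center of the licensing dispute below) actually looks like, here is a constructed fragment in the SELinux policy language. It is an added illustration, not code from the NSA release or from this article; the type names (httpd_t, shadow_t and so on) follow conventional SELinux naming but are assumptions for the example, and the fragment is not a complete loadable policy.

```selinux
# Constructed illustration of SELinux Type Enforcement (not from the
# NSA release or this article). Type names are conventional but assumed.

# Every subject and object carries a type; declare the ones used below.
type init_t;            # the domain that starts system services
type httpd_t;           # the domain a web server runs in
type httpd_exec_t;      # the web server's executable
type httpd_content_t;   # files the server is meant to serve
type shadow_t;          # /etc/shadow and friends

# Domain transition: when init_t executes a file of type httpd_exec_t,
# the new process enters httpd_t. All of these rules are required.
allow init_t httpd_exec_t : file { read getattr execute };
allow init_t httpd_t : process transition;
allow httpd_t httpd_exec_t : file entrypoint;
type_transition init_t httpd_exec_t : process httpd_t;

# What httpd_t may do: read its content tree and nothing else.
# Anything not explicitly allowed is denied, whatever the uid.
allow httpd_t httpd_content_t : dir { read getattr search };
allow httpd_t httpd_content_t : file { read getattr };

# A compile-time invariant: no rule anywhere in the policy may grant the
# web server domain access to shadow_t, even if someone adds one later.
neverallow httpd_t shadow_t : file { read write append };
```

The point of the fragment is the last two stanzas: a compromised web server running in httpd_t can read httpd_content_t and nothing else, and the neverallow rule makes the policy compiler reject any later rule that would widen that. On current kernels with the open_perms policy capability, file reads also require the open permission; the fragment shows the older, minimal form.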
According to the license page, SELinux is freely distributable under the terms of the GPL. It looks like a high-quality and useful contribution to the Linux community.
There is a potential problem, however. Much of the actual work in the
implementation of SELinux was done by Secure Computing Corporation
(SCC). SCC, in its implementation of SELinux, used a technology that it calls type enforcement. As it turns out, SCC has a patent on this technology.
Concerns over the type enforcement patent are not new - they were first
raised back in 2000. At that time, SCC put up an SELinux FAQ stating:
Question 6: Will SCC use its patent on Type Enforcement(TM) to restrict use, future development, derivative work, or release of the source code of the system?
There will be no restrictions on the use of TE by the Linux open source
community....
We will release source code for all the modifications to the existing
kernel and for a general-purpose security policy engine under the GPL.
Recently, this page has been removed from the SCC web site - a move which
should be of concern to anybody who is relying on web-based promises about
access to patented technology. For now, the cached
copy on Google is still available, though. Grab a copy while you can -
web-posted promises can be ephemeral things.
More recently, in a conversation on the Linux Security Module list, an SCC
employee made a rather different statement:
SELinux includes Type Enforcement technology developed and patented
by the Secure Computing Corporation, who still holds rights to all
commercial use of the technology. Before a colo company, or anyone
else uses the technology commercially, it will be necessary to
negotiate a license with Secure Computing. If anyone wants to do
so, I can help get the ball rolling with our Legal and BD folks.
This, of course, puts a damper on many possible uses of SELinux, as well as
negating any claims of GPL licensing. Projects which have used some of the
SELinux code, such as the Debian SE effort, are having to reconsider.
It would appear that SCC has not really decided what its policy is going to
be; a message has been posted stating:
We would like to set the record straight with a clear statement,
and we will do that soon. However, we want to avoid creating more
confusion, so we are going to take a little time to reflect before
we respond. My initial response was intended to let people know
that the licensing issues have not yet been resolved.
So, SCC may eventually do the right thing (from the free software
community's point of view) and preserve the free licensing of SELinux.
(This cause will probably not be helped by sending inflammatory
mail, by the way). Either way, this situation shows, yet another time, the
sort of threat that software patents pose to free software.
A press release hit the wires on June 12: a new company called "Deersoft" was announcing its existence as a spam-fighting company. Deersoft, as it turns out, is an attempt to commercialize SpamAssassin, a highly effective, free spam filtering system.
SpamAssassin is certainly a good base to start with. We first started
using it here at LWN some months ago; as one might imagine, LWN's public
email addresses get substantial amounts of spam. SpamAssassin filters out
the vast majority of that spam (though, we notice, its hit rate has fallen
a little recently) with almost no false positives. The SpamAssassin
developers have provided us a real service.
Deersoft is following a reasonably common strategy for companies built
around a free software package: offer a value-added, proprietary version of
the program. In this case, Deersoft is selling "SpamAssassin Pro," which
brings SpamAssassin's capabilities to Microsoft Outlook. A 30-day demo
version can be downloaded from the company's web site.
The idea of charging Outlook users as a way of supporting SpamAssassin
development has a certain appeal. There is, however, a considerable list of
contributors who were, it seems, not asked whether it was permissible
to distribute their code under a proprietary license. SpamAssassin is
licensed under the Artistic License, which is a little vague on just when
this sort of distribution is allowed. LWN has talked with a couple of people who have contributed code to SpamAssassin; they recognize the significant role that Deersoft principal Craig Hughes has taken in SpamAssassin development and do not seem to begrudge the use of their contributions in this manner.
One hopes that development of the free version of SpamAssassin will
continue. The press release makes encouraging noises in that regard:
Craig Hughes makes his ongoing dedication to the open software
community clear, "Deersoft is committed to supporting the open
source community, and is pleased to announce the release today of
SpamAssassin(TM) 2.3.0."
The lack of an actual 2.3.0 release on SpamAssassin.org as of this writing,
one presumes, is just the result of some last-minute delays.
Free software companies have had a hard time since the bubble burst; it
really is harder to make money when the code is freely available.
SpamAssassin is a great counterexample to the often-made claim that free
software can only imitate, not innovate. Wouldn't it be nice if it also
helped provide a good example of a successful business built around free
software?
The report issued by the Alexis de Tocqueville Institution has been extensively covered elsewhere. For those who may have missed it, here are the core points:
- The "open source helps terrorists" line that featured prominently in the advance press release is gone. Security issues are touched on, and the "security through obscurity" argument for proprietary software is presented, but the claim that open source assists terrorism has been deemphasized.
- Instead, the report is another attack on the GPL, featuring most of the usual arguments and some new ones as well. For example, the report claims that processing your code with a GPL-licensed tool (e.g., emacs or gcc) could force your code to be released under the GPL, which is nonsense: the GPL covers the distribution of the tool itself, not the output it produces from your input.
- The quality of the research and writing is, in general, not what one
would expect.
There are persistent claims that this report was directly funded by
Microsoft, though nothing has been demonstrated in any definitive way. For
the curious, this PoliTech posting documents many of the (numerous) past ties between Microsoft and the Institution.
(See also: this point-by-point rebuttal to the report by Leon Brooks).
Page editor: Jonathan Corbet