A 'Statement of Assurance' on SELinux patents
[Posted July 30, 2002 by corbet]
The June 13, 2002 LWN Weekly
Edition looked at the "type enforcement" patents held by Secure
Computing Corporation, and how those patents could threaten the
distribution and use of the NSA SELinux distribution. Now SCC has issued
a new statement with regard to those patents:
...it is the policy of Secure Computing to retain and enforce its
rights in all of its patents and other intellectual property. In
this case, we have decided to make an exception to that policy, and
to support the reasonable expectations of the open source community
SCC has also posted on its website a "statement of assurance" (in PDF
format) with the details of its policy toward SELinux. This statement
is worth a close look; many users may find it rather less than assuring.
Here is the core of what SCC promises:
Subject to the limitations described in this Statement of
Assurance, Secure Computing will not assert the Subject Patent Rights with
respect to any use, modification, or distribution of SELinux
software that is permitted by, and is in compliance with, the terms
and conditions of Version 2 of the GNU General Public License.
In case that isn't clear enough, consider this other paragraph from the
Statement:
No license is granted in this Statement of Assurance with respect
to the Subject Patents, or any other patent or other intellectual
property right, or software or other product.
Other companies which have tried to make software patents work with free
software (i.e. FSMLabs, Red Hat) have licensed the patent(s) for the uses
they permit. SCC has done no such thing; they just say they won't come
after you if you meet the requirements. You're still legally infringing
the patent; SCC just agrees to look the other way.
If you were thinking about using SELinux in a product, or as part of a
larger service offering, you should already be pretty nervous about a
"statement of assurance" that does not actually grant the right to use the
relevant patents. There is more, though. For example:
Secure Computing reserves the right to assert the Subject Patent
Rights with respect to VPN gateways, perimeter and distributed
firewalls, URL filtering, authentication and authorization for
applications, hosts, and devices, and other products, features and
functions that are beyond the scope of the Assurance. The use or
distribution of such products, features, or functions with SELinux
will not make the Assurance applicable to them.
Translated into English, this phrase is telling us that the "statement of
assurance" only applies if you're not actually doing anything related to
security. Or anything else, for that matter: what Linux system doesn't
handle "authorization for devices"?
There are a few other details that jump out when one reads this "statement
of assurance":
- It only applies to SELinux; no other free software may use the
patents. Neither can "software that merely interoperates with
SELinux." The obvious next question is: what, exactly, is
SELinux, and what "merely interoperates" with SELinux? Just about any
application could be excluded by this language.
- SCC reserves the right to sell its patents to somebody else without
requiring them to uphold what few guarantees this statement provides. When
SCC gets tired of SELinux, it need only sell the patents to a
subsidiary and it's all over.
- SCC states that it may have "other patents," and that those patents
are not covered by the statement.
And, of course, if you still feel that this statement is sufficiently
assuring, bear in mind that it's not a contract, it's just another
transient promise hosted on a web site. SCC's previous web-hosted
statement, remember, was:
We plan to provide the security enhancements made to Linux under
this project to the community without restriction in full
compliance with the letter and spirit of the GPL.... There will be
no restrictions on the use of TE [type enforcement] by the Linux
open source community. We believe that leveraging the resources of
the Linux community is the best way to develop robust security for
Linux.
That promise vanished from SCC's site in June, though it can still be found
via the web archive project; it has been replaced by something that, by any
account, is not "without restriction." What reason is there for anybody to
believe that this "statement of assurance" will be any less ephemeral?
It seems that SCC is trying to create the appearance of working with the
free software community without actually giving anything away. Instead,
the company has used U.S. taxpayers' money to embed its own proprietary
technology into what was a free system. SELinux brought a lot of energy to
the secure Linux development process; among other things, it was one of the
driving forces behind the development of the Linux Security Module patches,
which are currently being integrated into the 2.5 kernel. SELinux itself,
however, will have a hard time recovering from its patent problems. The
secure Linux that we use in the future may have to be based on some other
technology.