
LWN.net Weekly Edition for June 13, 2002

SELinux and patents

SELinux is a distribution produced by the U.S. National Security Agency. It is based on the Linux Security Module architecture (which is not yet part of the 2.5 kernel). SELinux provides a whole set of mandatory access control features to protect parts of the system from each other. There is no "root" user in SELinux. Even if a server process is compromised, it is highly limited in the damage it can do to the rest of the system.

According to the license page, SELinux is freely distributable under the terms of the GPL. It looks like a high-quality and useful contribution to the Linux community.

There is a potential problem, however. Much of the actual work in the implementation of SELinux was done by Secure Computing Corporation (SCC). SCC, in its implementation of SELinux, used a technology that it calls type enforcement. As it turns out, SCC has a patent on this technology.

Concerns over the type enforcement patent are not new - they were first raised back in 2000. At that time, SCC put up an SELinux FAQ stating:

Question 6: Will SCC use its patent on Type Enforcement™ to restrict use, future development, derivative work, or release of the source code of the system?

There will be no restrictions on the use of TE by the Linux open source community.... We will release source code for all the modifications to the existing kernel and for a general-purpose security policy engine under the GPL.

Recently, this page has been removed from the SCC web site - a move which should be of concern to anybody who is relying on web-based promises about access to patented technology. For now, the cached copy on Google is still available, though. Grab a copy while you can - web-posted promises can be ephemeral things.

More recently, in a conversation on the Linux Security Module list, an SCC employee made a rather different statement:

SELinux includes Type Enforcement technology developed and patented by the Secure Computing Corporation, who still holds rights to all commercial use of the technology. Before a colo company, or anyone else uses the technology commercially, it will be necessary to negotiate a license with Secure Computing. If anyone wants to do so, I can help get the ball rolling with our Legal and BD folks.

This, of course, puts a damper on many possible uses of SELinux, as well as negating any claims of GPL licensing. Projects which have used some of the SELinux code, such as the Debian SE effort, are having to reconsider.

It would appear that SCC has not really decided what its policy is going to be; a message has been posted stating:

We would like to set the record straight with a clear statement, and we will do that soon. However, we want to avoid creating more confusion, so we are going to take a little time to reflect before we respond. My initial response was intended to let people know that the licensing issues have not yet been resolved.

So, SCC may eventually do the right thing (from the free software community's point of view) and preserve the free licensing of SELinux. (This cause will probably not be helped by sending inflammatory mail, by the way.) Either way, this situation shows, yet another time, the sort of threat that software patents pose to free software.


Deersoft announces its existence

A press release hit the wires on June 12: a new company called "Deersoft" announced its existence as a spam-fighting company. Deersoft, as it turns out, is an attempt to commercialize SpamAssassin, a highly effective, free spam filtering system.

SpamAssassin is certainly a good base to start with. We first started using it here at LWN some months ago; as one might imagine, LWN's public email addresses get substantial amounts of spam. SpamAssassin filters out the vast majority of that spam (though, we notice, its hit rate has fallen a little recently) with almost no false positives. The SpamAssassin developers have provided us a real service.

Deersoft is following a reasonably common strategy for companies built around a free software package: offer a value-added, proprietary version of the program. In this case, Deersoft is selling "SpamAssassin Pro," which brings SpamAssassin's capabilities to Microsoft Outlook. A 30-day demo version can be downloaded from the company's web site.

The idea of charging Outlook users as a way of supporting SpamAssassin development has a certain appeal. There is, however, a considerable list of contributors who were, it seems, not asked whether it was permissible to distribute their code under a proprietary license. SpamAssassin is licensed under the Artistic License, which is a little vague on just when this sort of distribution is allowed. LWN has talked with a couple of people who have contributed code to SpamAssassin; they recognize the significant role that Deersoft principal Craig Hughes has taken in SpamAssassin development and seem to not begrudge the use of their contributions in this manner.

One hopes that development of the free version of SpamAssassin will continue. The press release makes encouraging noises in that regard:

Craig Hughes makes his ongoing dedication to the open software community clear, "Deersoft is committed to supporting the open source community, and is pleased to announce the release today of SpamAssassin(TM) 2.3.0."

The lack of an actual 2.3.0 release on SpamAssassin.org as of this writing, one presumes, is just the result of some last-minute delays.

Free software companies have had a hard time since the bubble burst; it really is harder to make money when the code is freely available. SpamAssassin is a great counterexample to the often-made claim that free software can only imitate, not innovate. Wouldn't it be nice if it also helped provide a good example of a successful business built around free software?


The Alexis de Tocqueville Institution report

The report issued by the Alexis de Tocqueville Institution has been extensively covered elsewhere. For those who may have missed it, here are the core points:
  • The "open source helps terrorists" line that featured prominently in the advance press release is gone. Security issues are touched on, and the "security through obscurity" argument for proprietary software is presented, but the claim that open source assists terrorism has been deemphasized.

  • Instead, the report is another attack on the GPL, featuring most of the usual arguments and some new ones as well. For example, the report claims that processing your code with a GPL-licensed tool (i.e. emacs or gcc) could force your code to be released under the GPL, which is nonsense.

  • The quality of the research and writing is, in general, not what one would expect.

There are persistent claims that this report was directly funded by Microsoft, though nothing has been demonstrated in any definitive way. For the curious, this PoliTech posting documents many of the (numerous) past ties between Microsoft and the Institution.

(See also: this point-by-point rebuttal to the report by Leon Brooks.)


Page editor: Jonathan Corbet


Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds