
A 'Statement of Assurance' on SELinux patents

The June 13, 2002 LWN Weekly Edition looked at the "type enforcement" patents held by Secure Computing Corporation, and how those patents could threaten the distribution and use of the NSA SELinux distribution. Now SCC has issued a new statement with regard to those patents:

...it is the policy of Secure Computing to retain and enforce its rights in all of its patents and other intellectual property. In this case, we have decided to make an exception to that policy, and to support the reasonable expectations of the open source community

SCC has also posted on its website a "statement of assurance" (in PDF format) with the details of its policy toward SELinux. This statement is worth a close look; many users may find it rather less than assuring.

Here is the core of what SCC promises:

Subject to the limitations described in this Statement of Assurance, Secure Computing will not assert the Subject Patent Rights with respect to any use, modification, or distribution of SELinux software that is permitted by, and is in compliance with, the terms and conditions of Version 2 of the GNU General Public License.

In case that isn't clear enough, consider this other paragraph from the Statement:

No license is granted in this Statement of Assurance with respect to the Subject Patents, or any other patent or other intellectual property right, or software or other product.

Other companies which have tried to make software patents work with free software (i.e. FSMLabs, Red Hat) have licensed the patent(s) for the uses they permit. SCC has done no such thing; they just say they won't come after you if you meet the requirements. You're still legally infringing the patent; SCC just agrees to look the other way.

If you were thinking about using SELinux in a product, or as part of a larger service offering, you should already be pretty nervous about a "statement of assurance" that does not actually grant the right to use the relevant patents. There is more, though. For example:

Secure Computing reserves the right to assert the Subject Patent Rights with respect to VPN gateways, perimeter and distributed firewalls, URL filtering, authentication and authorization for applications, hosts, and devices, and other products, features and functions that are beyond the scope of the Assurance. The use or distribution of such products, features, or functions with SELinux will not make the Assurance applicable to them.

Translated into English, this phrase is telling us that the "statement of assurance" only applies if you're not actually doing anything related to security. Or anything else, for that matter: what Linux system doesn't handle "authorization for devices"?

There are a few other details that jump out when one reads this "statement of assurance":

  • It only applies to SELinux; no other free software may use the patents. Neither can "software that merely interoperates with SELinux". The obvious next question is: what, exactly, is SELinux, and what "merely interoperates" with SELinux? Just about any application could be excluded by this language.

  • SCC reserves the right to sell its patents to somebody else without requiring them to uphold what few guarantees this statement provides. When SCC gets tired of SELinux, it need only sell the patents to a subsidiary and it's all over.

  • SCC states that it may have "other patents," and that those patents are not covered by the statement.

And, of course, if you still feel that this statement is sufficiently assuring, bear in mind that it's not a contract, it's just another transient promise hosted on a web site. SCC's previous web-hosted statement, remember, was:

We plan to provide the security enhancements made to Linux under this project to the community without restriction in full compliance with the letter and spirit of the GPL.... There will be no restrictions on the use of TE [type enforcement] by the Linux open source community. We believe that leveraging the resources of the Linux community is the best way to develop robust security for Linux.

That promise vanished from SCC's site in June, though it can still be found via the web archive project; it has been replaced by something that, by any account, is not "without restriction." What reason is there for anybody to believe that this "statement of assurance" will be any less ephemeral?

It seems that SCC is trying to create the appearance of working with the free software community without actually giving anything away. Instead, the company has used U.S. taxpayers' money to embed its own proprietary technology into what was a free system. SELinux brought a lot of energy to the secure Linux development process; among other things, it was one of the driving forces behind the development of the Linux Security Module patches, which are currently being integrated into the 2.5 kernel. SELinux itself, however, will have a hard time recovering from its patent problems. The secure Linux that we use in the future may have to be based on some other technology.



A 'Statement of Assurance' on SELinux patents

Posted Aug 1, 2002 5:26 UTC (Thu) by loening (guest, #174) [Link] (3 responses)

hmmm, perhaps an amended version of the GPL could be used with the kernel to try to prevent stuff like this happening again.... something along the lines of adding a clause so as to restrict the implementation of patented technologies into the kernel unless that patented technology is made freely useable by all in the context of the kernel....

A 'Statement of Assurance' on SELinux patents

Posted Aug 1, 2002 16:44 UTC (Thu) by leonb (guest, #3054) [Link] (2 responses)

From the GPL preamble:

 Finally, any free program is threatened constantly by software
 patents.  We wish to avoid the danger that redistributors of a free
 program will individually obtain patent licenses, in effect making the
 program proprietary.  To prevent this, we have made it clear that any
 patent must be licensed for everyone's free use or not licensed at all. 

From clause 7:

 For example, if a patent
 license would not permit royalty-free redistribution of the Program by
 all those who receive copies directly or indirectly through you, then
 the only way you could satisfy both it and this License would be to
 refrain entirely from distribution of the Program.

It seems that SELinux is already illegal.

SCC violating the GPL ?

Posted Aug 7, 2002 14:24 UTC (Wed) by riel (subscriber, #3142) [Link]

Would this mean SCC no longer has the right to use or distribute Linux ?

A 'Statement of Assurance' on SELinux patents

Posted Aug 7, 2002 22:29 UTC (Wed) by ejhuff (guest, #3150) [Link]

There was a fair amount of discussion on the SELinux mailing list. See for example, this message and replies on the SELinux list. These are all old patents. They expire in a few years.
          Publication   / Filing        / Likely expiration
US4713753 Dec. 15, 1987 / Feb. 21, 1985 / Feb. 21, 2005
US4621321 Nov.  4, 1986 / Feb. 16, 1984 / Feb. 16, 2004
US4701840 Oct. 20, 1987 / June 20, 1986 / June 20, 2006
Please note that the GPL does not require that patent licenses be explicit or irrevocable. I can distribute and use SELinux under the GPL until such time as some successor of SCC actually revokes the revocable patent license which SCC has implicitly granted.

It appears to me that SCC was paid a lot of money by the NSA to develop the initial implementation of SELinux. One would assume that the contract the NSA negotiated would include provision for a royalty-free patent license, but it might not require that SCC admit that it grants such a license. See also this message on the SELinux list.

I claim SCC has in fact granted a royalty-free revocable license to use the patents with SELinux and derivative works under GPL (all that the GPL requires), but they would rather that everyone think they have not granted such a license. They don't want anyone to work on SELinux. They don't want anyone to use SELinux. They just want to keep the money the NSA paid them. To achieve these goals, they need to use FUD, but probably they can't actually revoke the license without first repaying the NSA.

GPL and Patents

Posted Aug 1, 2002 17:14 UTC (Thu) by leonb (guest, #3054) [Link]

Interesting links about patents and GPL:

Raph Levien has several patents and a license for GPL programs. See http://www.levien.com/patents.html. Raph's license might even be more liberal than it looks: I still wonder whether a proprietary linux application (such as Oracle) can be said to be "practiced in conjunction" with software distributed under the GPL (such as the kernel or glibc).

The DjVuLibre project comes with a recently updated patent license. See http://djvu.sourceforge.net/licensing.html. It is slightly more restrictive than Raph's licence, but still free enough to have DjVuLibre listed in the FSF free software directory.

The DjVuLibre license was obtained because we (the djvulibre developers) maintained a constructive discussion with the Lizardtech lawyers. Without such a discussion, a corporate lawyer is tempted to produce a non-license and to convince himself that this will be good enough for the free software community. What do they know, after all?


Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds