OpenSSL after Heartbleed

As far as I know, the LF/CII is not paying for Kees Cook's work. There are a large number of engineers who are working on the Kernel Self Protection Project, and many of them are sponsored by the employers to do so as part of their day job. To the extent that many of these companies happen to be members of the Linux Foundation is really besides the point. Each of these companies have made their own, rational decision that it is in their best interest to collaborate together to make the upstream kernel better with respect to security.

Similarly, a few words about how the CII works. The CII was fundamentally about large companies getting together to donate money into a common pot to help fund work, that couldn't be done by various member company's own engineers. Again, each of the companies decided that it was in their own self-interest to fund work to make Linux and its core infrastructure more secure. This is probably why you didn't hear back from the LF as a small company. It wasn't worth their time to accept small change funding, when the same amount of time could be used to work with a company who was interested in donating half a million dollars or more.

I suspect that if you took a look at the amount of work that is being done by the KSPP, a very large amount of it is being done by engineers who are funded by their companies to work on these features. More importantly, whether these companies are helping the KSPP by assigning engineers to work on it, or by paying contractors to do various bits of works, what's important is this is simply _more_ security work to make Linux better. It is not within the Linux Foundation's power, or any corporate entity's power, to stop work being done by a volunteer or by an engineer working for another company.

What they _can_ do is work together on a solution that is good enough such that interest in supporting a more proprietary solution is decreased. This may be what is going on with grsecurity; as other says, I don't have enough transparency into the motivations of why grsecurity did what it chose to do. But this also no different from what happened when customers stopped purchasing Sun machines and switched from Solaris to Linux. Was Solaris technically better in some ways? Sure! But there is business value more than just "technical superiority". Once an Open Source operating system was good enough that it would work for companies and their customers, the openness was far more important than small, specific points where Solaris might be technologically superior.

The same is certainly true for grsecurity. There are various reasons why companies have not wanted to base their product on a fork of grsecurity. We can debate what those reasons are, or whether those companies are right in having come to those conclusions, but every company has the right to decide for itself where it wants to put development dollars, just as each volunteer can decide where he or she will devote her volunteer energies. If those companies choose to put their energy behind the KSPP, there is nothing intrinsically wrong with it, and it's nothing personal. grsecurity wasn't meeting their needs (and the need is not just absolute security), so they chose to do something else, and to support something else.

I understand that you feel part of the grsecurity community, and so it is easy to feel that this is all a great conspiracy which is somehow evil. That is, I suppose natural, but competition for supporters is a real part of the open source ecosystem. This is something where Linux has won, and NetBSD and Hurd have been, shall we say, less successful at attracting people who might be interested in sponsoring their development work. But again, there was no great conspiracy at work here. Linux was simply better suited for the needs of those companies that chose to support Linux, and to hire Linux developers to work full-time on making Linux better, and the network effect took over from there.

The final thing I will note is that closing off the sources is something that in the long run won't work for the embeeed and IOT market. That's because while grsecurity may have closed off source access on their website, Linux is still open source and under the GPL, which means that they can not prevent their downstream sub-licensees from redistributing the grsecurity changes. So for example, if grsecurity is used in a cell phone, and that cell phone is sold in the stores, anyone can buy the cell phone, request that they get sources to the kernel used in the cell phone, and then they can make it available on their web site. *Nothing* can stop them from doing that; if grsecurity/PaX tried to prohibit this, they would be in violation of the GPL. They could prevent this by choosing not to sell grsecurity to embedded, mobile, or IOT market --- but then (a) they would be cutting off a large segment of their market, and (b) it means, ipso factor, that grsecurity is worthless for those markets, and it becomes yet another reason why all of those companies who are supporting KSPP were right to do so. Montavista tried a similar approach (only making their fork of the kernel available to their direct customers, and no distributing the sources on their web site), but in the long run, that did not prove to be a winning business strategy. I suspect grsecurity/PAX team will find a similar dynamic at work.