
OpenSSL after Heartbleed

Posted May 5, 2017 14:20 UTC (Fri) by paulj (subscriber, #341)
In reply to: OpenSSL after Heartbleed by tytso
Parent article: OpenSSL after Heartbleed

GrSecurity can not directly stop redistribution of their GPL patches. However, they can make it clear that anyone doing so will no longer receive further patches or support.

There are a number of entities with this business model, both around the Linux kernel and other GPL software.


OpenSSL after Heartbleed

Posted May 5, 2017 15:23 UTC (Fri) by tytso (subscriber, #9993) [Link] (3 responses)

Sure, but it only works when the subscribers are the end users. It doesn't work if the subscribers are manufacturers of cell phones, or IOT devices, because they are required to give sources if an end-user asks for the sources --- which will include grsecurity.

So for cell phones and IOT devices grsecurity is not the answer. Which is fine, I don't think it ever was the answer, because as a fork, it's not something that could be easily integrated into SOC vendors' forks of the kernel (which are so horrendous that good luck getting them even to build on another architecture; I've had the misfortune of having to debug one of these kernels, and never have I seen such a wretched hive of hacks and villainy.)

But it just goes to show that grsecurity is not the answer for millions and millions of Linux systems --- cell phones and IOT devices. The only solution for those devices is KSPP.

OpenSSL after Heartbleed

Posted May 5, 2017 15:45 UTC (Fri) by paulj (subscriber, #341) [Link] (2 responses)

I'm glad to hear all the mobile phone and IoT device makers are so scrupulous about publishing the sources to the kernels they use.

GRSecurity can simply not sell patches to any vendors that intend to resell devices with binaries installed though. Simple.

OpenSSL after Heartbleed

Posted May 5, 2017 16:37 UTC (Fri) by tytso (subscriber, #9993) [Link]

.... and so GRSecurity is irrelevant to the vast majority, numerically speaking, of the systems and devices running Linux in the world.

This is certainly their right. And if they can make money doing that, fine. But they have made themselves completely irrelevant to Linux upstream development, and mostly irrelevant to the Linux ecosystem as a whole.

OpenSSL after Heartbleed

Posted May 5, 2017 17:59 UTC (Fri) by excors (subscriber, #95769) [Link]

> I'm glad to hear all the mobile phone and IoT device makers are so scrupulous about publishing the sources to the kernels they use.

Not all are, but some are. Not all care about security, but some do (a bit). I suspect there is a strong positive correlation between those groups. The people who would happily violate the GPL to use grsecurity wouldn't bother using grsecurity anyway, while the people who want to do the right thing can't use grsecurity. (The latter people probably wouldn't have used grsecurity anyway (for various reasons like difficulty integrating with obsolete SoC kernels etc) but now there's even less chance.)


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds