|
|
Log in / Subscribe / Register

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

[Posted August 3, 2017 by corbet]

The Register reports that the developers of the grsecurity patch set have filed a defamation suit against Bruce Perens. "A legal complaint filed on behalf of Grsecurity in San Francisco, California, insists the company's software complies with the GPLv2. Grsecurity's agreement, the lawsuit states, only applies to future patches, which have yet to be developed. 'There is no explicit or implicit term, section, or clause in the GPLv2 that is applicable over future versions or updates of the Patches that have not yet been developed, created, or released by [Grsecurity],' the complaint contends."
to post comments

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 3, 2017 21:59 UTC (Thu) by flussence (guest, #85566) [Link]

Interesting move. Let's watch as this whole charade ends cata-SCO-phically for them.

(Cata-Streisand-ically works better IMO, but is a bit of a mouthful.)

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 3, 2017 23:28 UTC (Thu) by jubal (subscriber, #67202) [Link] (22 responses)

Interesting choice of a lawyer; one would think that it's better to employ someone who specialises in handling defamation, libel or slander cases, not someone who clearly describes himself (on his two homepages, no less) as a patent attorney.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 1:04 UTC (Fri) by jhoblitt (subscriber, #77733) [Link] (17 responses)

Careful -- you might get sued for slander...

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 8:12 UTC (Fri) by anselm (subscriber, #2796) [Link] (15 responses)

It can't be slander if the guy himself says he is a patent attorney.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 14:38 UTC (Fri) by HenrikH (subscriber, #31152) [Link] (14 responses)

Depends on jurisdiction but I assume from your comment that this is the way it works in the US. Over here (Sweden) it does not matter if the statement is true or not.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 14:53 UTC (Fri) by anselm (subscriber, #2796) [Link] (13 responses)

Do you mean to say that in Sweden one can be sued for slander if one repeats something somebody else says about themselves on their own web site?

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 17:09 UTC (Fri) by JoeBuck (subscriber, #2330) [Link] (12 responses)

Obligatory disclaimer: IANAL.

In the US, truth is an absolute defense against charges of libel/slander, and the burden of proof is on the accuser to prove that the alleged defamatory statements are false as well as harmful. In the UK, I am pretty sure that the burden of proof is reversed and the accused has to prove that all statements made are true.

That said, I think Bruce Perens may be wrong in his claim that just signing the contract is a GPL violation, if the person who signs the contract plans only to use the code internally and will not distribute binaries to any other party. But suppose that's the case. Then Perens has expressed an erroneous opinion, which probably doesn't amount to libel or slander in the US. But again, IANAL.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 19:05 UTC (Fri) by pbonzini (subscriber, #60935) [Link] (8 responses)

In some civil law countries you can be guilty of slander even if you say the truth. The "exceptio veritatis" ("I said the truth so it's not slander") only applies to specific cases. Traditionally they were very limited, but recent case law tends to apply to web and online publishing the less restrictive norms that were used for printed materials.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 19:26 UTC (Fri) by jhoblitt (subscriber, #77733) [Link] (7 responses)

Would it be slander to report a criminal to the police? What about the press publishing (presumably, a public fact) the conviction of a mass-murderer?

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 22:24 UTC (Fri) by richard77 (guest, #117898) [Link] (5 responses)

Of course not, since in both cases there are higher interests (public defense and right to inform).
In Italian law for example, the defense from slander/libel based only on the truth is not allowed. You have to demonstrate that there was public interest in disclosure of the facts.
So if you disclose that your neighbor is unfaithful to his wife (for example) you could be guilty even if it is true. But if she/he is a famous person you could base your defense on the reasonable idea that the general public has the right to know. Of course said defense would not work if you can't demonstrate the facts. (IANAL, this is just my understanding based on not authoritative sources)

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 5, 2017 7:44 UTC (Sat) by rsidd (subscriber, #2582) [Link] (2 responses)

Makes sense, that.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 5, 2017 13:02 UTC (Sat) by Wol (subscriber, #4433) [Link] (1 responses)

I remember a case in Germany, where a court injunction was obtained to stop a publication about a scandal.

But thinking hard about that case, the magazine was hyping it up about "they've kept this scandal secret for 20 years" when it had been all over the papers when it actually happened. So the magazine was in fact maliciously pretending there had been a cover-up.

Cheers,
Wol

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 5, 2017 15:57 UTC (Sat) by anselm (subscriber, #2796) [Link]

That sort of thing is SOP in the tabloid industry. It's fairly common to see headlines on the title page like “Celebrity XYZ – Weeks of horror – How she narrowly escaped a gruesome death” and the story on the inside explains that when the person was 4 years of age 25 years ago, she attended the same school where a measles outbreak happened last week. They're certainly not above opening with “Celebrity XYZ – Divorce scandal – Read all about it!” when the actual divorce happened 20 years ago and was widely reported at the time. This may not technically be outright libel because no factual untruths are reported, but it is certainly walking a thin line.

Here in Germany, some celebrities go after these shenanigans with a vengeance – which is good fun because technically a formal retraction must be published in the same sort of conspicuous place and visibility as the original claim – while others don't really seem to care (presumably based on the theory that “any publicity is good publicity”, or because they don't want to engage in a never-ending game of whack-a-mole).

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 5, 2017 17:08 UTC (Sat) by JoeBuck (subscriber, #2330) [Link] (1 responses)

Same in the US, but the true statement about your neighbor's affair wouldn't be slander or libel, but possibly invasion of privacy. So you'd be guilty of something else.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 5, 2017 18:56 UTC (Sat) by anselm (subscriber, #2796) [Link]

It can hardly be an invasion of privacy if you repeat something about person X which is (a) true and (b) has already been published by person X on their own web site (e.g., the fact that person X is a patent attorney).

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 5, 2017 18:33 UTC (Sat) by pbonzini (subscriber, #60935) [Link]

Criminal code violations are the main thing that is excepted, so you could even talk about them freely (if they are true) without committing libel.

Reporting to the police is of course possible, but if it turns out to be false you risk being accused of slander (and would quickly lose too, presumably).

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 5, 2017 18:50 UTC (Sat) by drag (guest, #31333) [Link] (2 responses)

Generally speaking in the USA the only time it gets very serious is if you accuse somebody of being a criminal when they are not convicted of being one in a formal publication.

Of course in the USA you can sue anybody for pretty much anything in civil court. You probably won't win if you are just trying to sue somebody for a personal insult, but you can still take them to court.

I would love to be a part of a lawsuit that involved somebody suing over a personal insult like 'smelly f-face' where you have professional lawyers attempting to document that the 'Yes your honor, the defendant actually is a smell f-face and here are the reasons why... '. Then you would have lists of documents showing that the guy actually is a f-er and people familiar with the plaintiff being brought up to testify if the plaintiff actually was smelly or not.

That would be awesome.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 5, 2017 21:39 UTC (Sat) by micka (subscriber, #38720) [Link] (1 responses)

What's a "smelly f-face" ?

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 6, 2017 16:15 UTC (Sun) by drag (guest, #31333) [Link]

nonsense word.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 12:25 UTC (Fri) by jubal (subscriber, #67202) [Link]

If I were to choose, I'd go for libel, though.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 11:44 UTC (Fri) by SLi (subscriber, #53131) [Link] (3 responses)

If the central defense is going to be that the assertions in his blog post are correct as a matter of law, it seems to make sense to hire an attorney who knows about such issues.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 12:22 UTC (Fri) by jubal (subscriber, #67202) [Link]

Sure. In addition to a litigator who specialises in libel/slander/defamation cases. But hey, it could've been worse, Spengler could've wanted to litigate pro se. (Now that would be a spectacle that I could consider getting a ticket for.)

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 18:49 UTC (Fri) by yokem_55 (subscriber, #10498) [Link] (1 responses)

I'm not sure the defense even needs to argue that they are legally correct. Simply that this is a matter which is debatable, that there is currently no precedent in any US court to say one way or another for sure, and this case is not where that question should be answered.

Now if there was a ruling that GrSecurity's is legally in the right, Perens could not make statements of fact to the contrary, but while the matter is until unresolved legally, Perens can express his opinion on the matter.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 6, 2017 23:49 UTC (Sun) by rahvin (guest, #16953) [Link]

Peren's comments are protected by the 1st amendment. GrSecurity made the mistake of filing in California which has a very strong Anti-SLAPP law and Bruce's lawyers will make an anti-SLAPP motion probably by mid next week. The Judge will then determine if Bruce's statements are protected as a matter of law. Given that the first sentence of his statement says that everything follows is his opinion there are very good odds that Bruce will win that motion.

What does the Anti-SLAPP motion do? It throws out any and all claims that are protected as a matter of law, basically speech that's protected by the first amendment. Part of this motion if Bruce win's is that he can ask for and be awarded legal fees. I'd place pretty good odds Bruce will win and GrSecurity will be paying Bruce's really expensive legal fees.

If you curious about this aspect of American law that exists in most states (but not all) I suggest you read the SLAPP article by Ken White at https://www.popehat.com/2012/06/07/why-yes-i-am-into-slap.... Ken is an attorney and spends his free time blogging about and helping defend bloggers against SLAPP suits.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 4:15 UTC (Fri) by philh (subscriber, #14797) [Link] (5 responses)

I have it on rather good authority that: an expresion of opinion in the US is protected free speech, and that this is such an expression of opinion, and so the case is pretty sure to simply be dismissed.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 6:51 UTC (Fri) by patrick_g (subscriber, #44470) [Link] (1 responses)

According to the lawer of Grsecurity (at the end of this article) :

No court of law has ever established that a statement implying a false assertion of fact is constitutionally protected speech, and we intend to hold Mr Perens accountable to the fullest extent permitted by law.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 6, 2017 23:51 UTC (Sun) by rahvin (guest, #16953) [Link]

That's what you get when you hire a lawyer specialized in patents to file a Defamation claim.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 8:54 UTC (Fri) by ledow (guest, #11753) [Link] (2 responses)

Er... no.

You can't just say anything you like.

"Hey, I think you do nasty things to small children"... is that an opinion, or slander/libel?

You are protected from stating such claims, only if they are the truth. Unfortunately, proving they are true when the other side disagrees often requires going to court.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 11:55 UTC (Fri) by mathstuf (subscriber, #69389) [Link] (1 responses)

Hyperbole is also protected. That's why shows like The Daily Show and SNL are fine. Simply adding "in my opinion" or "I think" can get you pretty far.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 12:05 UTC (Fri) by mathstuf (subscriber, #69389) [Link]

The original post is hedged with lots of "IMO", "potentially", and ends with "please verify with your lawyer; this is only my non-professional analysis". And it's in California. I'd look into the viability of a SLAPP motion to hit back and get attorney fees if I were Perens.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 6:14 UTC (Fri) by flewellyn (subscriber, #5047) [Link]

This is a productive use of everyone's time.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 6:28 UTC (Fri) by mm7323 (subscriber, #87386) [Link] (2 responses)

This can only have a further chilling effect on reporting of the grsec stuff. Already the argumentative nature of the grsec comments on any of the excellent articles corbert had written has seen him prefer to write about accounting software.

Now with a fear of being sued, frivolous or not, I'm sure we will see lots more articles about accounting software which is very sad.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 8:45 UTC (Fri) by Flameeyes (subscriber, #51238) [Link]

Unless you actually are looking for a replacement for accounting software, like I am O:)

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 19:30 UTC (Fri) by jkingweb (subscriber, #113039) [Link]

I am actually extremely curious about accounting software. The breadth of LWN's reporting is a strength, not a weakness: there's more to computing than the security of its systems...

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 7:27 UTC (Fri) by cdamian (subscriber, #1271) [Link] (3 responses)

I am sure this is going end well for Grsecurity. Nothing like suing people from the community you ultimately want to sell to later.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 11:53 UTC (Fri) by SLi (subscriber, #53131) [Link] (2 responses)

To be honest, if Grsecurity (or whatever the company's name is) believes Bruce to be wrong in his public legal warnings, it seems to me that getting a court to adjudicate that issue is exactly the way to reassure potential clients that buying from them is legally safe. And yes, the license issue will probably be central to the case, since being correct about the warning is a sufficient defense.

I would think that Grsecurity believes Bruce is not going to fold, so their lawyer probably believes they have a case. Now, I don't know which side is correct about the license issues; they are clearly somewhat nuanced. In any case it will be interesting to see this (possibly sucks for Bruce though).

In any case, this is probably also the only way for Grsecurity to get an authoritative answer on whether what they are doing is legal or not. Courts do not take hypothetical cases, there needs to be an actual controversy. This case might provide just such a vehicle to adjudicate the license issue.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 14:54 UTC (Fri) by luto (subscriber, #39314) [Link]

I'd be very surprised if that's the outcome, since it seems highly unlikely that this case will hinge on the correctness of Bruce's claims.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 6, 2017 23:59 UTC (Sun) by rahvin (guest, #16953) [Link]

In the US you are fully entitled to be wrong and have opinions about things. This is a very misunderstood bit of law.

What you can't do is allege a fact that's not true. I can't say you are a convicted pedophile (when you aren't). That presents a fact that's not true. But I can say I think you are a pedophile, and I can say I think you're a pedophile because I saw you touching children. See the fact you allege must not only be false, but it can't be an opinion and it must be a fact that's not present or linked to in some way. So I can assert your a pedophile without the opinion statement if I link to a police report that presents facts that would make reasonable people assume you're a pedophile.

Defamation claims are difficult to make, they require that a very specific set of circumstances happened. And as Ken While at Popehat says, the hallmark of a frivolous defamation claim is a lack of specificity in the claims. You must point to specific statements and show how they aren't true. Nothing Bruce said reaches this level, hell the first sentence disclaims everything that follows as opinion.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 7:54 UTC (Fri) by amacater (subscriber, #790) [Link] (4 responses)

Both parties to this are quiet and unasuming - both are likely to be unprepared for the oxygen of publicity. I've often wondered how the US squares free speech, defamation and slander ... I'll grab some popcorn

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 10:00 UTC (Fri) by rsidd (subscriber, #2582) [Link] (2 responses)

Judging by your subscriber #, you probably remember this previous instance of calm behaviour involving one of these parties. Large popcorn bag needed.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 10:03 UTC (Fri) by rsidd (subscriber, #2582) [Link]

[replying to myself] that said, I believe Perens is correct this time and may well have been correct in the link I posted, too.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 11:25 UTC (Fri) by itvirta (guest, #49997) [Link]

That does seem calm enough. Bruce's text, that is. The quoted part not so much,
but then I didn't see the author of that being involved in the current case.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 14:41 UTC (Fri) by richard77 (guest, #117898) [Link]

I my humble opinion and considering that I am not a lawyer, I would dare to say that speaking about a pending litigation would be an unwise move from both parties.
I would presume that lawyers of both will prevent their customers to talk.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 9:01 UTC (Fri) by ledow (guest, #11753) [Link] (3 responses)

"How to destroy confidence in your business, lesson one".

Honestly, who would touch grsecurity now, knowing that you can't talk about it openly, you "can't" distribute it despite it being GPL, and you stand to lose your access the second they disagree with something you've done?

Also, no matter the interpretation or legal truth, suing someone's **webhost** for assisting in defamation, because said someone provided an interpretation of an open source licence is ludicrous.

The only saving grace? Being a lawsuit now, we probably won't get said guy on here trying to make himself understood.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 9:02 UTC (Fri) by ledow (guest, #11753) [Link]

Sorry, last line refer to Mr grsecurity, not Bruce.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 15:23 UTC (Fri) by flussence (guest, #85566) [Link] (1 responses)

>Also, no matter the interpretation or legal truth, suing someone's **webhost** for assisting in defamation, because said someone provided an interpretation of an open source licence is ludicrous.
Agreed. It's quite telling that they skipped the usual attacks on message and character this time and went all the way to attacking the venue. That's about as far from refuting the central point as one can possibly get without outright admitting fault. They seem to have figured out the normal public tantrums would lose them money immediately here, so they're trying to terrorise Perens into silence by… burning down his property instead of merely covering the walls in graffiti. These dirty tactics shouldn't be a surprise to anyone at this point.

Reading between the lines, I think Open Source Security finally figured out that their chickens are coming home to roost; this will likely be only the *first* assault of many, as the protection racket funds dry up and they become increasingly desperate. They never have been ones to back down honourably, or to prioritise their long-term survival over a chance to take a swing at someone.

They'll get the justice they deserve in the end though. A pity this won't be nearly as entertaining as the last bunch of schoolyard bullies who tried to pick a fight with all of Linux. :-(

>The only saving grace? Being a lawsuit now, we probably won't get said guy on here trying to make himself understood.
Good catch... Quick! Let's cram in civilized and productive discussions about kernel security while they're gagged!

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 16:15 UTC (Fri) by jubal (subscriber, #67202) [Link]

Reading between the lines, I think Open Source Security finally figured out that their chickens are coming home to roost; this will likely be only the *first* assault of many, as the protection racket funds dry up and they become increasingly desperate.
I always thought that the first question before playing the lawsuit game was “how much money can I burn”. 'Tis no business for the desperate, the impoverished and the only relatively well off.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 13:54 UTC (Fri) by ledow (guest, #11753) [Link] (3 responses)

Okay,

According to: https://govtribe.com/vendor/open-source-security-inc-alex...

Open Source Security Inc. has:

$140K annual revenue / 1 employee(s)

(Hello, Mr Bradley Spengler / PaXTeam on here, I believe)

But the court filing seeks relief of $2m, with $1m "punishment".

How can you justify 14 times your annual revenue (not even profit) in loss or damage because of one guy making a website post? That's just LUDICROUS. Proving those kinds of damages will be enormously tricky given that you COULDN'T be hurt for that amount of money from a single incident, much less prove it.

Sure, there's probably some legal games (where you can't up your damages if you later find them to be more than you thought, etc. so you start high and expect the court to decimate it), but that's just hilarious.

Honestly, I hope he pushes his "company" (of one person) into the ground with this. It's just a shame that he tries to take others with him. I hope there are some pro bono people out there helping out Mr Perens.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 4, 2017 15:04 UTC (Fri) by clump (subscriber, #27801) [Link]

A temporary reprieve of nastiness here would be nice. Unfortunately this type of fight is painful and will be deleterious to everyone involved. Being the recipient of a lawsuit, with or without merit, can't be a good feeling. SCO was mentioned earlier in this thread and is an apt example of how far you can go without merit.

Too bad things have become this way.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 7, 2017 0:07 UTC (Mon) by rahvin (guest, #16953) [Link] (1 responses)

Bruce doesn't need pro-bono. GrSecurity will be paying his legal fees after Bruce wins the Anti-SLAPP motion his lawyers are preparing right now.

GrSecurity is going to deeply regret filing this. Bruce has a very high caliber law firm on his side, this type of firm can bill a million dollars in a week. And when you win an Anti-SLAPP motion you are practically guaranteed to win legal fees, particularly in California where the suit was filed. I'm not aware of a single Anti-SLAPP motion that was won in Cali that didn't result in an award of legal fees.

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 7, 2017 17:56 UTC (Mon) by dbaker (guest, #89236) [Link]

That's because California's Anti-SLAPP law is brilliant, it doesn't allow the judge to not award fees if the defendant succeeds with the motion; at least, that's what Ken White says in the blog post you linked to ;)

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 7, 2017 21:29 UTC (Mon) by xorbe (guest, #3165) [Link] (1 responses)

"... it's my opinion that ..." Their lawsuit isn't going to go far against someone's clearly stated opinion (vs as a claimed fact).

Linux kernel hardeners Grsecurity sue Bruce Perens (Register)

Posted Aug 7, 2017 21:49 UTC (Mon) by sfeam (subscriber, #2841) [Link]

You are missing a level of implicature. Perens' long blog entry is written in the form "because Grsecurity did bad things A and B and C, it is my opinion that if you use their product you will be guilty of infringement D." The part that he labels as opinion is the consequence to the end customer. The list of things he doesn't like about Grsecurity's actions themselves are treated as fact.

I take no position on the merits of the law suit, but the complaint is not simply about a bit of advice clearly labeled as opinion.

Linux vendors' business models

Posted Aug 7, 2017 21:47 UTC (Mon) by paulj (subscriber, #341) [Link] (11 responses)

Can someone explain to me how the GrSecurity business model differs from that of other well-known Linux vendors, and other open-source vendors?

E.g., a well-known Linux vendor has a support contract that will terminate if you distribute their binary packages, including GPLed ones like their modified Linux kernel.

I know of another company active in open-source who have a business model that involves selling source access to their software, that includes modified GPL components. As, in many years, I've never known the GPL modifications to leak from their customers, I assume future access to their modifications is predicated on not releasing previously obtained source.

If GrSecurity lose, a number of vendors are going to have sleepless nights (and I'm going to be asking some companies for damages for the years they've spent violating the GPL licence on my code I guess ;) ).

Linux vendors' business models

Posted Aug 8, 2017 7:31 UTC (Tue) by seyman (subscriber, #1172) [Link] (10 responses)

> Can someone explain to me how the GrSecurity business model differs from that of other well-known Linux vendors, and other open-source vendors?

The novelty here seems to be that Open Source Security, Inc. is withdrawing public access and forbidding redistribution of GPL-licensed source code.

> you distribute their binary packages, including GPLed ones

IANAL but I'm not sure you can have GPL-licensed binaries. That sounds next to impossible to pull off from a legal standpoint.

> If GrSecurity lose, a number of vendors are going to have sleepless nights [...]

Note that it's entirely possible for Open Source Security, Inc. to lose without someone judging the legality of their support contracts. It is, after all, "only" a defamation suit.

Linux vendors' business models

Posted Aug 8, 2017 18:58 UTC (Tue) by paulj (subscriber, #341) [Link] (9 responses)

If a work is GPL, then the GPL applies to the work, regardless of mechanical translations. I.e., binaries are still covered by the GPL. The GPL licence has some different conditions for distributing the work in binary form, but that doesn't affect how copyright applies to the work, regardless of non-creative transform. (Is my layman's understanding from legal advice).

Linux vendors' business models

Posted Aug 8, 2017 20:57 UTC (Tue) by rahulsundaram (subscriber, #21946) [Link] (8 responses)

"If a work is GPL, then the GPL applies to the work, regardless of mechanical translations. I.e., binaries are still covered by the GPL"

Nothing in the GPL requires binaries to be made public. If you have the source and the ability to create binaries from them, you are good to go. The "Open Source Security" twist on the business model is the lack of public patches for the source code modifications for the Linux kernel but GPL doesn't require that either. In any case, the litigation isn't about any of this but about a blog post.

Linux vendors' business models

Posted Aug 8, 2017 21:17 UTC (Tue) by paulj (subscriber, #341) [Link] (7 responses)

Who argued binaries must be made public? GPL doesn't require that, per se. Nor must the source be made public either. All that is required is that the /recipient/ be *free* to redistribute the work under the GPL too (which includes making public).

There are a number of vendors who distribute GPL software privately (meeting all the requirements of the GPL, in this regard), and in addition do so on the basis of side-contracts that say that continued access to the GPL software is dependent on non-distribution of either the source and/or the binaries of the GPL software being distributed (which the recipient of the GPL software is explicitly allowed, as long as meet its terms, which requires passing on the same rights).

My understanding is that what GrSecurity are doing is inline with the above. They provide source patches against the kernel of their security work under the GPL (at which point, if they're distributing source only, their GPL obligations are exhausted - no obligation to give to arbitrary 3rd parties). They then have some kind of an additional side-contract with the recipient to say that future access will terminate if the patches are distributed (one linux vendor frames it in terms of "trademark" violation, fuzzing the grey line even further, but ignore that for now).

If that's correct, they are no different to a number of other Linux vendors and open-source specialist companies that I know of: Private GPL distribution + side-contract that future business depends (explicitly or implicitly) on the recipient not exercising their GPL rights to re-distribute on the work publicly.

If GrSecurity and their side-contract:future-business business model violates the GPL, then so do the very similar business models of some others.

(Modulo the additional fuzziness of the trademark thing - that said, that particular vendor knows full well it's not in interest to be silly about this, and now even directly supports a fully public clone distro, along with a bleeding edge distro; so no ill-will toward that vendor as such).

Linux vendors' business models

Posted Aug 8, 2017 22:09 UTC (Tue) by rahulsundaram (subscriber, #21946) [Link] (4 responses)

>> If GrSecurity and their side-contract:future-business business model violates the GPL, then so do the very similar business models of some others.

Only a court can make such determinations.

Linux vendors' business models

Posted Aug 9, 2017 5:35 UTC (Wed) by paulj (subscriber, #341) [Link] (3 responses)

Hence that line being a conditional statement ("If ...").

Linux vendors' business models

Posted Aug 9, 2017 10:57 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link] (2 responses)

>Hence that line being a conditional statement ("If ...").

Regardless of the "if", only a court can make a determination on what constitutes a license violation.

Linux vendors' business models

Posted Aug 9, 2017 20:46 UTC (Wed) by paulj (subscriber, #341) [Link] (1 responses)

Well yes. Who said otherwise?

That said, some cases are obvious enough that one can easily predict which direction a judgement would go. This isn't one of those cases though. Which is why it'll be interesting to see what happens with GrSecurity (even if it goes to court, there may be no ruling relevant to interpreting the GPL infringement though).

Linux vendors' business models

Posted Aug 9, 2017 22:00 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link]

> Well yes. Who said otherwise?

I was replying directly to this quote from you:

>>If GrSecurity and their side-contract:future-business business model violates the GPL, then so do the very similar business models of some others.

>> Which is why it'll be interesting to see what happens with GrSecurity (even if it goes to court, there may be no ruling relevant to interpreting the GPL infringement though)

Yes, as I said earlier, the current case isn't going to settle that.

Linux vendors' business models

Posted Aug 11, 2017 6:56 UTC (Fri) by dvdeug (subscriber, #10998) [Link]

A contract that punishes the receiver of GPLed source code for distributing it seems like a violation of the GPL. If the receiver of GPLed source code distributes it and the sender chooses not to engage in further contracts with the distributor, then it seems a lot more debatable.

trademarks...

Posted Aug 25, 2017 8:10 UTC (Fri) by Garak (guest, #99377) [Link]

If GrSecurity and their side-contract:future-business business model violates the GPL, then so do the very similar business models of some others.

(Modulo the additional fuzziness of the trademark thing - that said, that particular vendor knows full well it's not in interest to be silly about this, and now even directly supports a fully public clone distro, along with a bleeding edge distro; so no ill-will toward that vendor as such).
IceWeasel seems to struggle, at least on Android. Know any good Chromium forks? Trademark barriers to forking sure do gum up the works of the FOSS ecology. But yeah, particular vendors could be way more evil, but OTOH maybe to be even more evil they have to seem a bit less evil, or even kind of good in this regard. But yes, FOSS was founded with evil in mind, the barriers to forking even with proper trademark scrubbing are not unreasonably high. But somehow there is the forks-ought-to-be-minimized narrative that plays against my forks-ought-to-be-maximized counternarrative. Of course then you have software and business model patents... And Snowden and spooks and oppressive governments. What a wacky world.

Seriously though, the news seems to emphasize the job loss to automation narrative. I wish more people could see that we have a clear need for more judges and lawyers and government officials. Wouldn't it be neat if in a case like this you could call up the the cyber-police department, and they would be obligated to answer you officially as to a nuanced question of "is doing X, Y, and Z against the law? For the reasons this person said?". That would seem reasonable in a world where it is clearly unreasonable to expect every citizen to understand all the pages of law they are subject to.

Of course the scary truth is that there are so many laws, many of them bad and stupid, that ultimately individuals tend to be at the mercy of the political and financial power that their enemies can bring to bear against them. Now if only my ISP could not legally choose to cease to do business with me based on the type and amount of their service I use that I have clearly paid for. Maybe then I could understand where Free Speech is found amidst CyberSpace. Ah, the future-business-contractual-chilling-rules, nasty gambit that one, likes to hide in the ferengi print.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds