Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Open Source The Courts Operating Systems Software Hardware Linux Technology

Linux Kernel Hardeners Grsecurity Sue Open Source's Bruce Perens (theregister.co.uk) 307

An anonymous reader shares a report from The Register: In late June, noted open-source programmer Bruce Perens [a longtime Slashdot reader] warned that using Grsecurity's Linux kernel security could invite legal trouble. "As a customer, it's my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity," Perens wrote on his blog. The following month, Perens was invited to court. Grsecurity sued the open-source doyen, his web host, and as-yet-unidentified defendants who may have helped him draft that post, for defamation and business interference. Grsecurity offers Linux kernel security patches on a paid-for subscription basis. The software hardens kernel defenses through checks for common errors like memory overflows. Perens, meanwhile, is known for using the Debian Free Software Guidelines to draft the Open Source Definition, with the help of others.

Grsecurity used to allow others to redistribute its patches, but the biz ended that practice for stable releases two years ago and for test patches in April this year. It offers its GPLv2 licensed software through a subscription agreement. The agreement says that customers who redistribute the code -- a right under the GPLv2 license -- will no longer be customers and will lose the right to distribute subsequent versions of the software. According to Perens, "GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition." A legal complaint (PDF) filed on behalf of Grsecurity in San Francisco, California, insists the company's software complies with the GPLv2. Grsecurity's agreement, the lawsuit states, only applies to future patches, which have yet to be developed. Perens isn't arguing that the GPLv2 applies to unreleased software. Rather, he asserts the GPLv2, under section 6, specifically forbids the addition of contractual terms.

This discussion has been archived. No new comments can be posted.

Linux Kernel Hardeners Grsecurity Sue Open Source's Bruce Perens

Comments Filter:
  • Prove it's true (Score:4, Insightful)

    by Anonymous Coward on Saturday August 05, 2017 @05:04AM (#54945631)

    That would put a full stop to Gr's suit.
    But besides that, it's pretty clear this is an intimidation move because it would be relatively trivial to just show you're not doing it.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Yeah, suing the god damned web hoster as well is a sure sign they want to discourage this kind of talk in future.

    • Re:Prove it's true (Score:5, Informative)

      by thesupraman ( 179040 ) on Saturday August 05, 2017 @05:50AM (#54945683)

      I would suggest that if that is their intention, they do not know Mr Perens very well, and have not done their homework.
      I suspect they are currently experiencing bit of a surprise in the reaction to their attempted strong-arming..
      I also suspect they are rather wet-behind-the-ears (at least their decision makers) in the area of kernel security, to try such a play.

      They are trying to play a legal-loophole game, when never goes down very well with the kernel maintainers, to say the least.
      And they have quite possibly forgotten the fact that the maintainers could make their lives a LOT harder basically at well, by making their patches unworkable in subsequent releases..

      Or they could just say sorry, and hope that they get some forgiveness - I am betting they wont..

      • Re: (Score:3, Informative)

        by Anonymous Coward

        And they have quite possibly forgotten the fact that the maintainers could make their lives a LOT harder basically at well, by making their patches unworkable in subsequent releases..

        That isn't really a viable solution.
        Writing kernel code specifically to make it incompatible rather than to get the best solution will cause all sorts of problems.

        They could release new code under a non-GPL license that is mostly identical with GPL but prohibits usage together with grsecurities software, but I'm not sure such a license will hold up in court and it is a bit against the free software mindset.
        (OK, BSD is a bit more along the lines of "You can do whatever you want, even if you use the code for

      • I would suggest that if that is their intention, they do not know Mr Perens very well, and have not done their homework.

        I would suggest that they definitely know who Bruce Perens is, and that their legal counsel is simply a typical self-described type A who wants to fuck everything.

        • Re:Prove it's true (Score:5, Interesting)

          by Anonymous Coward on Saturday August 05, 2017 @08:13AM (#54946017)

          Their legal counsel is a one-man firm, and if you read his online reviews, they are all about his patent filings. It sounds like he is in over his head.

          Perens is using a big firm that has lawyers for every sort of legal issue, and his lead attorney wrote a book on Open Source licensing. If she has built expertise in Open Source, she and Perens would have worked together before.

      • GRSecurity is demanding a jury trial, which means the emotional power of the lawyers on each side will play an important part, which means they are trying to make it as painful as possible for Bruce, even if they lose.
    • by SLi ( 132609 )

      How would it be trivial to show? They assert what they do is legal; Bruce asserts it is not. It's mostly a dispute of law, not of facts.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      This demand proves Perens' point about dealing with Grsecurity stuff inviting legal trouble.

      Either way from GPL violations or from a litigious company like this case.

    • Re:Prove it's true (Score:4, Insightful)

      by FooAtWFU ( 699187 ) on Saturday August 05, 2017 @07:03AM (#54945815) Homepage

      Proving it's true would not put a full stop to the suit; it would be a thing that you prove in the suit itself. This is expensive because it means you're paying lawyers lots of money. The thing that's supposed to put a full stop to the suit is an anti-SLAPP motion, because this appears to be a Strategic Lawsuit Against Public Participation; among other things, this typically stays all discovery, saving much expense,

      Unfortunately I'm not up to speed on California-specific anti-SLAPP statutes.

      • Re:Prove it's true (Score:5, Insightful)

        by gnasher719 ( 869701 ) on Saturday August 05, 2017 @07:25AM (#54945879)

        Proving it's true would not put a full stop to the suit; it would be a thing that you prove in the suit itself. This is expensive because it means you're paying lawyers lots of money.

        Bruce Perens' councel is Heather Meeker of Oâ(TM)Melveny and Meyers, author of a book about use of Open Source software in the enterprise. I wouldn't be surprised if she gives him a good deal for representation in court if needed. (I thought Bruce Perens is a lawyer as well, but probably respects the old saying "a man who represents himself in court has a fool for a lawyer and a fool for a client").

        What he said is "It is my strong opinion..." which I think stops what he says from being libel. GrSecurity could have replied "It is our strong opinion that Bruce Perens is incompetent and has no idea what he is talking about", which would probably not be libel for the same reason, being an opinion and not declared to be fact. Suing him has no chance of winning, and the huge risk that a court might agree that Bruce Perens' opinion is actually correct. That's most likely something that he would argue, in addition to the 100% winner argument "I said it was just my opinion".

        • Re:Prove it's true (Score:5, Insightful)

          by jenningsthecat ( 1525947 ) on Saturday August 05, 2017 @07:51AM (#54945941)

          Bruce Perens' councel is Heather Meeker of Oâ(TM)Melveny and Meyers...

          I suspect Perens and Ms Meeker will also have some assistance from the EFF. The potential chilling effects of this suit, and its blatant misuse of judicial process, are too important for the EFF to remain on the sidelines for long.

        • by arth1 ( 260657 )

          While he's not an attorney at law, he knows a few things about it, and I'm sure he'll use lawyers quite well.

          And I also suspect that he won't be posting here, but will follow the generally sound advice that when hit with a lawsuit, do not comment on it except through lawyers. Anything said is potential ammunition or intel for your adversaries, neither of which helps your case.

          • And I also suspect that he won't be posting here, but will follow the generally sound advice that when hit with a lawsuit, do not comment on it except through lawyers.

            I suspect that there will be a public statement, because cases in the public interest are won partly in the public sphere. I further suspect that Bruce himself will let us know about it when it happens, but that he won't engage in [much] commentary in the story, and that any he does engage in will be cleared through his lawyer. But that costs money, so he won't do any more of it than is absolutely necessary.

        • I thought Bruce Perens is a lawyer as well, but probably respects the old saying "a man who represents himself in court has a fool for a lawyer and a fool for a client"

          He is not. In this situation he has consistently presented himself as an expert witness.

          The problem here is that GRSecurity grants their customers patches under the GPL2, but then explicitly states that if the customers redistribute the patches to other people, then GRSecurity will punish them by not giving them any more patches in the future. This obviously contrary to the spirit of the GPL, but GRSecurity claims the exact wording of the GPL, "You may not impose any further restrictions on the recipients

        • What he said is "It is my strong opinion..." which I think stops what he says from being libel.

          No, merely stating "this is my opinion" is not enough to stop a statement from being libel. The lawsuit pre-emptively makes an argument against that, quoting another judgement:

          If a speaker says, ‘In my opinion John Jones is a liar,’ he implies a knowledge of facts which lead to the conclusion that Jones told an unt ruth. Even if the speaker states the facts upon which he bases his opinion, if those facts are either incorrect or incomplete, or if his assessment of them is erroneous , the statement may still imply a false assertion of fact.” Milkovich v. Lorain Journal Co. 497 U.S. 1, 18 (1990)

      • Anti-SLAPP (Score:2, Informative)

        by Anonymous Coward

        In California, SLAPP stops all discovery and requires the plaintiff to pay the defendant's expenses if they lose.

    • These are the two quotes GRSecurity singled out as being false. If they can be trivially proven true, then GRSecurity will be thrown out of court:

      Defendants, in the Posting, stated that "[Customers] should avoid the Grsecurity product sold at grsecurity.net because it presents a contributory infringement and breach of contract risk.”

      Defendants further stated that Plaintiff was in violation of the GPLv2, and thus “[a]s a customer, ... [Plaintiff’s clients] would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity.”

    • from the summary, their attack will be "our current modules can be distributed, that's why we made them gpl2. our announcements were for future modules, which will not be gpl2. the acused told everyone they would be criminals by being our clients because we would release the new modules as gpl2, which we won't. hence he is disrupting our business. "

      to help the truth come out, everyone here who is their clients and never distributed the current modules because everyone knows that is what they were s

  • Perens vindicated.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      It's defamation to claim we're likely to launch a spurious lawsuit! ...

      We're suing!

  • pissing contest.. (Score:5, Interesting)

    by lkcl ( 517947 ) <lkcl@lkcl.net> on Saturday August 05, 2017 @05:34AM (#54945673) Homepage

    this is going to be interesting to watch. one of the world's best-informed advocates of software libre, who has studied the GPL for many years, versus some idiots who will have been ill-advised by some moron whose only saving grace is the indemnification insurance provided as a sop to corporate madness. for those people not familiar with what indemnification insurance is: it's where lawyers can basically get away with making fundamental errors, and the corporation to whom they give the advice can sue their company quite safely, *as long as they follow that advice*.

    i really look forward to seeing how this turns out.

  • by bradley13 ( 1118935 ) on Saturday August 05, 2017 @05:59AM (#54945693) Homepage

    This is a stupid lawsuit. According to the attorneys for the plaintiff company:

    "Mr Perens has made false statements, claiming them to be facts, and based on those statements employed fear-mongering tactics to intentionally hurt Open Source Security Inc's business."

    Perens actually wrote: "it's my opinion that..."

    Opinion, not assertion of fact. This lawsuit will be thrown out almost immediately. However, it is useful in helping the community identify a company that we should never do business with. So thanks for that, at least...

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Maybe we'll get another one of these [scribd.com] ("ACLU Brief on Behalf of John Oliver").

      Opinions, too, are protected speech, and “[u]nder the First Amendment, there is no such thing as a false idea. However pernicious an opinion may seem, we depend for its correction not on the conscience of judges and juries but on the competition of other ideas.” Gertz v. Robert Welch, Inc., 418 U.S. 323, 339-40 (1974)

    • An assertion of a fact does not legally become an opinion merely by adding "in my opinion" or "I believe". For example, "I believe X molests his child" is actionable.

      • An assertion of a fact does not legally become an opinion merely by adding "in my opinion" or "I believe". For example, "I believe X molests his child" is actionable.

        Bruce is not a lawyer, so he's not giving legal advice, so he's allowed to have an opinion and express it. That right is explicitly legally (constitutionally!) protected! It's more likely that they are attacking not the part following "As a customer, it's my opinion" but other ancillary statements, since nobody looks good if they attack opinions. Surely they have something slightly more clever in the fire.

        • by arth1 ( 260657 )

          Bruce is not a lawyer, so he's not giving legal advice, so he's allowed to have an opinion and express it. That right is explicitly legally (constitutionally!) protected!

          True, but he is also the CEO of Legal Engineering, "which specializes in resolving copyright infringement in relation to open source software" (Wikipedia). Unless he's clear about it being a personal opinion, his opinion could potentially be seen as a legal opinion, or gratis expert advice from Legal Engineering.

          Either way, I don't think (as a private person) that this lawsuit has much merit, even in a common law system that doesn't pay much attention to the intent of contracts. But it must be an embugger

          • Unless he's clear about it being a personal opinion, his opinion could potentially be seen as a legal opinion,

            No, no it cannot. Because he is not a lawyer, he cannot give legal advice. And unless he explicitly claims that he is giving legal advice, he's not giving legal advice, because he is not a lawyer. It works coming and going. Only lawyers have to give disclaimers about each little thing not being legal advice, because only lawyers can give legal advice.

            or gratis expert advice from Legal Engineering.

            He said he was willing to discuss the issue with companies under NDA, but this is just something he said in the public sphere, so he has not created any expect

    • Uh, no, it doesn't work like that. "It's my opinion" is not a magic phrase that wards off all charges of defamation. If I say "It's my opinion that John Smith is a child rapist," John Smith can still sue me for defamation. Mind you, I think this is an utterly invalid suit, but not because Bruce Perens said "it's my opinion."

    • They filed in California where anti-SLAPP laws provide for heavy penalties? Oh, dear.

      Bruce, do you need a gofundme?

    • Perens actually wrote: "it's my opinion that..."

      I suppose if they could prove that this was not actually his opinion, but that he lied about it, they might be able to win.

    • Perens actually wrote: "it's my opinion that..." Opinion, not assertion of fact. This lawsuit will be thrown out almost immediately.

      FWIW the lawsuit deals specifically with your point, by quoting another case:

      “If a speaker says, ‘In my opinion John Jones is a liar,’ he implies a knowledge of facts which lead to the conclusion that Jones told an untruth. Even if the speaker states the facts upon which he bases his opinion, if those facts are either incorrect or incomplete, or if his assessment of them is erroneous, the statement may still imply a false assertion of fact.” Milkovich v. Lorain Journal Co. 497 U.S. 1, 18 (1990)

      There are two quotes from Bruce that the lawsuit specifically states as false:

      [Customers] should avoid the Grsecurity product sold at grsecurity.net because it presents a contributory infringement and breach of contract risk.”

      Defendants further stated that Plaintiff was in violation of the GPLv2, and thus “[a]s a customer, ... [Plaintiff’s clients] would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity.”

  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Saturday August 05, 2017 @06:04AM (#54945703)
    Comment removed based on user account deletion
  • by Anonymous Coward

    If anyone was still wondering why their patches never made it in the kernel...
    It shows a lot about their attitude and delusions, there are good reasons not to want code from people not able to objectively judge their own work, especially when they are asses on top...

  • by molnarcs ( 675885 ) <csabamolnarNO@SPAMgmail.com> on Saturday August 05, 2017 @06:21AM (#54945751) Homepage Journal

    Linus Torvalds called grsecurity patches garbage earlier this year. https://www.theregister.co.uk/... [theregister.co.uk]

  • The key word/phrase is "it's my opinion".

    Grsecurity needs to be hit with a SLAPP countersuit.

  • Streissand effect. Grsecurity should hire another lawyer, if they survive this one.
    Not only what Perens wrote is always reason for precaution, even if it wasn't, he repeatedly states in his blog post that this is his opinion, and that furthermore, he's open to discussion and that he's not a lawyer.
    https://perens.com/blog/2017/0... [perens.com]

    Lawsuit won't pass because it has no grounds. Courts can't define opinions as "false statements", he explicitly claimed several times that this is his opinion, and it's a huge stre

  • And I don't Title this post just to flamebait.

    The subscription agreement they use is definitely against the spirit of the GPL, but could be within the letter if they were distributing a completely original work, for which they held all copyrights and had the correct sort of patent licenses to distribute code that way. But the question naturally arises why the hell wouldn't they just outright pick a restrictive license if they just outright held all rights to an original work and wanted to restrict redistrib

If all else fails, lower your standards.

Working...