Grsecurity goes private

Posted May 5, 2017 19:04 UTC (Fri) by linuxrocks123 (subscriber, #34648)
In reply to: Grsecurity goes private by xtifr
Parent article: Grsecurity goes private

They don't terminate the contract; they simply don't renew it. So, you get what you paid for, which is access to the current GRSecurity patches, but they'll refuse to sell you future revisions of the GRSecurity patches.

They're under no obligations to sell their work to customers they don't like, for whatever reason. They could, if they wanted, refuse to sell their work to a customer because the customer publicly supported a political candidate they don't like. I think they're in the clear.



Grsecurity goes private

Posted May 5, 2017 20:07 UTC (Fri) by xtifr (guest, #143) [Link] (10 responses)

Like I say, the law takes intent into account. It seems pretty clear to me that the *intent* is to prevent people from redistributing the GPL'd code. Of course, they'll argue otherwise. The only thing that matters, though, is what a *judge* would think. And I tend to doubt a judge would be fooled by such an obvious trick.

What might make it harder is if they *never admit* their reasons for not doing business with certain customers. That would switch the burden of proof. But even that would be a risky strategy, since it would be fairly obvious what they were actually doing.

Stallman's pretty experienced with people trying to weasel their way around the GPL. If he says it's a violation, I'd consult my lawyer before suggesting otherwise.

Grsecurity goes private

Posted May 5, 2017 21:57 UTC (Fri) by nybble41 (subscriber, #55106) [Link]

> It seems pretty clear to me that the *intent* is to prevent people from redistributing the GPL'd code.

If so it's a lousy way to go about it, since it doesn't actually *prevent* anyone from distributing anything. There will be a cost, of course, if you wanted their ongoing cooperation in the future in the form of new patches, but the choice is still yours whether to distribute or not. If you choose to distribute you are not violating any contract and do not lose anything to which you previously had any legal right. After all, there is no guarantee that there would *be* future patches for you to purchase, and even if they are created the authors are under no obligation to sell them to you whether you distributed the prior patches or not.

I could go around offering people a million dollars cash on the condition that they don't distribute any GPL'd code, without ever distributing GPL'd code myself. The *intent* of that offer would clearly be to reduce the distribution of GPL'd code (though not actually *preventing* it), but that doesn't mean that I've violated the GPL by making the offer.

Grsecurity goes private

Posted May 6, 2017 20:10 UTC (Sat) by paulj (subscriber, #341) [Link] (7 responses)

There are many other companies using this business model.

Grsecurity goes private

Posted May 8, 2017 22:30 UTC (Mon) by mattrose (guest, #19610) [Link] (6 responses)

Charging money for GPL-derived source code? Not the RH "charge money for binaries and distribute sources", or any one of a number of "Charge for additional binaries that happen to add on or plug in to the GPL-ed source code", but actual "You have to pay money for source code that you have every right to view and modify, under the GPL"?

Name one.

Grsecurity goes private

Posted May 9, 2017 20:35 UTC (Tue) by paulj (subscriber, #341) [Link] (5 responses)

Email me or /msg me on freenode and I'll give you a link to one.

BTW, the GPL is perfectly OK with charging money for source code, and/or for binaries.

The only thing is that if you distribute binaries without source at the same time, then you must make the source available on reasonable terms. You can charge as much as you want for source and/or binaries, with that restriction...

Grsecurity goes private

Posted May 10, 2017 12:40 UTC (Wed) by mattrose (guest, #19610) [Link] (2 responses)

You are absolutely right about charging for source code, however, what the GPL is explicitly NOT ok with is putting "further restrictions" on the source code distributed or modified under the GPL.

Section 6 says: "You may not impose any further restrictions on the recipients' exercise of the rights granted herein."

RedHat complies by giving the source code away, and just charging for the convenience of pre-compiled binaries, and limiting access to those binaries, which the GPL says nothing about.

Look at it this way. I could have access to RedHat sources even if RedHat itself wanted nothing to do with me. For access to the source code for the grsecurity version of the linux kernel, I need to pay money to grsecurity. What grsecurity is doing is very much not only against the text of the GPL, but against the spirit of Linus's original license decision.

Linus put the kernel under the GPL because he wanted all of the modifications to it to become publicly available. All other contributors have contributed to Linux with the same condition. If Linus had wanted people to be able to fork off their own version and not contribute back, he would have licensed it differently.

And the fact that you are not willing to name one publicly kinda proves my point.

Grsecurity goes private

Posted May 10, 2017 13:33 UTC (Wed) by paulj (subscriber, #341) [Link]

Section 6 also applies to Section 3, where recipients are given the right to redistribute binaries (modulo reasonable access to source - which one is required to follow if one has distributed binaries, but that doesn't come into play if one only distributes in source form).

open source code gone dark

Posted May 19, 2017 4:29 UTC (Fri) by Garak (guest, #99377) [Link]

> Linus put the kernel under the GPL because he wanted all of the modifications to it to become publicly available. All other contributors have contributed to Linux with the same condition. If Linus had wanted people to be able to fork off their own version and not contribute back, he would have licensed it differently.

I'm guessing that there are plenty of instances of people and businesses that modify GPLd code, and use it, often commercially, without making those modifications publicly available. It's just that those instances don't involve the distribution of those modifications publicly. I.e. one can readily imagine the NSA and CIA and Google hardening (some of) the kernels that they and their cohorts use without those modifications ever seeing any public light of day. Sorry to get pedantic about the nuance, but this does seem to be the place for it. Probably the CIA/NSA use some god-mode of legalese to get around whatever they want, but there is clearly nothing illegal about making a business out of the fact that your secret unreleased/undistributed security enhancements give your IT infrastructure an edge over competitors. I.e. imagine a dozen hypothetical GMail competitors running modified linux kernels on their servers. The ones that get hacked the least make the most $$ in the long run. Obviously the hypothetical breaks down in the real world for lots of reasons, but I do imagine there are plenty of high profile businesses running servers with various secret sauce hardenings. Which is pretty much what this is all about AFAICT.

Grsecurity goes private

Posted May 18, 2017 20:15 UTC (Thu) by Wol (subscriber, #4433) [Link] (1 responses)

> You can charge as much as you want for source and/or binaries, with that restriction...

Except, that once you have distributed the binaries, you can NOT charge as much as you want for the source ...

I believe the GPL itself explicitly says you can charge a *reasonable* fee, and $1M for an hour's work for an engineer to copy the source to a CD is clearly not reasonable...

Cheers,
Wol

Grsecurity goes private

Posted May 19, 2017 7:34 UTC (Fri) by paulj (subscriber, #341) [Link]

For primary distribution, you can charge _whatever_ you want. Be that in source or binary form.

If you have distributed in binary-only form, you must honour the §3 commitments to provide source on reasonable terms, for a _finite_ amount of time.

That does not, per se, prevent one from primary distribution in source form, at whatever price. (Though, anyone who is aware the distributor is also obligated to provide source under §3 terms, or is aware to ask, obviously may prefer the §3 terms).

Grsecurity goes private

Posted May 10, 2017 1:00 UTC (Wed) by linuxrocks123 (subscriber, #34648) [Link]

Intent only matters when the intent is somehow illegal by statute. Your claim that "the intent is to stop them from doing something they're legally allowed to do, therefore they can't do that" doesn't hold up to even a rudimentary analysis. In the US, a private company can, for instance, fire someone who goes on the news and says bad stuff about the company. The employee is perfectly free to speak up about how horrible his employer is, and the company is perfectly free not to be his employer anymore afterwards. No one's legal rights are being violated.

In the US, again, anti-retaliation laws are the exception, not the rule. You can't be fired for blowing the whistle on your company to the government, like by reporting it to the EPA or whatever, because there's a specific law against companies' doing that. You can't be fired or not hired for being black because, again, there's a specific law against companies' doing that. In some but not all US jurisdictions, you can't be fired or not hired for being gay, because there's a specific law against companies' doing that; in other places, there's no such law, so a company can only hire straight people and refuse to serve gay customers if it wants to, and can fire an employee for coming out, even though it's definitely not illegal to come out.

In the law, and not just the US but pretty much everywhere, anything not prohibited is permitted. If your assertion is that the law in whatever jurisdiction you're in prohibits a company from retaliating against customers for doing a thing, you'll need to find the specific law stopping the company from retaliating against the customer for doing that thing, not just confirm that the thing the customer did isn't itself illegal to do. Just because I have the right to go on the news and talk about how horrible McDonald's is doesn't mean McDonald's still has to employ me or serve me as a customer after I do that.

Grsecurity goes private

Posted May 6, 2017 7:26 UTC (Sat) by madhatter (subscriber, #4665) [Link] (5 responses)

> They're under no obligations to sell their work to customers they don't like, for whatever reason.

That seems an over-simplified analysis, to me, at least in the context of England and Wales. Cases like this one have established that, at least once you engage in business, you do not have an overriding right to refuse to make a contract with someone, that there are some reasons which the law does not permit you to use to justify a refusal so to do, and that a court may make inferences about your real reasons if you refuse without giving a justification.

Let me be clear that I'm not saying that a customer's patch re-distribution is an unlawful reason for refusal in the way that a customer's homosexuality clearly is. I'm merely starting by pointing out that unlawful reasons for refusal to enter into a contract do exist.

So one could argue that, Grsecurity having accepted a licence which forbids them to place restrictions on the GPL-compliant redistribution activities of inter alia their customers, they do not have the right to refuse to enter into a new contract with an ex-customer simply because that customer has engaged in behaviour which (s)he was perfectly entitled to do. I have no idea if such an argument would be persuasive, but it would need a better counter-argument than "Grsecurity don't have to enter into a contract with anyone if they don't want to", because that's simply not true.

Grsecurity goes private

Posted May 6, 2017 7:57 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]

I don't know about England, but in the US companies can generally refuse service to another _company_ for any reason. Very much including "we don't want to deal with a company with a gay CEO" or "we won't sell our product to Democratic supporters".

There are certain limitations like local utilities and other regulated monopolies, and some cases of tortious interference, but they don't really apply here.

Discriminating against individuals is somewhat more complicated, the law in the US recognizes several enumerated "protected classes" ( https://en.wikipedia.org/wiki/Protected_class ). But "political opinions", for example, are not a protected class - it was absolutely legal for Hollywood to blacklist "communist supporters" during the McCarthy era.

Grsecurity goes private

Posted May 6, 2017 8:00 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

> So one could argue that, Grsecurity having accepted a licence which forbids them to place restrictions on the GPL-compliant redistribution activities of inter alia their customers, they do not have the right to refuse to enter into a new contract

No problem. We have a very special price for your new contract: $100500 for each line of code that we deliver. Very cheap! Please send pre-payment checks to: .....

Grsecurity goes private

Posted May 6, 2017 8:48 UTC (Sat) by madhatter (subscriber, #4665) [Link] (2 responses)

Cyberax, I think the points in your first comment are excellent. I'm certainly not suggesting the English approach is persuasive everywhere, and the B2B vs. B2C distinction is well-worth closer examination (though if it were found to hold water, putting up an individual as a single protected transactor who could then redistribute without fear of comeback might well be something the community thought to do). I'm merely noting that linuxrocks123's argument is over-simplistic, and may not work everywhere.

The second comment's argument is again, to me, over-simplistic. You may wish to consider whether the court in Wilkinson would have found the B&B owner/operator's conduct less infringing if she had said "your room will not be £59.90, it will be £100,500 a night" instead of "no room for you"; my guess is they would have been equally unimpressed. All attempts to treat one customer differently to another are things a court may examine; the US-style position that I run my business how I like and I'll deal with customers how I like isn't always permitted elsewhere.

Grsecurity goes private

Posted May 7, 2017 9:27 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

Hotels can't exceed publicly posted prices in the US... But within the posted limits a B&B most certainly can discriminate by, for example, political opinions or any other non-protected class. For example, a hotel can offer 99% discount to people wearing blue clothes.

Grsecurity goes private

Posted May 7, 2017 10:19 UTC (Sun) by karkhaz (subscriber, #99844) [Link]

Actual, slightly ridiculous example from the UK: a few years ago a skiing holiday provider promised a 30% discount to anybody named Sharon or Kevin. The idea was to make skiing holidays (traditionally associated with rich people) more appealing to working class folk (Kevin and Sharon are names more associated with said class in the UK).

I don't think this was ever challenged in a UK court, and wonder how it would have gone down. And if that would have changed if they discriminated the other way (offering the discount to people named Hugo or Spencer).

https://www.directski.com/shazandkev
and advertising flyer:
https://www.cheapflights.co.uk/news/wp-content/uploads/20...

