Grsecurity is no longer open source

grsecurity is no longer open source.

grsecurity.net/passing_the_baton.php

Is this legal? pls email stallman


So? The open source community will probably maintain patches for future kernel versions.

So? Use selinux. It is much better and much easier to use today.

/s? selinux isn't comparable to grsecurity

What a crock of shit.

Anyway this has always been a grey area in regards to the subscriber only patches even before this announcement.

The GPL requires you to grant the customers/users of your product the same terms under the GPL which means that if you use the commercial patches, you are free to release/distribute the source code under the same GPL license.

However if you distribute the grsecurity patches to people who aren't your own end users/customers exercising their GPL rights then they won't sell you the next set of patches.

There's nothing in the GPL stating that you can't refuse service to people who exercised their full GPL rights by distributing the patches. As long as they can use/distribute the code in the current patchset under the GPL then there's no violation.

Not that it counts for much legally but this isn't in the spirit of the GPL if you can't fully exercise your rights without retaliation.

I think RMS is aware of this issue already, lkml.org/lkml/2016/6/1/530

Why can't some commercial distro just buy them?
Or maybe we could crowd fund a buyout and force them to become a non-profit like Mozilla?

Yeah, look how well that turned out for mozilla

It could still be open source (and free software, for that matter) as long as the people they distribute grsecurity to get the required freedoms. The requirements for open source are actually nearly equivalent to those for free software (they're based on a set of guidelines Debian uses to test whether something is free software), so grsecurity remains open source and free software so long as subscribers get these four freedoms:
- The freedom to use grsecurity for any purpose
- The freedom to study and modify grsecurity
- The freedom to redistribute grsecurity
- The freedom to redistribute their modified versions of grsecurity
The third and fourth freedoms could be a problem. It depends on how exactly they plan to react to redistribution.

Okay, what about just folding them into the linux foundation then?

You mean, rewarding them for violation of (the spirit of) the GPLv2?

Do you mean the spirit according to Torvalds or the spirit according to Stallman?

It definitely violates the spirit according to Linus, but it's not so clear for the spirit according to Stallman, and he's the person who originally created the GPL.

SELinux is different from grsecurity; it does different things and is better by default.


Sadly there is no violation of GPLv2, it's all in their rights to do.

Good riddance.

t. NSA

I wish Linus & co took security seriously. It's ridiculous that we have to rely on third party patches to get decent kernel security.

Since this has nothing to do with TiVoization, which the GPLv2 permits, but with sharing the source code, which has been a staple of the GPL since version 1, this is (almost) certainly against the spirit of the GPL according to both Torvalds and Stallman.
Maybe I should have been clearer by distinguishing the spirit of the GPL from actual copyright violation of GPL-covered software. If you ask Stallman, using GPLv2 software in Tivoized hardware is violating the spirit of the GPLv2 but not the GPLv2 itself. If you ask Torvalds, you get a different answer.


They are really in a grey area here. If the Linux Foundation, Torvalds, GKH, and all the others started a legal offensive against the grsecurity publishers, it's not certain what a judge would do. It's not that they ask for 6 gorillion shekkels to release patches, it's that they threaten paying customers with termination of their subscription if they redistribute said patches, thus not permitting freedom 2:

If Stallman thinks they may be in violation of the GPLv2, then there's a good chance they might be. But IANAL, so the only thing I can say conclusively is that people like the grsecurity team should be shunned from the free software community.


Agreed. They should have a more de Raadtian attitude towards security, where you start secure but inconvenient and add more services as you need them, NOT in advance because someone might need them someday.

[0]: gnu.org/philosophy/free-sw.en.html

The spirit of the GPL is freedom for the user, which means source code access for the user, not accessibility of source code to the original developer. Stallman might mind this practice because it limits the freedom to redistribute, but he wouldn't mind that the source code isn't public because the source code only has to be available to people who have access to the software in the first place.

Any license that requires source code to be public under circumstances where no other form of the software is already public is not a free software license. See the Open Watcom Public License for an example.

I think you meant of, not to.
The spirit of the GPL also says that users should be able to redistribute copies to others and share improvements (freedoms 2 and 3). While you aren't entitled to someone's software, you can still get it from another user willing to share.

The actual point of contention is whether a project should be able to require you to sign an agreement that terminates your access to future versions, support, etc. if you exercise freedoms 2 or 3, thus deterring sharing.
The above, in combination with a fee, can be used to paywall software (i.e. you pay, you share once, you're out (or pay full price again if applicable)).

In the end, you only have rights to the version you were distributed, and denying updates or support doesn't violate the 4 freedoms; software being free doesn't entitle you to updates or support. However, the licensor shouldn't take measures to deter you from sharing either.

This reminds me of Patreon whores who paywall everything and ban you if you share, with the difference that in this case the license lets you share.


There is literally only one thing Linus asks of you if you make modifications to the Linux kernel.

Torvalds is a brilliant programmer, but he is very wrong about this. The way I see it, tivoization is the single greatest threat to free software, and we have to recognize that. If you can't use a different version of the software you have been provided by the hardware seller, then it's in practice no better than source-available gratis ware. I know from experience that installing/uninstalling non-Google approved software on an android tablet is a pain in the ass. Otherwise, I agree with him.


This.
Jesus Christ! Biting the hand that feeds you is a great idea. Pic related.

fug. now what am I supposed to use?

Here is 100,000. Stop providing anons with security, thx.

Do you think this is fucking Reddit or something?


>Is there another project, which has all the protections listed at grsecurity.net/features.php ?
The Windows 10 kernel.

>Is there another open-source project, which has all the protections listed at grsecurity.net/features.php ?
No, but the OpenBSD kernel seems to be the closest one. (with very limited Mandatory Access Control features)

Nobody wants to enforce the GPL anymore after the vmware lawsuit.
Nvidia also breaks the GPL but nobody seems to care, and there are more out there that do it.
Honestly GPLv2 is pretty useless if nobody is going to enforce it.
That said they take huge patches from vendors but don't want to get the grsecurity patches in without making it weaker and shittier.
Also a lot of things will probably never be upstreamed because it "can" break userland if you don't set PaX flags, unless you have to opt in.

Nvidia has never broken the GPL2. The GPL2 is a distribution license and it only covers a specific copyrighted work. The work that Nvidia distributes under GPL2 remains under GPL2.

pick 1

I tried reading this report of the situation to find out what's happening.

theregister.co.uk/2017/04/26/grsecurity_linux_kernel_freeloaders/


As long as the patches remain GPLv2 compatible there is no problem. There is absolutely nothing wrong with charging people money and selling free software.

Spengler is a greedy fuck so he'll just terminate your subscription agreement. In fact, he has basically admitted that this was the case. Red Hat doesn't have problems because they redistribute the source, and only charge for binaries basically. This is most likely a GPL violation, because the GPL does not allow any other further "restrictive" conditionals tacked on to source redistribution.

The subscription is very expensive, and if you release the code, you get blacklisted from future patches.

lol just like mediakek

I don't understand. Can't the community take the code of an older version and fork it, or is the license change retroactive?

They can, but I expect it takes significant developer effort just to keep it up-to-date with mainline kernel releases.

Didn't they already do this like a year ago? Did I just dream it?

Only for stable kernels, if I remember correctly. Patches for cutting edge releases stayed public, probably because the people interested in spending money on grsecurity in the first place are more likely to run stable systems.

who buys this shit? how much can something like this be worth

If you have a crippling paranoia it's worth a lot.

definitely breaks gpl-2
hope they get sued, at least redhat releases something even with their patch model, spengler is such a kike

Lots of vendors broke or break the GPL only retards don't know about it.
You should read up on a few things and start with the Linux Foundation turning its back on the community.
It's all corporate bullshit and one big circlejerk.
Just look at vmware lawsuit and wonder why there hasn't been any more action.

End of official PaX and grsecurity support in Arch Linux

lists.archlinux.org/pipermail/arch-general/2017-April/043604.html

How do they know who to blacklist? Is it something as simple as the law of probability/monitoring social media and such, or custom patches that can be used to uniquely ID the sharer?

It was Libre (Free) Software.

Yes, the owner of the code, as in the original author, can reissue his code under any license.
The licenses on the old code do not expire, so previous releases are still GPL.

grsecurity is a derivative work. It's based on Linux. Linux uses GPLv2, which requires that derivatives also use GPLv2, so grsecurity has to be issued under GPLv2.
But grsecurity wasn't relicensed, it's just no longer public. The people who do get copies get them under GPLv2.

As long as it's GPL2, it's good.

It's not illegal to, say, distribute it only to people who purchase media or online access, so long as they are in turn allowed to enjoy the 4 freedoms (which include redistributing).

Guess this means that anyone who wants to use a secure operating system needs to move to either OpenBSD or Qubes.

What a shame. The leader of Grsec was a douche anyway.


Literally every piece of code has been given away for free to whomever so chooses to use it. If you don't like the available BSD's, fork your own version. Some security mitigations have been used by other Linux forks, most prefer to insult us when we call them on their cancer code while they deal with horrible insecure systems. They give up security so their 'contributing devs' can write pajeet level code that works but is full with errors and thus security vulnerabilities. If you have a secure os that demands correct code, you teach a programmer to code properly.

Until governments start bankrupting businesses with lawsuits for leaking user data due to using insecure cancer, this isn't going to fix itself. They want the time constraints of correctly written code gone and simply have something functional, never mind the errors.

Keep writing shit code that argentinians, ruskis and chinks thrive in. Google literally made the hack the planet possible with their cancer android. Anyone who has a 'smart'phone is easily popped.

I have yet to meet a hacker who got into my employer's Fortune 500 hardened OBSD server boxes.

A lot of target-rich power users have been hopping to Linux in the past few years; I see new 0days almost weekly now on the darknet. It's the same insecure pile of garbage as Windows, since these fuckers compile the kernel while disabling most of the measures available, such as a stack protector.

guessing someone put the squeeze on them to put in some backdoors

same can be said of any license m8


just swap some variable names around to create unique versions and voila. Just like that crappy SiDiM book DRM.


you're forgetting the part where they can blacklist you from future versions if you redistribute.

one of these seems out of place


What a joke, Linus wouldn't even mainstream their shit. Then they get angry at him and OpenBSD. Popcorn time.

How much does grsec cost? Their site says "email us for a price" so it's probably sky high. But even if it was $10 I still wouldn't buy it tbh

Back when they locked down the stable kernels, it was $200/month. These days, it looks like they find out how much you have in your bank account and jew you accordingly.

Looks like gentoo hardened will be maintaining grsecurity patches for the LTS 4.9 Linux Kernel. If you stick with 4.9, you'll have grsecurity for years.

I was with you until you shat on Android. Not because you are wrong, but because Android leverages much of the OpenBSD libc code.
It just seems weird to shit on an OS that is actually openly using OpenBSD stuff when you are shilling for OpenBSD.

Does grsecurity even matter for desktop users? A userland application compromise for desktop users = gameover.

Unless you are running containers or sandboxes, a hardened kernel doesn't matter for desktop users.

this better be b8

It doesn't. There is always SELinux if users are too poor to pay for their free software.

SELinux/AppArmor rely on the security of the kernel; they can be bypassed with a kernel exploit.

It does matter for desktop usage; even Tails was on its way to having grsecurity/PaX.
Shitty SELinux doesn't prevent shit unless you set up MLS and harden the policies yourself, and even then it's shit.
Compromising a userland application is a lot easier without grsecurity/PaX because there's no MPROTECT, strong ASLR or exploit bruteforce prevention.
There are a lot of mitigations under the hood of grsecurity/PaX.