GrSecurity Linux Kernel To Focus More On Performance This Year

  • #11
    Originally posted by skeevy420
    GPL Violator or not, I don't support or use services that don't have a clear pricing model. "You have to contact us for pricing" is one shady business practice.
    It's kind of normal for a lot of B2B contracts, it's not amazing but there are FAR more shady practices.

  • #12
    Originally posted by sandy8925
    Based on the GPL, GrS cannot legally forbid any of their clients from redistributing the patches.
    They can strongly dissuade them by terminating the contract and never selling to them in the future, and also by making them sign an agreement where if they were to redistribute the patch they would pay a lot of money to GrSecurity.

  • #13
    Originally posted by reavertm
    GRS sells patches that are based on GPL-licensed kernel software. GRS patches are licensed with a proprietary license.
    Sure about this? Afaik the GPL only forces them to provide the source of their patch to clients, not to everyone asking. And it's reasonably easy to ensure the clients aren't going to redistribute it themselves by just terminating the contract if they do so.

  • #14
    Originally posted by starshipeleven
    They can strongly dissuade them by terminating the contract and never selling to them in the future, and also by making them sign an agreement where if they were to redistribute the patch they would pay a lot of money to GrSecurity.
    That second part would violate GPL and therefore be illegal.


  • #15
    Originally posted by sandy8925
    That second part would violate GPL and therefore be illegal.
    No it would not as it is a sales or services agreement that is signed between the two entities, it's completely unrelated to the license.

    For their client the value of the patches alone is low, they are paying for a service (support, updates and improvements as the security landscape changes), and this service has an agreement and its own conditions just like any other service.

    It would not be hard to just say that distributing the code without paying a load of cash (or at all) would violate the terms of this agreement, and terminate the contract.

    Then they would have GPL code so they can do what they want with it, but they paid for a service that is more than just bare kernel patches with no warranty or support.

    This isn't uncommon in business, see https://www.legalmatch.com/law-libra...tributors.html
    Last edited by starshipeleven; 20 March 2020, 07:15 AM.

  • #16
    Originally posted by starshipeleven
    No it would not as it is a sales or services agreement that is signed between the two entities, it's completely unrelated to the license.
    The patches shipped by GRSecurity are derivative works of the Linux kernel. They don't function as a standalone product without the Linux Kernel. Therefore they need to abide by the terms of the GPL because they are just a modification to the Linux kernel.

    "You may convey a work based on the Program, or the modifications to produce it from the Program...
    • c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy."
    This is the bit that they violate. They have made modifications, and they are attempting to use a different license via the "sales agreement".

    Note that sales and services are explicitly separate when RedHat does it. They do provide all source code (except for the RedHat trademarked logos which are explicitly exempt), which is why we have CentOS. CentOS can't use GrSecurity patches, because they "forbid redistribution".

  • #17
    Originally posted by OneTimeShot
    The patches shipped by GRSecurity are derivative works of the Linux kernel.
    Unless you can show me where they are changing the license of the patches it's 99% likely to be as I said above.

    The patches are GPL, and they are legally circumventing the GPL by using a service/sales agreement with their clients that prevents the client from distributing the patch if they still want to use the service.

    This is legal. The GPL does not say "you MUST redistribute", but "you CAN redistribute". The client CAN redistribute the patches, so the freedom granted by the GPL is not infringed.

    The GrSecurity service though (providing the clients updates to the patches as time goes on, support, or anything else) is NOT bound by GPL but by a commercial contract that can very well state that any redistribution of the patches would result in its termination.

    Since the value here is the service (the updates and the support) and not just the patches on their own, any client does not really have much incentive to use their GPL-granted rights to redistribute the patches.

    Note that sales and services are explicitly separate when RedHat does it.
    That's two very different products though. RHEL is a fully-fledged server operating system that can do a lot of different roles in complex environments. GrSecurity patches are just security hardening for a Linux kernel.

    Clients actually buying RHEL are likely to need much more support than clients that pay for GrSecurity hardening. So RedHat can assume that most serious clients will pay for a subscription even if they can get more or less the same stuff (not really, there is some proprietary stuff in RHEL too, mostly in the userspace, server management) with CentOS.

  • #18
    Originally posted by starshipeleven
    Unless you can show me where they are changing the license of the patches it's 99% likely to be as I said above.

    This is legal. The GPL does not say "you MUST redistribute", but "you CAN redistribute". The client CAN redistribute the patches, so the freedom granted by the GPL is not infringed.
    I don't think that you understand legal terminology. If they are not using the terms of the GPL as specified in the bit I quoted, what license are they using?

    I'll keep it simple: if you are distributing or modifying GPL software you *MUST* license it under the terms of the GPL - which means the receiver must get the same rights as you had. You can't add your own restrictions, unless you get that agreed with the original Copyright owners - Linus/IBM and so on. What you are describing is MIT or BSD licenses where anyone can make changes and not distribute the source.

  • #19
    Originally posted by OneTimeShot
    You can't add your own restrictions
    What about updates? Does the GPL state that any updates I make to GPLed code must be shared with anyone that has the previous version? No it does not. This is the point.

    They can freely decide to give updates to you or not without violating the GPL.

    They are selling a subscription service where they give the patches, and then keep them updated over time and give other support.

    The GPL gives the client the freedom to redistribute the code. The subscription service agreement does not.

    But these are two different things, both exist at the same time.

    - Code license of the code.
    - Service agreement for the updates and support to the patches.

    Due to the code license, the client can take the code, or redistribute it freely. Because it is GPL.

    But if they do so they break the service agreement, and they will not get any more updates and support.

    Now, for a client what is more useful of the two things?

    1. Having some source code with no support, that will become useless in a few months as security evolves
    2. Having full updates and support for the product, but having to pay money to GrSecurity

    Most likely the latter. So they chose to just pay and not redistribute the patches.

    This is a similar situation with RedHat or SUSE, and also Google (Android) for that matter as neither are selling the code directly à la Microsoft.

    The whole software product (without some smaller parts) is available for free, but it is a behemoth that requires significant resources to maintain and skills to master.

    For the client, just getting the source (or a free distro like CentOS or openSUSE Leap) is quite frankly completely useless.

    They lack the skills to maintain it themselves, or need skilled support to deal with their issues in a short time, or need training for their admins.

    So they pay for a business license, and pay for the service.

    GrSecurity is doing it in the reverse. They use the service to force the clients to not leak the code, fully knowing that the clients need the service and can't do much with the code alone.
    Last edited by starshipeleven; 20 March 2020, 08:47 PM.

  • #20
    If I create a derived work based on GPL'd code, and let my customers use it, then that derived work must follow the GPL license.

    I don't need to hand out my patches to anyone who asks. But if any of my customers asks, I must hand out my code changes to them. That's all part of the GPL license. And my customers are then free to further distribute the patches to whoever wants them.

    I can't write a contract with my customers where they have to agree to not republish my changes - that would violate the original GPL license.

    When GrS adds a clause that their services are terminated if a customer redistributes the changes, then they are adding an additional clause on top of the GPL license. And the GPL doesn't allow any additional limitation to be added.

    If a client released the code and got their service terminated, I think it could result in a very interesting case in court. A case that just could completely shatter their business model.