GrSecurity Kernel Patches Will No Longer Be Free To The Public

  • #61
    Originally posted by oiaohm View Post
    Since the above cycle has been done against Red Hat, grsecurity should presume this will be done against them.
    grsecurity has no direct Oracle-like competitor.

    Originally posted by oiaohm View Post
    You have got a trap here. That hash value is made from GPL source, right? By contract/copyright, no matter how you look at GPL, the hash value is directly derived from the GPL work so is GPL itself.
    Even assuming that the hash value of a copyrighted work is also copyrighted (debatable; see .torrent controversy) this is no problem:
    The GPL code from which the hash is derived is already public. So there is no conflict between GPL and anything else.

    Comment


    • #62
      Originally posted by chithanh View Post
      grsecurity has no direct Oracle-like competitor.
      https://kernsec.org/wiki/index.php/K...ection_Project
      The reality is that with the Kernel Self Protection Project funded by the Linux Foundation they do have an Oracle-like competitor now, so they had better get used to it.

      Originally posted by chithanh View Post
      Even assuming that the hash value of a copyrighted work is also copyrighted (debatable; see .torrent controversy) this is no problem:
      The GPL code from which the hash is derived is already public. So there is no conflict between GPL and anything else.
      .torrent hash gets out under fair usage clauses that allows you to checksum something because a torrent could be used to validate something you legally own. A .torrent is not being used to modify the content.

      Code being in the public does not alter its copyright status or the copyright status of anything you generate from it. GPL is not public domain. So the claim of no conflict is wrong and your logic is how people get caught.

      To modify a copyright-protected work you need to meet at least 1 of the following conditions to be legal.
      1) Have permission from the copyright holder; with GPL that permission is to modify as GPL.
      2) Your actions are inside what is classed as fair use under copyright law.

      Problem with number 2 is fair use is up to the court you end up in front of.

      These rules don't change no matter what. People forgot public domain means the copyright holder is everyone so you have permission. Out of copyright is in fact wrong. Out of copyright means the copyright has transferred to everyone.

      Already in public is also wrong. 70+ years from the death of the last author is when a GPL work technically comes into the public. GPL works are published, not public. Misusing the term public means you totally end up misunderstanding what the copyright status is.

      There is no loophole here. People only think there is a loophole when they don't understand what public means in a copyright sense. A public work is a public domain work where everyone is the copyright holder and that is not GPL. Already public that people look up conditions are only for public domain works. Published works like GPL, Apache.... have conditions that must be followed.

      Some of the confusion comes from the GPL name: General Public License. The problem here is that "General Public" has to be taken as one thing. General Public in fact means a section of the public, not everyone like public domain. Companies have attempted to argue the Public word in GPL before, only to have their heads handed to them in court as it is pointed out to them what General Public means. The General Public in GPL are the people who obey the GPL license; anyone else is not who the General Public is referring to.

      Comment


      • #63
        Oracle was directly poaching customers from Red Hat and a threat to their business model. OEL is equivalent to RHEL in a number of ways.

        The Kernel Self Protection project are a group of bright folks that have however failed to produce anything similar to grsecurity even after 1.5 years of trying, and with all the code available in front of them.

        Originally posted by oiaohm View Post
        Code being in the public does not alter its copyright status or the copyright status of anything you generate from it. GPL is not public domain. So the claim of no conflict is wrong and your logic is how people get caught.
        There is still no problem in making and openly distributing hashes of GPL'ed source code. Even if they were copyrightable.

        Comment


        • #64
          Originally posted by chithanh View Post
          Oracle was directly poaching customers from Red Hat and a threat to their business model. OEL is equivalent to RHEL in a number of ways.

          The Kernel Self Protection project are a group of bright folks that have however failed to produce anything similar to grsecurity even after 1.5 years of trying, and with all the code available in front of them.
          The reality is the Kernel Self Protection project will take a while to go through and audit everything grsecurity had done.
          https://lwn.net/Articles/724319/
          A lot of the time the method is being modified.

          Originally posted by chithanh View Post
          There is still no problem in making and openly distributing hashes of GPL'ed source code. Even if they were copyrightable.
          If you bundle that hash with something doing a modification to a GPL source, the copyright status of the hash becomes important. Google using tools auto-generating code off of JAR files and this being declared copyrightable in Oracle's favour, so forcing Google to fight fair usage.

          Attempting to patch a GPL source while avoiding GPL is a possible path to hell. Either you will have snippets of the GPL source or you will have something generated from the GPL source; either way your work will be connected to the GPL license, so it has to get out under the terms of GPL. Like being able to prove not a derived work, in that case GPL does not apply. So there are ways to connect GPL to non-GPL code but you have to be insanely careful.

          Comment


          • #65
            The Oracle vs. Google case does not apply here. That case was (in the end) about APIs which Google copied verbatim into their code.

            GPL does not restrict mere aggregation with non-GPL software. And even if it did, the hash could be shipped as a separate download, possibly from a separate entity.

            The patch is done by the user, not by the software vendor. So not a problem even in the extremely unlikely case that distributing hash values of GPL source gets you in trouble with the license, and shipping that hash along with your software causes it to become a derived work rather than an aggregation.

            Comment


            • #66
              Originally posted by chithanh View Post
              The Oracle vs. Google case does not apply here. That case was (in the end) about APIs which Google copied verbatim into their code.
              You need to read the Google case again. They were not verbatim copies. Google got an equally stupid idea that they could run automated bit software over the jar and spit out the structures and this would avoid the copyright. Only to find out they had made a derived work from the binary that was LGPL. So the source code generated by the automated tool had to have the same license as the binary the automated tool was working on.

              Originally posted by chithanh View Post
              GPL does not restrict mere aggregation with non-GPL software. And even if it did, the hash could be shipped as a separate download, possibly from a separate entity.

              The patch is done by the user, not by the software vendor. So not a problem even in the extremely unlikely case that distributing hash values of GPL source gets you in trouble with the license, and shipping that hash along with your software causes it to become a derived work rather than an aggregation.
              GPL is also a Contract. This is the big catch. Those hashes are derived works. The fact your code patches will not work without the hash to apply means they are derived works of the hashes. So all you have done is added more derived layers of abstractions and changed nothing legally. Instead it would be better working on proving true independent work status.

              GPL is also a Contract. This means if the vendor makes the patch, the vendor has to follow the terms of the contract. A patch done by the user does not protect the vendor from the GPL contract. Nvidia and a few closed source drivers for Linux are safe because they can prove independent work status.

              Yes, the idea of getting the user to do it was only an option until GPL got declared a contract. Read closer and you will notice that you don't have the right to modify the GPL work or provide modifications to a GPL work unless you agree to the terms of the GPL Contract. Attempting to loophole a contract has worse punishments than copyright infringement.

              So far all your ideas are a fool's path.

              Attempting to use the hash or the source means you're stuffed. It does not matter if the hash comes in a separate source. The terms of the GPL license do not give you protection by having the parts from different parties.


              You need to understand that derived can cascade and GPL says all derived is GPL license.

              You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

              This is from GPLv2. Note "any part thereof". This is the line you are attempting to bypass. Making a hash is directly derived so is covered by GPL. A line modification falls under derived unless you can prove otherwise.

              GPLv3 makes it more plain English by using modifications instead of derived. In fact GPLv3 is a lot harder to legally avoid than GPLv2.

              Comment


              • #67
                Originally posted by oiaohm View Post
                You need to read the Google case again. They were not verbatim copies.
                I followed the Oracle vs. Google case closely. In the end, the remaining question was about the copyrightability of APIs copied verbatim from Java into Android. Everything else had been decided earlier in favor of Google.

                As I wrote, whether the hash is covered by GPL or not (which is highly doubtful, but let's assume for the sake of the argument) does not matter at all. In fact, grsecurity does not even need to create or provide the hash themselves, they can tell their customers to download something from third party like https://cdn.kernel.org/pub/linux/ker...-4.11.tar.sign.

                Originally posted by oiaohm View Post
                Patch done by user does not protect vendor from contract GPL.
                Yes it does. Because GPL is only restricting distribution, not usage and modification. So the user can legally combine even GPL-incompatible stuff with GPL code.

                Comment


                • #68
                  Originally posted by chithanh View Post

                  I followed the Oracle vs. Google case closely. In the end, the remaining question was about the copyrightability of APIs copied verbatim from Java into Android. Everything else had been decided earlier in favor of Google.
                  You are getting words wrong. You are missing copied verbatim from the JAR binary, not copied verbatim from the Java source. The fact that copied verbatim from the binary kept the same license as the binary does change things. It was presumed going this path would avoid the license; the Google case made clear this does not avoid the license.

                  The recent case against Pirate Bay says the only thing protecting Pirate Bay would be safe harbour provisions and .torrent have the same restrictions as the whole work and that is due to the Oracle vs Google ruling.

                  Originally posted by chithanh View Post
                  As I wrote, whether the hash is covered by GPL or not (which is highly doubtful, but let's assume for the sake of the argument) does not matter at all. In fact, grsecurity does not even need to create or provide the hash themselves, they can tell their customers to download something from third party like https://cdn.kernel.org/pub/linux/ker...-4.11.tar.sign.

                  Yes it does. Because GPL is only restricting distribution, not usage and modification. So the user can legally combine even GPL-incompatible stuff with GPL code.
                  GPL affects >>derived from the Program<<. So yes it does cover some modifications. If your modifications are classed as derived they still have to be under GPL or you cannot give them to any other party.

                  Distribution is the problem. That GPL is a contract means the question of distribution does not apply just at the point the two parts are combined. Telling the user to use the kernel-provided signature that is GPL and then your source, this is distribution of a known derived, so breach of contract. Instructing a person to breach a contract is an offence.

                  Aiding and Abetting Breach of Fiduciary Duty is what instructing a person to breach contract falls under. This has worse punishments than breaching copyright. So yes, tell the end user to get the checksum from X and add your modification if it passed and you have now broken another bit of law, because GPL is a contract and you have just given instructions to attempt to bypass the terms. You cannot direct a person with a contract to break it, particularly if you know about the restrictions of the contract.

                  Nvidia closed source graphics drivers should be shipped built because that would breach GPL distribution. But it is legal for the end user to build Nvidia closed source drivers because non-derived status can be proven.

                  Failure to prove non derived status and attempt to bypass GPL will just get you more charges and more fines.

                  If GPL was only copyright your idea would stand a chance. The fact GPL is copyright and contract alters things a lot. Copyright only affects when you distribute. Contract affects you all the time when you are interacting with the stuff.

                  None of what you are suggesting is even an option any more. GPL being declared a valid contract changed a lot. Add in the recent Pirate Bay ruling and attempting to sneak around GPL is really playing with fire.

                  Comment


                  • #69
                    Originally posted by oiaohm View Post
                    The recent case against Pirate Bay says the only thing protecting Pirate Bay would be safe harbour provisions and .torrent have the same restrictions as the whole work and that is due to the Oracle vs Google ruling.
                    What recent case against The Pirate Bay? There was a case in the EU where it was ruled that TPB provides access to copyrighted works and therefore is responsible. But the Oracle vs. Google case wasn't in the EU.


                    Originally posted by oiaohm View Post
                    Distribution is the problem. That GPL is a contract means the question of distribution does not apply just at the point the two parts are combined. Telling the user to use the kernel-provided signature that is GPL and then your source, this is distribution of a known derived, so breach of contract. Instructing a person to breach a contract is an offence.
                    That is wrong. The user does not breach any contract by combining GPL and GPL-incompatible sources. This is an often held misconception; GPL does provide full and unrestricted freedom 0 and 1. This makes the rest of your post moot.

                    Comment


                    • #70
                      Originally posted by chithanh View Post
                      What recent case against The Pirate Bay? There was a case in the EU where it was ruled that TPB provides access to copyrighted works and therefore is responsible. But the Oracle vs. Google case wasn't in the EU.
                      Some of the ruling in both cases was on international conventions and what those conventions in fact meant.

                      Originally posted by chithanh View Post
                      That is wrong. The user does not breach any contract by combining GPL and GPL-incompatible sources. This is an often held misconception; GPL does provide full and unrestricted freedom 0 and 1. This makes the rest of your post moot.
                      The combining of GPL and GPL-incompatible sources depends on fair usage conditions in copyright law. The recent case running GPL under contract law means copyright limitations do not apply if someone takes you under breach of contract instead of breach of copyright. So it now has to be read like an NDA contract on a source code. GPL has always been a contract but most enforcement has been done under copyright legal hearings.

                      So it was not exactly a misconception; it is a question of what law GPL is enforceable under. Is GPL enforceable under copyright, where you have fair usage conditions, or is GPL enforceable under pure contract law, where you don't have fair usage allowances?

                      https://qz.com/981029/a-federal-cour...able-contract/
                      Basically this case throws everything up in the air, since it was ruled enforceable as a contract and enforcement can now avoid the limitations of copyright law.

                      The user does not breach any contract by combining GPL and GPL-incompatible sources.
                      This is only true if non-derived status can be proven or if the case is being held under copyright law with its limitations. It is copyright law that says you can include information from headers and the like as fair usage. With a contract like an NDA, using header files from the source is direct taint.

                      There is a lot of confusion because enforcing GPL using contract is rare.

                      https://www.gnu.org/licenses/200104_seminar.en.html
                      Most people reference GNU and FSF; the problem is that they have got what GPL is wrong and written what is allowed based on a mistake.
                      GPL is not a contract, so acceptance of the license works differently than it does for contracts. We discuss how this acceptance works under the copyright rules that govern the GPL.
                      This belief of the FSF does not agree with the recent court ruling that GPL is a contract. Most of what people believe is allowed is based on this error of declaring GPL not a contract when in fact it is. Being a contract changes what is allowed big time. So, like using snippets or bits out of header files, nothing in the GPL document itself grants this, so you are depending on copyright fair usage to do that. With a contract there is no fair usage allowance, so what is allowed aligns exactly to the terms in the GPL conditions.

                      Comment
