GrSecurity Kernel Patches Will No Longer Be Free To The Public
-
Right, preferred form for making modifications - in other words the C and header files, the build scripts etc. I don't think it means the patches need to be exposed.
One point that I feel isn't being made clear in these discussions: Grsecurity cannot legally prevent its customers from distributing the modified kernel source code that Grsecurity provided to its customers. Grsecurity can penalize them (by cutting off future support - it's a scumbag move though), but can't stop them from redistributing that source code otherwise.
Comment
-
Originally posted by sandy8925:
Right, preferred form for making modifications - in other words the C and header files, the build scripts etc. I don't think it means the patches need to be exposed.
One point that I feel isn't being made clear in these discussions: Grsecurity cannot legally prevent its customers from distributing the modified kernel source code that Grsecurity provided to its customers. Grsecurity can penalize them (by cutting off future support - it's a scumbag move though), but can't stop them from redistributing that source code otherwise.
"The source code for a work means the preferred form of the work for making modifications to it."
How do you alter the Linux kernel as part of the development process? Make a patch and apply it. So the preferred form for making modifications to Linux source is a patch. That line in GPLv2 ends up having 8 different meanings in court.
"For an executable work" follows that text and makes the clear point that the line is not just for complete works.
The patches interacting with GPL source are GPL due to the way the GPLv2 license is written. For a patch to work you have to include lines from the GPL work so it correctly aligns into the GPL work. So making a patch file using standard tools you have in fact copied the GPL work.
There are no source patching solutions I know of that don't copy parts of the work they are patching into to confirm alignment.
Comment
-
Sorry for the late reply...
Originally posted by starshipeleven:
https://www.gnu.org/licenses/gpl-2.0.html
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
There is no requirement to share your source with anyone, only with those that receive a copy of it from you. So they only need to provide source code to customers to follow GPLv2 requirements.
The only license that requires that you send sources to more or less anyone is the AGPL (Affero GPL) that forces you to provide source of the AGPLed stuff on the server to any clients requesting it.
Comment
-
Originally posted by W.Irrkopf:
Sorry for the late reply...
See my highlighting above. And that phrase got removed in GPLv3. So unless you go with option a) or c) then yes, *anyone* is entitled to the source. c) can be ruled out in this particular case which leaves option a). Actually they most likely provide the source to their customers, thus fulfilling a).
Comment
-
Originally posted by sandy8925:
Grsecurity can penalize them (by cutting off future support - it's a scumbag move though), but can't stop them from redistributing that source code otherwise.
Originally posted by W.Irrkopf:
Originally posted by starshipeleven:
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
Originally posted by oiaohm:
There are no source patching solutions I know of that don't copy parts of the work they are patching into to confirm alignment.
Last edited by chithanh; 16 May 2017, 03:54 AM.
Comment
-
Originally posted by TheBlackCat:
It would be "compatible" in the legal sense if it forbids distributing of the patched software since the GPL rules only come into play when you distribute the software, unless the patch is a derivative work and thus also GPL-licensed by default. If you have a citation showing that a patch is a derivative work, please provide it. As I said, I wasn't able to find any reliable source one way or the other.
https://softwareengineering.stackexc...e-same-license
https://opensource.stackexchange.com...sed-executable
https://ask.slashdot.org/story/00/03...-cover-patches
It would be pretty implausible to claim around your distributed patch that while directly intended to modify GPL source, it wouldn't itself be GPL, when that's precisely the requirement.
Just the fact that nobody's legally doing it should give you an affirmation. As explained lower down in my post you quoted, you can get around this by just forbidding your clients to redistribute the patch by requiring them to give up their rights to that GPL clause (you could say, a contract with an amendment on previous contract).
Last edited by ArchLinux; 21 May 2017, 12:43 PM.
- Likes 1
Comment
-
Originally posted by chithanh:
On LWN, Grsecurity folks likened this to Red Hat providing broken out kernel patches only to paying customers, and threatening to cut off future access to anybody who redistributes the patches. FSF apparently said that this is allowed by the GPL, so I guess that Grsecurity is legally in the clear. But yes, even more scumbag than what Red Hat does with their kernel patches.
No, wrong. An entity is only entitled if in possession of the written offer.
You don't need to confirm alignment if you support only one precise source release.
If you use a patching solution that does not confirm alignment and it is only for 1 precise source release, it will fail as soon as you have to apply other fixes for hardware support or anything else. Something nasty if you don't confirm alignment is, let's say, the source has been on Windows and has had the carriage returns changed, or been opened in an IDE and spaces have been changed for tabs in some places. So yes, it's the right source version, but the patch that does not contain confirm-alignment code just shoves everything in the wrong place.
Fairly much if you don't confirm alignment your patch is not dependable. Microsoft had a distributed versioning solution that did not confirm alignment and they ended up migrating to git due to issues; git uses diff instead, which confirms alignment. I should be more clear: any production quality patching solution, be it binary or source patching, will confirm alignment and will have snippets from what it is patching.
So if Grsecurity wants to use garbage patching, good luck to them. Any patching solution that is not confirming alignment is garbage.
"Just the fact that nobody's legally doing it should give you an affirmation. As explained lower down in my post you quoted, you can get around this by just forbidding your clients to redistribute the patch by requiring them to give up their rights to that GPL clause (you could say, a contract with an amendment on previous contract)."
GPL is a contract, and demanding that clients give up their GPL rights is a breach of the GPL contract, so making your own usage of that GPL product illegal. All you can do is refuse to give them updates to newer versions; you cannot forbid them using their rights under GPL.
Comment
-
Originally posted by oiaohm:
Redhat does not provide the patches broken into individual patches even for paying customers.
Originally posted by oiaohm:
Fairly much if you don't confirm alignment you patch is not dependable.
As long as grsecurity is the only patch provider that does this, users can just adjust the order of patching in case they need other patches too. Otherwise, turning the patch that does not confirm alignment into one that does is trivial.
Originally posted by oiaohm:
GPL is a contract and demand that clients give up their GPL rights is breach of the GPL contract so making your own usage of that GPL product illegal. All you can do is refuse to give them updates to newer versions you cannot forbid them using their rights under GPL..
Comment
-
Originally posted by chithanh:
Oh, have they stopped doing so? Last I heard, they still gave them out if you paid enough (but with contract termination clause in case of individual redistribution of course)..
Since 2011, even if you paid, they don't give you the individual patches Redhat has used in RHEL. Redhat does this because companies like Oracle created shell companies to buy from Redhat to get access to the patches to use in their own distributions. Of course RHEL refusing to give those companies updates made no real difference; it was a wash, rinse, repeat cycle.
1) create a shell company
2) buy 1 copy RHEL
3) get RHEL patches use GPL rights to integrate those patches into own distribution.
4) when detected and patches stop coming return to step 1.
Since the above cycle has been done against Redhat, Grsecurity should presume this will be done against them.
Originally posted by chithanh:
You can still confirm that e.g. a provided hash value matches against the source file, and refuse patching otherwise.
As long as grsecurity is the only patch provider that does this, users can just adjust the order of patching in case they need other patches too. Otherwise, turning the patch that does not confirm alignment into one that does is trivial.
Microsoft attempted to design a source management system that conformed to all the legal requirements to avoid license taint. It's basically legally impossible to make a source management system that avoids GPL and is stable, because there is no method of validation courts have approved; hashes and snippets of code are the same thing in court. It's not like Microsoft did not try very hard before giving up and going git. Microsoft's "GPL is a virus" thing was from fear of including something and it being really viral and ending up GPL itself all the way to the core, so they attempted to make a Windows source management system so a GPL-containing part would be isolated from prior and later applied patches. There is no simple option; those have all been legally checked.
Comment
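The alignment point argued over in the posts above, as an added illustration that is not part of any post in this thread: a unified diff carries verbatim context lines from the file it patches, a line-number-only patch silently lands in the wrong place once the tree has drifted, and a whole-file hash pin detects the drift. The C snippet, file name and function names are constructed for the example.

```python
import difflib
import hashlib

# Constructed sample source, not taken from any real kernel file.
ORIGINAL = [
    "int check(int uid)\n",
    "{\n",
    "    if (uid == 0)\n",
    "        return 1;\n",
    "    return 0;\n",
    "}\n",
]
PATCHED = ORIGINAL[:3] + ["        return audit(uid);\n"] + ORIGINAL[4:]


def context_lines(old, new, n=2):
    """Return the lines a unified diff copies verbatim from `old` as context."""
    diff = difflib.unified_diff(old, new, "a/check.c", "b/check.c", n=n)
    return [line[1:] for line in diff if line.startswith(" ")]


def apply_change(lines, index, expected, replacement, verify=True):
    """Replace lines[index] with `replacement`.

    verify=True models diff/patch: the expected old line must be present.
    verify=False models a line-number-only patch with no alignment check.
    """
    if verify and lines[index] != expected:
        raise ValueError(f"line {index + 1} does not match, refusing to patch")
    return lines[:index] + [replacement] + lines[index + 1:]


def digest(lines):
    """Whole-file hash pin, the alternative suggested in the thread."""
    return hashlib.sha256("".join(lines).encode()).hexdigest()


# A tree that drifted by one line because another fix was applied first.
DRIFTED = ["#include <audit.h>\n"] + ORIGINAL

if __name__ == "__main__":
    print("context copied from original:", context_lines(ORIGINAL, PATCHED))
    blind = apply_change(DRIFTED, 3, ORIGINAL[3], PATCHED[3], verify=False)
    print("blind patch on drifted tree:", "".join(blind), sep="\n")
    print("hash pin matches:", digest(DRIFTED) == digest(ORIGINAL))
```

On the drifted tree the blind variant overwrites the `if` line and leaves `return 1;` in place, while the verifying variant raises instead of writing anything.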