GrSecurity Kernel Patches Will No Longer Be Free To The Public


  • oiaohm
    replied
    Originally posted by chithanh View Post
    grsecurity has no direct Oracle-like competitor.

    The reality is with the Kernel Self Protection Project funded by the Linux Foundation they do have an Oracle-like competitor now so they better get used to it.

    Originally posted by chithanh View Post
    Even assuming that the hash value of a copyrighted work is also copyrighted (debatable; see .torrent controversy) this is no problem:
    The GPL code from which the hash is derived is already public. So there is no conflict between GPL and anything else.
    .torrent hash gets out under fair usage clauses that allow you to checksum something because a torrent could be used to validate something you legally own. A .torrent is not being used to modify the content.

    Code being in the public does not alter its copyright status or the copyright status of anything you generate from it. GPL is not public domain. So the claim of no conflict is wrong and your logic is how people get caught.

    Modifying a copyright protected work you need to meet 1 of the following conditions to be legal.
    1) Have permission from the copyright holder; with GPL that permission is to modify as GPL.
    2) Your actions are inside what is classed as fair use under copyright law.

    Problem with number 2 is fair use is up to the court you end up in front of.

    These rules don't change no matter what. People forget public domain means the copyright holder is everyone so you have permission. Out of copyright is in fact wrong. Out of copyright means the copyright has transferred to everyone.

    Already in public is also wrong. 70+ years from the death of the last author is when a GPL work technically comes into the public. GPL works are published not public. Misusing the term public means you totally end up misunderstanding what the copyright status is.

    There is no loophole here. People only think there is a loophole when they don't understand what public means in a copyright sense. A public work is a public domain work where everyone is the copyright holder and that is not GPL. The already-public conditions that people look up are only for public domain works. Published works like GPL, Apache.... have conditions that must be followed.

    Some of the confusion comes from the GPL name. General Public License. The problem here is "General Public" has to be taken as one thing. General Public in fact means a section of the Public, not everyone like Public domain. Companies have attempted to argue the Public word in GPL before only to have their heads handed to them in court as it is pointed out what General Public means. The General Public in GPL are the people who obey the GPL license; anyone else is not who the General Public is referring to.

  • chithanh
    replied
    Originally posted by oiaohm View Post
    Since the above cycle has been done against Redhat. Grsecurity should presume this will be done against them.
    grsecurity has no direct Oracle-like competitor.

    Originally posted by oiaohm View Post
    You have got a trap here. That hash value its made from GPL source right. By contract/copyright no matter how you look at GPL the hash value is directly derived from the GPL work so is GPL itself.
    Even assuming that the hash value of a copyrighted work is also copyrighted (debatable; see .torrent controversy) this is no problem:
    The GPL code from which the hash is derived is already public. So there is no conflict between GPL and anything else.

  • oiaohm
    replied
    Originally posted by chithanh View Post
    Oh, have they stopped doing so? Last I heard, they still gave them out if you paid enough (but with contract termination clause in case of individual redistribution of course).

    Since 2011 even if you paid they don't give you the individual patches Redhat has used in RHEL. Redhat does this because companies like Oracle created shell companies to buy Redhat to get access to the patches to use in their own distributions. Of course RHEL refusing to give those companies updates made no real difference; it was a wash, rinse, repeat cycle.
    1) create a shell company
    2) buy 1 copy of RHEL
    3) get RHEL patches, use GPL rights to integrate those patches into own distribution.
    4) when detected and patches stop coming, return to step 1.

    Since the above cycle has been done against Redhat, Grsecurity should presume this will be done against them.

    Originally posted by chithanh View Post
    You can still confirm that e.g. a provided hash value matches against the source file, and refuse patching otherwise.

    As long as grsecurity is the only patch provider that does this, users can just adjust the order of patching in case they need other patches too. Otherwise, turning the patch that does not confirm alignment into one that does is trivial.
    You have got a trap here. That hash value, it's made from GPL source, right? By contract/copyright no matter how you look at GPL the hash value is directly derived from the GPL work so is GPL itself. The only option to avoid GPL is to not confirm and insert at X line numbers and pray. A hash is no different legally than including sample lines; both have to be argued under fair usage and both you can lose in court. People patching closed source ROMs to bypass copy protection stuff have used this hash method and been done for DMCA and copyright violation on the ROM itself. Those that did not hash and just altered some random point only got done for DMCA breach.

    Microsoft attempted to design a source management system that conformed to all the legal requirements to avoid license taint. It's basically legally impossible to make a source management system that avoids GPL that is stable because there is no method of validation courts have approved; hashes and snippets of code are the same thing in court. It's not like Microsoft did not try very hard before giving up and going git. Microsoft's "GPL is a virus" thing was from fear of including something and it being really viral and ending up GPL itself all the way to the core, so they attempted to make a Windows source management system so a GPL containing part would be isolated from prior and later applied patches. There is no simple option; those have all been legally checked.

  • chithanh
    replied
    Originally posted by oiaohm View Post
    Redhat does not provide the patches broken into individual patches even for paying customers.
    Oh, have they stopped doing so? Last I heard, they still gave them out if you paid enough (but with contract termination clause in case of individual redistribution of course).

    Originally posted by oiaohm View Post
    Fairly much if you don't confirm alignment you patch is not dependable.
    You can still confirm that e.g. a provided hash value matches against the source file, and refuse patching otherwise.

    As long as grsecurity is the only patch provider that does this, users can just adjust the order of patching in case they need other patches too. Otherwise, turning the patch that does not confirm alignment into one that does is trivial.

    Originally posted by oiaohm View Post
    GPL is a contract and demanding that clients give up their GPL rights is a breach of the GPL contract, making your own usage of that GPL product illegal. All you can do is refuse to give them updates to newer versions; you cannot forbid them using their rights under GPL.
    Indeed, neither Red Hat nor grsecurity take away any right that a recipient of the code has under the GPL. This cannot be emphasized enough.

  • oiaohm
    replied
    Originally posted by chithanh View Post
    On LWN, Grsecurity folks likened this to Red Hat providing broken out kernel patches only to paying customers, and threatening to cut off future access to anybody who redistributes the patches. FSF apparently said that this is allowed by the GPL, so I guess that Grsecurity is legally in the clear. But yes, even more scumbag than what Red Hat does with their kernel patches.

    No, wrong. An entity is only entitled if in possession of the written offer.

    You don't need to confirm alignment if you support only one precise source release.
    Redhat does in fact provide the source to their kernel with patches included. Redhat does not provide the patches broken into individual patches even for paying customers.

    If you use a patching solution that does not confirm alignment and it is only for 1 precise source release it will fail as soon as you have to apply other fixes for hardware support or anything else. Something nasty if you don't confirm alignment is, let's say the source has been on Windows and has had the carriage returns changed, or been opened in an IDE and spaces have been changed for tabs in some places. So yes it's the right source version but the patch that does not contain confirm-alignment code just shoves everything in the wrong place.

    Fairly much if you don't confirm alignment your patch is not dependable. Microsoft had a distributed versioning solution that did not confirm alignment and they ended up migrating to git, which uses diff instead and does confirm alignment, due to issues. I should be more clear: any production quality patching solution, be it binary or source patching, will confirm alignment and will have snippets from what it is patching.

    So if grsecurity wants to use garbage patching, good luck to them. Any patching solution that is not confirming alignment is garbage.

    Just the fact that nobody's legally doing it should give you an affirmation. As explained lower down in my post you quoted, you can get around this by just forbidding your clients to redistribute the patch by requiring them to give up their rights to that GPL clause (you could say, a contract with an amendment on previous contract).

    GPL is a contract and demanding that clients give up their GPL rights is a breach of the GPL contract, making your own usage of that GPL product illegal. All you can do is refuse to give them updates to newer versions; you cannot forbid them using their rights under GPL.

  • ArchLinux
    replied
    Originally posted by TheBlackCat View Post
    It would be "compatible" in the legal sense if it forbids distributing of the patched software since the GPL rules only come into play when you distribute the software, unless the patch is a derivative work and thus also GPL-licensed by default. If you have a citation showing that a patch is a derivative work, please provide it. As I said, I wasn't able to find any reliable source one way or the other.
    Can't say I have a clue of your Googling skills, or your level for a "reliable" source, but for some reading:

    https://softwareengineering.stackexc...e-same-license
    https://opensource.stackexchange.com...sed-executable
    https://ask.slashdot.org/story/00/03...-cover-patches

    It would be pretty implausible to claim around your distributed patch that while directly intended to modify GPL source, it wouldn't itself be GPL, when that's precisely the requirement.

    Just the fact that nobody's legally doing it should give you an affirmation. As explained lower down in my post you quoted, you can get around this by just forbidding your clients to redistribute the patch by requiring them to give up their rights to that GPL clause (you could say, a contract with an amendment on previous contract).
    Last edited by ArchLinux; 21 May 2017, 12:43 PM.

  • chithanh
    replied
    Originally posted by sandy8925 View Post
    Grsecurity can penalize them (by cutting off future support - it's a scumbag move though), but can't stop them from redistributing that source code otherwise.
    On LWN, Grsecurity folks likened this to Red Hat providing broken out kernel patches only to paying customers, and threatening to cut off future access to anybody who redistributes the patches. FSF apparently said that this is allowed by the GPL, so I guess that Grsecurity is legally in the clear. But yes, even more scumbag than what Red Hat does with their kernel patches.

    Originally posted by W.Irrkopf View Post
    Originally posted by starshipeleven View Post
    b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
    c) then yes, *anyone* is entitled to the source.
    No, wrong. An entity is only entitled if in possession of the written offer.

    Originally posted by oiaohm View Post
    There are no source patching solutions I know of that don't copy parts of the work they are patching into to confirm alignment.
    You don't need to confirm alignment if you support only one precise source release.
    Last edited by chithanh; 16 May 2017, 03:54 AM.

  • starshipeleven
    replied
    Originally posted by W.Irrkopf View Post
    Sorry for the late reply...

    See my highlighting above. And that phrase got removed in GPLv3. So unless you go with option a) or c) then yes, *anyone* is entitled to the source. c) can be ruled out in this particular case which leaves option a). Actually they most likely provide the source to their customers, thus fulfilling a).
    Yeah, I was pointing out that they were 100% likely to chose "a" so they are not forced to give it out to everyone asking for it.

  • W.Irrkopf
    replied
    Sorry for the late reply...

    Originally posted by starshipeleven View Post
    https://www.gnu.org/licenses/gpl-2.0.html

    3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
    b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
    c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

    There is no requirement to share your source with anyone, only with those that receive a copy of it from you. So they only need to provide source code to customers to follow GPLv2 requirements.

    The only license that requires that you send sources to more or less anyone is the AGPL (Affero GPL) that forces you to provide source of the AGPLed stuff on the server to any clients requesting it.
    See my highlighting above. And that phrase got removed in GPLv3. So unless you go with option a) or c) then yes, *anyone* is entitled to the source. c) can be ruled out in this particular case which leaves option a). Actually they most likely provide the source to their customers, thus fulfilling a).

  • oiaohm
    replied
    Originally posted by sandy8925 View Post
    Right, preferred form for making modifications - in other words the C and header files, the build scripts etc. I don't think it means the patches need to be exposed.

    One point that I feel isn't being made clear in these discussions: Grsecurity cannot legally prevent its customers from distributing the modified kernel source code that Grsecurity provided to its customers. Grsecurity can penalize them (by cutting off future support - it's a scumbag move though), but can't stop them from redistributing that source code otherwise.
    GPL is clear that you only need to provide source code to your customers; you don't have to provide it to everyone.

    "The source code for a work means the preferred form of the work for making modifications to it."

    How do you alter the Linux kernel as part of the development process? Make a patch and apply it. So the preferred form for making modifications to Linux source is a patch. That line in GPLv2 ends up having 8 different meanings in court.

    "For an executable work" follows that text and makes the clear point that that line is not just for complete works.

    The patches interacting with GPL source are GPL due to the way the GPLv2 license is written. For a patch to work you have to include lines from the GPL work so it correctly aligns into the GPL work. So making a patch file using standard tools you have in fact copied the GPL work.

    There are no source patching solutions I know of that don't copy parts of the work they are patching into to confirm alignment.

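The two alignment mechanisms argued over in this thread, chithanh's "hash the target and refuse to patch on mismatch" and oiaohm's point that a standard unified diff carries verbatim lines of the file it patches, shown in one added example that is not from any post here: the `check.c` contents, the hunk applier and the function names are constructed for illustration.

```python
import difflib
import hashlib
from typing import List, Optional

# Constructed stand-in for a kernel source file and the edit a patch should make.
ORIGINAL = "int limit = 10;\nint check(int x)\n{\n    return x < limit;\n}\n"
MODIFIED = ORIGINAL.replace("return x < limit;", "return x >= 0 && x < limit;")


def make_unified_diff(old: str, new: str) -> str:
    """Standard unified diff, the format diff -u and git diff emit."""
    return "".join(difflib.unified_diff(
        old.splitlines(keepends=True), new.splitlines(keepends=True),
        fromfile="a/check.c", tofile="b/check.c"))


def copied_lines(diff: str) -> List[str]:
    """The ' ' and '-' lines: text copied verbatim from the target so the hunk can align."""
    return [l[1:] for l in diff.splitlines()
            if l[:1] in (" ", "-") and not l.startswith("---")]


def apply_hunks(target: str, diff: str) -> Optional[str]:
    """Apply a unified diff, refusing (None) if any copied line fails to match the target."""
    src = target.splitlines(keepends=True)
    out, i = [], 0
    for line in diff.splitlines(keepends=True):
        if line.startswith(("---", "+++")):
            continue
        if line.startswith("@@"):  # "@@ -start,len +start,len @@"
            start = int(line.split()[1].lstrip("-").split(",")[0]) - 1
            out.extend(src[i:start])
            i = start
            continue
        tag, text = line[0], line[1:]
        if tag in " -":  # these lines must align with the target byte for byte
            if i >= len(src) or src[i] != text:
                return None
            i += 1
            if tag == " ":
                out.append(text)
        elif tag == "+":
            out.append(text)
    out.extend(src[i:])
    return "".join(out)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def hash_gated_apply(target: str, expected_sha256: str, diff: str) -> Optional[str]:
    """Whole-file hash check before patching: refuse on any byte-level difference."""
    if sha256_hex(target) != expected_sha256:
        return None
    return apply_hunks(target, diff)
```

Either gate rejects the CRLF-converted or tab-converted copies the thread describes; the difference is that the diff's own context lines are what reveal where the mismatch is, while the hash only says that there is one.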
