It's wonderful of grsecurity to produce a review like this - it'll be extremely helpful in addressing any issues in the development and patch management process. One can only think what improvements we might see in regards to Linux security, as a whole, if they'd work more proactively with the rest of the community. Of course, they're under no obligation to do so.
Unfortunately, I doubt that we'll ever have their participation - or even see or review any of grsecurity's modifications - all because of grsecurity's "Access Agreement". [0] Essentially, if I understand it correctly, even if grsecurity's customers wanted to, by sharing grsecurity's work with us or anyone else, those customers stand to have their access to the latest grsecurity created derivatives of the Linux kernel revoked. Of course, if that's true, facing a penalty for sharing code grsecurity received and modified per the GPL just doesn't sound right or just to me.
It seems obvious to me that one must carefully consider the wider picture when evaluating linux security posture evaluations, as presented by grsecurity, as there may be conflicts of interest in effect. I take what grsecurity says about the security of the Linux Kernel with a very large grain of salt, and you should as well.
Further, I'm not a legal expert and I use measured tones as grsecurity have taken legal action against open source community members in the past for expressing their opinions [1] on the matter of the access agreement [2]. While those matters were dismissed by the court [3], I am still hesitant to say anything, but find speaking on this matter a necessary thing to do, for what I perceive to be the good of the community.
> Of course, if that's true, facing a penalty for sharing code grsecurity received and modified per the GPL just doesn't sound right or just to me.
The GPL requires distributing the modified source to people you distributed a binary to.
If grsecurity's clients don't distribute a binary, they don't have to distribute the source.
EDIT: though there's this clause, and I'm not quite sure what to make of it:
> Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein.
GRSecurity has the same odious, if legal, posturing as RedHat - the GPL requires the current version's source (which customers have access to) be made available to customers. Upon sharing of the current version's source in a useful format to the public, licensing for future versions is denied - ie, you cannot be a future customer of RedHat. Thus you don't have a right to the binaries and thus neither the source.
RedHat gets away with distributing the source to their modified kernel as a giant patch file to the vanilla kernel because it adheres to the letter of the GPL but not the "spirit", insofar as a law can have a spirit, and insofar as I can claim what the spirit even is. Business-wise though, RedHat is able to get away with it as a billion dollar company. Spender (of GRSecurity) is smarter than I, but has tried to build his product upon something that requires more smarts and more resources - that he is too fiercely protective of - than he is willing to trade rights to, in order for his contributions to be available to the wider community, as he purports to desire. Neither Facebook's kernel modifications nor Google's "interesting" kernel modifications (as defined by those requisite for running Google.com and other properties) are made available, nor are they required to be, by the GPL. (Android's Linux kernel sources and select other kernel changes are made available.)
The GPL allows building a business by providing support, and/or tuning of kernel parameters (eg VM swappiness, or disk scheduler deadlines) for running highly specialized workloads, eg Oracle DB. If providing a highly successful product, eg Google.com or Facebook, internal knowledge will naturally follow. External benefits not necessarily so. The fat client of the pre and early Internet made the GPL (and LGPL) sufficient for the time, but things are different on the cloudy Internet, and arguably the broader community suffers for it.
Redhat distributes its sources to everyone, thus making any violation of the no-restrictions-on-redistribution clause academic to the linux copyright holders who would be the claimants.
GRSecurity successfully prevents redistribution: its violation is blatant and NOT academic.
A court can be shown the attempt and its successful conclusion.
Quite different in substance from RedHat's possible violation.
The recipients have the right without further restrictions for each copy they receive, but the workaround is that if that right is exercised, grsecurity will never send them anything again. Thus, if one values the patchset, which their customers who are paying real money presumably do, they'll refrain from exercising their right to redistribute in order to stay off the blacklist.
That is not a "work around". That is a BLATANT in-writing VIOLATION of the no-restrictions-on-redistribution clause GRSecurity MUST follow in-order to have the PERMISSION to create derivative works.
GRSecurity IS violating the copyrights of the linux copyright holders upon whom its derivative work is derived from.
They are blatantly violating the copyrights of the linux licensors, as far as we know. The linux licensors should sue.
Another option is to simply revoke the license: Brad Spengler has (as far as we know) a gratis (free) license from the many linux licensors.
Such a license is NOT secured: it's similar to a gratis property license where one can have their permission to use land ended at any time by the property owner (in this case the linux licensors (copyright holders)).
According to the GPL text itself: the license has been withdrawn upon violation (note: with a gratis license a violation is /not/ required for revocation: the licensor can simply /decide/ he doesn't want you to continue using his property. A paid GPL license would be an example of a non-gratis free-software license situation where the licensees "rights" are secured and irrevocable (generally), a gratis free-software license simply extends /requirements/ onto the licensee and no /duties/ upon the licensor)
[0] https://grsecurity.net/agree/agreement_faq.php
[1] https://perens.com/2017/06/28/warning-grsecurity-potential-c...
[2] https://www.theregister.co.uk/2017/08/03/linux_kernel_grsecu...
[3] https://perens.com/wp-content/uploads/sites/4/2017/12/file0....