Important Notice Regarding Public Availability of Stable Patches

235 points | dantiberian | 10 years ago | grsecurity.net | reply

114 comments

[+] AaronFriel|10 years ago|reply
Looks like the product in question is Wind River Linux, a product of a subsidiary of Intel.

Here's the forum post on backporting an EFI fix:

https://forums.grsecurity.net/viewtopic.php?f=3&t=3713

And products with Wind River Linux prominently mentions GRSecurity advertisements:

https://www.google.com/search?q=wind+river+linux+grsecurity

Edit: It looks like I wasn't the only one to find this. I'll keep this post at the top for other people to reply to.

[+] na85|10 years ago|reply
That's infuriating.
[+] JohnTHaller|10 years ago|reply
As a general rule, smaller companies that release their code under the GPL have almost no recourse against huge companies violating their copyrights. One of the big flash drive makers released their own portable browser based on PortableApps.com's Firefox Portable a few years back and distributed it on millions of drives with my name and all copyrights stripped off of it. This happened after I'd been in negotiations with them about using our software platform and fully informed their subsidiary in charge of their resulting software platform of the legal obligations of the GPL including a direct call with the subsidiary's CEO. The most I could do was send them a C&D.

To add insult to injury, the subsidiary released a hardware product years later and another company released a similar but different product in the same segment. The subsidiary sued the other company and had this PR story published about how the CEO was so offended by the "theft" and had to sue them to be able to look his kids in the face.

[+] randx838|10 years ago|reply
This is not at all true. They are liable for significant monetary damages for violating copyright, and you can find a lawyer to take up the case if you own the copyright. There are a couple of well known organizations who have gotten paid more than their expenses from lawsuits against GPL violating companies: sfconservancy.org, sflc.org, fsf.org.
[+] themartorana|10 years ago|reply
What about the DMCA? It seems like people cower in fear of it, but only with regards to the entertainment industry. Is that only because it's dangerous when the copyright holder is a huge corporation, but remains effectively toothless for those unable to support years of litigation?
[+] performa|10 years ago|reply
Sounds like Verifone is one of the GPL violators. They are known for being "open" except when you want to innovate without permission.

http://global.verifone.com/products/software/v-os/ - Says it's Linux based.

http://www.verifone.com/products/hardware/multimedia/ - Have an MX 900 series of products.

http://www.verifone.com/products/hardware/petro-pos-systems/ - Have a Petro series of Products

NYSE:PAY - are a multi-billion dollar company.

Employee asking for help: https://forums.grsecurity.net/viewtopic.php?f=3&t=3938&p=139...

GRsec saying it's Verifone: https://twitter.com/grsecurity/status/450995354972864513

Thread indicating they are using an old unmaintained kernel: https://twitter.com/grsecurity/status/424914478912651264

Industry called out specifically: "Not only has the entire embedded industry as a whole not contributed a single dime toward our continued development and maintenance (despite our work being critical to the security of the millions of devices using our code: streaming media players, credit card processing systems, etc), the companies we've identified have actively violated the GPL and even our trademark. These transgressions have continued despite their awareness and our legal action."

[+] ploxiln|10 years ago|reply
"Since our lawyer has advised us not to mention the companies by name"

Yeah, uh, they're lawyers, they always say that, it's not a signal with any information in it.

As you said, this company can outspend you, and it's not worth it for you to try litigating. Public shaming is all you have! And, since the primary issue was them claiming their kernel has "grsecurity", public shaming is actually a great solution: try to make the technical community aware that this company's security hardening doesn't deserve the "grsecurity" description. You may even get more business from competitors who want to be able to say they worked with you on their grsecurity integration.

[+] michael_storm|10 years ago|reply
The lawyers say that because they're advising their clients not to set themselves up for a libel suit, not because they're buzzkills. In other news, doctors recommend you eat healthy, but don't they always say that?
[+] ars|10 years ago|reply
I suspect they are hoping the public will do it for them. They gave enough clues for that.

That way they said it, without actually saying it.

[+] halosghost|10 years ago|reply
This is such a bummer! I just recently switched over to grsec (on Arch) and I could not be happier with the results; seriously, it has made such a huge increase in security so simple to navigate. The Grsec team does incredible work; that no lawyer is willing to pursue this case saddens me, but that's a secondary issue. The core problem here is that the corporations with money have functionally unlimited legal authority. It is so far beyond me that society has allowed this to come to be and continues to do nothing to stop it.

To Brad and the PaX team directly (if you read this): You do incredible work and I sincerely hope this move leads to an inundation of sponsorship so that even more people can benefit from your hard work and innovation. Till then, know that there are those of us that stand behind you 100 percent!

[+] dijit|10 years ago|reply
This angers me. I mean, they're doing the right thing, but it should never have come to this.

Volunteers shouldn't be shelling out thousands in copyright and licensing violations - even if they won in court, the amount awarded back would probably be a pittance compared to what these manufacturers make by using their code/trademarks.

I love what the pax guys do, almost every major exploit in the last year is mitigated in some form by grsec.. I wonder what becoming a sponsor entails.. I mean, I wish I could support all the FOSS I use, but I'd go broke pretty quick. :(

[+] lucb1e|10 years ago|reply
> I mean, I wish I could support all the FOSS I use, but I'd go broke pretty quick. :(

Yeah I seem to have that a lot as well.

What I figured a while ago, in summary, is this: we will always use more than we can contribute back. As a silly example, I am grateful for the invention of the wheel but in no way could I pay someone back (living or dead) for every single thing like that. The important thing is that we do something. Contribute either with time and skill or with money to a few projects you care about and which you feel can actually use your help. That's still tricky, though, I wouldn't know which of the 2100 installed apt-get packages need my support the most, but realizing this (rather than feeling indebted) gives me some peace of mind.

(If anyone cares, I actually blogged about this: http://lucb1e.com/?p=post&id=121 )

[+] bmir-alum-007|10 years ago|reply
Most, but not all, companies generally don't donate any money to server OSes and open source they deploy by the hundreds of thousands. It sucks but it's the current state of affairs. (I think more FOSS should be less free and monetized more in the context of large-scale enterprise purposes, in order to keep developers' bills paid and support quality up. The honor system doesn't work because most corporations choose to "cheat" where possible.)

If a project releases open source totally for free, it cannot realistically expect sponsorship to magically appear.

If a project needs sponsorship to keep the lights on, the "we're closing up shop, unless ..." routine works.

If a project prefers to become a commercial product with a freemium option, they should do such.

Otherwise, don't slave away on a project and resent what you cannot afford to give away. Just don't do it, if you can't live with it being exploited by companies for free.

Punishing everyone for the sin of a few rogue companies is the kindergarteners routine and childish. It doesn't work and it just angers people without solving the licensing issue at a core level.

PS: Perhaps grsecurity may want to instead consider a sensible noncommercial license similar to somewhere between AGPL and something like what good ol' evil Oracle would license their DBMS, i.e., companies over X employees or Y revenue need a license; hobbyists, academics and individual developers exempted. Drama resolved.

[+] geofft|10 years ago|reply
> PS: Perhaps grsecurity may want to instead consider a sensible noncommercial license similar to somewhere between AGPL and something like what good ol' evil Oracle would license their DBMS, i.e., companies over X employees or Y revenue need a license; hobbyists, academics and individual developers exempted. Drama resolved.

Being a set of Linux patches, it would be hard for them not to make their code available under GPLv2.

They can do the Red Hat thing of making code available only to paying customers, and terminating their customers' accounts if they redistribute things publicly. They mention that in the post.

[+] stevejones|10 years ago|reply
This isn't about money, this is about abuse of the trademark.
[+] armitron|10 years ago|reply
Ah Spender. Always the drama queen.

The real problem here is not companies abusing the GPL (good luck with that), but grsecurity not being integrated with mainline after more than a decade.

You see, if Spender really cared about security he would work with the kernel developers in order to get grsecurity into the kernel but of course being such a famewhore, he never did that. Everything is fine as long as he is the center of attention, actual security be damned.

Spender: I among many have little sympathy for you, you've long exhausted our patience with your antics. Grsecurity is a niche project with minimal actual security impact in the "real world", all because of the deranged way you choose to manage it. Your primary concern, your _ONLY_ concern should be getting grsecurity into the kernel, not companies ripping you off, not companies abusing your trademark, not companies "not playing nice". In the grand scheme of things, these are irrelevant.

[+] csirac2|10 years ago|reply
I can appreciate that it's been a bit like that, but isn't the truth really somewhere in between?

Oversized egos are a problem at the best of times in open source, especially in the kernel. Which has traditionally had a culture of casual indifference toward the security priorities of PaX/grsec, and some would say toward security generally (I don't buy that - there's a lot of concern for integrity in the kernel, and that at least buys you some security).

Whilst it would have been great if Spender could have completely changed his personality, outlook and perspective on the world so that he could commandeer the linux kernel from the outside-in toward his vision of a safer kernel, is that really compatible with the wider project? And so, it's equally depressing there hasn't been more recruitment from the kernel side - the side that actually has resources - to figure out a path toward getting PaX stuff mainlined from the inside-out.

I guess my point is: grsec has one focus, one priority. But the Linux kernel is a project that has a much more vast, broader scope of competing priorities to untangle, and I just can't see that such an enormous, busy and byzantine project ecosystem truly will ever see a clear mandate to get something as disruptive and single-minded as grsec mainlined.

Not only would Spender have to become a different person, but the core kernel teams as well.

In any case, I've reduced my patreon donations and put what little that is towards grsecurity. It's certainly that important and useful to me.

[+] dewyatt|10 years ago|reply
Do you mean Spengler, perhaps?
[+] NeutronBoy|10 years ago|reply

  The test series, unfit in our view for production use, will however continue to
  be available to the public
Doesn't sound like that will stop companies from picking it up and using it unfortunately.

This is such a shit situation to be in. Hopefully this publicity gains them some traction with the companies and communities who do care about it.

[+] coderjames|10 years ago|reply
I'm obviously misunderstanding something about this.

Since grsecurity is GPL'd (being modifications to the GPL'd kernel), anyone that is "a customer of any product that uses grsecurity in binary form, [is] entitled to the complete corresponding source code." Which means their stable patches will get requested and released by someone anyway.

Help me understand how this will have any effect on the actual availability of their stable series?

[+] awalton|10 years ago|reply
It basically just adds a level of indirection. Rather than going straight to the grsecurity folks, you now have to go to whichever downstream is disseminating the kernel based on that patch. Bummer.

Really, it's just weakening the brand they've created for themselves. It always sounds really great in theory, but it's almost never worth it. It's the GPL, they've literally signed up for this type of code (ab)use. I'm not sure why people have trouble understanding this concept.

(Though if they wanted to be really snarky, they'd relicense their code GPLv3 and watch these companies go into complete hysterics.)

[+] ars|10 years ago|reply
The sponsors use it (Kernel+Grsecurity), they don't distribute it.

Since they don't distribute it, they also don't distribute the patches.

[+] RaleyField|10 years ago|reply
> We decided that it is unfair to _our sponsors_ that the above mentioned unlawful players can get away with their activity.

How is that unfair to them specifically? The purpose of this is to protect them by raising a paywall for anyone that isn't their 'sponsor'? (tangentially, that's why I prefer BSD/MIT, because people aren't as obsessed with other people doing dirty, nasty things with their free code.)

It's bad enough that these patches aren't integrated into the kernel like they ought to be or that they aren't included in mainline distros and are only ever present on custom built machines, now they are behind a paywall as well. Dammit, I don't want to move to OpenBSD.

[+] cortesoft|10 years ago|reply
I think he means that it is unfair because the abusive companies are releasing an insecure and untested version of grsecurity, while using the grsecurity brand name in their advertising. This means that any vulnerabilities discovered will hurt the grsecurity brand, making customers trust it less, and hurting the actual legit sponsors using a real secure version of grsecurity.

It is similar to how any knock-off of a brand could hurt the brand; a crappier version of something that people will now associate with the real brand.

[+] yellowapple|10 years ago|reply
> Dammit, I don't want to move to OpenBSD.

Why not? OpenBSD's awesome.

[+] Animats|10 years ago|reply
OK, figure out who the involved is. It shouldn't be too hard if you're active in that area.
[+] crazysim|10 years ago|reply
I'm going to guess it's the top result from the Google search of the forums for EFI and grsecurity? That or the wind is blowing me the wrong way down the river.
[+] Asbostos|10 years ago|reply
It's not clear to me that he has any case at all with the trademark. You don't get to dictate how everyone uses your trademark. Some uses are acceptable without permission:

"Usually it is permissible to use another person’s or company’s trademark or service mark when referring to a product or service of that person or company, provided it is clear that the mark is being used truthfully to refer to that specific product or service. It may not be used in a way that might mislead others as to that person’s or company’s affiliation with, sponsorship of or endorsement of your company or its products or services—for example, using a logo instead of simply the word form of the mark, or using the mark more prominently or frequently than necessary." [1]

This appears to be how Wind River is using it.

[1] http://www.inta.org/TrademarkBasics/FactSheets/Pages/Tradema...

[+] strcat|10 years ago|reply
Wind River isn't using grsecurity. They're using their own variant / port of it and advertising it as grsecurity.

spender just wants them to say they have an "unofficial port of grsecurity" if they're unwilling to pay for it to be done properly (i.e. a well-done port, auditing of code specific to that kernel, backporting of all relevant fixes, etc.).

[+] foota|10 years ago|reply
I believe the point is that by modifying their code and making use of unsupported versions that they are no longer using the product and therefore lose their right to use the trademark under those rules?
[+] randx838|10 years ago|reply
Agreed. I could see this being possible with a pre-existing trademark policy, and an explicitly different trademark for "test quality" code, and being very careful about it all, but otherwise I just don't see it. Trademark is to correctly identify the source of a good, and the source here is identified correctly. If it was Creative Commons licensed, they would be required to do what they have done.

Not only all that, it seems like this is a bit strange that their complaint is that they called it grsecurity without using a blessed version, so their response is to stop giving out blessed versions publicly. Won't that just encourage more companies to do exactly what they are complaining about?

[+] 0x0|10 years ago|reply
That's a shame. :(

Also a shame that it's probably going to be way too expensive to lawyer up something like the Firefox and Red Hat style of trademark protection (where forks (or even re-compiles) must use off-label branding). :(

Also a shame that the companies in question can't even be named (and shamed)...

[+] dfc|10 years ago|reply
There are a lot of people complaining about a future w/o grsecurity and I share your feelings. However I was surprised to see that nobody has mentioned that you and I can also donate to the project.

Yes, it sucks that MegaCorp and InnoTrode are not compensating Grsecurity for the work. It's probably just as shitty that I have used grsecurity for as long as I have and just got around to donating to the project. If you use grsecurity and don't want to see it disappear, go donate. Grsecurity accepts paypal/bitcoin/dwolla:

https://grsecurity.net/contribute.php

[+] CodeMage|10 years ago|reply
Naive question: can't EFF help?
[+] RaleyField|10 years ago|reply
Linus should've helped. But they don't want to merge patches to the kernel. Use OpenBSD.
[+] blm|10 years ago|reply
I want to add something. I am sure that it will get obliterated by other people. I am not with anyone that uses grsecurity.

On the one hand I can imagine nothing more bitter than other people making money on your hard work.

However, isn't this how the whole thing goes? I mean there wouldn't be a Linux kernel without the work of a whole bunch of companies. Did they get sponsorship money from you? grsecurity wouldn't exist without the work of a bunch of other people. Did grsecurity pass on money to other vendors that they rely on? What about the people that wrote the drivers that grsecurity used when they did development?

Open source only works because people contribute to a shared base. In return for their contributions they get to use what others already contributed.

[+] halosghost|10 years ago|reply
It seems like you've missed the point. The problem isn't that companies are using the work without paying. The problem is that the unnamed companies are essentially lying in their marketing and violating the grsec trademark in the process.

This is not how FLOSS is supposed to go.

[+] sarciszewski|10 years ago|reply
Can we as a society stop ripping off open source developers?

Companies that do are essentially stealing from artisans to build infrastructure to defraud the poor so they can hoard wealth.

[+] cwyers|10 years ago|reply
Actual GPL violations are bad. If actual trademark infringement happened (the blog post presents the company's counterargument as to whether or not that happened, and I neither know enough about the law to assess the competing claims nor know enough about the situation to know whether or not the blog post fairly represented the counterargument), that's bad.

But "[not] bother[ing] to hire us to perform the port properly for them or to actively maintain the security of the kernel they're providing to their paid customers" isn't ripping off the developers or stealing from artisans. Nor is "not contribut[ing] a single dime toward our continued development and maintenance." None of those things are required by the GPL. If you want to sell software, and if you want to get pissed when people use your software without paying you for it, choose a license that requires people to pay you for your software.

(And exactly how much money has GRsecurity paid to the developers of the kernel they're patching? The unmitigated gall factor here is stronger than most of these kinds of rants that I've seen, because they're not even the upstream.)

[+] stephengillie|10 years ago|reply
Yeah, we just have to find their project page, hope they have a PayPal or Stripe or other donation link (that accepts a currency we already have, sorry I own no Bitcoin)...

And then donate.

For every developer or project. I don't know about most of the engineers whose work powers my internet use. How do I donate to people I don't know about?