drewcrawford | 8 years ago

> Currently, Grsecurity is a commercial product and is distributed only to paying customers. My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition.

This is a fundamental misunderstanding of the GPL. The GPL merely requires corresponding source to be made available alongside binaries, so if you get a binary from someone you have a right to the corresponding source from that person. It does not require anyone to offer you a binary; it merely says if they did, you can get the corresponding source.

GRSecurity has no obligation to provide you a binary, they can decline to offer you one because you have a silly walk or a 13-character username or you exercised your rights under the GPL. The GPL does not entitle you to product updates or to continue to be a customer of someone who doesn't want you as a customer, it merely entitles you to corresponding source for binaries.

Some would say GRSecurity's practice violates the spirit of the GPL, but the GPL is not a spiritual entity, it's a legal document, and if you want a legal document that produces a different outcome you can write one up.

Also, you should read the fine print from any other Linux vendor – RHEL, Oracle, etc. You don't have to go on "my understanding from several reliable sources", the documents actually state they'll terminate you as a customer if you redistribute their stuff.

gizmo686|8 years ago

GPLv2, section 6:

"Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License."

The question of law is if threatening recipients who exercise their rights qualifies as a restriction on them exercising their rights. Thinking that it does is not a fundamental misunderstanding of the text.

drewcrawford|8 years ago

> The question of law is if threatening recipients who exercise their rights qualifies as a restriction on them exercising their rights. Thinking that it does is not a fundamental misunderstanding of the text.

It is a fundamental misunderstanding of the law, and it is not (an open) question of law.

In the US for example, you have the right to free speech. But except in very unusual circumstances, your employer can fire you for exercising it. Whether that threat is a restriction on your rights is perhaps a question in philosophy or ethics, but from a legal point of view it's very clear: your employer is not restricting your speech, they are restricting their own hiring policy.

So it is here. Legally speaking, you are not restricted from redistributing the software. You may be restricted from GRSecurity wanting to do business with you afterwards but you don't have a right to be someone's customer under the GPL, you only have the right to corresponding binaries.

SwellJoe|8 years ago

"Also, you should read the fine print from any other Linux vendor – RHEL, Oracle, etc. You don't have to go on "my understanding from several reliable sources", the documents actually state they'll terminate you as a customer if you redistribute their stuff."

I don't know about Oracle, but I know about Red Hat. They not only do not prohibit one from distributing source code and the patches they apply to it, they distribute it freely themselves, and help maintain a free distribution of RHEL called CentOS built from the same sources they use for RHEL.

There is no reasonable way to compare Red Hat's policies about source distribution and availability to grsecurity.

cyphar|8 years ago

The same goes for SUSE as well. Not only that, but the openSUSE community created an entirely new distribution based on the SLE sources (openSUSE Leap).

drewcrawford|8 years ago

> Red Hat. They not only do not prohibit one from distributing source code and the patches they apply to it

Of course they prohibit it. e.g. from [1]

> This EULA does not permit you to distribute the Programs or their components using Red Hat's trademarks, regardless of whether the copy has been modified. You may make a commercial redistribution of the Programs only if (a) permitted under a separate written agreement with Red Hat authorizing such commercial redistribution, or (b) you remove and replace all occurrences of Red Hat trademarks.

from [2]

> Distributing the Software and Services (or any portion) to a third party outside the Portal or using the Software and/or Services to support a third party without paying for each Instance is a material breach of this Agreement even though the open source license applicable to individual software packages may give you the right to distribute those packages

from [3]

> Any unauthorized use of the Subscription Services is a material breach of the Agreement, such as... (d) using Subscription Services in connection with any redistribution of Software

[1] https://www.redhat.com/f/pdf/licenses/GLOBAL_EULA_RHEL_Engli...

[2] https://www.redhat.com/licenses/cloud_CSSA/Red_Hat_Cloud_Sof...

[3] https://www.redhat.com/licenses/GLOBAL_Appendix_one_English_...

cyphar|8 years ago

> Also, you should read the fine print from any other Linux vendor – RHEL, Oracle, etc. You don't have to go on "my understanding from several reliable sources", the documents actually state they'll terminate you as a customer if you redistribute their stuff.

While that may be true for Oracle (I doubt it), it's absolutely not true for Red Hat and SUSE. Not only are most of our projects developed in the open under free software licenses in the first place, we provide corresponding source for every package (regardless of the license terms, as long as it's a free software package) through our package manager as source RPMs.

The only restrictions that companies such as Red Hat and SUSE have are related to trademarks and distribution of the binaries that we compiled.

* Trademarks are a completely separate set of laws to copyright, and it has been long accepted in the free software community that as long as it is reasonably easy to remove trademark branding then this is acceptable (in Red Hat's and SUSE's cases, all branding is placed in separate and clearly marked packages -- so you can remove it by replacing those packages)[1].

* As for distribution of binaries, this policy exists for practical reasons and doesn't affect the community (the sources are available and we also provide an entire build service [Open Build Service[2]] that you can use directly to rebuild all of our sources and ISO images if you wished to).

openSUSE Leap is a community distribution created from the SLE sources. CentOS is similarly a distribution built from the RHEL sources.

[ I work for SUSE, and am also an FSF member -- I find spreading of misinformation like this incredibly harmful to the wider community. I would not work for SUSE if I felt that our actions were mistreating users. Opinions my own, obviously. ]

[1]: https://www.gnu.org/distros/free-system-distribution-guideli...

[2]: https://build.opensuse.org/

jchw|8 years ago

The word binary appears nowhere in this article. And indeed, the quote you quoted is saying something entirely different from what you're refuting. It is correctly claiming that the GPLv2 license prohibits one from adding additional restrictions to the redistribution of the source code. That means GRsec can't tell you not to redistribute their GPLv2 licensed code, as it's a clear violation of the kernel license.

lokedhs|8 years ago

But that's not what they're saying. If you read their statements on the subject you'll see that they explicitly permit redistribution under the rules of the GPL.

What they will do is terminate your contract and you will not receive further updates.

The GPL does not mandate that you receive updates to anything. All it says is that no restrictions can be applied on the source code that you have received.

Jach|8 years ago

Seems pretty clear. They cannot stop you from redistributing the binary of v1, and anyone you redistribute the binary to can demand the source if it's not already included. They can say that if they find out you redistributed v1, they're not going to give you v2 in the future, but if you get v2 some other way you can still ask for the source (and whoever distributed that one might not get v3 etc.). There may be further restrictions from trademarks to make redistribution perfectly legal (like CentOS just removing mentions of RHEL) but it can quickly become a lost battle for upstream.