back to article Maker of Linux patch batch grsecurity can't duck $260,000 legal bills, says Cali appeals court in anti-SLAPP case

Open Source Security – the maker of the grsecurity patches that harden Linux kernels against attack – must cough up $260,000 to foot the legal bills of software industry grandee Bruce Perens. So ruled California's Ninth Circuit Court of Appeals today, affirming a lower court's ruling against Open Source Security (OSS). In …

  1. HildyJ Silver badge
    Holmes

    Walled Source

    The decision by the court is good, but unfortunately the idea that a company can create a walled garden within the open source space is still alive and well .

    1. a_yank_lurker Silver badge

      Re: Walled Source

      What you are allowed to do depends on the specific license wording with any license. GPLv2 has specific wording about what some cannot do to restrict downstream rights. This was do deliberately.

      1. Version 1.0 Silver badge

        Re: Walled Source

        Sure, but what corporations do is what they think they can get away with.

        1. teknopaul Silver badge

          Re: Walled Source

          I think this case indicates that they might not win such a case even in their home jurisdiction.

          That might make them think twice.

          Clearly they dont care about bad press and have expressed intent to sue their own customers.

  2. Cheshire Cat

    Whether or not the OSS contract is illegal probably depends on the wording. Saying "we won't do business with you in the future if you do X" is very different from "Accepting the contract means you promise to never do X"

    Perens clearly thinks they said the latter. However the judgement is solely on the belief that he has every right to state his opinion, and OSS were trying to shut him up. Too often it seems that US companies use legal threats to prevent people discussing or stating opinions.

    1. JakeMS
      Mushroom

      Both of those options still go against the core reasons behind the GPL and open source in general.

      Aside from this, they tried to claim defamation, however in this case that was simply not the case. He didn't point out something they were not really doing. He simply wrote about his dislike to something they were actually doing. Thus, because he didn't lie or tell a false story, it is not defamation.

      For the most part it was just his opinion about something they are doing. They didn't like that his opinion put them in a bad light, so they attempted legal action which failed.

      I believe his judgment was in has favour for two reasons:

      1) It's not a valid defamation case

      2) He has a right to express his opinion

      To be honest, grsecurity didn't stand a chance in this case.

      1. Anonymous Coward
        Anonymous Coward

        Both of those options still go against the core reasons behind the GPL and open source in general.

        We have to distinguish between what many think GPL2 says, and what it actually says.

        All it actually says is that if you distribute a binary you have to provide (if asked) the source code for that binary. It does not say anything whatsoever about future versions of that binary or the source code for that.

        If people want a license that compels source code disclosure for all future versions too then it needs to be some license other than GPL2.

        In this particular case I think that Perens is wrong. For Perens to be right he’s basically saying that it’s possible for phrases like “I won’t do business with you in the future” to be a contractual term. But that’s clearly not logical. It might be written on the same piece of paper as a contract, in the same font and colour, but clearly such a phrase cannot ever be considered part of that contract because it’s not talking about anything else on the same piece of paper. It’s talking about an entirely different contract which, as yet, doesn’t exist. It’s impossible for a contract to compel anyone to enter or not enter into another contract. Contracts are atomic.

        Even more logically, in this specific situation if that future contract does actually come into existence then it won’t Be able to prevent the purchaser exercising their GPL2 obligations wrt that binary version either.

        I’m slightly mystified as to why Perens chose to start this row in the first place. It’s largely an irrelevance, and there are far, far bigger problems with Linux licensing than this. I mean, there’s ZFS for a start; clearly, absorbing ZFS into Linux properly is far more important than bitching about a small outfit doing things with Linux that, for entirely subjective reasons, some in the Linux community dislike. Clearly no one else cares, there’s not been any enforcement action launched against OSS.

        1. Anonymous Coward
          Anonymous Coward

          I’m slightly mystified as to why Perens chose to start this row in the first place

          AFAIK, he didn't start a row, he voiced an opinion. The best way to prove or disprove that opinion would be to engage in public discussion with people who are legally qualified to shore up a for or against with actual points of law.

          Taking him to court for defamation was the wrong choice, and that's a fight Perens did not start. He did finish it, though, and rightly so.

          Slight aside: I'm no fan of the apparent viral nature of GPL v2 either, but if I were to go near it I'd get a proper independent lawyer to assess the matter (asking the likes of Stallman, for instance, will get you a lot of zealotry and spittle but not much real world information). As far as I can tell, companies like Netgear seem to have found a happy medium they can live with. No idea if (and how) they contribute back, though, if anyone knows I'd love to hear it.

        2. Flocke Kroes Silver badge

          Future versions of a binary

          The GPL does cover future versions of a binary - that still includes GPL components.

          Option A) You created the source code or hired someone to create it for you. You choose to release version 1 with the GPL license. You could choose to release version 2 (or version 1 for that matter) under any other license or not distribute it at all but the GPL version 1 would be out there and you could not prevent others from distributing it (with or without their own improvements) unless they violate the terms of the GPL.

          Option B) The software is made of various components with different copyright holders and some of the components are GPL created by others you did not hire. If any of the components are not available with a GPL compatible license you cannot distribute at all.

          Option C) You can create a new version by re-writing or hire others to re-write GPL components and by buying a non-GPL license from the copyright holders of the GPL components. When you have a non-GPL license for every component you do not have the copyright for you can distribute with a license that is not the GPL.

          There is a way to prevent others from distributing GPL software: get control of something they need and withhold it from them if they distribute GPL software. Watch out for abuse of monopoly laws and your license to use GPL software may become invalid.

          1. bazza Silver badge

            Re: Future versions of a binary

            AFAIK GPL2 does not (and indeed nothing can) oblige distribution of a future version of a binary to recipients of a prior version. And if there's no distribution, there's no obligation to pass on the source code. You can get a piece of GPL2 source code, change it and compile it, do whatever you like with it, but until you pass it on to someone else no one can demand to see the source code. GPL2 explicitly confers this, and I believe I have read it carefully and accurately several times now.

            If you do pass on the binary to someone else, you're compliant with GPL2 if you give (if asked) the source code only to the people you gave the binary to. If they pass it on, they're breaking GPL2 if asked for the source code because they've not got it to be able to supply it. Of course, they can ask for that from you, but you're perfectly entitled to supply it on paper tape, floppy disks, or something equally inconvenient (but still machine readable).

            I hasten to add that I don't in the least advocate that type of antique media or such limited distribution, but it is an unfortunate consequence arising from the fact that GPL2 is now very old and the WWW hadn't been invented back then and postage was expensive. One feels that GPL2 now is very unfit for purpose and doesn't actually live up to what many perceive open source software to be these days, but its own viral nature prevents anything being done about it for codebases already on GPL2. Linus didn't think there was a cat in hell's chance of putting Linux on another license.

        3. heyrick Silver badge

          It does not say anything whatsoever about future versions of that binary or the source code for that.

          It doesn't need to. If a binary is released using GPL derived code, the users can ask for the source code. Which version it may be is not relevant. If you have the binary, you have the right to the corresponding source. Today, tomorrow, and for as long as it uses GPL code...

          1. Anonymous Coward
            Anonymous Coward

            Sorry heyrick, I think your missing the point. Sure, under GPL2 if you do receive a binary, you're entitled to receive the corresponding source on request. However, you're not entitled to receive any other binary, even if that's another version of the same software.

            If the supplier chooses to not send that newer binary to you, there's nothing within the terms of GPL2 you can do to compel them to do so, even if you know they have sent that newer version to someone else. And no new binary for you, no new source for you, even if someone else does have both.

            It's this coupling between the act of supplying a binary leading to the obligation to supply the source on request that is the weakness of GPL2. I suspect this is relied upon by a number of companies who choose their customers very, very carefully.

            What is commonplace today - source and binaries readily available on websites - is in no way demanded by GPL2. It's done because it's friendly and convenient. Other GPL's may insist on these things, but GPL2 (which is what the Linux kernel comes under) certainly does not.

            Problem: Big Corps Not Contributing

            On the whole I think the issue with the GR kernel is a symptom of a widely recognised problem. Once upon a time the guy who maintains it simply made it available for download. Trouble was that some big corporations, including Intel, were perfectly content to swipe that code, plaster his trademark (well, at least the name he gave it, trademarked or not) all over their advertising, etc. and never contribute anything back to him. This is exactly the same situation a lot of people have an issue with vis a vis the extensive use of Linux by several large companies. They too are making free use of Linux, benefitting from it to the tune of N x $100billions, but aren't necessarily putting much back in to the community.

            Theoretical Linux Takeover

            Linux is theoretically vulnerable in this way to a take over. All it takes is for some corporation to stand up a large team of really crack coders, start issuing updates for Linux outside of the auspices of the Linux kernel community, and generally outpace the current volunteer community.

            The result is that their useful, more advanced fork becomes dominant in the user base, and the community "original" drops off in use and investment. And, when everyone is hooked, that corporation starts providing a binary only version, source code'll be in the post if asked, perhaps wrapped up in a tempting distro. At that point those hooked users either pay to keep getting binary updates that GPL2 does not oblige the corporation to supply, or go without. The forked Linux with the most desirable, useful features is effectively then a closed source product. The large corporation can even make this very robust but still GPL2 compliant by, entirely legally, supplying the source on tons of punched paper tape. Who has a tape reader these days? Or floppies.

            To undo that damage and restore the situation to today's state of grace would then require a lot of catch up work to be done to bring the moribund original up to date with clones of all the corporately gifted features that people had become dependent on.

            This sort of take over is presently somewhat hampered because the "volunteers" actually include quite a lot of people employed by companies like IBM who've decided to make decent, honest contributions over the decades, making it expensive for someone else to pull this trick. But if these large corporate contributors pull out, well, beware grand offers of enticing features from shady outfits.

            ZFS

            Arguably, the current fuss over ZFS is mighty dangerous to the Linux kernel community. ZFS is becoming the killer application for anyone using Linux and having storage requirements (and a lot of server farm users are in that position). The kernel community clearly hasn't got the resources to be able to compete against ZFS - btrfs is no where near competitive - and users are voting with their feet and installing ZFS themselves, or getting it from Ubuntu. And the only outfit that can really do big things with ZFS is Oracle.

            Perhaps we should beware of Oracle bearing gifts in the shape of a fork of Linux with GPL2'd ZFS included. It would take a lot of effort by the rest of the Linux community to then keep their re-forked version with ZFS as the leading fork that everyone wants to run.

            Is This Really Possible?

            That depends entirely on whether or not what GR have done is in fact legal. Perens opined that it is not, but that's far from being definitive finding.

            Worryingly, the EFF hasn't (AFAIK) launched any enforcement action against GR. This is worrying because I'm sure that the EFF will have at least considered the matter. If they thought they could win, they're kind of obligated to launch an action, especially against a small outfit like GR. If they thought they'd not win, then they might be worried about highlighting this by launching a court case and losing. Perens came close to provoking a court case of this sort all on his own...

            1. eldakka Silver badge

              ZFS

              Arguably, the current fuss over ZFS is mighty dangerous to the Linux kernel community. ZFS is becoming the killer application for anyone using Linux and having storage requirements (and a lot of server farm users are in that position). The kernel community clearly hasn't got the resources to be able to compete against ZFS - btrfs is no where near competitive - and users are voting with their feet and installing ZFS themselves, or getting it from Ubuntu. And the only outfit that can really do big things with ZFS is Oracle.

              Perhaps we should beware of Oracle bearing gifts in the shape of a fork of Linux with GPL2'd ZFS included. It would take a lot of effort by the rest of the Linux community to then keep their re-forked version with ZFS as the leading fork that everyone wants to run.

              I think you are a bit confused here. There is a ZFS fork, called OpenZFS, that is the primary 'ZFS' on Linux and BSD systems that use 'ZFS'. This ZFS fork, OpenZFS, is maintained separate from Oracle ZFS (aka ZFS). It (OpenZFS) is being continually updated with new features being added quite frequently, completely separate from and ouside Oracle's control, and has been for years. This is the 'ZFS' you get with Ubuntu, OpenZFS, not ZFS (aka Oracle ZFS).

              I believe that Oracle actually has a trademark on ZFS, therefore technically only Oracle ZFS can be called just straight ZFS, while technically OpenZFS should be referred to as OpenZFS and not just ZFS.

              OpenZFS is open source (CDDL), and Oracle have no control or say in it - beyond any other OpenZFS developer that is. The issue is that while OpenZFS is open source, the license isn't compatible with GPLv2, therefore it can't be included (well, Ubuntu seems to disagree with that) with 'stock' kernel releases. But OpenZFS (not Oracle ZFS, unless you get a license from Oracle) can be included as 3rd-party software/kernel modules that can be installed and run, just as with other non-GPL'ed but still opensource software, such as Apache software under the Apache license, or GPL3 software, etc.

              You do need to be carfeul with the use of the term ZFS, as while it is often used to encompass the original ZFS file system and its descendants, Oracle ZFS and OpenZFS, if you start talking licensing, support, feature sets, availability and so on, then you must distinguish between Oracle ZFS and OpenZFS (aka a non-Oracle ZFS that was forked off of Oracle ZFS prior to Oracle ZFS being closed-sourced, when it was still open).

        4. Sitaram Chamarty

          Why so many downvotes?

          I don't understand why your post was downvoted so many times. I was going to write pretty much what you wrote, albeit in different words.

          Whether Perens was wrong or right would depend on the actual contract. After all, since payment is involved, there has to be *some* contract above and beyond the GPL (i.e., the GPL cannot be the only contract involved). As long as that contract does not impose restrictions on the software that the client *already has*, GPL is not violated anyway.

          And whether Perens was right or wrong, it was clearly an *opinion*. OSS were foolish to take it to court, and got rightfully smacked down.

        5. teknopaul Silver badge

          I believe you have to make source available enen if not asked. I would not try to close source gpl code.

          You piss off current customers.

          Piss off oss advocates, which might include future customers or advisors to future customers.

          If you dont grok oss _principals_ you probably should not start a project based on gpl code.

  3. VanguardG

    One of the basic tenets of defamation is that the person making (or writing) the defamatory material *must know its false* at the time the statements are made/written. With OSS's own lawyer admitting that the blog was Perens's opinion, they cut their own argument off at the knees. By definition, people will believe their own opinions to be true..

    Just a shut'em'up case against someone who decided to fight back. And since this was in the US, there's that pesky First Amendment thing too.

  4. Lee D Silver badge

    Couldn't happen to a nicer guy. grsecurity is, basically, just one guy.

    From conversations online, he comes across as the biggest twat since Joerg Schilling and his cdrtools "why can't ordinary people just specify every device by it's full SCSI path, no we'll never accept a patch to take a normal device name".

    Last time I looked into it, he had to declare how large that organisation is for a Navy software contract... and it's basically one guy without even the money to pay these kinds of legal bills. I'd like to know where he's getting the money from.

    And though it doesn't establish Bruce's assertions to be fact, it does prove that they aren't *categorically wrong*. They are just an untested opinion. And, as far as anyone I know is concerned, Bruce is right. You can't impose additional conditions on GPLv2 contracts. And he can't offer the code under *any* other contract as it's a straight derivative of the kernel code. What he tried to do was make a HUGE patch to the kernel to "secure" every single avenue, which is highly tied into the kernel code. A patch which he has thus far refused to break down properly and submit to the usual Linux kernel approval paths. He just expects everyone to take his mega-patch and put it in the kernel outright in one lump. But they won't. So people started breaking it down for him, and taking bits to put into Linux (which is perfectly viable - it has to be GPLv2). He took exception, threatened to cut people off from his code if they did that, including removing their access to it. Then prohibited people distributing his (GPLv2) code.

    When someone called him on it and offered a legal opinion, he tried to sue them for defamation.

    The guy's a moron who just wants everything his way and must always be right. $260k is a small price to pay for such action, when he could have just said "I disagree".

    There. Sue me for that.

    1. bazza Silver badge

      Strictly speaking I believe he promised to cut people off from future version of his code. It's disappointing that there's not been a good relationship between the various parties. But on the whole I agree, and it wad definitely unwise to take it to court, though I think Peren's opinion would be still more convincing if someone actually stood up an enforcement action.

      The model I admire is the work that was done on the PREEMPT RT patch set that has now been absorbed into the kernel mainstream (anyone told Linus that!? I'm sure he used to swear about it). Though in that case the original patch author AFAIK wasn't trying to make a personal living out of it, and the patch set coexisted in a tolerated way alongside the mainstream, easing it's eventual transition from separate project to the mainstream.

      There's clearly a market for a "high security" Linux kernel; grsecurity has been round for a while and has presumably making something of it all that time. It could be good if the mainstream had a good way of meeting that demand. I don't know whether the best way forward to do that is to stand up an alternative / better project, or to arrange for proper support for GR in the hope of engendering positive reciprocity and better cooperation all round, or something else. But the current situation is ugly at the very least, even if it is largely irrelevant to the bulk of the Linux world.

  5. jms222

    No actual damage

    So that’s half a million to pay lawyers when there was no actual damage to anyone or anything in the first place.

    The GPL is madness.

    Please remember Linux is just a mediocre UNIX family kernel and there are several perfectly good alternatives. Hell even Windows 10 is a good base these days.

    1. Tomato42 Silver badge
      Happy

      Re: No actual damage

      hahahhahaha

      oh, wait, you're serious

      HAHAHAHAHAHAHAHA

    2. DavCrav Silver badge

      Re: No actual damage

      " No actual damage

      So that’s half a million to pay lawyers when there was no actual damage to anyone or anything in the first place."

      The damage was that the company took a guy to court for expressing an opinion. He had to defend himself, which cost money. What?

      "The GPL is madness."

      What the hell does GPL have to do with the fact that some company tried to use the law to silence a critic and (for once) lost?

    3. Lee D Silver badge

      Re: No actual damage

      You know that the case has NOTHING to do with the GPL, right?

      One guy said "I'm gonna do this".

      Another (world expert) said "I don't think you can do that".

      The first guy then threatened to sue.

      The expert then said "Please don't. I will fight it, it won't go your way. It's an opinion. I'm happy to just drop this now."

      The first guy still sued.

      Expert won the case. Filed counter-claim for, basically, being a frivolous lawsuit.

      Guy appealed.

      Expert won the appeal.

      Guy now on the line for $250k for his own stupidity.

      That the opinion was about the GPL is literally nothing to do with the case - the courts have literally said that the merits of that argument are nothing to do with the case at all, it's whether an expert was expressing his opinion or not. And they ruled it was just an opinion.

      However, the GPL is quite literally the most popular open-source licence for a reason. If you want to benefit from code under the GPL, it says that have to give that benefit back to everyone else who uses that code. If you don't like it, don't contribute to GPL code. Hell, you can still use it, it doesn't change the way you use it - only the way you *distribute* it or the way you *contribute* it.

      It's quite clear and obvious.

      There's a reason that Linux is supported by the world's largest IT companies despite that "payback" clause, and not FreeBSD, etc. They don't like paying back any more than anyone else. But they use it for a reason. My IBM Bladecenter server officially supports Linux, on an equal par with Windows Server. It doesn't have *any* official support for any BSD whatsoever.

      Don't like it? Don't use it. Or use it but don't distribute or contribute to it. Strangely, even with that restriction, THOUSANDS of times more people choose to contribute to Linux than to the "open" BSD.

    4. jason_derp
      Meh

      Re: No actual damage

      "Please remember Linux is just a mediocre UNIX family kernel and there are several perfectly good alternatives. Hell even Windows 10 is a good base these days."

      I disagree strongly.

  6. heyrick Silver badge

    Link to https://www.clfip.com/ip/blog/the-gpl-and-a-condition-[etc]

    I have to compete a captcha just to read your blog?

    Bugger off.

    1. DavCrav Silver badge

      Re: Link to https://www.clfip.com/ip/blog/the-gpl-and-a-condition-[etc]

      I don't. What have you been up to that a random blog distrusts you?

      1. karlkarl Silver badge

        Re: Link to https://www.clfip.com/ip/blog/the-gpl-and-a-condition-[etc]

        He might be using Tor?

        It is a fantastic eye opener just to see how utterly horrific the internet is when accessed from "less rich" countries. Almost nothing works and you have to fill out a captcha pretty much every time you do a Google search.

      2. heyrick Silver badge

        Re: Link to https://www.clfip.com/ip/blog/the-gpl-and-a-condition-[etc]

        What have you been up to that a random blog distrusts you?

        From me, at this IP address? Switched on mobile data [*], read The Register, followed link. I'm with Orange and I live in France. I suspect the last part of that may be a factor. I'm "foreign" so complete a test. In which case...bugger off with prejudice.

        * - 4G doesn't work in my locker, phone reverts to 2G, and that barely works. End result? A lot of battery spent doing very little background data transfer. Best to just turn data off until it is needed.

    2. Throatwarbler Mangrove Silver badge
      Meh

      Re: Link to https://www.clfip.com/ip/blog/the-gpl-and-a-condition-[etc]

      Don't worry, you're not missing anything. It is my opinion that the lawyer is a worthless ambulance chaser trolling for business.

  7. a_yank_lurker Silver badge

    A couple of points

    Most FOSS licenses, as best I know, are written/reviewed by legal beagles. But what has not been well tested is whether they are binding on developers who are using the code. In particular, what parts of the specific license are legally problematic. But there a couple of points. The copyright owner has the ultimate authority to specify the conditions something is released under as long as it does not exceed their legal rights. Now the tricky part is whether the FOSS license constitutes a contract with binding terms. This gets into whether EULAs which they really are valid and what areas legally void. Again, EULAs have not been well tested.

    Now to Bruce Perens, there is a general understanding that the GPL is a viral license that does not allow closely off extensions or additions to the code. This is Bruce's position. But it has not been litigated to the best of my knowledge. Suing Bruce because he stated their actions violated a commonly and widely accepted view is rather idiotic.

    1. Anonymous Coward
      Anonymous Coward

      Re: A couple of points

      Yes, it looks like GR made a mistake taking this to court. But then again, AFAIK no one has launched enforcement action against GR. Probably it's just best all round if everyone left everyone else to it to get on with their tinkerings in peace and quiet, lest some bigger demon emerge if a definitive finding were given by a court.

      It's going to be interesting to see if Google's case with Oracle establishes a "fair use" situation. What'd be the extent of "fair use", and what'd be the consequences of that. It might open up a "meh, it's available everywhere, there's no need for me to bother uploading it myself" situation, or then again, it might not.

  8. OzBob

    Whats all this law shit?

    I just came here to write code.

  9. Rich 2 Silver badge

    Who's right?

    I can't help thinking OSS are actually correct in this. I'm no lawyer, and I'm not saying it's right, but...

    The GPL says you CAN redistribute the code if you want. OSS are not preventing anyone from doing so. They are just saying that if you do then you've burnt your bridges with them and they won't give you any more. And, as they point out, there is no law to say you MUST do business within someone.

    Also, OSS are providing the code to their customers in (apparently) source form. So in this respect, they are compliant with the GPL. The GPL doesn't say that the customer must then pass-on the code to whoever asks for it.

    I think OSS are correct in doing what the are doing.

    The defamation thing is another thing entirely - you can't go round throwing sue-balls at someone for expressing an opinion (well, at least that how it used to be. These days, you can find yourself in court for any number of opinion-based comments)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020