Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 3 Jun 2017 17:08:47 +0200
From: Lionel Debroux <lionel_debroux@...oo.fr>
To: kernel-hardening@...ts.openwall.com
Subject: Re: Stop the plagiarism

Hi Brad,

You're right to demand proper attribution for the hard work made by
the PaX Team, yourself, Emese, minipli, and other people involved into
the making of PaX + grsecurity. Though doing better than "extracted
from PaX/grsecurity" is less than straightforward in some (many?) cases.


But now that you uttered the nasty word "copyright" along with an
asserted will of enforcing yours... chances are that what you'll achieve
is lawyers at Intel, Google, the LF and friends freaking out and getting
in the way of mankind progress by ruining the day for techies (people
doing actual useful work, unlike them) and end users alike.
I mean: instead of pushing back and mandating proper attribution when
people attempt to mainline a more or less close derivative of your work,
they'll consider your organization as a _potential_ copyright troll,
your (plural) useful work - or features strongly inspired by it - as
_potentially_ toxic, and will therefore attempt to hamper its inclusion
to mainline, just in case...
Needless to say, that would further set back, for years, the security of
real-world Linux (that is: the Linux that most Linux-running computers
use, as opposed to a tiny set of computers running your commercial
PaX+grsecurity-patched Linux). At a time the main proprietary OSs, which
have other downsides, are upping their game wrt. self-defense...

BTW:
* even your organization is arguably hurt by the new patch availability
policy and now the displayed will to assert your copyright: for
instance, less mainlining work won't lower your work forward porting
the monster patch, and a narrower set of computers running your work
reduces the testing and bug reporting which users of the free patch
used to perform;
* it's absurdly counter-productive to reinvent a working wheel,
especially when said wheel is the byproduct of _many_ good ideas (so
coming up with more is harder) and a thoughtful cost / benefit risk
analysis.


Just my two cents. For once, I'm not interested into spending way too
much time on this non-technical discussion about a matter I think is
important; I just wanted to raise one of the bad, likely outcomes of
your _legitimate_ motives, and the actions that come out of these
motives.
I accept that I may be wrong on the consequences of both sides'
actions; time will tell.


Bye,
Lionel.



Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.