Date: Sat, 3 Jun 2017 23:28:13 -0400
From: Brad Spengler <spender@...ecurity.net>
To: Daniel Micay <danielmicay@...il.com>
Cc: kernel-hardening@...ts.openwall.com
Subject: Re: Stop the plagiarism

> That's what I said: at one point, it was mentioned in a changelog
> which was removed when grsecurity moved to the next major kernel
> version along with other cases. The attribution wasn't made in the
> patch and there isn't anything similar to the Linux kernel's Git
> history providing a long-term attribution. Only changelogs that were
> removed after each major release and are now entirely gone. It's as if
> you've taken ownership of the code. A third party archive of your
> changelogs hosted elsewhere and the fact that it can be found via a
> search doesn't really change that there isn't attribution in the
> patches either via available commit history or inline comments /
> documentation. I'm not saying that's wrong. I'm saying that you're
> getting mad about something less than that.

What are you talking about?  This is like complaining that we don't
have a single file containing all 16 years of history, some 400MB download
if someone wanted to see what the latest changes are.  That commit message
was in changelog-stable.txt which you can still find online in the various
historical git repos and it's still present in the 3.14 changelog that
customers have access to now.  You seem to be blaming your own laziness
on me -- it'd be like me complaining I have to use extra means to find
out who authored something prior to git history.  And now you want to
use your laziness as a reason to try to claim that you don't know what
the authorship is of some code you copy and paste, so you choose to take
credit for it yourself:
https://twitter.com/CopperheadOS/status/871017018010595328
Have you ever even contacted either of us when you were unsure or too
lazy to look it up?  I know the answer to that question, and you know
the answer to that question, so quit with the BS.

> comparison with the last publicly available patch. You also took issue
> with a stack canary fix which you're adamant must have come from PaX
> but that's not what happened: it was noticed and fixed when adding a
> zero byte there to match the earlier changes changing userspace junk
> filling to zeroing and adding a zero byte to the heap canaries and
> stack canaries in userspace.

Cryptomnesia I guess, you looked at every other line of PaX to rip out
stuff like:
https://github.com/thestinger/linux-hardened/commit/e63d5e4db605e74b2d9631219dd58301be484bd7
https://github.com/thestinger/linux-hardened/commit/93b646fed97b51e62cb48e0a25c2664cc2f86e0b
but totally never saw that line that's been there ever since SSP existed
in the kernel.  It also doesn't mesh with your lengthy excuse on github
when I pointed it out to you.  Are the above changes your own work too?


> And how is grsecurity not entirely based on the work of others i.e.
> the Linux kernel, just as CopperheadOS is based on Android Open Source
> Project and all of the baseline functionality and security model
> provided by it?

These false equivalences of yours are nonsense -- anyone can look at
https://github.com/thestinger/linux-hardened/issues
and see how utterly dependent you are.  You are comparing apples and
oranges because you need to to justify your existence.  You didn't
contribute a line of code to our work in 16 years and now you're trying
to make a name for yourself off our work and reputation.  But you just
make a fool of yourself when on one hand you're desperately copy+pasting
and on the other trying to pretend you don't depend on it, or that your
dependence on copy+pasting our work is somehow equivalent to building on
top of whatever version of Linux that exists.

-Brad
