Date: Thu, 29 Jun 2017 04:18:09 +0530
From: Raj Brar <rarbrar.32@...il.com>
To: kernel-hardening@...ts.openwall.com
Cc: spender@...ecurity.net
Subject: My mail to the grsecurity team to expose their FUD

Dear Spender,

I would have written this earlier, but I didn't summon the patience and the
will to write this up until I read a comment on the grsecurity forums. I am an
old grsecurity user on Gentoo and Archlinux. Over the years the work you
did on grsecurity has been unparalleled and unmatched in upping the
security of the Linux kernel, something they (The Linux Foundation &
Torvalds) have failed to address since its inception. I have always
benefited from grsecurity's PaX features on my personal workstations and
development environments.

Now let us go back a little. Back on August 26, 2015, I heard the news that
you had decided to make the -stable patches of grsecurity unavailable to
the general public. The reasons stated by you were as follows: "It turns
out that not everyone played nice, in particular several very large
companies in the embedded Linux world who have gone beyond simply taking
advantage of our work." – https://grsecurity.net/announce.php. The said
company did violate your registered trademarks by using the grsecurity name
in their products, and I really believed you deserved your share of respect
and appreciation and wanted an alternative paying user base for your
-stable patches. You said you had little chance to remedy the situation
through legal action against a "multi-billion dollar corporation" with a
huge legal team. You decided that it was unfair to your sponsors that the
above-mentioned unlawful players could get away with their activity.
Therefore you ceased the public dissemination of the stable series and made
it available to "commercial customers only". At that time, I did feel
sympathetic towards you, as you said you had spent 'thousands of dollars on
legal fees challenging the embedded Linux industry' and the above measure
might just compensate your efforts, while keeping the distro community like
Gentoo and Archlinux happy with your -test patches. As a user this move
didn't affect me as such, even though I prefer to use the LTS series of the
upstream Linux kernel, for which your -stable patches were the best.

So far so good. Little did I know that this was Stage 1 of your bigger
plans. Fast forward to this day: I hear you have upped your 'blame game' and
cut down public access to your test patches too. The whole KSPP 'rip off'
and "billion dollar corporations" exploiting your work and expecting
additional free work out of you. Yes, I agree that what Kees/Greg/etc. were
doing to you was 'unfair'. But, given your product is under the GNU GPL,
let me take the privilege to explain to you briefly what the GPL stands for.
The universal narrative behind the GPL as explained by the FSF, the creator
of the license you use in your patch, is this:

Freedom 0: The freedom to *run* the program for any purpose.

Freedom 1: The freedom to *study* how the program works, and change it to
make it do what you wish.

Freedom 2: The freedom to *redistribute* and make copies so you can help
your neighbor.

Freedom 3: The freedom to *improve* the program, and release your
improvements (and modified versions in general) to the public, so that the
whole community benefits.

I can't help but focus on Freedoms 2 and 3 in the case of grsecurity and
your accusations of other individuals and companies "stealing and
exploiting" your work. The basic essence of the GPL is to legitimise the
idea of 'sharing', not to demonize or re-spin it as 'STEALING /
EXPLOITING / PIRATING' as you make it sound, be it by a small individual
or by "billion dollar corporations". Yes, I do agree 'misusing trademark
and quality' is a different debate, which I am not getting into, but let's
focus on this specific aspect for now.

Let me give you a few working examples of this model of 'sharing' (a.k.a.
'EXPLOITING' as per your interpretation) from within the free software
community. As we all know, the Ubuntu Linux distribution is based on
Debian's Unstable branch. Ubuntu is a product by Canonical Ltd. Ubuntu
somewhat cooperates with Debian by pushing changes back to the Debian
community, although there has been criticism that this does not happen
often enough. The Debian community and the late Ian Murdock had expressed
concerns in the past regarding this too. A "million dollar corporation",
Canonical Ltd., charges Ubuntu customers by selling commercial support
services and training programs. But they don't share this
revenue with the Debian community, their original upstream. Was this
'unfair' from Canonical's end? Yes, it was. Did Debian 'whine' about it or
shut its doors to the general public? No. Allow me to give another example.
The Fedora distribution of Linux is a community project that a "billion
dollar corporation" like Red Hat benefits from by downstreaming and selling
an enterprise product based on Fedora, Red Hat Enterprise Linux (RHEL).
Is it 'sort of' unfair of Red Hat to profit from community work like
Fedora? Yes. Are the developers of the Fedora Project hired Red Hat
employees? No. But they don't whine and moan, and believe in their good work
over 'recognition'. We also have Oracle Linux, which is compiled entirely
from Red Hat Enterprise Linux's source code, replacing Red Hat branding with
Oracle's. Oracle gets to profit from this product by selling support
services. Did Red Hat sue Oracle for doing this? No. The cases above clearly
show that 'unfair' practices do not necessarily mean 'STEALING CODE' or
the violation of the GPL or the spirit of free software. The GPL
actually stands for 'nullifying' the very branding and terming of
'stealing' in the Free Software world. Tell me honestly, dear Spender, do
you really connect with the idea of the GPL, or do you use this as a PR
exercise to please your 'Paid Sponsors'? You could have simply let the KSPP
project continue with their crappy rip-off by ignoring them and kept on
letting users and the community benefit from your quality work. Instead you
have used this as a long-awaited Stage 2 opportunity coming from your
greed (which I will explain shortly) to do what you always wanted
to do, yet cultivate enough sympathy to avoid any backlash.

In your post 'passing the baton' you expressed gratitude and credited the
Hardened Gentoo Linux project: 'all of the mostly
under-appreciated and uncredited work by Gentoo Hardened to push through
widespread use of PIE and fixing userland to handle the stricter memory
defenses of PaX (which SELinux and others were later able to benefit from).
Specifically, we'd like to thank Mike Frysinger, Anthony Basile, Ned Ludd,
Peter S. Mazinger, and Alexander Gabert for their Gentoo Hardened work and
forum user meev0 for the majority of the grsecurity wiki.' Really? If you
are so 'grateful' to them for the widespread adoption of grsecurity that
gave you such fame and popularity to whine on, what did you give them back
in return? You also give your 'heartfelt gratitude to the users who have
supported your public work through donations or otherwise over the past 16
years.' What did you give them back in return? Did you give them continued
access to your test patches at the very minimum as a token of gratitude for
helping in the widespread adoption of your project? Why do you speak and
appease with things you don't actually mean? I may hate Linus Torvalds as a
person, but I do feel the comments he made when he said 'When they started
talking about people taking advantage of them, I stopped trying to be
polite about their bullshit.' Clearly people have started looking through
your facade of playing the 'Victim Card'.

Throughout the mail I have used double quotes to refer to "multi-billion
dollar corporation". This was done deliberately to highlight something. As
per https://grsecurity.net/purchase.php, the subscription to grsecurity
patches is only for companies, as it is a (** required field). To highlight
the damage you have done under the guise of 'Playing the Victim Card',
allow me to quote a post from the grsecurity forums which you have opted to
ignore: "I'm using test patches on my home PC. I live in country with low
average wage. I can't move to country with higher wages because of
barriers." Clearly by your actions you have done greater damage to users
and machines that are presently using grsec's last patches. There are
actually users who can't afford to pay your unreasonable charges who do
have a 'right' to benefit from your work. Given your paid subscriptions are
meant for 'Companies' only, one can very well guess they are not cheap, and
once again you prove my point. You have opted to deep throat and to be in
bed with the very same "multi-billion dollar corporations" you accuse and
whine of "stealing" and "exploiting" your project, for which I constantly
kept double-quoting the very phrase. And even if some organisation or
company pays for a subscription and decides to share your patches with the
community by exercising its GPL rights, I am pretty sure you will cut off
their subscription under the pretext of 'Exploited us'.

You may argue that grsecurity is your project and you hold the exclusive
rights to decide its fate, and that I have no business dictating what you
should do with it. Sure, that's true; I honestly have no problem with that.
The only reason I felt that 'itch' to write this e-mail was because I was
disgusted by your sheer hypocrisy against "multi-billion dollar
corporations", whereas the sheer irony is that you serve them by selling the
product to companies and playing the 'Victim Card' since 2015.

Here is what you should do:

a) Re-license grsecurity under a proprietary EULA, as you don't have a clear
understanding of or genuine connection with the idea behind the GNU GPL, so as
not to sound like a hypocrite and to spare the GPL world any
misunderstanding. You should stop insulting the free software world and the
communities behind it by doing so. I guess your hands have started itching
to do this already; all you are looking for is another excuse and careful
timing as we speak, maybe?

b) Amend the FAQ section 'Why are you *really* doing this?' in
https://grsecurity.net/passing_the_baton_faq.php and clearly mention the
"Actual Reason" regarding your long-decided plan for closing your
project, instead of yet another 'advertisement' of your product's
superiority. Suggestions? "I have been consumed by greed and ambition and
needed a way to make money out of my project. To avoid any subsequent
backlash to me and my respected PR team, I carefully timed the decision and
the reason."

c) Apologise to the gentoo-hardened community and the previous users of
grsecurity who helped your project gain prominence, for using them as
leverage for your commercial interests.

The funny thing is, your actions will cause you more damage than you can
foresee. A crappy/inferior project like KSPP will reign in popularity soon
due to its widespread public availability, whereas you will start
rotting in the ash heap of history where no one gives a shit about your
whining.

I will close this mail with a suggestion: instead of trying to attack me
publicly by calling me a troll and other mechanisms of public manipulation,
take a few days, think on this mail, let it sink in and understand that
there will always be people who can look past you. I will make sure I
spread this mail in public community forums and on reddit so that people start
looking past you.

Yours Not So Sincerely,

A Free User.
