Date: Thu, 29 Jun 2017 04:18:09 +0530
From: Raj Brar <rarbrar.32@...il.com>
To: kernel-hardening@...ts.openwall.com
Cc: spender@...ecurity.net
Subject: My mail to the grsecurity team to expose their FUD

Dear Spender,

I would have written this earlier, but I didn’t sum up the patience and the will to write this up until I read a comment on the grsecurity forums. I am an old Grsecurity user on Gentoo and Archlinux. Over the years the work you did on grsecurity has been unparalleled and unmatched in upping the security of the Linux Kernel, something they (The Linux Foundation & Torvalds) have failed to address since its inception. I have always benefited from grsecurity’s PaX features in my personal workstations and development environments.

Now let us go back a little. Back on August 26, 2015 I heard the news that you had decided to make the -stable patches of grsecurity unavailable to the general public. The reasons stated by you were as follows: “It turns out that not everyone played nice, in particular several very large companies in the embedded Linux world who have gone beyond simply taking advantage of our work.” – https://grsecurity.net/announce.php . The said company did violate your registered trademarks by using the grsecurity name in their products, and I really believed you deserved your share of respect and appreciation and wanted an alternative paying user base for your -stable patches. You said you had little chance to remedy the situation through legal action against a “multi-billion dollar corporation” with a huge legal team. You decided that it was unfair to your sponsors that the above mentioned unlawful players could get away with their activity. Therefore you ceased the public dissemination of the stable series and made it available to “commercial customers only”.
At that time, I did feel sympathetic towards you as you said you spent ‘thousands of dollars on legal fees challenging the embedded Linux industry’ and the above measure might just compensate your efforts, while keeping the distro community like Gentoo and Archlinux happy with your -test patches. As a user this move didn’t affect me as such, even though I prefer to use the LTS series of the upstream Linux Kernel, for which your -stable patches were the best. So far so good. Little did I know that this was Stage 1 of your bigger plans.

Fast forward to this day: I hear you have upped your ‘blame game’ and cut down public access to your test patches too. The whole KSPP ‘rip off’ and “billion dollar corporations” exploiting your work and expecting additional free work out of you. Yes, I agree what Kees/Greg/etc. were doing to you was ‘unfair’. But, given your product is under the GNU GPL, let me take the privilege to explain to you briefly what the GPL stands for. The universal narrative behind the GPL as explained by the FSF, ‘Creator behind the license you use in your patch’, is this:

Freedom 0: The freedom to *run* the program for any purpose.
Freedom 1: The freedom to *study* how the program works, and change it to make it do what you wish.
Freedom 2: The freedom to *redistribute* and make copies so you can help your neighbor.
Freedom 3: The freedom to *improve* the program, and release your improvements (and modified versions in general) to the public, so that the whole community benefits.

I can’t help but focus on Freedoms 2 and 3 in the case of grsecurity and your accusations of other individuals and companies “stealing and exploiting” your work. The basic essence of the GPL is to legitimise the idea of ‘sharing’ and not demonize or re-spin it as ‘STEALING / EXPLOITING / PIRATING’ as you make it sound like; be it by a small individual or by “billion dollar corporations”.
Yes, I do agree ‘Misusing Trademark and quality’ is a different debate which I am not getting into, but let’s focus on this specific aspect for now. Let me give you a few working examples of this model of ‘sharing’ / ‘a.k.a. EXPLOITING as per your interpretation’ from within the free software community.

As we all know, the Ubuntu Linux distribution is based on Debian’s Unstable branch. Ubuntu is a product by Canonical Ltd. Ubuntu somewhat cooperates with Debian by pushing changes back to the Debian community, although there has been criticism that this does not happen often enough. The Debian community and the late Ian Murdock had expressed concerns in the past regarding this too. A “million dollar corporation”, Canonical Ltd., charges by selling commercial support to Ubuntu customers, by selling support services and training programs. But they don’t share this revenue with the Debian community, their original upstream. Was this ‘unfair’ from Canonical’s end? Yes, it was. Did Debian ‘whine’ about it or shut its doors to the general public? No.

Allow me to give another example. The Fedora distribution of Linux is a community project that a “billion dollar corporation” like Redhat benefits from by downstreaming and selling an enterprise product based on Fedora, Red Hat Enterprise Linux (RHEL). Is it ‘sort of’ unfair of Redhat to profit from community work like Fedora? Yes. Are the developers of the Fedora Project hired Redhat employees? No. But they don’t whine and moan, and believe in their good work over ‘recognition’.

We also have Oracle Linux, which is compiled entirely from Red Hat Enterprise Linux’s source code, replacing Red Hat branding with Oracle's. Oracle gets to profit from this product by selling support services. Did Redhat sue Oracle for doing this? No.

The cases above clearly portray that ‘unfair’ practices do not necessarily mean ‘STEALING CODE’ or the violation of the GPL or the spirit of free software.
The GPL actually stands for ‘nullifying’ the very branding and terming of ‘stealing’ from the Free Software world. Tell me honestly, dear Spender, do you really connect with the idea of the GPL or do you use this as a PR exercise to please your ‘Paid Sponsors’? You could have simply let the KSPP project continue with their crappy rip-off by ignoring them and kept on letting users and the community benefit from your quality work. Instead you have used this as a long-waited Stage 2 opportunity coming from your long awaited greed ‘Which I will explain shortly’ to do what you always wanted to do, yet cultivate enough sympathy to avoid any backlash.

In your post ‘passing the baton’ you felt grateful and credited the Hardened-Gentoo Linux project with your ‘all of the mostly under-appreciated and uncredited work by Gentoo Hardened to push through widespread use of PIE and fixing userland to handle the stricter memory defenses of PaX (which SELinux and others were later able to benefit from). Specifically, we'd like to thank Mike Frysinger, Anthony Basile, Ned Ludd, Peter S. Mazinger, and Alexander Gabert for their Gentoo Hardened work and forum user meev0 for the majority of the grsecurity wiki.’ Really? If you are so ‘grateful’ to them for the widespread adaptation of Grsecurity that gave you such fame and popularity to whine on, what did you give them back in return? You also give your ‘heartfelt gratitude to the users who have supported your public work through donations or otherwise over the past 16 years.’ What did you give them back in return? Did you give them continued access to your test patches at the very minimum as a token of gratitude for helping in the widespread adaptation of your project? Why do you speak and appease things you don’t actually mean? I may hate Linus Torvalds as a person, but I feel the comments he made when he said ‘When they started talking about people taking advantage of them, I stopped trying to be polite about their bullshit.’
Clearly people have started looking through your facade of playing the ‘Victim Card’. Throughout the mail I have used double quotes to refer to “multi-billion dollar corporation”. This was done deliberately to highlight something. As per https://grsecurity.net/purchase.php the subscription to grsecurity patches is only for companies, as it is a (** required field). To highlight the damage you have done under the guise of your ‘Playing the Victim Card’, allow me to quote a post from the grsecurity forums which you have opted to ignore: “I'm using test patches on my home PC. I live in country with low average wage. I can't move to country with higher wages because of barriers.” Clearly by your actions you have done greater damage to users and machines that are presently using grsec’s last patches. There are actually users who can’t afford to pay your unreasonable charges who do have a ‘right’ to benefit from your work. Given your paid subscriptions are meant for ‘Companies’ only, one can very well guess they are not cheap, and once again you prove my point. You have opted to deep throat and to be in bed with the very same “multi-billion dollar corporations” you accuse and whine of “stealing” and “exploiting” your project, for which I constantly kept double-quoting the very phrase. And even if some organisation or company pays for a subscription and decides to share your patches with the community by exercising its GPL rights, I am pretty sure you will cut off their subscription under the pretext of ‘Exploited us’. You may argue that grsecurity is your project and you hold the exclusive rights to decide its fate, and I have no business dictating what you should do with it. Sure, that’s true, I honestly have no problem with that.
The only reason I felt that ‘itch’ to write this e-mail was because I was disgusted by your sheer hypocrisy against “multi-billion dollar corporations”, whereas the sheer irony is you serve them by selling the product to companies and playing the ‘Victim Card’ since 2015. Here is what you should do:

a) Re-license grsecurity under a proprietary EULA, as you don’t have a clear understanding of or genuine connection with the idea behind the GNU GPL, so as to not sound like a hypocrite and to spare the GPL world any misunderstanding. You should stop insulting the free software world and the communities behind it by doing so. I guess your hands have started itching to do this already; all you are looking for is another excuse and careful timing as we speak, maybe?

b) Amend the FAQ section ‘Why are you *really* doing this?’ in https://grsecurity.net/passing_the_baton_faq.php and clearly mention the “Actual Reason” and your long-decided plan for closing your project, instead of yet another ‘advertisement’ of your product’s superiority. Suggestions? “I have been consumed in greed and ambition and needed a way to make money out of my project. To avoid any subsequent backlash to me and my respected PR team, I carefully timed the decision and the reason.”

c) Apologise to the gentoo-hardened community and the previous users of grsecurity who helped your project gain prominence, for using them as leverage for your commercial interests.

The funny thing is, your actions will cause you more damage than you can foresee. A crappy/inferior project like KSPP will reign in popularity soon due to its widespread public availability, whereas you will start rotting down in the ash heap of history where no one gives a shit about your whining.
I will close this mail with a suggestion: instead of trying to attack me publicly by calling me a troll and other mechanisms of public manipulation, take a few days, think on this mail, let it sink in and understand that there will always be people who can look past you. I will make sure I spread this mail in public community forums and reddit so that people start looking past you.

Yours Not So Sincerely,
A Free User.