nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Linux kernel hardeners Grsecurity sue open source's Bruce Perens

Our customer contract doesn't violate GPLv2, biz insists in defamation lawsuit

By Thomas Claburn, 3 Aug 2017

Updated In late June, noted open-source programmer Bruce Perens warned that using Grsecurity's Linux kernel security could invite legal trouble.

"As a customer, it's my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity," Perens wrote on his blog.

The following month, Perens was invited to court. Grsecurity sued the open-source doyen, his web host, and as-yet-unidentified defendants who may have helped him draft that post, for defamation and business interference.

Grsecurity offers Linux kernel security patches on a paid-for subscription basis. The software hardens kernel defenses through checks for common errors like memory overflows. Perens, meanwhile, is known for using the Debian Free Software Guidelines to draft the Open Source Definition, with the help of others.

Linus Torvalds, who oversees the Linux kernel, has called Grsecurity's patches "garbage".

Grsecurity used to allow others to redistribute its patches, but the biz ended that practice for stable releases two years ago and for test patches in April this year. It offers its GPLv2 licensed software through a subscription agreement. The agreement says that customers who redistribute the code – a right under the GPLv2 license – will no longer be customers and will lose the right to distribute subsequent versions of the software.

According to Perens, "GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition."

A legal complaint (PDF) filed on behalf of Grsecurity in San Francisco, California, insists the company's software complies with the GPLv2. Grsecurity's agreement, the lawsuit states, only applies to future patches, which have yet to be developed.

"There is no explicit or implicit term, section, or clause in the GPLv2 that is applicable over future versions or updates of the Patches that have not yet been developed, created, or released by [Grsecurity]," the complaint contends.

Perens isn't arguing that the GPLv2 applies to unreleased software. Rather, he asserts the GPLv2, under section 6, specifically forbids the addition of contractual terms.

As the GPLv2 license states, "You may not impose any further restrictions on the recipients' exercise of the rights granted herein."

In a Slashdot.org thread, excerpted in a court filing, Perens explains that merely agreeing to Grsecurity's contract violates the GPLv2 because the company doesn't have the right to distribute an unlicensed derivative of the Linux kernel.

It now falls to a judge to sort things out. ®

Updated to add

In an email to The Register, Heather Meeker, a partner at O'Melveny & Myers LLP, said:

Mr Perens is a world-renowned expert who speaks and writes about open-source software licensing and compliance in the interest of the public. This lawsuit by Open Source Security, Inc is a transparent attempt to silence Mr Perens from expressing his opinions, just because the plaintiff happens to disagree with them. It is disappointing that anyone in the open-source community would resort to such tactics.

Meanwhile, Rohit Chhabra, founder of the Chhabra Law Firm and Grsecurity's attorney, said in an email to The Register:

Mr Perens has made false statements, claiming them to be facts, and based on those statements employed fear-mongering tactics to intentionally hurt Open Source Security Inc's business. Mr Perens abused his standing in the open-source community and did so for the sole purpose of dissuading consumers from using the Grsecurity product. Mr Perens has admitted that such tactics were 'more effective than writing to' Plaintiff about his disagreement with Plaintiff's business practices.

No court of law has ever established that a statement implying a false assertion of fact is constitutionally protected speech, and we intend to hold Mr Perens accountable to the fullest extent permitted by law.

The Register - Independent news and views for the tech community. Part of Situation Publishing