
> Currently, Grsecurity is a commercial product and is distributed only to paying customers. My understanding from several reliable sources is that customers are verbally or otherwise warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition.

This is a fundamental misunderstanding of the GPL. The GPL merely requires corresponding source to be made available alongside binaries, so if you get a binary from someone you have a right to the corresponding source from that person. It does not require anyone to offer you a binary; it merely says if they did, you can get the corresponding source.

GRSecurity has no obligation to provide you a binary, they can decline to offer you one because you have a silly walk or a 13-character username or you exercised your rights under the GPL. The GPL does not entitle you to product updates or to continue to be a customer of someone who doesn't want you as a customer, it merely entitles you to corresponding source for binaries.

Some would say GRSecurity's practice violates the spirit of the GPL, but the GPL is not a spiritual entity, it's a legal document, and if you want a legal document that produces a different outcome you can write one up.

Also, you should read the fine print from any other Linux vendor – RHEL, Oracle, etc. You don't have to go on "my understanding from several reliable sources", the documents actually state they'll terminate you as a customer if you redistribute their stuff.



GPLv2, section 6:

"Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License."

The question of law is if threatening recipients who exercise their rights qualifies as a restriction on them exercising their rights. Thinking that it does is not a fundamental misunderstanding of the text.


> The question of law is if threatening recipients who exercise their rights qualifies as a restriction on them exercising their rights. Thinking that it does is not a fundamental misunderstanding of the text.

It is a fundamental misunderstanding of the law, and it is not (an open) question of law.

In the US for example, you have the right to free speech. But except in very unusual circumstances, your employer can fire you for exercising it. Whether that threat is a restriction on your rights is perhaps a question in philosophy or ethics, but from a legal point of view it's very clear: your employer is not restricting your speech, they are restricting their own hiring policy.

So it is here. Legally speaking, you are not restricted from redistributing the software. You may be restricted from GRSecurity wanting to do business with you afterwards but you don't have a right to be someone's customer under the GPL, you only have the right to corresponding binaries.


"In the US for example, you have the right to free speech. But except in very unusual circumstances, your employer can fire you for exercising it."

This is a trolling technique known as derailing. It seems to have worked a little since most of the replies are about "free speech", which isn't what this conversation is about.


You are talking nonsense. The only "right to free speech" there is

> Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech

This is fundamentally different from the GPL situation. Much closer is intimidation which is recognized as a criminal offense in many US states.


You are talking nonsense. The "right to free speech" in the United States has developed over hundreds of years of jurisprudence. It is impossible to summarize here but for starters involves not only Congress but also states (Gitlow v NY) and even private parties (Snyder v. Phelps). I don't mean to suggest it is arbitrarily broad but it is certainly much broader than to say it is "only" the text of the first amendment.

Secondly, "intimidation" carries a very specific legal meaning, for example here's the Montana statute [0]:

    (1) A person commits the offense of intimidation when, with the purpose to cause another to perform or to omit the performance of any act, the person communicates to another, under circumstances that reasonably tend to produce a fear that it will be carried out, a threat to perform without lawful authority any of the following acts:

    (a) inflict physical harm on the person threatened or any other person;
    (b) subject any person to physical confinement or restraint; or
    (c) commit any felony.

Unless GRSecurity is threatening to break your legs, kidnap you, or rob your store, they are not intimidating you.

What we are talking about is refusing to do business with you, which is very legal. There are some exceptions, such as if the basis for that refusal is due to your race/sex, or if GRSecurity is a cartel, or if they are refusing in order to obstruct an investigation into some other illegal activity, but I'm not aware of those kinds of facts here.

[0] http://leg.mt.gov/bills/mca/45/5/45-5-203.htm


In the US, your only "right" to free speech is protection from the government restricting your speech. Indeed, if your employer is the government, then there are significant (but not absolute) limitations on how much they can retaliate for your speech.


No, you also have a right to free speech against private actors (in certain circumstances). For one example, see Snyder v. Phelps.


If that case were decided the other way, it would mean that government had a law restricting their right to free speech. You will notice that they did not have the right to speak at the funeral, because the private entity running the funeral is not obligated to give them freedom of speech.

It is true that there are exceptions to the "congress shall make no laws ..." part of the first amendment; so by analogy, there might be some exceptions to the GPL's "no further restrictions" clause, but you have not explained why grsecurity falls into any of those hypothetical exceptions.


> In the US for example, you have the right to free speech. But except in very unusual circumstances, your employer can fire you for exercising it.

Are you sure about this? Are you an attorney? I am not.

I ask because it was my impression that, more than each individual having a right to free speech, each individual has a right to be free from a certain set of governmental restrictions or punishments for their speech, and that this is also true of the non-governmental-employer-employee relationship, but the set is smaller.

For instance, it was my impression that:

(A) People who are not governmental employees have the right to be free from the government restricting them from criticizing Congress in most locations at most times (and have the right to be free from the government punishing them for this criticism)

(B) Governmental employees have fewer rights than (A) in certain respects related to their employment

(C) People who are non-governmental employees can generally be fired for their speech, though not for certain speech, like stating that she is pregnant or whistleblowing to the federal government (under some circumstances)

But I am not a lawyer.


Free speech applies to public (government) entities. You can prevent someone from exercising their rights if they are within your private property. In public spaces this isn't the case, as it's public, but an employer doesn't have to allow any freedoms to their employees (minus human rights violations, which are explicitly stated in law).

So a company could say you aren't allowed to say a single word during work hours while working for them. They would also not have employees.


He's talking about the right granted in the contract, not something analogous to the right of no government abridgment of free speech.


"Also, you should read the fine print from any other Linux vendor – RHEL, Oracle, etc. You don't have to go on "my understanding from several reliable sources", the documents actually state they'll terminate you as a customer if you redistribute their stuff."

I don't know about Oracle, but I know about Red Hat. They not only do not prohibit one from distributing source code and the patches they apply to it, they distribute it freely themselves, and help maintain a free distribution of RHEL called CentOS built from the same sources they use for RHEL.

There is no reasonable way to compare Red Hat's policies about source distribution and availability to grsecurity.


The same goes for SUSE as well. Not only that, but the openSUSE community created an entirely new distribution based on the SLE sources (openSUSE Leap).


> Red Hat. They not only do not prohibit one from distributing source code and the patches they apply to it

Of course they prohibit it. e.g. from [1]

> This EULA does not permit you to distribute the Programs or their components using Red Hat's trademarks, regardless of whether the copy has been modified. You may make a commercial redistribution of the Programs only if (a) permitted under a separate written agreement with Red Hat authorizing such commercial redistribution, or (b) you remove and replace all occurrences of Red Hat trademarks.

from [2]

> Distributing the Software and Services (or any portion) to a third party outside the Portal or using the Software and/or Services to support a third party without paying for each Instance is a material breach of this Agreement even though the open source license applicable to individual software packages may give you the right to distribute those packages

from [3]

> Any unauthorized use of the Subscription Services is a material breach of the Agreement, such as... (d) using Subscription Services in connection with any redistribution of Software

[1] https://www.redhat.com/f/pdf/licenses/GLOBAL_EULA_RHEL_Engli...

[2] https://www.redhat.com/licenses/cloud_CSSA/Red_Hat_Cloud_Sof...

[3] https://www.redhat.com/licenses/GLOBAL_Appendix_one_English_...


Your first quote covers trademarks. That is unrelated to source code. CentOS ships with a different set of trademarks. If you want to rebuild and redistribute the RH sources, you remove the trademarks. That's well understood and well within the terms of the GPL.

Second refers to binary builds of the software. Also well within the terms of the GPL.

Third refers to the Subscription Service which includes access to binary builds, access to a customer portal with knowledge base, private support tickets, etc.

None of these refer to distribution of source, which is explicitly permitted by Red Hat.


> Your first quote covers trademarks. That is unrelated to source code.

Source code contains trademarks, that is why CentOS has to remove them. If you distribute the source code you get from the RHEL subscription area you have violated your RHEL agreement.

You are not in violation of the GPL, but that is precisely my point: everybody does this, and nobody (except OP) believes it is a GPL violation.


I'm not interested in re-litigating the trademark discussion here. It's not relevant to the grsecurity conversation, and it's been settled for a decade or so. Trademark law is separate from copyright law and really has no place in a copyright discussion.

Red Hat places branding in their own packages, generally, which is easily replaced by distributions...they do their own re-branding in Fedora and CentOS; the trademarks are built to be removable. Red Hat went out of their way to make it easier to build a from-source RHEL without violating trademarks, despite not really having a legal obligation to do so.


My assertion had nothing to do with whether they made it easy or hard to remove their trademarks.

My assertion was that Red Hat customers make agreements with Red Hat in which they agree not to redistribute RHEL. That is directly analogous to the GRSecurity case, except there we are relying on something OP heard thirdhand and in the case of RH we can read the agreements.


"My assertion was that Red Hat customers make agreements with Red Hat in which they agree not to redistribute RHEL. That is directly analogous to the GRSecurity case, except there we are relying on something OP heard thirdhand and in the case of RH we can read the agreements."

Then your assertion is a lie. I feel like I'm talking to a wall.

Red Hat very clearly does not prohibit distribution of the source of their kernel, or any other GPL component of RHEL, and in fact they make it available for free in the form of CentOS, and they do not prohibit others from distributing it either. Everything you've quoted above says nothing about what you keep saying it means.


You don't understand the issue then (and your assertion is patently false as I outlined elsewhere).

First of all, requiring trademark removal is something the FSF considers acceptable so long as it is reasonable to do[1]. Both RHEL and SUSE have all of their branding in specifically labeled packages so it is easy to replace.

Second of all, GRSecurity will always penalise you if you distribute their sources (regardless of whether you remove any trademarks they may have in their source -- which I don't think they do).

The two issues are completely different and you're muddying the waters by bringing up Red Hat, even though the free software community has agreed that removal of trademarks is acceptable[1]. You're bringing up a non-issue in a discussion about an actual issue.

[1]: https://www.gnu.org/distros/free-system-distribution-guideli...


Red Hat requires you remove their trademarks before distributing the component. The trademarks are not the source code.

They do not restrict you from distributing the source code.

Grsecurity restricts you from distributing the source code.

These are very different things.


> Also, you should read the fine print from any other Linux vendor – RHEL, Oracle, etc. You don't have to go on "my understanding from several reliable sources", the documents actually state they'll terminate you as a customer if you redistribute their stuff.

While that may be true for Oracle (I doubt it), it's absolutely not true for Red Hat and SUSE. Not only are most of our projects developed in the open under free software licenses in the first place, we provide corresponding source for every package (regardless of the license terms, as long as it's a free software package) through our package manager as source RPMs.

The only restrictions that companies such as Red Hat and SUSE have is related to trademarks and distribution of the binaries that we compiled.

* Trademarks are a completely separate set of laws to copyright, and it has been long accepted in the free software community that as long as it is reasonably easy to remove trademark branding then this is acceptable (in Red Hat's and SUSE's cases, all branding is placed in separate and clearly marked packages -- so you can remove it by replacing those packages)[1].

* As for distribution of binaries, this policy exists for practical reasons and doesn't affect the community (the sources are available and we also provide an entire build service [Open Build Service[2]] that you can use directly to rebuild all of our sources and ISO images if you wished to).

openSUSE Leap is a community distribution created from the SLE sources. CentOS is similarly a distribution built from the RHEL sources.

[ I work for SUSE, and am also an FSF member -- I find spreading of misinformation like this incredibly harmful to the wider community. I would not work for SUSE if I felt that our actions were mistreating users. Opinions my own, obviously. ]

[1]: https://www.gnu.org/distros/free-system-distribution-guideli...

[2]: https://build.opensuse.org/


The word binary appears nowhere in this article. And indeed, the quote you quoted is saying something entirely different from what you're refuting. It is correctly claiming that the GPLv2 license prohibits one from adding additional restrictions to the redistribution of the source code. That means GRsec can't tell you not to redistribute their GPLv2 licensed code, as it's a clear violation of the kernel license.


But that's not what they're saying. If you read their statements on the subject you'll see that they explicitly permit redistribution under the rules of the GPL.

What they will do is terminate your contract and you will not receive further updates.

The GPL does not mandate that you receive updates to anything. All it says is that no restrictions can be applied on the source code that you have received.


> But that's not what they're saying.

Let's back up for a moment just to make sure we're talking about the same "they." "They" being the author of this article, absolutely said almost verbatim what I claimed they said.

My post: "It is correctly claiming that the GPLv2 license prohibits one from adding additional restrictions to the redistribution of the source code"

The article: "This is tantamount to the addition of a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms."

> If you read their statements on the subject you'll see that they explicitly permit redistribution under the rules of the GPL.

Now it seems you're talking about GRsec and not the author of the article, but I definitely didn't claim GRsec said anything, I only made assertions about what the article said.

Then, going a step further, what you're arguing is yet another separate issue entirely, which is more relevant but still different than anything in this thread: Your claim is that their contract's rules of punishing someone for redistribution is not covered by GPL section 6. This may well be true, but I would personally guess not.

"You may not impose any further restrictions on the recipients' exercise of the rights granted herein" seems pretty clear cut to me. It implies that you can't impose any further restrictions. You can't even write a contract regarding the terms of redistributing GPLv2 software. And indeed, as far as I can tell, there's absolutely no precedent for being able to do that. If you could do that, then anyone could defeat the GPL by making a contract with sufficient punishment for redistribution.


The word "they" in my previous post was referring to grsec.


Seems pretty clear. They cannot stop you from redistributing the binary of v1, and anyone you redistribute the binary to can demand the source if it's not already included. They can say that if they find out you redistributed v1, they're not going to give you v2 in the future, but if you get v2 some other way you can still ask for the source (and whoever distributed that one might not get v3 etc.). There may be further restrictions from trademarks to make redistribution perfectly legal (like CentOS just removing mentions of RHEL) but it can quickly become a lost battle for upstream.



