* Is this Grsecurity patch issue going to harm IPFire going forward?
From: William Pechter @ 2015-08-27 18:42 UTC
To: development

Important Notice Regarding Public Availability of Stable Patches
<https://www.grsecurity.net/index.php#>

Due to continued violations by several companies in the embedded
industry of grsecurity®'s trademark and registered copyrights,
effective September 9th 2015 stable patches of grsecurity will be
permanently unavailable to the general public. For more information,
read the full announcement. <https://www.grsecurity.net/announce.php>

https://www.grsecurity.net/announce.php

--
Digital had it then. Don't you wish you could buy it now!
pechter-at-gmail.com http://xkcd.com/705/

* Re: Is this Grsecurity patch issue going to harm IPFire going forward?
From: Michael Tremer @ 2015-08-28 11:29 UTC
To: development

Hi,

the short answer is: Probably not.

The long answer is: Yes, it will certainly have an impact on the
security of many Linux-based systems. IPFire is only one of them.

The technical issue for us will be that kernel updates won't be as easy
for us since we will need to make work that is usually done in the
grsecurity project. Frankly we do not have the expertise for that. Even
if we had we would have the time and it won't make sense to do the same
work multiple times.

I find that this is a great loss for the free software world. If all
free software projects see themselves forced to remove their code from
"the market" there would not be much left. We all fight the same issues
here, since our software is used by companies which make lots of money
out of it and do development work based on IPFire but do not give
anything back. The grsecurity case is a very severe case though.

Sure it is free software in the end and we all wouldn't do free
software if we didn't know this from the beginning. We do not expect
money from every single user, because other things are even more
important. But at the end of the day money is needed to run the
project. If someone is paying that from their own pocket and an other
one is making the huge profit, something is *clearly* wrong.

Therefore I can personally understand Brad and the PaX team very well
and I understand that they see this is a threat to their name and
future work.

So we dearly *hope* that this entire dispute can be settled and Brad is
not forced to make the stable patches only available for the "sponsors"
which are paying customers then. This will be a huge loss for IPFire
and all its users as well as many other projects that rely on
grsecurity.

Hope this answers your question.

Best,
-Michael

On Thu, 2015-08-27 at 14:42 -0400, William Pechter wrote:
> Important Notice Regarding Public Availability of Stable Patches
> <https://www.grsecurity.net/index.php#>
>
> Due to continued violations by several companies in the embedded
> industry of grsecurity®'s trademark and registered copyrights,
> effective September 9th 2015 stable patches of grsecurity will be
> permanently unavailable to the general public. For more information,
> read the full announcement. <https://www.grsecurity.net/announce.php>
>
> https://www.grsecurity.net/announce.php

* Re: Is this Grsecurity patch issue going to harm IPFire going forward?
From: William Pechter @ 2015-08-28 14:46 UTC
To: development

Michael Tremer wrote:
> Sure it is free software in the end and we all wouldn't do free
> software if we didn't know this from the beginning. We do not expect
> money from every single user, because other things are even more
> important. But at the end of the day money is needed to run the
> project. If someone is paying that from their own pocket and an other
> one is making the huge profit, something is *clearly* wrong.

Thank you for the in depth answer...

I hope there's someone out there who will leak the name of the large
company so there's a change in their behavior and a loss of at least a
little of their customer base.

Unfortunately, there's big money in computer security these days and
some large companies have been buying up the Open Source products. I
remember when Cisco replaced their sensor box under Solaris (IIRC it
was Solaris, not SCO) with a Linux customized box with Snort...

Perhaps the Open Source community needs to pool resources in some kind
of cooperative to keep these projects going.

At least Snort is still available after the Cisco buyout. It could have
been worse and been an Oracle purchase which usually causes a pull of
the open source version from the net.

Bill

--
Digital had it then. Don't you wish you could buy it now!
pechter-at-gmail.com http://xkcd.com/705/

* Re: Is this Grsecurity patch issue going to harm IPFire going forward?
From: Michael Tremer @ 2015-08-28 16:15 UTC
To: development

On Fri, 2015-08-28 at 10:46 -0400, William Pechter wrote:
> Michael Tremer wrote:
> > Sure it is free software in the end and we all wouldn't do free
> > software if we didn't know this from the beginning. We do not expect
> > money from every single user, because other things are even more
> > important. But at the end of the day money is needed to run the
> > project. If someone is paying that from their own pocket and an other
> > one is making the huge profit, something is *clearly* wrong.
> Thank you for the in depth answer...
>
> I hope there's someone out there who will leak the name of the large
> company so there's a change in their behavior and a loss of
> at least a little of their customer base.

There are various speculations out there who it could have been.

Probably every big business is guilty of not supporting the software
they use. Remember when Heartbleed "uncovered" that two guys did
OpenSSL in their spare time? Many companies relied on this software and
no one really supported the project. After that they got ridiculous
amounts of money. I am not convinced that this is the solution to throw
this money onto the project in that case a severe issue is discovered.

> Unfortunately, there's big money in computer security these days and
> some large companies have been buying up the Open Source
> products.

I don't think that this money is invested in real security. People buy
solutions that look like security but they are not. People like
scanning proxies that search for viruses and forget about making TLS
completely useless. These are the products that sell for money.

Under-the-hood improvements like grsecurity do not look as nice on a
flyer and won't convince the customer to buy anything.

> I remember when Cisco replaced their sensor box under Solaris
> (IIRC it was Solaris, not SCO) with a Linux customized box
> with Snort...
>
> Perhaps the Open Source community needs to pool resources in some kind
> of cooperative to keep these projects going.
>
> At least Snort is still available after the Cisco buyout. It could have
> been worse and been an Oracle purchase which usually causes a pull of
> the open source version from the net.

Snort is still available, but I think that development has not really
advanced much since then. They are commercially exploiting a nice Open
Source project. I am not too deep in this - this is just my impression.

Some projects are better if they are left independent and big companies
sponsor them instead of owning them.

-Michael

>
> Bill
>

* Re: Is this Grsecurity patch issue going to harm IPFire going forward?
From: Paul Simmons @ 2015-08-28 16:32 UTC
To: development

On Fri, 2015-08-28 at 10:46 -0400, William Pechter wrote:
> Michael Tremer wrote:
> > Sure it is free software in the end and we all wouldn't do free
> > software if we didn't know this from the beginning. We do not expect
> > money from every single user, because other things are even more
> > important. But at the end of the day money is needed to run the
> > project. If someone is paying that from their own pocket and an other
> > one is making the huge profit, something is *clearly* wrong.
> Thank you for the in depth answer...
>
> I hope there's someone out there who will leak the name of the large
> company so there's a change in their behavior and a loss of
> at least a little of their customer base.
>
> Unfortunately, there's big money in computer security these days and
> some large companies have been buying up the Open Source
> products. I remember when Cisco replaced their sensor box under Solaris
> (IIRC it was Solaris, not SCO) with a Linux customized box
> with Snort...
>
> Perhaps the Open Source community needs to pool resources in some kind
> of cooperative to keep these projects going.
>
> At least Snort is still available after the Cisco buyout. It could have
> been worse and been an Oracle purchase which usually causes a pull of
> the open source version from the net.
>
> Bill
>

I was about to suggest a "grsecurity sponsorship funding drive" for
IPFire, until I found that sponsorship costs $200USD/month.

https://grsecurity.net/sponsors.php

Crappola - I can't even come up with $10USD to send to IPFire, so I
suppose that's a bad idea. If I win a sweepstakes, I'll send the
money :-).

Paul

--
Today is the last day of your life so far.

* Re: Is this Grsecurity patch issue going to harm IPFire going forward?
From: William Pechter @ 2015-08-28 16:34 UTC
To: development

Paul Simmons wrote:
> On Fri, 2015-08-28 at 10:46 -0400, William Pechter wrote:
>> Michael Tremer wrote:
>>> Sure it is free software in the end and we all wouldn't do free
>>> software if we didn't know this from the beginning. We do not expect
>>> money from every single user, because other things are even more
>>> important. But at the end of the day money is needed to run the
>>> project. If someone is paying that from their own pocket and an other
>>> one is making the huge profit, something is *clearly* wrong.
>> Thank you for the in depth answer...
>>
>> I hope there's someone out there who will leak the name of the large
>> company so there's a change in their behavior and a loss of
>> at least a little of their customer base.
>>
>> Unfortunately, there's big money in computer security these days and
>> some large companies have been buying up the Open Source
>> products. I remember when Cisco replaced their sensor box under Solaris
>> (IIRC it was Solaris, not SCO) with a Linux customized box
>> with Snort...
>>
>> Perhaps the Open Source community needs to pool resources in some kind
>> of cooperative to keep these projects going.
>>
>> At least Snort is still available after the Cisco buyout. It could have
>> been worse and been an Oracle purchase which usually causes a pull of
>> the open source version from the net.
>>
>> Bill
>>
> I was about to suggest a "grsecurity sponsorship funding drive" for
> IPFire, until I found that sponsorship costs $200USD/month.
>
> https://grsecurity.net/sponsors.php
>
> Crappola - I can't even come up with $10USD to send to IPFire, so I
> suppose that's a bad idea. If I win a sweepstakes, I'll send the
> money :-).
>
> Paul

I was going to suggest the same thing. Pitching in together to send
some cash would be a good thing to do, but when the bar is set too high
they won't get small contributions from the community.

Bill

--
Digital had it then. Don't you wish you could buy it now!
pechter-at-gmail.com http://xkcd.com/705/

* Re: Is this Grsecurity patch issue going to harm IPFire going forward?
From: Larsen @ 2015-08-28 17:04 UTC
To: development

>> I was about to suggest a "grsecurity sponsorship funding drive" for
>> IPFire, until I found that sponsorship costs $200USD/month.

I suppose the author would be willing to support other open source
projects like IPFire without sponsoring. The problem is companies, but
I am pretty sure that Brad Spengler could be contacted to talk about
this.

@Michael: As the project lead, would you contact him?

Lars

* Re: Is this Grsecurity patch issue going to harm IPFire going forward?
From: Michael Tremer @ 2015-08-28 18:53 UTC
To: development

On Fri, 2015-08-28 at 19:04 +0200, Larsen wrote:
> > > I was about to suggest a "grsecurity sponsorship funding drive" for
> > > IPFire, until I found that sponsorship costs $200USD/month.
>
> I suppose the author would be willing to support other open source
> projects like IPFire without sponsoring. The problem is companies,
> but I am pretty sure that Brad Spengler could be contacted to talk
> about this.

Brad and the PaX team have always been very helpful if we had any
issues that may have been related to the patch. I have been reporting
build issues with almost every single patch. This is not much, but at
least something that we can give back.

> @Michael: As the project lead, would you contact him?

I did that already shortly after I saw the announcement and offered him
to get in touch with me if there is anything we can do to help. I also
commented that I do not really approve the approach he has chosen to
resolve the issue, but that I certainly understand where he is coming
from and that he has my support.

-Michael

>
> Lars

* Re: Is this Grsecurity patch issue going to harm IPFire going forward?
From: Michael Tremer @ 2015-08-28 18:49 UTC
To: development

On Fri, 2015-08-28 at 11:32 -0500, Paul Simmons wrote:
> On Fri, 2015-08-28 at 10:46 -0400, William Pechter wrote:
> > Michael Tremer wrote:
> > > Sure it is free software in the end and we all wouldn't do free
> > > software if we didn't know this from the beginning. We do not expect
> > > money from every single user, because other things are even more
> > > important. But at the end of the day money is needed to run the
> > > project. If someone is paying that from their own pocket and an other
> > > one is making the huge profit, something is *clearly* wrong.
> > Thank you for the in depth answer...
> >
> > I hope there's someone out there who will leak the name of the large
> > company so there's a change in their behavior and a loss of
> > at least a little of their customer base.
> >
> > Unfortunately, there's big money in computer security these days and
> > some large companies have been buying up the Open Source
> > products. I remember when Cisco replaced their sensor box under Solaris
> > (IIRC it was Solaris, not SCO) with a Linux customized box
> > with Snort...
> >
> > Perhaps the Open Source community needs to pool resources in some kind
> > of cooperative to keep these projects going.
> >
> > At least Snort is still available after the Cisco buyout. It could have
> > been worse and been an Oracle purchase which usually causes a pull of
> > the open source version from the net.
> >
> > Bill
> >
>
> I was about to suggest a "grsecurity sponsorship funding drive" for
> IPFire, until I found that sponsorship costs $200USD/month.
>
> https://grsecurity.net/sponsors.php
>
> Crappola - I can't even come up with $10USD to send to IPFire, so I
> suppose that's a bad idea. If I win a sweepstakes, I'll send the
> money :-).

I certainly like the idea to help funding the project. However I do not
see any point in raising money to give to the lawyers to defend the
trademark or to sue because of the GPL violation. That money could
certainly be used better than being given to the lawyers.

Just donate to the projects you use and love. Every single bit does
help. It will sum up soon.

-Michael

>
> Paul

[parent not found: <1441059261.18358.130.camel@ipfire.org>]
* Re: Is this Grsecurity patch issue going to harm IPFire going forward?
From: IT Superhack @ 2015-09-09 16:35 UTC
To: development

Michael Tremer:
> On Mon, 2015-08-31 at 12:08 +0200, IT Superhack wrote:
>> Michael Tremer:
>>> I certainly like the idea to help funding the project. However I do not
>>> see any point in raising money to give to the lawyers to defend the
>>> trademark or to sue because of the GPL violation. That money could
>>> certainly be used better than being given to the lawyers.
>> I agree with Michael. Raising money just for giving them to lawyers is
>> not a very good solution in my point of view.
>>
>> In the past, I noticed that there were patches sent to grsecurity coming
>> from the IPFire team. Therefore, I guess there might be a way to get out
>> of this situation.
>
> What does that change?

It is usually much easier to solve a conflict if both sides already
know each other and cooperated in the past... (Not sure if it works
here, but usually, it does.)

>
>> Remember Transifex? On their website, they said that open-source
>> projects don't need to pay anything, commercial projects need to do so.
>> I like this idea because it takes the money from those who can afford to
>> pay it, and not from everybody. Maybe Brad and the PaX team would agree
>> to this...
>
> This is very easy to do with services and not so easy with software. We
> don't have a license for that, either. I personally would not consider
> this being a good option because free software should be free for every
> one.

Of course, it would conflict with the definition of "free" software.
But in my opinion, it is better to restrict the freedom than to ruin
your project, and I think that's what the grsecurity team did (which is
understandable to me).

>
>>>
>>> Just donate to the projects you use and love. Every single bit does
>>> help. It will sum up soon.
>> I have a general question here: How many users does IPFire have? (Once
>> Michael said if everybody running an IPFire system would donate 1€ per
>> month, worries about funding would become obsolete.)
>
> We do not know exactly how many systems are out there. If you count
> users that would be an extremely higher number than instances, because
> we know that there are many with hundreds and thousands of users.

Of course, but I'm sure there is a way of telling the amount (1 000?
100 000? 1 Million?) of systems, isn't it?

>
> I said that in my talk at the last IPFire summit, that if we had one
> Euro for each running system a month, we would have enough money to run
> the project in a different way :)

Ah, okay, that was it.

>

Best regards,
Timmothy Wilson

* Re: Is this Grsecurity patch issue going to harm IPFire going forward?
From: Michael Tremer @ 2015-09-11 14:53 UTC
To: development

On Wed, 2015-09-09 at 18:35 +0200, IT Superhack wrote:
> Michael Tremer:
> > On Mon, 2015-08-31 at 12:08 +0200, IT Superhack wrote:
> > > Michael Tremer:
> > > > I certainly like the idea to help funding the project. However I do
> > > > not see any point in raising money to give to the lawyers to defend
> > > > the trademark or to sue because of the GPL violation. That money
> > > > could certainly be used better than being given to the lawyers.
> > > I agree with Michael. Raising money just for giving them to lawyers
> > > is not a very good solution in my point of view.
> > >
> > > In the past, I noticed that there were patches sent to grsecurity
> > > coming from the IPFire team. Therefore, I guess there might be a way
> > > to get out of this situation.
> >
> > What does that change?
> It is usually much easier to solve a conflict if both sides already
> know each other and cooperated in the past... (Not sure if it works
> here, but usually, it does.)

Yes, we try our best, but I am afraid that in the end we cannot make a
huge difference to this whole mess. Haven't heard anything from Brad in
the meantime...

> > > Remember Transifex? On their website, they said that open-source
> > > projects don't need to pay anything, commercial projects need to do
> > > so. I like this idea because it takes the money from those who can
> > > afford to pay it, and not from everybody. Maybe Brad and the PaX team
> > > would agree to this...
> >
> > This is very easy to do with services and not so easy with software.
> > We don't have a license for that, either. I personally would not
> > consider this being a good option because free software should be free
> > for every one.
> Of course, it would conflict with the definition of "free" software.
> But in my opinion, it is better to restrict the freedom than to ruin
> your project, and I think that's what the grsecurity team did (which is
> understandable to me).

The grsecurity project is not ruined. At least not the software. That
the situation is not making things easier is undoubtedly true.

I just do not see a way that makes it possible to run a project
"half-open". Either you publish the code or not. If you open it for one
group, what would stop an other group from taking it? We have seen that
this company in question does not really about any licensing any way.

I am also not entirely sure if that what Brad does is a good solution.
First of all grsecurity is not usable for most of its users since most
likely they will all use the "stable" version. But this patch modifies
lots of kernel code which is licensed under the terms of the GPL.
Modifications of that must be made public. I do not know what will be
released and when, but I think that this cannot be a permanent solution
any way.

> > > >
> > > > Just donate to the projects you use and love. Every single bit
> > > > does help. It will sum up soon.
> > > I have a general question here: How many users does IPFire have?
> > > (Once Michael said if everybody running an IPFire system would
> > > donate 1€ per month, worries about funding would become obsolete.)
> >
> > We do not know exactly how many systems are out there. If you count
> > users that would be an extremely higher number than instances,
> > because we know that there are many with hundreds and thousands of
> > users.
> Of course, but I'm sure there is a way of telling the amount (1 000?
> 100 000? 1 Million?) of systems, isn't it?

We do have fireinfo and based on the data of that an estimation of how
many systems there are out there. However we do not know how accurate
that is. Probably not very much.

> >
> > I said that in my talk at the last IPFire summit, that if we had one
> > Euro for each running system a month, we would have enough money to
> > run the project in a different way :)
> Ah, okay, that was it.

I am not sure if that is obvious or not: Our situation has not improved
a single bit since then. It has even become slightly worse. So if you
know someone who can become a sponsor, ask them to get in touch with
us.

Best,
-Michael

> >
> Best regards,
> Timmothy Wilson
>