Re: Is this Grsecurity patch issue going to harm IPFire going forward?

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 2555 bytes --]

On Fri, 2015-08-28 at 10:46 -0400, William Pechter wrote:
> Michael Tremer wrote:
> > Sure it is free software in the end and we all wouldn't do free
> > software if we didn't know this from the beginning. We do not
> > expect
> > money from every single user, because other things are even more
> > important. But at the end of the day money is needed to run the
> > project. If someone is paying that from their own pocket and an
> > other
> > one is making the huge profit, something is *clearly* wrong.
> Thank you for the in depth answer...
> 
> I hope there's someone out there who will leak the name of the large
> company so there's a change in their behavior and a loss of
> at least a little of their customer base.

There are various speculations out there who it could have been.

Probably every big business is guilty of not supporting the software
they use. Remember when Heartbleed "uncovered" that two guys did
OpenSSL in their spare time? Many companies relied on this software and
no one really supported the project. After that they got ridiculous
amounts of money. I am not convinced that this is the solution to throw
this money onto the project in that case a severe issue is discovered. 

> Unfortunately, there's big money in computer security these days and
> some large companies have been buying up the Open Source
> products.

I don't think that this money is invested in real security. People buy
solutions that look like security but they are not. People like
scanning proxies that search for viruses and forget about making TLS
completely useless. These are the products that sell for money. Under
-the-hood improvements like grsecurity do not look as nice on a flyer
and won't convince the customer to buy anything.

>  I remember when Cisco replaced their sensor box under Solaris
> (IIRC it was Solaris, not SCO) with a Linux customized box
> with Snort...
> 
> Perhaps the Open Source community needs to pool resources in some
> kind
> of cooperative to keep these projects going.
> 
> At least Snort is still available after the Cisco buyout.  It could
> have
> been worse and been an Oracle purchase which usually causes a pull of
> the open source version from the net.

Snort is still available, but I think that development has not really
advanced much since then. They are commercially exploiting a nice Open
Source project. I am not too deep in this - this is just my impression.
Some projects are better if they are left independent and big companies
sponsor them instead of owning them.

-Michael

> 
> Bill
> 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]