Important Notice Regarding Public Availability of Stable Patches https://www.grsecurity.net/index.php#
Due to continued violations by several companies in the embedded industry of grsecurity®'s trademark and registered copyrights, effective September 9th 2015 stable patches of grsecurity will be permanently unavailable to the general public. For more information, read the full announcement: https://www.grsecurity.net/announce.php
Hi,
the short answer is: Probably not.
The long answer is: Yes, it will certainly have an impact on the security of many Linux-based systems. IPFire is only one of them.
The technical issue for us will be that kernel updates won't be as easy for us, since we will need to do work that is usually done in the grsecurity project. Frankly, we do not have the expertise for that. Even if we had, we would not have the time, and it would not make sense to do the same work multiple times.
I find that this is a great loss for the free software world. If all free software projects see themselves forced to remove their code from "the market", there would not be much left. We all fight the same issues here, since our software is used by companies which make lots of money out of it and do development work based on IPFire but do not give anything back.
The grsecurity case is a very severe case though.
Sure, it is free software in the end, and we all wouldn't do free software if we didn't know this from the beginning. We do not expect money from every single user, because other things are even more important. But at the end of the day money is needed to run the project. If someone is paying that from their own pocket and another one is making the huge profit, something is *clearly* wrong.
Therefore I can personally understand Brad and the PaX team very well, and I understand that they see this as a threat to their name and future work.
So we dearly *hope* that this entire dispute can be settled and Brad is not forced to make the stable patches available only to the "sponsors", which are then paying customers. This will be a huge loss for IPFire and all its users, as well as many other projects that rely on grsecurity.
Hope this answers your question.
Best, -Michael
On Thu, 2015-08-27 at 14:42 -0400, William Pechter wrote:
Michael Tremer wrote:
Sure it is free software in the end and we all wouldn't do free software if we didn't know this from the beginning. We do not expect money from every single user, because other things are even more important. But at the end of the day money is needed to run the project. If someone is paying that from their own pocket and an other one is making the huge profit, something is *clearly* wrong.
Thank you for the in depth answer...
I hope there's someone out there who will leak the name of the large company so there's a change in their behavior and a loss of at least a little of their customer base.
Unfortunately, there's big money in computer security these days and some large companies have been buying up the Open Source products. I remember when Cisco replaced their sensor box under Solaris (IIRC it was Solaris, not SCO) with a Linux customized box with Snort...
Perhaps the Open Source community needs to pool resources in some kind of cooperative to keep these projects going.
At least Snort is still available after the Cisco buyout. It could have been worse and been an Oracle purchase which usually causes a pull of the open source version from the net.
Bill
On Fri, 2015-08-28 at 10:46 -0400, William Pechter wrote:
Michael Tremer wrote:
Sure it is free software in the end and we all wouldn't do free software if we didn't know this from the beginning. We do not expect money from every single user, because other things are even more important. But at the end of the day money is needed to run the project. If someone is paying that from their own pocket and an other one is making the huge profit, something is *clearly* wrong.
Thank you for the in depth answer...
I hope there's someone out there who will leak the name of the large company so there's a change in their behavior and a loss of at least a little of their customer base.
There are various speculations out there about who it could have been.
Probably every big business is guilty of not supporting the software they use. Remember when Heartbleed "uncovered" that two guys did OpenSSL in their spare time? Many companies relied on this software and no one really supported the project. After that they got ridiculous amounts of money. I am not convinced that throwing money at the project once a severe issue is discovered is the solution.
Unfortunately, there's big money in computer security these days and some large companies have been buying up the Open Source products.
I don't think that this money is invested in real security. People buy solutions that look like security, but they are not. People like scanning proxies that search for viruses and forget that these make TLS completely useless. These are the products that sell for money. Under-the-hood improvements like grsecurity do not look as nice on a flyer and won't convince the customer to buy anything.
I remember when Cisco replaced their sensor box under Solaris (IIRC it was Solaris, not SCO) with a Linux customized box with Snort...
Perhaps the Open Source community needs to pool resources in some kind of cooperative to keep these projects going.
At least Snort is still available after the Cisco buyout. It could have been worse and been an Oracle purchase which usually causes a pull of the open source version from the net.
Snort is still available, but I think that development has not really advanced much since then. They are commercially exploiting a nice Open Source project. I am not too deep in this - this is just my impression. Some projects are better if they are left independent and big companies sponsor them instead of owning them.
-Michael
I was about to suggest a "grsecurity sponsorship funding drive" for IPFire, until I found that sponsorship costs $200USD/month.
https://grsecurity.net/sponsors.php
Crappola - I can't even come up with $10USD to send to IPFire, so I suppose that's a bad idea. If I win a sweepstakes, I'll send the money :-).
Paul
Paul Simmons wrote:
I was about to suggest a "grsecurity sponsorship funding drive" for IPFire, until I found that sponsorship costs $200USD/month.
I was going to suggest the same thing. Pitching in together to send some cash would be a good thing to do, but when the bar is set too high they won't get small contributions from the community.
Bill
I was about to suggest a "grsecurity sponsorship funding drive" for IPFire, until I found that sponsorship costs $200USD/month.
I suppose the author would be willing to support other open source projects like IPFire without sponsoring. The problem is companies, but I am pretty sure that Brad Spengler could be contacted to talk about this.
@Michael: As the project lead, would you contact him?
Lars
On Fri, 2015-08-28 at 19:04 +0200, Larsen wrote:
I was about to suggest a "grsecurity sponsorship funding drive" for IPFire, until I found that sponsorship costs $200USD/month.
I suppose the author would be willing to support other open source projects like IPFire without sponsoring. The problem is companies, but I am pretty sure that Brad Spengler could be contacted to talk about this.
Brad and the PaX team have always been very helpful if we had any issues that may have been related to the patch. I have been reporting build issues with almost every single patch.
This is not much, but at least something that we can give back.
@Michael: As the project lead, would you contact him?
I did that already shortly after I saw the announcement and offered that he get in touch with me if there is anything we can do to help.
I also commented that I do not really approve of the approach he has chosen to resolve the issue, but that I certainly understand where he is coming from and that he has my support.
-Michael
On Fri, 2015-08-28 at 11:32 -0500, Paul Simmons wrote:
I was about to suggest a "grsecurity sponsorship funding drive" for IPFire, until I found that sponsorship costs $200USD/month.
https://grsecurity.net/sponsors.php
Crappola - I can't even come up with $10USD to send to IPFire, so I suppose that's a bad idea. If I win a sweepstakes, I'll send the money :-).
I certainly like the idea to help funding the project. However I do not see any point in raising money to give to the lawyers to defend the trademark or to sue because of the GPL violation. That money could certainly be used better than being given to the lawyers.
Just donate to the projects you use and love. Every single bit does help. It will sum up soon.
-Michael
Michael Tremer:
I certainly like the idea to help funding the project. However I do not see any point in raising money to give to the lawyers to defend the trademark or to sue because of the GPL violation. That money could certainly be used better than being given to the lawyers.
I agree with Michael. Raising money just to give it to lawyers is not a very good solution in my point of view.
In the past, I noticed that there were patches sent to grsecurity coming from the IPFire team. Therefore, I guess there might be a way to get out of this situation.
Remember Transifex? On their website, they said that open-source projects don't need to pay anything, but commercial projects do. I like this idea because it takes the money from those who can afford to pay it, and not from everybody. Maybe Brad and the PaX team would agree to this...
Just donate to the projects you use and love. Every single bit does help. It will sum up soon.
I have a general question here: How many users does IPFire have? (Once Michael said if everybody running an IPFire system would donate 1€ per month, worries about funding would become obsolete.)
Best regards, Timmothy Wilson
On Mon, 2015-08-31 at 12:08 +0200, IT Superhack wrote:
Michael Tremer:
I certainly like the idea to help funding the project. However I do not see any point in raising money to give to the lawyers to defend the trademark or to sue because of the GPL violation. That money could certainly be used better than being given to the lawyers.
I agree with Michael. Raising money just for giving them to lawyers is not a very good solution in my point of view.
In the past, I noticed that there were patches send to grsecurity coming from the IPFire team. Therefore, I guess there might be a way to get out of this situation.
What does that change?
Remember Transifex? On their website, they said that open-source projects don't need to pay anything, commercial projects need to do so. I like this idea because it takes the money from those who can afford to pay it, and not from everybody. Maybe Brad and the PaX team would agree to this...
This is very easy to do with services and not so easy with software. We don't have a license for that, either. I personally would not consider this being a good option because free software should be free for every one.
Just donate to the projects you use and love. Every single bit does help. It will sum up soon.
I have a general question here: How much users does IPFire has? (Once Michael said if everybody running an IPFire system would donate 1€ per month, worries about funding would become obsolete.)
We do not know exactly how many systems are out there. If you count users, that would be a much higher number than instances, because we know that there are many with hundreds and thousands of users.
I said that in my talk at the last IPFire summit, that if we had one Euro for each running system a month, we would have enough money to run the project in a different way :)
-Michael
Michael Tremer:
On Mon, 2015-08-31 at 12:08 +0200, IT Superhack wrote:
Michael Tremer:
I certainly like the idea to help funding the project. However I do not see any point in raising money to give to the lawyers to defend the trademark or to sue because of the GPL violation. That money could certainly be used better than being given to the lawyers.
I agree with Michael. Raising money just for giving them to lawyers is not a very good solution in my point of view.
In the past, I noticed that there were patches send to grsecurity coming from the IPFire team. Therefore, I guess there might be a way to get out of this situation.
What does that change?
It is usually much easier to solve a conflict if both sides already know each other and cooperated in the past... (Not sure if it works here, but usually, it does.)
Remember Transifex? On their website, they said that open-source projects don't need to pay anything, commercial projects need to do so. I like this idea because it takes the money from those who can afford to pay it, and not from everybody. Maybe Brad and the PaX team would agree to this...
This is very easy to do with services and not so easy with software. We don't have a license for that, either. I personally would not consider this being a good option because free software should be free for every one.
Of course, it would conflict with the definition of "free" software. But in my opinion, it is better to restrict the freedom than to ruin your project, and I think that's what the grsecurity team did (which is understandable to me).
Just donate to the projects you use and love. Every single bit does help. It will sum up soon.
I have a general question here: How much users does IPFire has? (Once Michael said if everybody running an IPFire system would donate 1€ per month, worries about funding would become obsolete.)
We do not know exactly how many systems are out there. If you count users that would be an extremely higher number than instances, because we know that there are many with hundreds and thousands of users.
Of course, but I'm sure there is a way of telling the number (1 000? 100 000? 1 million?) of systems, isn't there?
I said that in my talk at the last IPFire summit, that if we had one Euro for each running system a month, we would have enough money to run the project in a different way :)
Ah, okay, that was it.
Best regards, Timmothy Wilson
On Wed, 2015-09-09 at 18:35 +0200, IT Superhack wrote:
Michael Tremer:
On Mon, 2015-08-31 at 12:08 +0200, IT Superhack wrote:
Michael Tremer:
I certainly like the idea to help funding the project. However I do not see any point in raising money to give to the lawyers to defend the trademark or to sue because of the GPL violation. That money could certainly be used better than being given to the lawyers.
I agree with Michael. Raising money just for giving them to lawyers is not a very good solution in my point of view.
In the past, I noticed that there were patches send to grsecurity coming from the IPFire team. Therefore, I guess there might be a way to get out of this situation.
What does that change?
It is usually much easier to solve a conflict if both sides already know each other and cooperated in the past... (Not sure if it works here, but usually, it does.)
Yes, we try our best, but I am afraid that in the end we cannot make a huge difference to this whole mess. Haven't heard anything from Brad in the meantime...
Remember Transifex? On their website, they said that open-source projects don't need to pay anything, commercial projects need to do so. I like this idea because it takes the money from those who can afford to pay it, and not from everybody. Maybe Brad and the PaX team would agree to this...
This is very easy to do with services and not so easy with software. We don't have a license for that, either. I personally would not consider this being a good option because free software should be free for every one.
Of course, it would conflict with the definition of "free" software. But in my opinion, it is better to restrict the freedom than to ruin your project, and I think that's what the grsecurity team did (which is understandable to me).
The grsecurity project is not ruined. At least not the software. That the situation is not making things easier is undoubtedly true.
I just do not see a way that makes it possible to run a project "half-open". Either you publish the code or not. If you open it for one group, what would stop another group from taking it? We have seen that the company in question does not really care about any licensing anyway.
I am also not entirely sure if that what Brad does is a good solution. First of all grsecurity is not usable for most of its users since most likely they will all use the "stable" version. But this patch modifies lots of kernel code which is licensed under the terms of the GPL. Modifications of that must be made public. I do not know what will be released and when, but I think that this cannot be a permanent solution any way.
Just donate to the projects you use and love. Every single bit does help. It will sum up soon.
I have a general question here: How much users does IPFire has? (Once Michael said if everybody running an IPFire system would donate 1€ per month, worries about funding would become obsolete.)
We do not know exactly how many systems are out there. If you count users that would be an extremely higher number than instances, because we know that there are many with hundreds and thousands of users.
Of course, but I'm sure there is a way of telling the amount (1 000? 100 000? 1 Million?) of systems, isn't it?
We do have fireinfo and, based on the data of that, an estimation of how many systems there are out there. However, we do not know how accurate that is. Probably not very.
I said that in my talk at the last IPFire summit, that if we had one Euro for each running system a month, we would have enough money to run the project in a different way :)
Ah, okay, that was it.
I am not sure if that is obvious or not: Our situation has not improved a single bit since then. It has even become slightly worse. So if you know someone who can become a sponsor, ask them to get in touch with us.
Best, -Michael