Hardened Linux stalwarts Grsecurity pull the pin after legal fight

The gurus behind the popular and respected Linux kernel hardening effort Grsecurity will stop providing free support for their stable offering. In future, only paying sponsors will get stable patches to shore up their kernels' defenses. The public stable patches will not be distributed beyond the next two weeks in response to …

  1. Pen-y-gors

    Name names?

    "a “multi-billion dollar” corporation"

    Go on, who is it...?

    1. Pascal Monett Silver badge

      Can't find a thing

      The aforementioned company has been using the grsecurity name all over its marketing material and blog posts

      If that is the case, then why, when I search for "grsecurity", do I only find sites that discuss a version of the product, or its merits, and no sites that say that they're using it in a product? Or even a marketing page mentioning it?

      1. Anonymous Coward

        Re: Can't find a thing

        I did, although it took a few goes at tweaking the keywords, and I cannot be sure that the result was in any way a correct indication of the offending company. I searched with google using: grsecurity product embedded , and looked down the list a bit.

        1. Anonymous Coward

          Re: Can't find a thing

          I searched with google using: grsecurity product embedded , and looked down the list a bit.

          Followed your suggestion, and if it's the company that I think it is then they have form.

    2. Darkimmortal

      Re: Name names?

      The rumours point to a subsidiary of Intel.

      Can't say I'm surprised, with their history of asshole business practice.

  2. Anonymous Coward

    Non sequitur?

    Patches will be ceased in the next two weeks in response to an expensive and lengthy court case between the small outfit and a “multi-billion dollar” corporation which it says flagrantly infringed its trademark.

    Grsecurity man Brad Spengler says he has “had enough” of the embedded device industry ripping its technology and not donating “a single dime”.

    “We decided that it is unfair to our sponsors that the above mentioned unlawful players can get away with their activity [and] we will cease the public dissemination of the stable series and will make it available to sponsors only,”

    I'm having trouble reconciling how a trademark attack from Oracle (presumably) can be connected with "the embedded device industry ripping its technology" and necessitate complete implosion.. ?

    1. I Am Spartacus


      Where did that name pop up from? Or was it the standard "evil company" that is used as a general go to?

      Citation needed.

      1. Anonymous Coward

        Re: Oracle?

        standard "evil company" / usual suspect (I did say "presumably")

        Commentards below seem to have linked it to the Wintel cartel.. which sounds every bit as eligible an "evil company"

        Still having trouble with the cause and effect logic regardless...

        1. Sir Runcible Spoon

          Re: Oracle?

          I get the feeling that other (smaller, lower profile) vendors are doing the same thing, but weren't worth the effort to chase since they don't have the same level of exposure to discrediting their brand-name.

          However, a large corporation using their kernel in an unsupported manner, yet implying that it is (i.e. without providing any caveats in the marketing blurb) is a serious matter for any company.

          Basically if this cobbled together product is shown to be insecure, then it tarnishes the Grsecurity brand through no fault of their own.

          I can't say I blame them, unfortunately if you give some people an inch, they give you the shaft.

      2. Brewster's Angle Grinder Silver badge

        I Am Spartacus "Citation needed."

        Oh, the irony.

    2. madscientist42

      Re: Non sequitur?

      Not to mention questioning the whole "ripping its technology off" thing - it's GPLed, no? How in the smeg is it "ripping it off" when the tech HAS TO BE DISTRIBUTED FREELY as a requirement of the license? Trademark issues? Seriously? That's not tech...that's branding.

    3. Robert Helpmann??

      Re: Non sequitur?

      I get them being upset about their brand being attached to what they consider an inferior product, but this sounds a lot like they jumped on one business model and are pissed off that another business decided to take advantage of a perfectly legal, though different, way of doing business. If it is a trademark issue, then fine, take them to court. Even if it fails to gain any funds for the company, the best way to lose a trademark in the US is to fail to defend it. If it is a matter of use of their product, as long as no laws were broken, then there is nothing that can be done, even if it is a bitter pill to swallow.

      I view this action as an admission that the Grsecurity business model did not work and hope the change works out well for them.

  3. cantankerous swineherd

    could it be windriver/intel?

    1. I Am Spartacus

      Wind River

      After searching on a judicious typo, I came across Wind River, who sell a version of their Linux Kernel with an embedded GRSecurity module.

      1. Destroy All Monsters Silver badge

        Re: Wind River

        "Linux Carrier Grade Profile" shurely better than "Windows for Warships"?

        So .... looking forward to a nice statement by WindRiver.

        And what does the GNU legal counsel say?

        1. Dave Stevens

          Re: Windows for Warships

          It's called Carrier Grade because they started supplying the OS for telecom companies.

          Nortel gave them lots of patches as part of a support deal a decade or so ago.

      2. GrumpenKraut

        Re: Wind River

        Funny how they are using the "grsecurity" name without any mention that it's a trademark. Also funny they seemingly simply rename the grsecurity kernel as "Wind River Linux 6.0". The stench is strong indeed.

  4. Destroy All Monsters Silver badge

    How is ripoff company connected to stopping support for "stable" as apparently they are not using it in the first place, and is it time to start registering trademarks on, say "grsecurity"?

    1. G2


      grsecurity trademark has already been registered and from the grsecurity announce, seems the unnamed multi-billion company *cough*Intel*cough*wind river*cough* doesn't care squat about others' trademarks

      Word Mark GRSECURITY

      Goods and Services IC 009. US 021 023 026 036 038. G & S: Computer application software for laptop computers, mobile phones, desktop computers, servers, and mainframes for use in auditing computer users' activity, controlling access to software applications and file, network, and credential services provided by the computer's operating system, and preventing breaches of computer security. FIRST USE: 20011001. FIRST USE IN COMMERCE: 20011001

      Standard Characters Claimed

      Mark Drawing Code (4) STANDARD CHARACTER MARK

      Serial Number 85506017

      Filing Date December 29, 2011

      Current Basis 1A

      Original Filing Basis 1A

      Published for Opposition July 10, 2012

      Registration Number 4213087

      Registration Date September 25, 2012

      Owner (REGISTRANT) Open Source Security, Inc. CORPORATION VIRGINIA 2437 Raleigh Dr Lancaster PENNSYLVANIA 17601

      1. This post has been deleted by its author

      2. madscientist42

        Re: re:trademark

        Heh... IP ownership's only worth the amount of money you're willing to piss onto the floor getting "justice".

        Trademarks...heh... IF this was a Trademark pissing match, Grsecurity may not be trademarkable enough for them to have prevailed against Intel.

  5. Jason Bloomberg Silver badge

    "in response to an expensive and lengthy court case"

    Did they win or lose that case?

    I am guessing they lost, failed to convince the court that what was happening was wrong, still maintain it was, and are now planning to throw all the toys out of the pram.

    1. G2

      Re: "in response to an expensive and lengthy court case"

      they didn't lose.. they did not even get in front of a judge/court.... they can't afford to sue as they do not have the money to afford suing.

      quote from their announcement:

      so I reached out to the community at the time with a brief explanation of the problem to see if anyone knew of a trademark litigation attorney that would be interested in taking the case on a contingent fee basis. There were no replies, and our own lawyer's efforts at finding a trademark expert only resulted in finding someone who would analyze the case at a cost well above everything we had already spent: money we don't have, and money that could be better spent on development and research.


      tl;dr version: "How much justice can you afford to buy?"


      1. madscientist42

        Re: "in response to an expensive and lengthy court case"

        I've always held that a Patent, Copyright, or Trademark was worth the amount of money you have to LITIGATE an infraction. You might get someone in a law firm to salute a contingency deal if it's bad enough like the busybox/Verizon/Actiontec fubar. If it's like this kerfluffle? How many tens of thousands of dollars do you have to waste?

    2. GrumpenKraut

      Re: "in response to an expensive and lengthy court case"

      Read the grsecurity announcement linked in the article to see why your comment is rather stupid. Hint: billion dollar company.

      Edit: G2 says it in the post above.

      1. Destroy All Monsters Silver badge

        Re: "in response to an expensive and lengthy court case"

        > billion dollar company.

        Irrelevant. Trademark litigation is not exactly an open-ended "he said/she said" affair.

        "We want them to stop using this"

        "Is it a registered trade mark in the economic area described in the filing" YES

        "Is in the same domain of application" YES

        "Ok, stop using it"

        1. Ian Michael Gumby

          @Destroy Re: "in response to an expensive and lengthy court case"


          It's not that simple and it costs money to sue.

          People get this idea that there's going to be some lawyer willing to take on a big company like an Oracle, Intel, IBM, etc ... on a contingency fee.

          Lawyers work on a per hour basis and unless they see a big enough payday or are willing to make the investment, contingency doesn't pay the bills.

          1. Destroy All Monsters Silver badge

            Re: @Destroy "in response to an expensive and lengthy court case"

            Then kickstart something.

            The model of "doing OSS in spare time" is dangerous in any case and bound to de-cliff at a moment's notice. Because too personal.

            Intel is generally not too unfriendly irt OSS though. What's going on here?

        2. GrumpenKraut

          Re: "in response to an expensive and lengthy court case"

          > > billion dollar company.

          > Irrelevant.

          Please talk to any small business how they'd feel about going to court against such a giant. When your company is bankrupt you'll not ever see the part where you are winning.

          1. Dave Stevens

            Re: "in response to an expensive and lengthy court case"

            I don't know that Intel is really interested in spending money on Windriver court cases.

            Intel bought them to help sell chips in the embedded market, not to syphon money to lawyers.

            If anything the converse is true, there's no money to be made by a giant in suing a small company. They don't compete with Intel, so even pushing them into bankruptcy would be moot, and Intel customers need to know that GPL licenses are safe before they buy Linux derivatives anyway.

        3. madscientist42

          Re: "in response to an expensive and lengthy court case"

          The PROBLEM there is that you lack understanding about this. It goes that way- but in order to collect damages, you must PROVE that they damaged you...and you will burn tens if not hundreds of thousands of dollars to GET there on a trademark...IF you can even get a court to salute your legal theory (Don't bet on it...)

          So...getting someone like Intel to quit doing o' luck. You'll need it along with those thousands upon thousands of dollars, pounds, euros, etc. to GET a whiff of what you just described.

    3. Lee D

      Re: "in response to an expensive and lengthy court case"

      If no lawyer is willing to take up the case, there's probably a reason.

      If no lawyer is willing to charge a price you can afford, there's probably a reason.

      Additionally, if this is simply a trademark / passing off case, it's quite difficult to assert that they aren't using "grsecurity" code, or that they are somehow misrepresenting them. The GPL presumably applies to the code, so throwing your toys out of the pram for people using part of the code is really something that you should have accounted for when you started. Of course, people will take the code, tweak it, even reissue it under different names. You're providing them code under a licence that allows (and in some cases demands) that. The v2 licence of the kernel doesn't mention trademarks to my knowledge.

      To say they are then misusing the trademark by saying it includes grsecurity code, and asking a court to do something about it... well, it does seem to be rather a complex and difficult thing to do. Is this any different to saying the code is "compatible with Microsoft Windows", "includes PhysX technology", etc.? There's a reason that places like that can't stop you saying that, or make you sign specific contracts before you CAN use their technology legally anyway.

      What's the demand here? Are you after use of the trademark meaning you must update to the latest version of grsecurity with every product you use immediately upon release? Nobody would want to touch your trademark in that case anyway. They'd just take your code, rename it, sell it as their own, with no mention. Are they claiming to BE grsecurity? It doesn't seem like it. They're saying it has grsecurity code in it and/or is based off grsecurity. Which appears to be true.

      I think there's a reason no lawyer will touch it, even a law student or similar. Except without payment. They know they're going to lose or the "win" will be so minor as to be worthless.

      I've had a couple of rows with this guy (I believe he goes by PaXTeam) on too. His views are contrary to common-sense in just about everything and he has a way of rubbing everyone up the wrong way by "knowing better" than everyone else about... well... everything. It's a great product, and he's obviously a skilled coder, but the guy has no idea how to discuss things sensibly. I see this as an extension of his normal way of dealing with people - unreasonable demands and blown-out-of-proportion incidents focused around his unrealistic expectations.

  6. JimboSmith Silver badge

    Strangely I just found this

    Which is a pretty nice post on this subject.

    Google cache just in case:

    1. Destroy All Monsters Silver badge

      Re: Strangely I just found this

      I don't see where the problem is.

      Sounds like a friendly report & patch to me.

      1. Joseph Eoff

        Re: Strangely I just found this

        Problem is clear:

        The post is from August 2013 asking for help in resolving a problem with a version of GrSecurity from August 2012 - out of date software. The post is asking for help in porting a fix from the current version back to the older one. The post is from Wind River (subsidiary of Intel.)

        That fits all the known facts. Using an old version of GRsecurity in an embedded Linux kernel and backporting changes from newer version, multi billion dollar company.

        1. Anonymous Coward

          Re: Strangely I just found this

          Is there any evidence that any newer version would break on the desired hardware, thus making a backport a necessary evil?

  7. TJD

    Ahem - Linux kernel code is GPL Code

    I think everyone is forgetting that the Linux kernel is GPL code.

    If GrSecurity sells or gives any code to anyone outside of GrSecurity, they are required to make that code available to everyone, regardless of whether they paid for it or not. That is the distribution requirement of the GPL. If GrSecurity attempts to withhold patches from the public that they are giving out to select individuals, they are violating the GPL, and subject to a lawsuit for breach of contract by the FSF. No one is "ripping" GrSecurity off if they use the code. They have that right. GrSecurity has no right to tell anyone how they can use or not use GPL licensed code. It does not matter if they wrote it or not.

    While it has nothing to do with the GPL, if they put the name "GrSecurity" in the kernel code as a name on a menu, they are implicitly giving people the right to use that, and to say "Yes, we are using GrSecurity code."


    1. Dave Stevens

      Re: Ahem - Linux kernel code is GPL Code

      That's not how it works. They are required to give the source when they distribute the kernel. If someone asks them for the source, they should say "Get it from the same place you got the binary from."

      When a consumer buys an embedded device, they don't usually get the source either. I certainly didn't get any source with that Samsung phone.

      1. Dadmin

        Re: Ahem - Linux kernel code is GPL Code

        No problem. I don't buy Intel and will watch out for their farting up the Wind River area. Clearly if they can't cook up a usable security solution for their products in-house they are not so mighty, are they? Weak security means John Q. Pubic will empty the shelves of these toys and prop up an inviting env for me to go wandering about it.

        IoT is going to be a giant field day for casual hacking of wireless conveniences. Let the games commence!!1! Thank you, Intel and Wind Ripper, or whatever the hell you are.

    2. Anonymous Coward

      Re: Ahem - Linux kernel code is GPL Code

      Yeah but they want free support also.


      Sorry, we don't provide free support to a multi-billion dollar company that sells devices using grsecurity while violating the license of its GPL license and that of all other GPL code on the devices. Your MX900 and Petro series of products don't ship with the associated source code, nor is any written offer provided for the source code. Purchasers of these products have no idea at all that they use GPL-licensed software or that they have a right to its modified source code. It's fitting that a company profiting off the exploitation of open-source developers that license under the GPL (and not BSD) for a reason would come here for free support. Fitting, but incredibly rude.


  8. tomtomtom3

    What impact will this decision have on future Debian Stable releases? Will Debian be allowed to distribute these patches?

  9. Anonymous Coward

    trolling time

    Or you know you can skip all the patches and mitigation bloat and get better security out of the box with OpenBSD. Its base has been audited much more thoroughly, plus as an added bonus you get yourself a real POSIX OS. If your OS ships with the hairball bash by default (and as the default shell) then you probably don't care all that much about security.

    1. Anonymous Coward

      Re: trolling time

      And before someone says it f__k RBAC (OpenBSD already has a lot of other things by default of grsecurity like stack smashing protection, ASLR, etc) and the closing the stable door after the horse has bolted aspect to it.

      > 1. Why doesn't OpenBSD have something like RBAC?

      RBAC has a lot more knobs to tweak, so you can always go back after a security incident and say "aha! I need to tweak *that* knob to prevent this next time!" But it has a steep learning curve, and everything you don't know about how your RBAC is configured is as much a problem as everything you got wrong. Most people use RBAC on Linux by turning it off.

      OpenBSD permissions are fairly simple, thoroughly considered, and set up with sane defaults. Most people continue to rely on just these basic controls, on OpenBSD *and* on systems with RBAC.

      1. Anonymous Coward

        Re: trolling time

        With Linux RBAC the odds of an admin borking at least one system wide program by getting the permissions wrong or them changing on an upgrade are a million times more likely than RBAC being stout enough to actually stop a determined user who has already compromised a system.

        1. Anonymous Coward

          Re: trolling time

          Indeed, although truth be told the same might be said about any other MAC system (except of course in case of at least some of the others you can get a lot of policies configured for you upstream). RBAC is the one component of GRSecurity that I keep off. There is a lot of other valuable stuff in there though so the end of public distribution of stable patches is sad news.
