back to article Open Source Security hit with bill for defamation claim

Open Source Security, maker of the grsecurity Linux kernel patches, has been directed to pay Bruce Perens and his legal team almost $260,000 following a failed defamation claim. The security biz, and its president Brad Spengler, sued Perens last year over a blog post, alleging defamation. Perens, one of the early leaders in …

  1. Jim Mitchell

    Wait, the company is called "Open Source Security" but their kernel patches are not actually open source? Somebody should sue them for false advertising.

    1. keithzg

      The source is "Open", but the rights to redistribute them are lacking. This is the sort of dilution of terminology that's why hardliners still say "Free" or "Libre" rather than "Open".

      Frankly, any time a person or entity refers to it as "Open Source" rather than "Free Software" it's worth being at least a bit suspicious if they actually believe in the principles or are just in it for themselves---take a careful look at the details.

      1. GIRZiM

        re: the rights to redistribute them are lacking

        As I remember it, it was reported in El Reg (in the last couple of years or so) that the reason for that was that companies/businesses were including it in their software/firmware and charging for it, which wasn't part of the licence from OSS.

        I think there might also have been something that was going on that OSS felt was harmful to their reputation - something like that anyway.

        1. Adrian Midgley 1

          Re: re: the rights to redistribute them are lacking

          One of the features of FLOSS.

          It seems unlikely they want to be a FLOSS company, did they write all their code themselves ?

          1. GIRZiM

            Re: re: the rights to redistribute them are lacking

            No idea - haven't looked into it, it's just something I vaguely remember reading about here in the last couple of years.

            It could equally be that vendors were modifying it and distributing it with their kit/solutions and not including the proper accreditation and/or source and/or not contributing the modifications back upstream - dunno, as I said, I didn't look into it, just noted it and I have no idea what the specific licence breach was, just recall that it had something to do with the licencing.

      2. Anonymous Coward
        Anonymous Coward

        Open Source Security Inc. Doesn't Make Open Source

        The rules for Open Source are at

        Right at #1 is "Free Redistribution". Now, take a look at the Grsecurity Stable Patch Access Agreement at and tell me that's "Free Redistribution".

        Open Source, Free Software, and Libre refer to the same thing. A long time ago there was someone who tried to drive a wedge between them. I haven't heard from him lately, have you?

        1. ForthIsNotDead

          Re: Open Source Security Inc. Doesn't Make Open Source

          From the GR Security web site (emphasis added by me):

          The rights and obligations under the GPLv2 are listed at You may use, copy, modify, and distribute any Linux kernel modified by combination with grsecurity patches under the terms of GPLv2.

          What's the issue? I note that they changed the page on 7 June. Maybe they've acquiesced?

          1. SImon Hobson Bronze badge

            Re: Open Source Security Inc. Doesn't Make Open Source

            You may use, copy, modify, and distribute any Linux kernel modified by combination with grsecurity patches under the terms of GPLv2.

            What's the issue?

            What about redistributing the source for that modified kernel ? GPLv2 says that if you modify and distribute a piece of GPLv2 code, then you are required to provide the source if asked for it.

            AIUI, grsecurity also allow you to redistribute the patched source - but if you do will terminate your contract with them. That's not exactly allowing you to redistribute in accordance with GPL - it's basically saying that you can't redistribute if you want to carry on getting their patches in future. That's what Bruce Peren's opinion was about.

        2. Anonymous Coward
          Anonymous Coward

          Re: Open Source Security Inc. Doesn't Make Open Source

          To ForthIsNotDead, the text of the Grsecurity agreement which Mr. Perens objected to is in Exhibit B at this link:

          This is submitted by Grsecurity and (like all case documents) publicly archived by Perens.

          The relevant text is:

          Notwithstanding these rights and obligations, the User acknowledges that redistribution of the provided stable patches or changelogs outside of the explicit obligations under the GPL to User's customers will result in termination of access to future updates of grsecurity stable patches and changelogs.

    2. Nick Kew

      No Trademark

      This would appear to illustrate why "Open Source" should be a proper trademark. Its real-world usage is strongly associated with something that this company appears to be abusing.

      I guess the words alone were deemed too generic to register.

      1. DropBear

        Re: No Trademark

        Bullshit. I've seen many examples over the years which were labelled "Open Source" with the source accessible in some manner for which you still had zero rights outside of looking at it. I don't give a crap that's not some people mean when _they_ talk about OS, the point is that many clearly mean something wholly non-open by it, which is why a distinction is necessary and still very much useful. To date, I have seen ZERO software claiming to be "libre" except chained seven ways to hell.

  2. ma1010

    Freudian slip?

    "Nonetheless, we are confident Open Source Security will ultimately persist."

    Persist? No doubt the lawyers will keep the case going to keep charging those fees.

    Prevail? I rather doubt it, as their sueball was crap to start with, as the courts have ruled.

    1. Doctor Syntax Silver badge

      Re: Freudian slip?

      I doubt it was a slip. The translation reads: "Our client is losing but we want them to keep paying our fees for the foreseeable future."

    2. AdamWill

      Re: Freudian slip?

      Note, the article author beat you to this, and did it more subtly too. :P

  3. Anonymous Coward

    Waiting for the other shoe to drop

    And of course the real fun will be when OSS can't afford the bill and they are made bankrupt and Bruce Perens becomes the new owner of the copyright of OSS's code; shortly followed by said code being open sourced just like it should have been in the first place. *grin*

    1. Doctor Syntax Silver badge

      Re: Waiting for the other shoe to drop

      "Bruce Perens becomes the new owner of the copyright of OSS's code"

      More likely his lawyers. It's their fees that are to be paid.

      1. John Lilburne

        Re: Waiting for the other shoe to drop

        Wait on the EFF are getting involved on behalf of Perens ... that has got to be the kiss of death.

  4. Anonymous Coward
    Anonymous Coward

    OSS deserves everything coming to them!

    I've read the blog post and it even started with "in my opinion...." yet OSS still tried to bully this guy into taking it down. They deserve everything coming to them in my opinion.

    I also hope this whole case will backfire making more companies and people alike pull out of this mess called grsecurity. No, I'm not bashing. It's just logical reasoning: one of the pillar stones in computer and online security is transparency; sharing information. When a backdoor or vulnerability is found it's usually in the best people's interests to share that information so that others can prepare themselves for it.

    So here we have a security company who tried to take down a blog post where someone merely shared their personal opinion. Making me wonder: what would happen if somewhat decided to share something they perceived to be facts about backdoors within the grsecurity project?

    Do you really think that this company would allow for that to happen? If this is how they treat an opinionated blogger, then I think they'll treat a mid cart security source which posts controversial material about their project even worse.

    And when a security firm tries to shut someone up I always have to wonder: how many more people did they try to hassle and what for?

    Would you really put your trust into a dominating dictatorial bunch like that? I sure wouldn't!

    1. DropBear

      Re: OSS deserves everything coming to them!

      The only thing that saddens me about this is that OSS will probably _not_ get well and truly bankrupted by the judgement. They absolutely should be obliterated, with extreme prejudice. Handling costs of such trivial litigation as a routine cost of doing business should not be possible - any company engaging in such practices should face the likely prospect of a fine ten times their entire worth. Maybe that would make them less touchy and think twice before "getting offended".

  5. AdamWill

    call the fire brigade

    "The security software biz may persist but the Electronic Frontier Foundation hopes to prevent the firm from prevailing."

    Ten points for sneaky vocabulary burn, there. Excellent work.

  6. Anonymous Coward
    Anonymous Coward

    More pain coming than you realize

    Notice that Mr. Spengler is a plaintiff as an individual, along with his corporation. That means he's personally liable for anything his corporation can't pay. That was a pretty bad decision!

  7. Anonymous Coward
    Anonymous Coward

    It looks it takes more lawyers for a suit than developers to write an application..

    ... and they are paid more.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like