Grsecurity Vendor Sues Open Source Pioneer Bruce Perens in GPLv2 Disagreement – InApps Technology 2022

One of open source’s guiding lights, Open Source Initiative co-founder Bruce Perens, is being sued by Open Source Security, the company behind the Grsecurity patch management software for the Linux kernel, over a disagreement about the GNU GPLv2 license.

Open Source Security alleges that Perens made “abusive and false” claims in a blog post that resulted in “substantial harm to Grsecurity’s reputation, goodwill, and future business prospects,” according to a complaint filed at the U.S. District Court, Northern District of California, San Francisco Division.

Perens’ own attorney Heather Meeker sees the defamation lawsuit as “an attack on the free exchange of ideas in the free software community on matters of public interest.” Open Source Security did not respond to a request for comment.

Grsecurity offers patches for recently unearthed Linux kernel vulnerabilities. Perens argued that the company prohibits users from redistributing the patches, though the company itself denies that this is the case. Nonetheless, Perens’ blog post in question, posted June 28, argued that because of this prohibition Grsecurity violates the open source GPLv2 license, and, as a result, the company’s customers would also be liable for contributory infringement as well.

“Currently, Grsecurity is a commercial product and is distributed only to paying customers. Under their Stable Patch Access Agreement, customers are warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition,” Perens argued in his post.

Grsecurity maintains that neither its software nor its business practices violate the GPL2 license.

But while on the surface this lawsuit appears like something involving GNU GPL v2, but it’s not. It’s a case of defamation, Peren’s attorney said, in an email interview.

“This lawsuit is not about GPL, actually. It is about the right to express opinions about license compliance — which is a legal topic of great importance to free software developers. Mr. Perens was only expressing his opinion, and neither intends nor needs to attack anyone. His motivation is only to help the community and the public understand the benefits of free software and how to best support it,” said Meeker. “Open Source Security is creating its own problems with its business model and this lawsuit.”

Others in the open source community have expressed similar sentiments.

“I think the plaintiff’s stance of suing someone for commenting on their potential non-compliance with the GPL is clearly a silencing tactic. It’s hard not to see this as part of a worrisome trend to silence journalists who have the audacity to report on things that not everyone — especially the subject — will like hearing,” said Deb Nicholson, long-time free software advocate.

This is not the first run-in Open Source Security/Grsecurity has had with the Linux open source community. On the Linux Kernel Mailing List Linux creator, Linus Torvalds wrote:

Don’t bother with grsecurity.
Their approach has always been “we don’t care if we break anything, we’ll just claim it’s because we’re extra secure”.

The thing is a joke, and they are clowns. When they started talking about people taking advantage of them, I stopped trying to be polite about their bullshit.

Their patches are pure garbage.

The Linux Foundation is a sponsor of InApps Technology.

Feature image via Pixabay.