After a long legal battle, this is the only solution left

Aug 28, 2015 12:45 GMT

Grsecurity is a well-known set of patches for the Linux kernel that greatly enhances the system's ability to withstand a wide range of security threats. As you can imagine, many companies want to use Grsecurity, and to do so they need to comply with the accompanying GPL license. Not all of them are doing that, and now Grsecurity has to take drastic action.

The Grsecurity patches cover certain versions of the Linux kernel, and they are available for download. This means that anyone, including companies, can take these patches and incorporate them into the Linux kernel. They must do so under the terms of the GPL, which means making available any modifications they make.

It turns out that the good work done by Grsecurity is also being used by multi-billion-dollar companies that sell devices powered by the Linux kernel, but they are not respecting the license, and they are shipping old, discontinued kernels.

This might seem like a problem only for the company and its buyers, but that's not the case. That company, which needs to remain unnamed, is still using the Grsecurity brand on its products to underline extra “security,” but that security isn't really there. By using old and unmaintained kernels together with old patches, they are just ticking a virtual security “box,” and they are essentially misleading their customers.

Grsecurity is now forced to take drastic measures

The developers behind Grsecurity tried everything, including legal action, but it's difficult to fight a legal battle when you're an open source project and the entity breaking the law is a billion-dollar company.

There are a few legitimate sponsors out there who give money to the Grsecurity project. So, the Grsecurity team has decided to provide these patches only to sponsors. This is a heavy blow to the rest of the community, but it's the only way to make sure that all the other Grsecurity users follow the same rules as everyone else.

“This announcement is our public statement that we've had enough. Companies in the embedded industry not playing by the same rules as every other company using our software violates users' rights, misleads users and developers, and harms our ability to continue our work. Though I've only gone into depth in this announcement on the latest trademark violation against us, our experience with two GPL violations over the previous year has caused an incredible amount of frustration,” wrote Brad Spengler and The PaX Team.

For now this is only a notice; the decision will come into effect in two weeks' time.