The gurus behind the popular and respected Linux kernel hardening effort Grsecurity will stop providing free support for their stable offering. In future, only paying sponsors will get stable patches to shore up their kernels’ defenses.
The public stable patches will not be distributed beyond the next two weeks in response to an expensive and lengthy court case between the small outfit and a “multi-billion dollar” corporation which it says flagrantly infringed its rights. Beta-test-grade patches will still be available for all.
Grsecurity man Brad Spengler says he has “had enough” of the embedded device industry ripping off his company’s efforts, trashing its trademarks, and breaching the source code’s open-source GPL license, without donating “a single dime.”
The straw that broke the camel’s back was a face-off in which Spengler says “a multi-billion dollar corporation had made Grsecurity a critical component of their embedded platform.”
Spengler’s got no problem with that, but is concerned “… they’re using an old, unsupported kernel and a several year old, unsupported version of grsecurity that they’ve modified.” That gets Spengler’s goat, because he thinks it is typically slack practice “for the embedded Linux industry, seemingly driven by a need to mark a security checkbox at the lowest cost possible. So it’s no surprise that they didn’t bother to hire us to perform the port properly for them or to actively maintain the security of the kernel they’re providing to their paid customers.”
But Spengler can’t tolerate the fact “the aforementioned company has been using the grsecurity name all over its marketing material and blog posts to describe their backported, unsupported, unmaintained version in a version of Linux with other code modifications that haven’t been evaluated by us for security impact.”
“Simply put, it is NOT grsecurity – it doesn’t meet our standards and at the same time it uses our brand and reputation to further its marketing,” he added. “They are publishing a ‘grsecurity’ for a kernel version we never released a patch for.”
“We decided that it is unfair to our sponsors that the above mentioned unlawful players can get away with their activity [and] we will cease the public dissemination of the stable series and will make it available to sponsors only,” Spengler continued in his statement.
“The test series, unfit in our view for production use, will however continue to be available to the public to avoid impact to the Gentoo Hardened and Arch Linux communities.
“If this does not resolve the issue, despite strong indications that it will have a large impact, we may need to resort to a policy similar to Red Hat’s or eventually stop the stable series entirely as it will be an unsustainable development model.”
Grsecurity provides various operating-system-level security defenses against hacking attacks – from stack overflow protection and bounds checks on kernel-copied data to filesystem hardening. It includes a lot of set-it-and-forget-it features that automatically prevent systems from coming to harm, and is used by most who rely on a hardened flavor of Linux.
Neal Wise, director of penetration testing firm Assurance.com.au and a Unix geek, says the decision is a tragic one that could most affect hosting providers who distribute Linux images containing grsecurity’s popular deep security access controls.
“There has been a very long history of companies not paying for the cost of the open source engineering they rely on,” Wise says. “And it hurts to see people trading on your name and not compensating. I find it really rich that someone would string them along with a legal fight when those engineers use their open source technology.”
It will be difficult to replace grsecurity’s top-notch patching efforts. People with the necessary skills to take up the task likely already work for the organisation.
Melbourne security bod Edward Farrell, of Mercury Information Security, says it is a shame the open-source project was forced to quit, given it is useful and stable.
“Companies are taking advantage of published free tools without paying and that screws people over and makes things more insecure,” Farrell said.