In an official announcement, grsecurity project leader Brad Spengler said that it was unfair to the project’s sponsors to allow the companies in the embedded Linux industry – which he declined to name, citing legal advice – to dilute grsecurity’s trademarks.
+ALSO ON NETWORK WORLD: Massachusetts boarding school sued over Wi-Fi sickness + Access points with 802.11ac are taking over enterprise WLANs
“Companies in the embedded industry not playing by the same rules as every other company using our software violates users' rights, misleads users and developers, and harms our ability to continue our work,” he wrote.
Grsecurity is an open-source project that creates and distributes security patches for the Linux kernel. Until now, like any other GPL project, grsecurity has distributed everything it creates, including stable patches for older versions of the kernel, as well as the “test” series, which apply to the most recent kernel versions. It also offers additional support in exchange for paid sponsorship of the project, but users have been free to integrate any patches they like on their own.
However, according to Spengler, a “multi-billion-dollar corporation” recently began advertising its commercial embedded Linux products with references to grsecurity, despite the fact that it modified the software in violation of the GPL.
“The aforementioned company has been using the grsecurity name all over its marketing material and blog posts to describe their backported, unsupported, unmaintained version in a version of Linux with other code modifications that haven’t been evaluated by us for security impact,” he said. “Simply put, it is NOT grsecurity – it doesn’t meet our standards and at the same time it uses our brand and reputation to further its marketing.”
But grsecurity doesn’t have the money to fight a legal battle, Spengler said, and so the decision was made to simply stop releasing stable patches to non-sponsors – in effect, cutting off the alleged violator’s access to grsecurity’s code improvements. The project’s full source code will still be released to the public at large, in compliance with the GPL, but non-sponsors will have to pick through every update to find out what’s applicable to them.
The new policy will go into effect in less than two weeks. Spengler could not be reached for further comment.