A major corporation is misusing grsecurity’s trademarks and tarnishing its brand – and as a consequence, the leader of the project said Wednesday, grsecurity will stop making its stable patches available to the general public.
In an official announcement, grsecurity project leader Brad Spengler said that it was unfair to the project’s sponsors to allow the companies in the embedded Linux industry – which he declined to name, citing legal advice – to dilute grsecurity’s trademarks.
“Companies in the embedded industry not playing by the same rules as every other company using our software violates users' rights, misleads users and developers, and harms our ability to continue our work,” he wrote.
Grsecurity is an open-source project that creates and distributes security patches for the Linux kernel. Until now, grsecurity has distributed everything it creates, including stable patches for older versions of the kernel, as well as the “test” series, which apply to the most recent kernel versions. It also offers additional support in exchange for paid sponsorship of the project, but users have been free to integrate any patches they like on their own.
However, according to Spengler, a “multi-billion-dollar corporation” recently began advertising its commercial embedded Linux products with references to grsecurity, despite the fact that the software has been substantially modified.
“The aforementioned company has been using the grsecurity name all over its marketing material and blog posts to describe their backported, unsupported, unmaintained version in a version of Linux with other code modifications that haven’t been evaluated by us for security impact,” he said. “Simply put, it is NOT grsecurity – it doesn’t meet our standards and at the same time it uses our brand and reputation to further its marketing.”
But grsecurity doesn’t have the money to fight a legal battle, Spengler said, and so the decision was made to simply stop releasing stable patches to non-sponsors – in effect, cutting off the alleged violator’s access to grsecurity’s code improvements. The project’s full source code will still be released to the public at large, but non-sponsors will have to pick through every update to find out what’s applicable to them.
The new policy will go into effect in less than two weeks. Spengler could not be reached for further comment.
UPDATE: Spengler contacted Network World after this article was published, saying that the still-unnamed company in question was not violating the GPL, as the first version of the article stated. The story has been updated accordingly.