End Of Development For Grsecurity Announced?

vrtk writes "I received this minutes ago, from the grsecurity mailing list, also displayed on the official site for the open-source security project: 'Beginning today, May 31, 2004, development of grsecurity will cease. On June 7, the website, forums, mailing list, and CVS will be shut down. Due to a sponsor unexpectedly dropping sponsorship of grsecurity while continually promising payment, I began the summer in debt and had to borrow money from family to pay for food. If none of the companies that depend on grsecurity, some of them being very large, are able to sponsor the project, grsecurity will cease to exist. I am not looking for paypal donations at this point, unless those that donate do so with the recognition that despite their donation, grsecurity may still never be returning.'"

Smells like a lawsuit

[Anonymous Coward]

Sound a lot like material breach of contract with them not coming through with the money. Or else the deliberatly sabatoged it in order to own that dev space.

Re:Smells like a lawsuit

[frisket]

Promises of sponsorship from corporations should be treated as theory, not fact. The only thing that matters is the cash or the credit in your bank account: even a certified check isn't worth a wet fart until it's lodged and cleared.

Corporations are inherently risky to deal with: after all, the reason they incorporated in the first place was to shelter behind the protection of the joint stock limited liability company where their identity can be anonymous and their liability limited.

Re:Smells like a lawsuit

[YU Nicks NE Way]

Nope -- there's no contract in a gift. A contract requires an exchange of value; a promise of a gift is never a contract.

Re:Smells like a lawsuit

[ron_ivi]

Sounds like an easy lawsuit.

A large corporate sponsor vs. someone broke, in debt, and borrowing money from his family.

I can see it now. "Hey mom, I just got a letter saying if I continue my suit I'm being countersued for $47,000,000, can you loan me $250,000 for a good lawyer?"

Re:Smells like a lawsuit

[passthecrackpipe]

Yeah - exactly my thoughts. How does this work?

1.) Do open source project in spare time
2.) Realise people like my stuff and use it
3.) get sacked/quit/start business based on project
4.) ????
5.) Don't profit
6.) Shut down project

While I must confess to not knowing all the sordid details, I see this kind of stuff all the time - people start a business based on an open source model, without realising that it really is pretty hard - just as hard as running a business on a conventional model. They then act as if

Just as hard?

[John Harrison]

just as hard as running a business on a conventional model.

I would guess that it is in some ways much harder. You are giving away all of your unique IP, so some of those that might be your paying customers in a conventional model are simply using your software for free.

Of course you could argue that it is easier because you have access to tools, libraries, a community of debuggers and testers, and other advantages of open source. But none of those advantages actually brings in the cash, they just cut

Re:Smells like a lawsuit

[ibbey]

It's almost blackmail. "Support me else I shut it down."

That's hardly in the spirit of Free Software.

Since when is the spirit of Free Software doing work that benefits others and expecting nothing in return? What any given author expects in return may vary, but expecting money isn't out of line. The author presumably has expenses related to the project and is well within his rights to state that he will not continue development if he can't find someone to offset those expenses.

Remember, though, that since the project is GPL'd, there's nothing stopping you or anyone else from downloading the source & taking over the maintenance & development for him. That's the spirit of open source.

Re:Smells like a lawsuit

[ron_ivi]

"It's almost blackmail. ... That's hardly in the spirit of Free Software."

C'mon guys. It's nothing like blackmail. In fact it demonstrates one of the great strengths of the spirit of free software.

One of the key benefits of open source is that if the originator of the product can't continue the project for any reason (bought by a competitor, switched to a closed-source model, got kicked out of parents basement, got bored) - anyone's free to fork it and continue on.

He's just letting the community know that he's likely to move on and if people depend on it to fork the software now. It's still far more courtious than a commercial company going under _without_ any options for continued support for their customers.

Re:Smells like a lawsuit

[Crashmarik]

On the flipside if your employers (giving you the benefit of the doubt there) checks to you started bouncing would you be in work on monday or would you be at your lawyers ?

Writing software is work. You may enjoy it, it may be like the worlds greatest crossword puzzle, and seeing everything actually do what it should can be better than sex. So what, I don't see any "Enjoyable profession", handing back paychecks en masse. This man has bills to pay, He has been forced to the point where he is tapping his f

Re:Smells like a lawsuit

[sydb]

I don't think anyone "in free software" thinks development has no cost. I think they are keenly aware what the cost is - usually their time.

It's only a few idiots who equate Free with free.

However I think your charaterisation of open source development is either naive or trollish.

Damn shame

[darth_MALL]

Chalk up another boot to the nuts for the little guy. Good luck to them in the future :(

Grsecurity vs. Openwall

[JuliusRV]

Too bad! It was only last week that I heard that Grsecurity was so promising and more actively delevoped than, for example, Openwall [openwall.com]

LIDS: a natural alternative

[ospirata]

I have used GR Security for quite some time, and its not that great loss.

OpenWall was mentioned, but I preffer LIDS [lids.org] as a replacement to GRSecurity. The itens below where taken from GRSecurity site. All listed features are at LIDS either:
# Change root (chroot) hardening
# /tmp race prevention
# Extensive auditing
# Prevention of entire classes of exploits related to address space bugs (from the PaX project)
# Additional randomness in the TCP/IP stack
# A restriction that allows a user to only view his/

Re:Grsecurity vs. Openwall

[D_Gr8_BoB]

Solar Designer released [openwall.com] the Openwall patch to kernel 2.4.26 on April 17th, three days after the kernel itself was released. That's pretty active maintainance if not development of new features. I like it because it tends to be more conservative than many other security patches out there.

Additional information

[ccTech]

I also submitted this story (rejected) and provided various informational links on this issue:

For a comparison between Grsecurity and SELinux:
http://www.cs.virginia.edu/~jcg8f/GrsecuritySELi nuxCaseStudy.pdf

They also document and explain many of the issues facing the LSM project as well:
http://www.grsecurity.org/lsm.php

It will be interesting to see how the Gentoo Hardened Project will respond to this as well as they have done a great deal of work with grsecurity and provided some exceptional Grsecurity documentation (for the 1.9.x series).
http://www.gentoo.org/proj/en/hardened/index.xml
http://www.gentoo.org/proj/en/hardened/grsecurit y.xml

It will be sad to see this project fade away, especially for those needing an expressive security RBAC/MAC/PAX system. Grsecurity, combined with PAX, provided a well rounded security system that was sensible, somewhat easy to learn, and easier to administrate thanks to the powerful gradm Learning capability.

Re:Additional information (broken links)

[pyrrhonist]

WTF slashdot??? When I pasted this in, there were no spaces in the links!

Here, I'll fix it. Your post with clickable links:

For a comparison between Grsecurity and SELinux:

click here [virginia.edu]

They also document and explain many of the issues facing the LSM project as well: here [grsecurity.org]

It will be interesting to see how the Gentoo Hardened Project will respond to this as well as they have done a great deal of work with grsecurity and provided some exceptional Grsecurity documentation (for the 1.9.x series).
Hardened Gentoo [gentoo.org]
Gentoo Grsecurity Guide [gentoo.org]

It will be sad to see this project fade away, especially for those needing an expressive security RBAC/MAC/PAX system. Grsecurity, combined with PAX, provided a well rounded security system that was sensible, somewhat easy to learn, and easier to administrate thanks to the powerful gradm Learning capability.

You might want to use HTML next time. Or you might not.

Re:Additional information (broken links)

[JohnFluxx]

It's to stop people writing really longs words and screwing up the table widths.

Make them actual links and you won't have that problem.

the decision not to pay him was no doubt made by..

[Anonymous Coward]

the sort of bastards that make $2500/hour being driven to country clubs to shake hands and joke about 'damned hippies'.

"What, we don't need to pay him?"

"Heh, yeah. Damn fool fell for that Open Source crap. He gets what he deserves."

"Well, Damn Dirty Hippies, etc. Oh, and pass the caviar."

Re:the decision not to pay him was no doubt made b

[kunudo]

I think someone should disclose the name of the sponsor that pulled out, not to flame them (well, maybe...) but so that others that might be depending on them get to re-evaluate the economics of their projects. Anyone know who it was?

Brad Spender Developer of GRSecurity is a Hero

[phunster]

Brad Spender is truly an Internet hero, a pioneer who made us all safer. He went about his work selflessly, with precision and excellence.

If ever there was a time to band together to save one of our own this is it. Brad has gone into debt while helping to make multi-billion dollar corporations safer. Perhaps at the end of the day they will come through for Brad, perhaps they will not. There must be some way that we can all help him regardless of what his corporate sponsors do.

Re:Brad Spender Developer of GRSecurity is a Hero

[Anonymous Coward]

Unfortunately you are correct and at the same time incorrect.

1. The kernel developers have no real security experience at all. They are also stubborn and have a certain authority that simply does not get challenged. They actually simply refure to see the points in being proactive and fixing security flaws with better architectures - they just want to fix individual tiny flaws.

2. The kernels are developing. Even the "stable" branches. It's FEATURES that are frozen, not implementations. Grsecurity is a lot implementation centric.

3. There is internal politics in the kernel development team (the inferior exec_shield by RedHat, SELinux, kernel security model architecture, ..).

4. Grsecurity's contents will be outdated very fast. Couple small version numbers will make it take someone a bit more knowing to port the pathes. Soon just the theories will remain and most likely in the current athmosphere no one will really pick the project back up on the tracks.

5. Security is a hard thing to measure. Trying to convince pointy haired managers to pay for something that is FREE (hey, it's open source!) is nearly impossible.

6. Grsecurity is the first package to really fix some fundamental security flaws widely in Linux systems. Spender IS a genuine hero. An unknown hero after a while since the mainstream development is so far off from the secure tracks.

Sorry.. But it looks bad. Really like the dark ages for Linux security.

Spender may or may not be a hero

[fw3]

But grsec being dead should be no surprise.

I read the 'comparative to LSM/SEL' links posted above, they are hardly complete, and while they may be arguably correct pont for point I couldn't agree with them.

If GRSEC is so good why have I never heard of any fully developed policy models? SE-Linux can run pretty much out of the box on a fully-featured server. I've run it without undue difficulty on 3 different distributions.

Spender and the RSBAC people both like to get up and say tbat LSM is no good. Lots of reasons are given e.g. "it doesn't provide full Bell-LaPadula security assurance" or "parts are patented".

I would counter:

Both grsec and rsbac are piecemeal solutions, pretty much a hodgepodge of admittedly good ideas patching the kernel to implement 'security'. By comparison LSM/SEL are integrated into the mainline kernel now, and the chosen perimiter is a pretty good one for practically improving Unix (Linux) security issues.

The 'Bell-La Padula' argument basically is complaining that SEL isn't setup for MLS (Multi-level-secure) so it must be no fscking good (TM). This of course is neglecting that the *target* audience for MLS computing (CIA, NSA, DOD ...) have given up on it, my understading is that most MLS implementations have been replaced with air-gapped systems to deal with the levels.

Now if the intended users if MLS (class B and A TCSEC evaluated systems) who have very deep pockets indeed have scrapped them who the hell are the targetted users?

As an amusing side story the founder of a distribution based on RSBAC not only had no idea about this when he started the project, he also had no idea what MLS was and had never read word one of the TCSEC. And when he did he was suddenly wondering how to get evaluated (for a certification that's no longer even available).

So basically I think Spender is interested in being *right*, not interested in doing collaborative work and when something better (in the sense of *practical and useful* came along he had little more to do than poke technical holes in it.

So I'm not in the least surprised that he's losing his funding. LSM/SEL is available, works now and is cost-effective to actually use on production servers.

It's the easiest thing in the world to point out that someone else's system design is not perfectly secure. However practical security is more a matter of practice and process than design anyway. And in the final analysis if you're not willing to make something that actually works (and to work with others to achieve that) then you're gonna have a hard time finding customers.

Re:Brad Spender Developer of GRSecurity is a Hero

[keesh]

No, Brad Spender is an arrogant fucktard who cared more about screwing over people who disagreed with him (for example, he tried to deliberately withold information on a RedHat security flaw until after Fedora Core 2 was released, just to bring them around to his way of thinking) than fixing things.

About Brad Spender being an asshole

[^BR]

This post by Marius Amodt Eriksen [monkey.org] is most insightful.

cease to exist?

[lawngnome]

how can it cease to exist? isnt open source software forever? (well in some form or another) it may not be regularly updated (or updated at all by the looks of the article) but could still prove useful in the future...

Re:cease to exist?

[TWX]

If the main project site is gone and all of the continuing development notes are no longer available, it's much harder for it to continue. Remember, the code itself is just the end product of a process that involves designing, coding, testing, revising, re-testing, etc, etc, etc. While someone who has the GPLed source could continue to work on it, such a person wouldn't have the experience or results from this process that the original developer had.

If the project is fairly mature, like the Linux Kernel, KDE, FVWM, or any other number of projects with lots of developers then it's easier to lose the top guy or gal and continue development. Linus' turning over the previous stable kernel trees to other big Linux guys like Alan Cox or any of the others is an example. One guy or even a very small number of people on a specific, niche utility or patch might not be able to achieve the same.

The space and organization required to keep the project internet-accessible is also a problem, as this case directly shows. He can't afford the space and bandwidth. I feel his pain, it's hard enough just keeping a personal domain with a mild amount of traffic up for almost no money. Trying to run something with backend CGI for forums and CVS isn't free.

I hope that people are able to reorganize this project, but if that doesn't work then it doesn't.

Re:cease to exist?

[ameoba]

Why not just move everything over to Sourceforge and not worry about hosting costs?

Re:cease to exist?

[jmt9581]

If you read the announcement on his website, he points out that he's received free hosting over the last year and a half, that's not the issue. The issue is buying food for himself.

Re:cease to exist?

[westlake]

how can it cease to exist? isnt open source software forever?

how long does an project have to lie dormant before you admit that it is dead?

Re:cease to exist?

[aminorex]

Well, Latin pretty well died in 454 A.D., but they
still speak it in Vatican City in 2004 A.D., and
I recall the film "Rushmore" posing the question
"is Latin really dead?" almost as recently, so we
can put a firm lower bound of 1550 years...

Re:cease to exist?

[pseudochaotic]

If i understand correctly, it's tied to a specific version of the kernel, so it'll be outdated pretty quickly, and all but useless.

Isn't it GPL'ed?

[shoppa]

Is grsecurity GPL'ed or not? I always thought it was, which just means that the guy's involvement and leadership will be shut off, not those of others... it's a pain when the CVS tree and mailing list archives are gone but usually resuming development from a late snapshot isn't too bad. Maybe others had mirrored the CVS tree?

Re:Isn't it GPL'ed?

[mcc]

The problem isn't the code itself, which will remain GPLed. But the problem is the code by itself isn't as useful since this is the kind of project that requires constant maintenance. Who's going to host the code? More crucially, who's going to maintain it and ensure it remains compatible with new kernel versions and modules? You? Didn't think so.

The fact anyone could host the project doesn't help unless someone actually does...

Poor bastard

[HeLLLight]

Really feel sorry for this guy (or girl). It must really suck when someone promises to fund your project, of which you earn your livley hood from; then the person just dissapears and cuts funding with no explanation (as of yet).

I have never heard of this project till today, but I would not be suprised if this is an all too often occurence in the OSS world.

Hopefully he finds a new sponser so that he can carry on. It really sucks when you put a lot of time and effort into something, then to have someone just pull the plug on you (completly out of your control) and to be then left with nothing.

Good luck.

Sponsorship is a bad model.

[k98sven]

Sorry to say this, but I feel that sponsorship is ultimately not a good way to run an OSS project.

If you rely on sponsorships, you have to expect this kind of thing to happen. It does. All the time.

If there are businesses which are using your software, then there should be a market for you in consulting. Consulting is a proven business model for OSS development. (Not that it is much more of a guarantee, but at least you have a contract.)

Not to mention that many big businesses view consulting and sponsorship as two very, very different things. It has to do with bookmaking. Money paid as consulting makes it more evident that you are providing a service than money marked down as 'sponsorship'.

Now, if your project is not commercially interesting, and you still want to get paid for doing it, perhaps you should be looking for a research position instead, if it's innovative enough.

And if it's not innovative nor commercially interesting.. Well then it's a hobby, goddamnit! :-)

Re:Sponsorship is a bad model.

[gl4ss]

yeah..

Like mountain climbers.. happened to bump into a lecture by one guy who regularly climbs to the tallest mountains in the world.

what sucks most in his 'job', and what is 'hardest'?
getting sponsorships. he ends up doing pitiful seminars(about mountain climbing) and visiting grocery stores regularly as part of the sponsorship agreements.

Do what all FOSS developers do.

[Anonymous Coward]

Support yourself by selling grsecurity tshirts and coffee mugs.

Re:Do what all FOSS developers do.

[nkh]

I tried to live
off OSS development
and all I got was this
lousy T-shirt!

Gentoo Hardened?

[djcapelis]

I wonder if the Gentoo Hardened project will continue grsecurity development, they've done a bit of work with it anyways. Gentoo could certainly supply grsecurity with the needed webspace/cvs hosting etc...

I wonder if that option was looked at before spender decided to give up. Does anyone have ideas on why this couldn't be done? Seems fairly simple to me..

Re:Gentoo Hardened?

[wolf31o2]

The parent apparently doesn't know everything about how the Gentoo Hardened project and spender got along. To put it kindly, they didn't get along. The manager of the Hardened project did not agree with spender on much and they got into several outright flame wars in public. It got so bad a few weeks back, that solar, the person who maintains grsecurity for Gentoo, was trying to get the Hardened project broken out, simply to remove the Hardened manager from the equasion.

I prefer the grsecurity patches t

Re:Gentoo Hardened?

[Tony Hoyle]

*Never* go full time based on a promise.

I'm currently in the process of finding sponsorship. Sure, I've got promises, but there's no way in hell I'm handing in my notice until there's a contract signed by both parties for at least 12 months.

You also have to be prepared to do some crap just to give value for money outside the project... even if it's a couple of days a week doing something else you've still got 3 days (+weekends depending on your motivation) to do the interesting stuff. So the sponsor wan

My advice to the developer

[Anonymous Coward]

Apparently you have not learned all the steps of OSS development.

You have successfully completed two stages:
1. Develop free software.
2. Run out of money.

And you quit at this point forgetting about the third step.

3. Launch a massive copyright-infringement patent-violation lawsuit against IBM and pay lawyers with stock.

background on grsecurity

[Elendur]

For those who don't know, grsecurity is a security oriented patch for the Linux kernel. It provides mandatory access controls, strengthens the chroot system call, adds /proc and filesystem protections, allows for kernel level auditing of almost everything, and includes the PaX patch to provide non-executable memory pages and address space layout randomization.

The MAC part, called RBAC for Role Based Access Controls, is very well done and the best I've seen. Configuration is very easy through a flat file interface. The system enforces that you have certain intelligent configurations set so you can't make simple mistakes destroying your security. It has a learning mode which will automatically give a least access ruleset for the whole system. Amazingly it actually works quite well. Also the learning mode can be turned on for individual roles or subjects making it easy to add a new program to a system with RBAC already running.

In my opinion grsecurity was the best hope for real security on linux for most people as it provides a comprehensive solution, is easy to set up, and it well engineered.

Sponsors for Open-source

[KrisCowboy]

This, I think is the single-most important problem Open-Source software is facing. Sponsors - Money. Since most of the software is free(both as in free-beer and freedom of speech), financially supporting the developers is a bit difficult. What can be done about this? All the big corporations using the open-software can be forced to pay a nominal amount - by nominal, I mean something very less than what a typical prorietary software owner charges. It should be a one-time nominal amount, with upgrades and pat

Re:Sponsors for Open-source

[mslinux]

Here are some real-world lessons that I learned the hard way:

1. When it comes to business, it's every man for himself... you *really* have to see it that way or some other guy will eat your lunch.

2. Nothing personal, but fuck you. (you being anyone asking for money that isn't compelled by law or contractual obligation). It's simple really, you want people to give *you* their money... not the other way around, got that?

3. Never give anyone a break... that's not how rich men become rich. Do you think that they'd give you a break? Does your landlord give you a break on a month's back rent? How bout the cell phone company... sure, they'll let you skip the early opt-out penality on your 2-year contract ;)

4. Work for yourself... put yourself first 100% of the time. You're in business for you, no one else.

5. It's just business, nothing personal, but fuck you.

With point number 5 constantly in mind, go get 'em tiger. Enough of this cry-baby OSS/Free Software crap. This guy gave grsecurity away for free. No one made him do it. Let's all hope he learned a lesson, I sure as hell did.

Kudos to RMS and Torvalds for giving away top-notch software *and* for not expecting anything in return other than recognition... that's all I've ever given them, and all I ever will.

Insult to injury

[PsychoKiller]

Not only does he run out of money, he gets a slashdotting too. :(

that's not how it works

[dekeji]

Sorry, but that's not how OSS development gets funded; you can't just put up some software on a web site and wait for donations.

Grsecurity looks like something you might be able to fund as part of a security consulting business. Or, if dealing with people is not your thing, you might be able to make a living writing books about security and how to use grsecurity. Or you might be able to do it on the side while working for a large company.

If grsecurity is as useful as you think, if there was a lively community around it, and if the code is usable, there is a good chance someone else will pick it up and actually build a successful business around it. If nobody continues development of grsecurity at this point, then it wasn't really a good, live open source project anyway--it was just some useful code released under the GPL.

Please don't complain about it: while your desire to create open source software is admirable, it is still your problem if you fail because you picked a naive business model.

Re:that's not how it works

[theM_xl]

RTFA. He didn't do that. His sponsor PROMISED to pay him, and didn't deliver on that promise.

To quote the immortal Sam Goldwyn:

[mcc]

"A verbal contract isn't worth the paper it's printed on."

Ulterior motives?

[redphive]

I don't want to sound too much like a troll, but is it possible that this is a method to induce payment by the unmentioned sponsor? If the sponsorship was so crucial to the development of the project (which, as stated was done by a single individual for the most part) and the sponsor already has made use of the project, a change to another project, or relying on the OSS community to take over would be too costly or disruptive, that it may be in the best interest of the developer to come to this decision. I feel bad for Brad, grsecurity obviously is/was something he put a lot of time and effort into, and if matters have come up that prevent him from continuing, so be it. I don't, however like the fact that "no one else is good enough to produce the quality work he has" or "lack the vision for the poject", it seems to lack sincerity for some reason, and I wonder if his motives lie somewhere else.

Since when...

[mbottrell]

What amazes me is that it's automagically assumed that a code-cutter also has business sense to run a successful business.

Remember at the end of the day he's a code-cutter... not a suit... if he was a suit.. he wouldn't be a code-cutter now would he! :[

I must admit as a code-cutter I'm sick of many businesses idea of 'yeah... lets' get it under the GPL... we can use, abuse and not pay for it'.

Bad Karma to this idea of thinking...
These fat-cats still drive home to a nice warm bed, big meal and watch their TV.

How about flipping some $$'s towards the smuck that did all your hard work and ensure he's still around next year when you have a real question abuot the software.

At the end of the day... nothing is FREE... someone pays... unfortunately with a lot of GPL.. it's normally the developer and his family. :(

Re:Since when...

[Unordained]

... that would be why OSS is partially volunteer work. you agree to do it knowing this can happen to you, and that you're okay with it. if you're not, don't take the risk.

the rest of the world operates around "we want this, we'll pay you to do it." around here, we seem to assume that "i want this, you'll pay me to do it" is going to work. it's not, except if, by sheer luck, you happen to want to do something, and get paid to do it, that someone else is willing to pay for already. and then they're using you

Promised payment?

[FattMattP]

Due to a sponsor unexpectedly dropping sponsorship of grsecurity while continually promising payment

They promised? You didn't have a contract? Sorry to say it but welcome to the real world. People can be ruthless.

Help the guy make ends meet

[NitsujTPU]

Somebody should take a collection. This guy got screwed and, even though he is taking down the effort, and will not pursue further development. Somebody should help him to recover the funds that he's sacrificed as part of this effort.

Why not you?

[FanaticalDesperado]

Somebody should take a collection

Why don't you take up a collection for the guy? Personally, I see this as a hard lesson that the guy just learned. If a company is promising you money then you should get it in a contract! If a company won't put it in a contract, you have two choices:
1. Tell them that you need the funds up front so you can afford to dedicate yourself to the project. If they won't do that, then you work on the project as time and money allow from your personal schedule and budget.

What you people don't understand

[Anonymous Coward]

IRC log excerpt for you people. The fact is, there will be NO grsecurity without Spender getting some money. Stop hammering his site. No one else is qualified to really carry on developing the Grsecurity. Maintaining (porting to next slightly modified kernels and stuff) perhaps but not truly keeping the development going.

Look at also this:
http://grsecurity.net/~spender/researchpap e r.pdf
The guy is a genious. A real gem. He can't be replaced. It's not money or death for the project.

23:55 bleh, i wish a m

The truth about funding.

[thenumberofthebeast]

There is a truth here that points to the fundamental long-term problem for many free software projects.

Whilst I know nothing of grsecurity (but heck this is /. since when do I need to know anything to have an opinion!), and I feel sorry for the guy whos brainchild this is, we can all learn from this tale of woe.

Very few of us have the privilege of sponsorship, or the luxury of independant funding (stand up Mr Stallman), and lets face it, most of our projects aren't as essential as the GNU system, the Ke

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Love that Open Source business model.

[scrytch]

> Another fine example of the open source business model.

A few companies can make it work as a business model. Not many. Perhaps you're not grasping that to many, it's simply not a model, it's a hobby, and that they do it simply because they love to. Some truly fine work comes from hobbyists in all areas; ARRL and HAM nuts design antennas, recreationists gather comprehensive research, and so on. Could you back an industry with it? Maybe. As reliably as with a paid model? Probably not. But it d

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Love that Open Source business model.

[scrytch]

> Show me a better commercial browser than Mozilla.

People are willing to pay money for Opera. I personally cannot understand why, but their money is talking -- for them, it is better. Browsers do have a steep barrier to entry however (Mozilla simply ignores it for the most part, it does not really have to market itself)

> Show me a better web server than Apache

How's Zeus grab you? Runs circles around Apache -- the apache developers themselves will be the first to tell you it's not a speed demon.

Re:Love that Open Source business model.

[maximilln]

-----
If it's a hobby, then fine; treat it like one
-----
This is an ages old argument and stinks like so much COW DUNG.

Just because someone enjoys what they do does not give big businesses a free pass to leave them in the cold when it comes time to have a home and eat. Should a farmer provide his crops for free just because he enjoys working with the earth? Why don't CEOs work for free? They seem to be enjoying themselves on the golf course often enough. How about politicians? Why don't they work for fr

Re:Love that Open Source business model.

[donnz]

Just because this particular OSS "business" is failing doesn't impunge on whole model. Many people do very well selling services based on OSS producats *and* contributing to the projects they use.

Strangely, I don't see many posts decrying the "proprietory" business model every time a company fails (which a large number do).

I suggest you actually take an Economics 101 paper some day, the results may surprise you.

Open Source == Philanthropy

[PureFiction]

End of story. Sometimes you can actually make a bit of money doing. Sometimes you can make some damn good money doing it.

But in the end, open source == philanthropy and it's just a question of who is donating what. (time, money, advocacy, etc)

WTF is Open Source anyway?

[im a fucking coward]

Just in case everyone forgot, open source was meant to satisfy a programing itch, not necessarily provide a living. The fact that so many coders are able to use it to maintain a standard of living is an unintended side effect.

Though it would be possible for others to handle maintenance of the project, the quality won't be held to the same standards and will not progress with the same goals I have set for the project.

Without a signed, insured contract what guarantee did the sponsor(s) have that the maintainer(s) was doing a competent job anyway? I guess they had the same guarantee the main dev had in getting paid, i.e. none.

No offense meant to the dev, but come the hell on. This is one of the weirdest cases of sour grapes I've read in the OS department.

Voluntary contributions to OSS == non-starter

[whatthef*ck]

If you want to see how willing users are to financially support the OSS products they use, go to the main page of Sourceforge [sourceforge.net] and look at the list of "Top Downloads". You'll notice that the 4th most downloaded program, Azureus - BitTorrent Client [sourceforge.net], has a little "$" icon next to it indicating that it's set up to accept Paypal donations. The list of all its donations, which can be viewed here, [sourceforge.net] shows that on average they get maybe one donation a week, but two days ago they were downloaded over 22,000 times. [sourceforge.net]

If

Re:Voluntary contributions to OSS == non-starter

[ln -sf head ass]

The page you linked up only shows donations by users registered on SourceForge. I donated, and do not show up there, not having so registered. There are probably others. While the donations not shown may not be enough to put his kids through college, they probably provide a bit of beer money.

As far as willingness to pay goes, I am a thousand times more likely to give money to a programmer that makes something I use and just asks for it, as opposed to nagware or crippleware, which I will either do without or

Society needs a change in thought

[maximilln]

I read through the comments and it's all the same. People think it's a shame that this guy got shafted. Everyone agrees that what he did for Linux security was worthwhile and good work. Everyone also recognizes that large corporations are happily taking everything they want from open source without feeling obligated to support it.

While this guy paid "the ultimate price" by facing bankruptcy, or homelessness, and joblessness, this is not a new problem the US economic society. People who give 120% at their jobs have typically been seen as little more than rubes by middle and upper management. There's something to be taken from all of this.

If you are a true geek/nerd you will remember back to school days when you were busy acing tests and pushing the class. You will remember the disgusted looks from your average classmates when you were solving complex physics/math/political problems in your head and they were busy looking out the window wondering when the bell would ring. As it turns out, it is those average classmates who now sit in positions of middle and upper management. They never needed to overachieve. Their family was comfortable and there was no pressure to excel. Now that they are no longer in the same class as the overachievers, but rather sitting in a positon of control, they are ready to exact their revenge for years of intellectual humbling.

Middle managers and upper managers have no conscience. They see the world as something that they can milk dry without ever giving back. The system has become so skewed and top-heavy that, for the most part, they're right. Look at the average productivity of American workers. They've got us horse-whipped and scared sh_tless that we'll be the next ones scrambling to vacate before the bank forcloses on the mortgage and sends the repo man for the car. It would take years of happily firing overachievers before the actual impact of not getting any real productive work done begins to take any noticeable toll on them.

One previous poster pointed out,"At the end of the golfing day these guys still drive home in their Jags and BMWs to a $5 million dollar house on 30 acres of land and eat more caviar". It's the plain, unadultered, grim truth. Unless Society, in general, grows a conscience and begins to fairly compensate people like Spender and the Grsecurity team then they (the management and the government officials that they're sleeping with) will work us all over until every last vein is dry. This isn't up to the government to legislate or the universities to come up with research funding. This is about the social responsibility of big corporations to start giving back. For all the limos, and private planes, and tax deductions, and stock investments which are artificially inflated by the retirement investments of the workers, you'd think that someone could cough up $75k/year to fund this guy.

Re:Society needs a change in thought

[HuguesT]

I wouldn't get fixed up on the revenge thing. I've seen with my own eyes highly intelligent, technically literate people take up management positions and little by little move from a situation where they understood the technical matters and paid attention to the plebs to one where they didn't care about anything or anyone, just because they could.

It's not revenge over the nerds, it's just plain, unadulterated power and human nature.

To help you understand, do you care about what the cleaners at your place

Re:Society needs a change in thought

[Lobo93]

Anarchism for dummies

1. Co-operate.

Even simpler.

Let's sum up...

[stienman]

So far my understanding is that

GRSecurity:
* Fixes the problems in Linux that normally make Linux hard to secure
* Is very kernel version specific (ie, maintenance intensive)
* Easy to use
* Roughly equivilant to, or slightly better than, many other existing hardening 'patches'

The author backs some of this up by saying: "Though grsecurity is licensed under the GPL, I am the sole developer and originator of ideas for the project. Though it would be possible for others to handle maintenance of the project, the quality won't be held to the same standards and will not progress with the same goals I have set for the project."

So - it's either badly designed or grossly incomplete. Or both.

If it is maintenance intensive then the system needs a redesign from the bottom up, or deeper - draw up new specifications keeping in mind the limitations of the system you are modifying.

If it's grossly incomplete then there is little loss to the community. It may have been a great personal loss, but you should never, ever do what this devloper did - float a loan for someone else which they could not personally handle. You don't have to be a business wizard in order to feed yourself.

From Michael Gerber's book "E-Myth Revisited":
Poor businesspeople work "in" the business - they're technicians who daily make the product or service. The business can't succeed without the individual, who may be a genius at providing a product or service but spends every day firefighting.
Brilliant company owners work "on" the business. They build systems, processes, and techniques so the business runs smoothly. These awsome managers don't just solve problems, they invent solutions that eliminate problems forever, or that automatically deal with the issue when it comes up again.(emphasis mine)

If this project requires constant maintenance, or cannot survive without this particular programmer, then it is firmly in the 'poor firefighting technician' category.

Poor guy. I hope he gets on his feet and succesfully finds something that fulfills his need to create. This obviously is not the kind of work he's cut out for, though, and I hope, for his sake, that he chooses not to allow further sponsership of his work on this project.

-Adam

Re:So what?

[Atzanteol]

Since the developers went and got all selfish about things like 'eating' and 'clothes'?

Re:So what?

[Timesprout]

Eating!, Eating!! you selfish selfish bastard. I remember when I was a developer there was no eating for us. No, we would suck rocks for days to extract a few minerals and salts. Obviously though a developer cannot live on rocks alone so we would rectally insert small pieces of lumber and the occasional shrub into our colons to make sure we had a balanced diet and plenty of roughage. Ah those were the days !!

Re:So what?

[JohnFluxx]

Jeez. Trusting a company that promises to pay is lofty and unrealistic.

Re:So what?

[AstroDrabb]

You must have the brains of a rat and those who modded this "Insightful" must have equal brain power. Please tell me, what is "Insightful" in

It sounds like what he wanted was employment. Being able to make a living off of a hobby is a lofty and unrealistic goal.

Where is the "Insightful" knowledge that I should have gained from this comment? What it comes down to is this was _not_ a hobby for this guy. He worked full time and a few $BIG_COMPANIES promised him $XYZ in payment if he delivered $ABC. He delivered $ABC, and those $BIG_COMPANIES did not deliver $XYZ in payment. Most likely becuase his code was under the GPL and they could use it without his consent or their payments.

Re:So what?

[SilentChris]

"He worked full time and a few $BIG_COMPANIES promised him $XYZ in payment if he delivered $ABC."

Which is kind of the reason some programmers (most?) shouldn't be involved with money-related matters and $BIG_COMPANIES. "Promised" means absolutely nothing in the business world.

He should've let someone else handle financial issues if he was having trouble making rent. Instead, like most programmers, he unfortunately felt that if he mastered one system, he's mastered them all. Not usually the case.

Re:So what?

[skraps]

Since when is corporate monetary sponsorship necessary for an individual to develop open-source software?

Monetary sponsorship isn't a *necessary* ingredient of anything. Sure is nice to have food, though. I guess we could plant gardens or something.

Re:So what?

[Timesprout]

I'll tell IBM to shut down their Linux sponsorship and investment so in that case.

Re:So what?

[op00to]

A large portion of linux development would suddenly halt, yes.

Re:So what?

[AstroDrabb]

A large portion? Please give us links to this "large" portion of Linux development. Most of IBM's development is focused around the _Linux Kernel_. Linux will go on with or without IBM. IBM's generosity helps a lot and is much appreciated, espcially by me. However, if IBM dropped Linux, it would be just a blip on the radar of Linux development. And development would continue as normal.

Re:So what?

[YOU LIKEWISE FAIL IT]

If that's the case, is Linux really "free" afterall, or is it beholden to commercial, sponsor interests? I'd hate to think it was turning into Fox News.

This is what...

[wtrmute]

It would make it possible (maybe not popular) to license the use of the brand to registered corporations

... and then we'd have a tax on operating systems, just like in the one from Redmond. Why would we bother with it, then? I'd as soon switch to FreeBSD and stick with it. We can't have a double standard.

As for the grsecurity developer, it's unfortunate, but FOSS developers really do need a day-job. I understand him being angry at a sponsor who fell through on a contract, but holding the project h

Re:Maybe he should just GET A JOB then!

[Anonymous Coward]

Can't. He's not Indian.

Re:Open source

[Laxitive]

Gee, this whole "capitalism" thing doesn't seem to be working out for a lot of people either [google.com]

-Laxitive

Re:Open source

[kawika]

Or perhaps capitalism IS working, and this is the way for people to choose the projects they think are worth supporting.

Re:Open source

[Laxitive]

I think you are browsing at +1 moderation, and not seeing the context in which I made my post. Your point is the one I was trying to make, although I didn't state it explicitly.

The subtler strains of sarcasm don't really come across well in text :)

-Laxitive

Re:Open source

[Laxitive]

Gah, this is the first time I've responded to my own post. But seeing the responses, I think I must clarify:

My parent post was intended as a sarcastic quip at the post that it was responding to. Because the post I was responding to was moderated -1, my response shows up as a top-level post if you're browsing at +1 moderation. I'm not some bitter socialist.

I should have quoted the original post I was responding to. Sorry.

-Laxitive

Re:Open source

[Laxitive]

Perhaps. But this one example isn't sufficient evidence for claims that the free software model fails.

About the 'software as art' mode. There is one crucial difference between art and software. Art has no implicit notion of providing functional value - it is inherently aesthetic in nature. Software is all about functional value. Code is not art. Code may be written artfully, but that's just a turn of phrase, and it's incorrect to read too much into it.

The code is art claim is usually made by people

Re:Open source

[GPLDAN]

Software is also based on iteration. Buying the 1.0 product of somebody isn't a reason to conclude the deal.

I'd like to see art use that model. Hey, this painting you are buying is 1.0. I have plans to improve it, I'll stop by and work on it some more while it's on your wall.

Re:Bankruptcy is the bedrock of capitalism

[Too Much Noise]

Bad companies must be allowed to fail. Else you wind up with Soviet Union-style state supported industries where the industry pretends to pay the workers who pretend to work.

Only it's not just the communists that do something like this. The western countries call that 'subventions' and 'protectionist trade policies'. Sometimes it actually makes sense (strategic products/industries and so on), sometimes it's just to keep the jobs within the country.

Re:Open source

[skraps]

Just wait some days till many firms and thousand of users will step up and offer support for such a usefull product. We'll talk again then, about the open source business model, my friend.

Seriously, you guys should just collect your arguments into a list and then refer to them by number. It would save typing, and my time re-reading the same old re-hashed arguments.

Re:Question

[ealex292]

Read the website - both questions are answered in a short, 1 paragraph bit of text. GPL: >Though grsecurity is licensed under the GPL, I am >the sole developer and originator of ideas for the >project. Though it would be possible for others to >handle maintenance of the project, the quality >won't be held to the same standards and will not >progress with the same goals I have set for the >project. It is GPL licensed, but he doesn't think that it will keep being developed without him.

Does Anybody RTFA's?

[SteveM]

From the link given in the story:

... I am not looking for help with hosting, as the hosting for grsecurity has been provided for free for over a year and a half and will continue to be provided unless the project has to end. ...

And:

... Though grsecurity is licensed under the GPL, ...

How fucking hard was that? And this guy gets a +5 insightful. [shakes head in disbelief]

SteveM

Re:Question

[pavon]

Source and documentation is not what keeps software alive. It is the working knowledge and contributions of the developers that keeps a project alive. You can release all the code you want, but until that code exists in someone else's head it is dead and stagnant.

That is one of the main difference between Linux and the Hurd (the other being iterative programming vs design everything first, code latter). Linus actively facilitated contributions from others and as a result he ended up with a community of dev

Re:What is grsecurity?

[Richard_L_James]

Security focus provided the following good explanation:

"...Grsecurity is a suite of patches (distributed as a single patch file) for the Linux kernel that are an attempt to improve the security of a Linux system. Grsecurity is based on a port of some previous patches for the Linux 2.2 kernel, including Openwall and PaX, which have never been ported to the 2.4 kernel. Grsecurity provides some updates to these patches and has been ported to the Linux 2.4 kernel..." continue reading SecurityFocus's review [securityfocus.com].

Re:I wonder if

[1lus10n]

If you illegally use the source and it can be proven it negates all laws regarding the possible protection of it. A theif's stolen property is not his, therefor it is not subjected to legal protection. By stealing something you broke the law, and hence waived any rights you might have had regarding the stolen property.

Of course it still has to be proven. Which is where the problem lies (most of us dont feel like spending time reverse engineering proprietary products). However most companies that have th

True capitalism

[3770]

Wow, you have just created a place where software _truly_ will be written according to capitalist rules. It will be like an auction, where the programmer that asks the least will snatch the bid, and it is absolutely location independent.

Then how will you compete with India?

Maybe that is the future. We will have to get used to that none of that development will be done in the U.S. At least not by anyone that doesn't live with his parents.

The truth hurts

[Canberra Bob]

The big BIG problem for the FOSS business model for the little guy is some large company running off with the product and either offering it themselves, or in this case not bothering to contribute anything back.

And yes, software costs money to develop. Even if you do it in your spare time, that is time that could be spent on a profit earning venture. For better or worse, we live in a capitalistic society. You go to the supermarket, they will expect you to pay cash for what you buy.

And the FOSS zealots

Re:The truth hurts

[maximilln]

-----
And the FOSS zealots ARE partially responsible
-----
No. You had it right the first time...

-----
The big BIG problem for the FOSS business model for the little guy is some large company running off with the product and either offering it themselves, or in this case not bothering to contribute anything back.
-----
This has been happening for years. Big companies produce crap which they charge way too much for. Some guy who makes a similar product in his free time produces something better and asks to be

Re:The truth hurts

[maximilln]

Alright. We agree.

I don't know what's the bigger travesty: The FOSS zealots that don't try to educate young kids about the real way the business world works or THE SCHOOL SYSTEMS which fill their heads full of all of this crap about the best product winning, and the fair opportunities in the business world, and all the same junk that the FOSS zealots are guilty of.

We should really just take the candy coating off of life and tell the kids as soon as they hit six years old,"Look, kid, unless your family i