Linux kernel security gurus Grsecurity oust freeloaders from castle

Linux users, the free lunch is over. Pennsylvania-based Open Source Security on Wednesday decided to stop making test patches of Grsecurity available for free.

The software, a set of powerful Linux kernel security enhancements, includes features such as support for role-based access controls and chroot restrictions that harden Linux implementations.

Two years ago, the Linux security outfit did the same for stable patches of Grsecurity.

The company's decision to limit its open-source security software to paying sponsors stemmed from alleged misuse of Grsecurity's trademark by an undisclosed company that appears to have been Intel's Wind River.

Asked whether the company in question was Wind River, Grsecurity creator and Open Source Security president Brad Spengler, in an email to The Register, declined to comment.

In any event, when legal saber-rattling failed to produce the desired result, Spengler's company closed its free software spigot, except for test patches.

Now those too have been paywalled. And as a consequence, there will be no more public PaX patches for future kernel releases, because PaX includes Grsecurity contributions.

Organizations willing to pay the subscription fee – which once started at $200 per month but is now tailored on a per-customer basis – will be able to continue to benefit from Grsecurity patches.

Freeloaders will have to explore other options, which Open Source Security contends don't exist.

"Unfortunately, in contrast to Microsoft's post-Windows XP Trustworthy Computing initiative which drastically changed its security trajectory, the Linux community at large has failed to invest adequately in security over the past two decades," the company said in a blog post.

"Partially due to this, there is no direct alternative to Grsecurity or even any option that provides a substantial fraction of Grsecurity's features or overall benefits."

Asked whether he had anything to add to the announcement, Spengler pointed to a post from security researcher Jonathan Zdziarski as representative of his thoughts on the matter, and added:

All I would say other than that at this time is that I've spent nearly half of my life (16 out of 34 years) on this work and published it for free for people to learn and benefit from. The testimonial we added to the site today from Tavis Ormandy speaks to the impact we've had on our field.

There are many commentators and complainers today, especially when it involves free software, and very few people dedicating half of their life to creating useful original work. When those efforts suddenly get co-opted by companies using misleading marketing and essentially corporate-funded plagiarism, it's not conducive to the desire to create and publish new work. So we're refocusing our efforts back to those who respect and value our time.

To date and going forward, Grsecurity's patches are and will be distributed under the GPLv2 free-software license, just like the Linux kernel. You could, therefore, pay for future code and release it for everyone, but that would be a surefire way to end your Grsecurity subscription for good. ®