California Court of Appeals decision in proceedings between Open Source Security Inc. (develops the Grsecurity project) and Bruce Perens. The court dismissed the appeal and affirmed the lower court's verdict, which dismissed all claims against Bruce Perens, and ordered Open Source Security Inc to recover legal costs of $259 (Perens attracted well-known lawyers and the EFF to defend him). At the same time, Open Source Security Inc has 14 days to file a request for a rehearing with the participation of an expanded judicial panel, and there is also the possibility of escalating the proceedings with the involvement of a higher court.
Recall that in 2017, Bruce Perens (one of the authors of the definition of Open Source, co-founder of the OSI (Open Source Initiative), creator of the BusyBox package and one of the first leaders of the Debian project) published in his blog , in which he criticized the restriction of access to Grsecurity developments and warned against buying a paid version due to GPLv2 licenses. Grsecurity developer did not agree with this interpretation and sued Bruce Perens, accusing him of publishing false statements under the guise of facts and abusing his position in the community to deliberately harm the business of Open Source Security. The court dismissed the claims, stating that the posting on Perens' blog was a personal opinion based on known facts and was not intended to cause premeditated harm to the plaintiff.
At the same time, the proceedings did not directly address the issue of a possible violation of the GPL when applying restrictive conditions when distributing Grsecurity patches (termination of the contract in case of transferring patches to third parties). Bruce Perens believes that the very fact of creation is a violation of the GPL in the contract. In the case of Grsecurity patches, what is being considered is not a self-contained GPL product, the property rights to which are in the same hands, but a derivative work from the Linux kernel, which also affects the rights of the kernel developers. Grsecurity patches cannot stand alone without the kernel and are inextricably linked to it, which meets the criteria for a derivative product. Signing an agreement to provide access to Grsecurity patches violates GPLv2, as Open Source Security is not allowed to distribute a derivative product of the Linux kernel with additional terms without obtaining the consent of the kernel developers.
Grsecurity's position is based on the fact that the contract with the client defines the conditions for terminating the contract, according to which the client may lose access to future versions of patches. It is emphasized that the conditions mentioned relate to access to code that has not yet been written, which may appear in the future. The GPLv2 license, on the other hand, defines the distribution terms for existing code and contains no explicit restrictions applicable to code that has not yet been created. At the same time, Grsecurity customers do not lose the ability to use patches already released and received by them and can dispose of them in accordance with the terms of GPLv2.
Source: opennet.ru