GRSecurity Closes Stable Patch of Linux Kernel, Your opinion?
Go to grsecurity.org, look on the side panel where it lists the versions, you see:

Stable (Restricted): 3.1-3.2.71 Last updated: 09/13/15
Stable (Restricted): 3.1-3.14.52 Last updated: 09/13/15
Test (Free): 3.1-4.1.7 Last updated: 09/13/15

What does this mean? It means the stable source patches, which are wholly derivative works of the linux kernel, have been brought closed. This is how to "un-GPL" a work, 101. That is what has happened, effectively: they got around your intent that derivative works be open, like the linux kernel, except this time they are not even distributing source (like RedHat does) but not the binaries, the source itself is restricted.

What do these stable patches consist of? It is a diff that is created by linux kernel + grsecurity changes to linux kernel + backports of security patches to the linux kernel. 200 dollars a month if you want it. They're using your security patches, and have closed the source of the finished "product" to all the world.

GRSecurity Linux Kernel patch ends public accessibility of stable patches. (The full rundown)

Grsecurity is a 4MB patch of the linux kernel. For 14 years now Brad Spengler and "PaxTeam" have released to the public a patch to the kernel that prevents buffer overflows, adds address space protection, adds Access Control List functions, prevents various other security related errors (the programs are terminated rather than allowed to write to protected memory or execute other flaws), as well as various improvements shell servers might find useful such as allowing a user to only see his own processes (unless he is in a special group), and tracking the IP address associated with a particular process.

Now Brad Spengler has announced that there will be no more public distribution of the stable GRSecurity patch of the linux kernel.
Some supporters of GRSecurity have claimed that GRSecurity is not even a derivative work of the linux kernel and that Spengler may do whatever he wishes, including closing the code to all except those who pay him 200 dollars per month. Detractors contend that GRSecurity is a derivative work, and have noted that it is not likely that the thousands of linux code contributors intended that derivative works be closed in this manner. Detractors have also noted the differences between copyright grants and alienations based on property law and those based on contract law, and that the linux kernel is likely "licensed" under contract law and not "licensed" under property law (to use the term loosely), and that this has implications regarding the relevancy of the intentions of the parties. Detractors have also noted that the agreement is not likely to be deemed fully integrated. Supporters of GRSecurity have then claimed that the linux kernel's license (GPLv2) is just a "bare license". Detractors then noted that licenses (creatures of property law) can be rescinded by the licensor at-will (barring estoppel), and in that case any contributor to the Linux Kernel code could rescind Brad Spengler's permission to create derivative works of their code at will, and that the GRSecurity Supporters should hope that Linux (and the GPL) is "licensed" under a contract and not a bare license.

The whole situation stems from WindRiver, a subsidiary of Intel(R), mentioning that they use GRSecurity in their product. Brad Spengler wished for WindRiver to pay him a 200 dollars per month fee. Spengler then threatened to sue Intel under copyright law and trademark law. He, at that time, claimed that Intel was "violating the GPL" (a claim that has now been rescinded) and his trademark on the word "GRSecurity" (a claim which still stands but is currently not being pursued in court).
Intel threatened to ask for legal cost reimbursement if Spengler brought this to court (Judges often reward this for spurious baseless claims to discourage excessive litigation). It has been noted that Brad Spengler's copyright claim is more-or-less non-existent, and his trademark claim is very weak and near non-existent (thus the threat for reimbursement of fees). In trademark law one is barred from, within a field of endeavor, conflating another person's trademark with one's own product one created. Here WindRiver (a subsidiary of Intel(R)) simply noted that it used the grsecurity patch in its product: It did not create a brand new piece of code and call that "GRSecurity": It simply used what Spengler provided. In retaliation, Spengler has announced he is closing the stable grsecurity patch to all but those who pay him 200 dollars per month. (And notes that any other branch is not fit for human consumption)

--
More can be found at: grsecurity.org and http://grsecurity.net/announce.php

The text of the announcement: "Important Notice Regarding Public Availability of Stable Patches Due to continued violations by several companies in the embedded industry of grsecurity®'s trademark and registered copyrights, effectiv
problems about dependency of mysql-server-5.5-dbgsym
Hi guys

Pls see these two

http://ddebs.ubuntu.com/dists/trusty/main/binary-amd64/Packages
http://ddebs.ubuntu.com/dists/trusty-updates/main/binary-amd64/Packages

with keyword 'Package: mysql-server-5.5-dbgsym': the same package from different (but related) repos has different dependencies. One is '(= 5.5.35+dfsg-1ubuntu1)' and another is '(= 5.5.44-0ubuntu0.14.04.1)'. The first one is from trusty and breaks in installation if I don't set ddebs' trusty-updates in apt source. Is that a bug?

--
Gareth

Cloud Computing, OpenStack, Distributed Storage, Fitness, Basketball
OpenStack contributor, kun_huang@freenode
My promise: if you find any spelling or grammar mistakes in my email from Mar 1 2013, notify me and I'll donate $1 or ¥1 to an open organization you specify.

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
Re: Getting ubuntu iso securely
If a current method doesn't exist then maybe we can just create one?

On Mon, Sep 14, 2015 at 10:32 AM, Ralf Mardorf wrote:

> On Mon, 14 Sep 2015 16:19:36 + (UTC), rajeev bhatta wrote:
> >It is not time consuming.. just for the user experience..
>
> Hi,
>
> IMHO for average users it is time consuming. Even a power user does not
> necessarily deal with the right people to get a key she or he can
> trust, that can be used to verify ownership of the particular
> public Ubuntu key.
>
> I am a Linux power user and I don't own a key to verify the particular
> public key, that belongs to the key, that was used to sign the Ubuntu
> images.
>
> Please let me know, how I can get such a key, without spending much
> time ;).
>
> Regards,
> Ralf
Re: Getting ubuntu iso securely
On Mon, 14 Sep 2015 16:19:36 + (UTC), rajeev bhatta wrote:
>It is not time consuming.. just for the user experience..

Hi,

IMHO for average users it is time consuming. Even a power user does not necessarily deal with the right people to get a key she or he can trust, that can be used to verify ownership of the particular public Ubuntu key.

I am a Linux power user and I don't own a key to verify the particular public key, that belongs to the key, that was used to sign the Ubuntu images.

Please let me know, how I can get such a key, without spending much time ;).

Regards,
Ralf
Re: Getting ubuntu iso securely
It is not time consuming.. just for the user experience..

On Monday, 14 September 2015 9:39 PM, Ralf Mardorf wrote:

On Mon, 14 Sep 2015 08:39:00 -0700, Ryein Goddard wrote:
>Probably a good idea to have something on the site reminding users to
>verify the download. Especially something as important as the
>operating system.

Several times I put this issue in on *buntu mailing lists.

Even if the download buttons would link to the download site with the signed checksums, instead of just downloading the image, while automatically https://help.ubuntu.com/community/VerifyIsoHowto would pop up too, then how do you expect that average users should get a key they trust, that can be used to verify ownership of a key that claims to be owned by Ubuntu?

It's a well-meant idea, but Rune Schjellerup Philosof, Rajeev Bhatta and Ryein Goddard please be honest, how time consuming was it for you to get a key you trust, that can be used to verify ownership of the public Ubuntu key? Do you expect that an average user who automatically needs to get signed checksums provided by pushing a button, instead of visiting the download site on her/his own, would like to go through the hassle that comes with the web of trust?

Regards,
Ralf
Re: Getting ubuntu iso securely
On Mon, 14 Sep 2015 08:39:00 -0700, Ryein Goddard wrote:
>Probably a good idea to have something on the site reminding users to
>verify the download. Especially something as important as the
>operating system.

Several times I put this issue in on *buntu mailing lists.

Even if the download buttons would link to the download site with the signed checksums, instead of just downloading the image, while automatically https://help.ubuntu.com/community/VerifyIsoHowto would pop up too, then how do you expect that average users should get a key they trust, that can be used to verify ownership of a key that claims to be owned by Ubuntu?

It's a well-meant idea, but Rune Schjellerup Philosof, Rajeev Bhatta and Ryein Goddard please be honest, how time consuming was it for you to get a key you trust, that can be used to verify ownership of the public Ubuntu key? Do you expect that an average user who automatically needs to get signed checksums provided by pushing a button, instead of visiting the download site on her/his own, would like to go through the hassle that comes with the web of trust?

Regards,
Ralf
Re: Getting ubuntu iso securely
Probably a good idea to have something on the site reminding users to verify the download. Especially something as important as the operating system.

On Mon, Sep 14, 2015 at 3:49 AM, Rajeev Bhatta wrote:

> Hi, what is the need for a publicly available iso to be secured... All
> packages bundled are already publicly available...
>
> Md5 files make sense as it is necessary for maintaining the validity of
> the file download and not let users be tricked by an incorrect file being
> passed as a correct one.
>
> I do agree with you that the instructions for validating the file should
> be available with the download.
>
> Thanks
>
> On Sep 11, 2015 12:18 PM, Rune Schjellerup Philosof wrote:
> >
> > Hi
> >
> > I am puzzled by the absence of a secure method of downloading the ubuntu
> > iso images.
> > www.ubuntu.com is not served over https and neither is releases.ubuntu.com.
> >
> > None of the mirrors are using https.
> >
> > Isn't this a major security flaw?
> >
> > I know that there are md5sum files and they are gpg signed as well. And if
> > you search for it you might find
> > https://help.ubuntu.com/community/VerifyIsoHowto.
> > But on www.ubuntu.com there are no instructions reminding you to verify
> > the download.
Database connectivity drivers for LibreOffice
Hi, my name is Denis.

I found you have a page with a list of drivers for LibreOffice connection http://packages.ubuntu.com/trusty/libreoffice-base-drivers

My team developed various ODBC drivers and some of them were tested to work with LibreOffice and OpenOffice. Our SQLite ODBC driver and PostgreSQL ODBC driver have shown full support of LibreOffice and OpenOffice. Here are the drivers

https://www.devart.com/odbc/postgresql/download.html
https://www.devart.com/odbc/sqlite/download.html

Can you please add them to drivers page of yours http://packages.ubuntu.com/trusty/libreoffice-base-drivers ?

Waiting for your reply...
Re: Getting ubuntu iso securely
Hi, what is the need for a publicly available iso to be secured... All packages bundled are already publicly available...

Md5 files make sense as it is necessary for maintaining the validity of the file download and not let users be tricked by an incorrect file being passed as a correct one.

I do agree with you that the instructions for validating the file should be available with the download.

Thanks

On Sep 11, 2015 12:18 PM, Rune Schjellerup Philosof wrote:
>
> Hi
>
> I am puzzled by the absence of a secure method of downloading the ubuntu
> iso images.
> www.ubuntu.com is not served over https and neither is releases.ubuntu.com.
>
> None of the mirrors are using https.
>
> Isn't this a major security flaw?
>
> I know that there are md5sum files and they are gpg signed as well. And if
> you search for it you might find
> https://help.ubuntu.com/community/VerifyIsoHowto.
> But on www.ubuntu.com there are no instructions reminding you to verify
> the download.
Getting ubuntu iso securely
Hi

I am puzzled by the absence of a secure method of downloading the ubuntu iso images.
www.ubuntu.com is not served over https and neither is releases.ubuntu.com.

None of the mirrors are using https.

Isn't this a major security flaw?

I know that there are md5sum files and they are gpg signed as well. And if you search for it you might find https://help.ubuntu.com/community/VerifyIsoHowto.
But on www.ubuntu.com there are no instructions reminding you to verify the download.
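
The check this thread keeps returning to (a GPG-signed checksum file, then the image hash against it), as an added example that is not part of any message above. It assumes the SHA256SUMS and SHA256SUMS.gpg files rather than the md5sum files mentioned; the keyring path and pinned fingerprint are placeholders you supply, and how you come to trust that fingerprint is the open question of the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumed names: SHA256SUMS, SHA256SUMS.gpg,
# a keyring file holding only the key you chose to trust, and its fingerprint.

# Read gpg --status-fd output on stdin; succeed only if a signature made by the
# pinned fingerprint (signing key or its primary key) is valid and none is bad.
status_has_pinned_validsig() {
    awk -v p="$1" '
        $2 ~ /^(BADSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == p || $NF == p) { ok = 1 }
        END { exit !(ok && !bad) }'
}

# Check the detached signature on the checksum file against the pinned key.
verify_sums_signature() {   # usage: SUMS SIG KEYRING FINGERPRINT
    local status
    status=$(gpg --no-default-keyring --keyring "$3" --status-fd 1 \
                 --verify "$2" "$1" 2>/dev/null) || true
    printf '%s\n' "$status" | status_has_pinned_validsig "$4"
}

# Compare the image hash with its entry in the (already verified) checksum file.
# Returns 2 when the image is not listed, 1 on mismatch, 0 on match.
check_image_in_sums() {     # usage: SUMS IMAGE
    local name expected actual
    name=$(basename -- "$2")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f)
                                   if (f == n) { print $1; exit } }' "$1")
    [ -n "$expected" ] || { echo "no entry for $name" >&2; return 2; }
    actual=$(sha256sum -- "$2" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || { echo "hash mismatch for $name" >&2; return 1; }
}

# Signature first, then hash: an unsigned checksum file proves nothing.
verify_iso() {              # usage: IMAGE SUMS SIG KEYRING FINGERPRINT
    verify_sums_signature "$2" "$3" "$4" "$5" || { echo "bad signature" >&2; return 1; }
    check_image_in_sums "$2" "$1"
}
```

Pass the keyring as a path containing a slash (for example `./trusted.gpg`) so gpg does not look for it in its home directory.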