This kind of behavior is one of the things that kills me about grsecurity. They're completely abusing the spirit of the GPLv2 license but are probably following the letter of it.
If you choose to exercise your GPLv2 rights, your contract with them is terminated and you will receive no further security updates (considering this is a security product, it makes it pretty useless to you). You are then blacklisted from doing business with them ever again.
Bruce Perens argues[1] that this is a penalty for exercising your rights under the GPL and therefore violates section 6[2]: "You may not impose any further restrictions on the recipients' exercise of the rights granted herein"
He argues contributory infringement and breach of contract, but he really only goes into the breach of contract theory.
I'm more curious about the contributory infringement theory. You cannot have contributory infringement without there being a direct infringement by someone else for the contributory infringer to have contributed to. I don't see offhand who would be the direct infringer whose infringement Grsecurity is contributing to.
The way I'm readying it, his point is that a Grsecurity customer, who is not infringing Linux copyright (because they're not distributing kernels) would still be on the hook for contributory infringement because they contributed to Grsecurity's infringement.
Brad goes into this here. Grsecurity has written extensively about this.
Read the links to their site where they go even further into detail.
Grsecurity is not violating any license. There are multiple quotes from authorities on the matter in that link. If they were, so would Redhat, Canonical, etc.
If I had to deal with constantly having my name dragged over something I wasn't doing, I would probably be pretty upset about it as well. Further, the Linux Kernel community tends to have... some negative communication patterns.
But the content is very valid, you should give it a fair read, regardless of how you view Brad's language.
The comment they're replying to is also not exactly smelling of roses. It makes some pretty unsubstantiated claims.
I read Peren's claims, and IMHO they're very thin. It seems to be a classic case of "I don't like this" (which is fair enough) and then trying to find "objective" arguments to support that position. Not impressed.
After you are blacklisted, can't you still get security updates from other grsecurity subscribers? I suppose grsecurity could also blacklist any subscribers sharing to blacklisted people, but how could they possibly enforce this, if your friendly subscriber doesn't tell?
According to the Reddit thread linked in this thread, no one has ever been blacklisted:
> We have in fact never had to terminate a relationship with any customer of ours. We build trusted relationships with our customers, so any talk of "threats" or anything else is simply completely fabricated (as you obviously noted, anyone repeating such claims has no evidence whatsoever for them).
> There is no restriction or prohibition, correct. In fact, we are far more lenient than other companies when it comes to our policies. We have in fact never had to terminate a relationship with any customer of ours.
> We're generally only concerned with fraudulent customers who would lie during the quoting process with the intent to cause damage to the business by intentionally reposting all updates received online. Obviously, they have the right under the GPL to do that (the fraudulent representation notwithstanding), but we also obviously have the right to refuse future business with them. As noted by the lawyer in the link above, that right has been repeatedly reaffirmed by the US Supreme Court. It's not controversial whatsoever.
If you choose to exercise your GPLv2 rights, your contract with them is terminated and you will receive no further security updates (considering this is a security product, it makes it pretty useless to you). You are then blacklisted from doing business with them ever again.