grsecurity

In the release notes of the latest grsecurity, Brad Spengler mentions the fact that Linus and then Andrew Morton did not respond to his emails regarding security vulnerabilities found during December. Included in the notes was a proof-of-concept as well as patches that fix the exploits.

I’m left wondering what the motivation is behind the release of these exploits. Is Brad looking to help the Linux community? Maybe continue to promote full-disclosure? If he is doing either of these, then I would say that is most admirable and definitely the “right thing to do”.

However, in recent months, Brad has done some less than savory things with grsecurity. In reading over the reasoning behind his removal of the grsecurity source from his site at that time, it was because he was trying to prompt a sponsor to pay up and more importantly maybe find another sponser that could help pay for the continued development.

Again, I’m left wondering, what is the motivation behind the pulling of grsecurity? I don’t see this as a good thing for users of the grsecurity or Linux communities. It sounds to me like Brad believes he “deserves” something for his continued development of grsecurity. If funding dries up in the future Brad, I would suggest walking away from grsecurity completely. I’ll bet a pint of my fine Oregon handcrafted homebrew that somebody would pickup the project and do it with a lot less grief.

Did Linus ever complain that people were using Linux and then pull the source on it if he couldn’t pay to develop it? More importantly, do you think he ever would? Of course not. In that respect, I can understand why Linus and Andrew may have decided not to listen to Brad at that time. Either that, or it was the holidays and they were just busy with other things …