
HardenedLinux: The way to the Ark - viraptor
https://hardenedlinux.github.io/announcement/2017/04/29/hardenedlinux-statement2.html
======
nickpsecurity
The points on Linux foundation half-assing or stealing credit are damning.
They shouldn't be doing it if it's true. I do have to question or counter a
few things:

"The ability to create stuff out of nothing (from 0 to 1) is rare.
PaX/Grsecurity is the origin of OS defense mitigation and still is the most
effective defense solution."

Secure UNIX goes back to the 80's with commercial releases with security
enhancements back to about 1990 w/ Trusted Xenix. They disappeared except for
the Compartment Mode Workstations, which whittled down to maybe two, since
neither paid market nor FOSS would compromise on legacy app breakage to reduce
attacks or leaks. High-assurance security switched to creating deprivileged
VMs for UNIXes on separation kernels with rigorous development, review, and
testing. Some were even modifying the CPUs themselves to try to encrypt or
authenticate memory pages to spot breaks. This work wasn't the first in OS
security, the strongest in OS security then, or the strongest model today.

This author's evangelism aside, it was a great supplement to a Linux box to
reduce the risk in many ways. They did a lot of great, tactical mitigations
that would certainly stop a decent chunk of exploits. Neater still is that
they're complementary to the prior work in high-security UNIX and attempts to
automatically obfuscate systems for security. I recommend adding as many as
possible as long as it performs well.

"Closing the public access doesn't make PaX/Grsecurity a non-free/libre
software. Those who purchase subscriptions can access the source code."

This is what I'm not getting. I've seen the claim in several places.
Free/libre software requires ability to read, modify, _and distribute_ the
code. It's only free-as-in-speech software if I'm allowed to give it to the
whole world for free. If it's freely provided and no source distribution is
allowed, then it's free-as-in-beer. If it's paid-source and no redistribution,
then it's proprietary software that comes with source. So-called shared source
is a business model I encourage for companies that absolutely won't do paid
GPL or dual-licensed. Better than nothing if the tool becomes popular or
necessary. Plus, it might let the license of specific products or versions
expire into a FOSS license later.

In any case, it's proprietary, shared-source software if I have to pay for the
source and can't redistribute it. So, could any HN readers who really know how
their business model works confirm or reject that with data? What exactly do
people buy with what rights? I keep hearing different things.

"More importantly, PaX team/Spender generously shared their work with the
FLOSS world in the past 16 years."

This is very commendable on top of the security gains it provided. It's why
I'm questioning the claims instead of critiquing the team for going paid. I
encourage it given companies will just freeload off you until the work is
nearly unsustainable. One can always offer perpetual, free licenses to
contributors, universities, non-profits, small businesses, and so on if
feeling altruistic. Otherwise, they get what quality/security they pay for.

~~~
viraptor
> if I have to pay for the source and can't redistribute it.

You can redistribute it. The license doesn't stop you.

You may just find yourself in a situation where grsecurity won't renew your
contract next time, if you do that.

~~~
nickpsecurity
I appreciate the clarification. Yeah, that's not free software since you have
to keep paying for it. Or it's a grey area kind of like charging for
distribution but used to nullify a benefit of free software. I'm still
thinking of this as non-free, shared-source software for now.