
Important Notice Regarding Public Availability of Stable Patches - dantiberian
https://grsecurity.net/announce.php
======
AaronFriel
Looks like the product in question is Wind River Linux, a product of a
subsidiary of Intel.

Here's the forum post on backporting an EFI fix:

[https://forums.grsecurity.net/viewtopic.php?f=3&t=3713](https://forums.grsecurity.net/viewtopic.php?f=3&t=3713)

And products with Wind River Linux prominently mentions GRSecurity
advertisements:

[https://www.google.com/search?q=wind+river+linux+grsecurity](https://www.google.com/search?q=wind+river+linux+grsecurity)

Edit: It looks like I wasn't the only one to find this. I'll keep this post at
the top for other people to reply to.

~~~
na85
That's infuriating.

------
JohnTHaller
As a general rule, smaller companies that release their code under the GPL
have almost no recourse against huge companies violating their copyrights. One
of the big flash drive makers released their own portable browser based on
PortableApps.com's Firefox Portable a few years back and distributed it on
millions of drives with my name and all copyrights stripped off of it. This
happened after I'd been in negotiations with them about using our software
platform and fully informed their subsidiary in charge of their resulting
software platform of the legal obligations of the GPL including a direct call
with the subsidiary's CEO. The most I could do was send them a C&D.

To add insult to injury, the subsidiary released a hardware product years
later and another company released a similar but different product in the same
segment. The subsidiary sued the other company and had this PR story published
about how the CEO was so offended by the "theft" and had to sue them to be
able to look his kids in the face.

~~~
randx838
This is not at all true. They are liable for significant monetary damages for
violating copyright, and you can find a lawyer to take up the case if you own
the copyright. There are a couple well known organizations who have gotten
paid more than their expenses from lawsuits against gpl violating companies:
sfconservancy.org, sflc.org., fsf.org.

~~~
teraflop
In principle, yes. In practice, large companies have extensive legal resources
and can afford to drag out a lawsuit far beyond the resources of a team
volunteer/hobbyist developers.

It's great that groups like the FSF and Software Freedom Conservancy are using
their funds to support legal action when necessary, but they can't be
everywhere and enforce everything.

~~~
randx838
In practice, yes. First of all, all those organizations have enforced the gpl
on behalf of "a team volunteer/hobbyist developers" from large companies. In
fact, it's the primary kind of enforcement they do. Second of all, individuals
who have zero resources win lawsuits against large companies EVERY SINGLE DAY.
Lawyers work on contingency and pro bono. Stop this hand waving crap saying
the gpl can't "really" be enforced for volunteer efforts.

~~~
JohnTHaller
Yeah, again, no it doesn't work that way. Again, the folks you mentioned
generally only work for non-profits and individual hobbyist devs. They don't
work with for-profit companies (even if the company isn't making a profit at
present).

And the whole contingency thing... a lot less common than you think. Speaking
as someone that's had his copyright ripped off multiple times and been injured
due to negligence by the city of New York and/or Amtrak and looked into it
with multiple attorneys in each case.

For the most part, the legal system serves those with means and those with
means alone.

~~~
belorn
The problem is the same for photographers as for coders. The law that prevent
advertisement companies from lifting a image from flikr is the same that
prevent companies from lifting some code and removing the license.

Every time and again I read news about some photographer than sued some
company and got a million or so for the efforts. Its not easy, quite expensive
and I guess many author do give up rather than push forward, but there is
recourse against huge companies that violate copyright. The good thing about
such lawsuits is that the burden of proof for having a license sits on the
infringer, which means a judge don't actually need to understand that fine
details of software licenses in order to find someone guilty of infringement.

~~~
simoncion
All that notwithstanding, it appears that _pursuing_ one of these cases is
terribly expensive. Does the avenue exist? Yes. Is it _actually_ available to
those who don't have a bunch of cash to burn? No.

As JohnTHaller said: "For the most part, the legal system serves those with
means and those with means alone."

As you said: "Its not easy, quite expensive..."

------
performa
Sounds like Verifone is one of the GPL violators. They are known for being
"open" except when you want to innovate without permission.

[http://global.verifone.com/products/software/v-os/](http://global.verifone.com/products/software/v-os/)
\- Says its Linux Based.

[http://www.verifone.com/products/hardware/multimedia/](http://www.verifone.com/products/hardware/multimedia/)
\- Have an MX 900 series of products.

[http://www.verifone.com/products/hardware/petro-pos-
systems/](http://www.verifone.com/products/hardware/petro-pos-systems/) \-
Have a Petro series of Products

NYSE:PAY - are a multi-billion dollar company.

Employee asking for help:
[https://forums.grsecurity.net/viewtopic.php?f=3&t=3938&p=139...](https://forums.grsecurity.net/viewtopic.php?f=3&t=3938&p=13940#p13940)

GRsec saying its verifone:
[https://twitter.com/grsecurity/status/450995354972864513](https://twitter.com/grsecurity/status/450995354972864513)

Thread indicating they are using an old unmaintained kernel:
[https://twitter.com/grsecurity/status/424914478912651264](https://twitter.com/grsecurity/status/424914478912651264)

Industry called out specifically: "Not only has the entire embedded industry
as a whole not contributed a single dime toward our continued development and
maintenance (despite our work being critical to the security of the millions
of devices using our code: streaming media players, credit card processing
systems, etc), the companies we've identified have actively violated the GPL
and even our trademark. These transgressions have continued despite their
awareness and our legal action."

------
ploxiln
"Since our lawyer has advised us not to mention the companies by name"

Yeah, uh, they're lawyers, they always say that, it's not a signal with any
information in it.

As you said, this company can outspend you, and it's not worth it for you to
try litigating. Public shaming is all you have! And, since the primary issue
was them claiming their kernel has "grsecurity", public shaming is actually a
great solution: try to make the technical community aware that this company's
security hardening doesn't deserve the "grsecurity" description. You may even
get more business from competitors who want to be able to say they worked with
you on their grsecurity integration.

~~~
michael_storm
The lawyers say that because they're advising their clients not to set
themselves up for a libel suit, not because they're buzzkills. In other news,
doctors recommend you eat healthy, but don't they _always_ say that?

~~~
ploxiln
ya know... my mother is a doctor, a Family Practitioner (FP). She's the type
who's probably more frank with her patients than most. But she still would
give slightly different advice to family than to patients. This is to manage
risk of lawsuits, unreasonably angry patients, etc. It has to do with the
balance of risk and blame. You can imagine the typical stuff - excessive
tests, end-of-life decisions...

------
halosghost
This is such a bummer! I just recently switched over to grsec (on Arch) and I
could not be happier with the results; seriously, it has made such a huge
increse in security so simple to navigate. The Grsec team does incredible
work; that no lawyer is willing to pursue this case saddens me, but that's a
secondary issue. The core problem here is the corporations with money have
functionally unlimited legal authority. It is so far beyond me that society
has allowed this to come to be and continues to do nothing to stop it.

To Brad and the PaX team directly (if you read this): You do incredible work
and I sincerely hope this move leads to an inundation of sponsorship so that
even more people can benefit from your hard work and innovation. Till then,
know that there are those of us that stand behind you 100 percent!

------
dijit
This angers me. I mean, they're doing the right thing, but it should never
have come to this.

volunteers shouldn't be shelling out thousands in copyright and licensing
violations- even if they won in court, the amount awarded back would probably
be a pittance compared to what these manufacturers make by using their
code/trademarks.

I love what the pax guys do, almost every major exploit in the last year is
mitigated in some form by grsec.. I wonder what becoming a sponsor entails.. I
mean, I wish I could support all the FOSS I use, but I'd go broke pretty
quick. :(

~~~
lucb1e
> I mean, I wish I could support all the FOSS I use, but I'd go broke pretty
> quick. :(

Yeah I seem to have that a lot as well.

What I figured a while ago, in summary, is this: we will always use more than
we can contribute back. As a silly example, I am grateful for the invention of
the wheel but in no way could I pay someone back (living or dead) for every
single thing like that. The important thing is that we do _something_.
Contribute either with time and skill or with money to a few projects you care
about and which you feel can actually use your help. That's still tricky,
though, I wouldn't know which of the 2100 installed apt-get packages need my
support the most, but realizing this (rather than feeling indebted) gives me
some peace of mind.

(If anyone cares, I actually blogged about this:
[http://lucb1e.com/?p=post&id=121](http://lucb1e.com/?p=post&id=121) )

------
bmir-alum-007
Most, but not all, companies generally don't donate any money to server OSes
and open source they deploy by the hundreds of thousands. It sucks but it's
the current state of affairs. (I think more FOSS should be be less free and
monetized more in the context of large-scale enterprise purposes, in order to
keep developers' bills paid and support quality up. The honor system doesn't
work because most corporate choose to "cheat" where possible.)

If a project releases open source totally for free, it cannot realistically
expect sponsorship to magically appear.

If a project _needs_ sponsorship to _keep the lights on_ , the _we 're closing
up shop, unless ..._ routine works.

If a project prefers to become a commercial product with a freemium option,
they should do such.

Otherwise, don't slave away on a project and resent what you cannot afford to
give away. Just _don 't_ do it, if you can't live with it being exploited by
companies for free.

Punishing everyone for the sin of a few rogue companies is the kindergarteners
routine and childish. It doesn't work and it just angers people without
solving the licensing issue at a core level.

PS: Perhaps grsecurity may want to instead consider a sensible noncommercial
license similar to somewhere between AGPL and something like what good ol'
evil Oracle would license their DBMS, i.e., companies over X employees or Y
revenue need a license; hobbyists, academics and individual developers
exempted. Drama resolved.

~~~
geofft
> PS: Perhaps grsecurity may want to instead consider a sensible noncommercial
> license similar to somewhere between AGPL and something like what good ol'
> evil Oracle would license their DBMS, i.e., companies over X employees or Y
> revenue need a license; hobbyists, academics and individual developers
> exempted. Drama resolved.

Being a set of Linux patches, it would be hard for them not to make their code
available under GPLv2.

They can do the Red Hat thing of making code available only to paying
customers, and terminating their customers' accounts if they redistribute
things publicly. They mention that in the post.

------
armitron
Ah Spender. Always the drama queen.

The real problem here is not companies abusing the GPL (good luck with that),
but grsecurity not being integrated with mainline after more than a decade.

You see, if Spender really cared about security he would work with the kernel
developers in order to get grsecurity into the kernel but of course being such
a famewhore, he never did that. Everything is fine as long as he is the center
of attention, actual security be damned.

Spender: I among many have little sympathy for you, you've long exhausted our
patience with your antics. Grsecurity is a niche project with minimal actual
security impact in the "real world", all because of the deranged way you
choose to manage it. Your primary concern, your _ONLY_ concern should be
getting grsecurity into the kernel, not companies ripping you off, not
companies abusing your trademark, not companies "not playing nice". In the
grand scheme of things, these are irrelevant.

~~~
dewyatt
Do you mean Spengler, perhaps?

~~~
adamzochowski
I think "spendy" is his irc nick. And "spender" is his grsec machine nick
[https://www.grsecurity.net/~spender/](https://www.grsecurity.net/~spender/)

------
NeutronBoy

      The test series, unfit in our view for production use, will however continue to
      be available to the public
    

Doesn't sound like that will stop companies from picking it up and using it
unfortunately.

This is such a shit situation to be in. Hopefully this publicity gains them
some traction with the companies and communities who do care about it.

------
coderjames
I'm obviously misunderstanding something about this.

Since grsecurity is GPL'd (being modifications to the GPL'd kernel), anyone
that is "a customer of any product that uses grsecurity in binary form, [is]
entitled to the complete corresponding source code." Which means their stable
patches will get requested and released by someone anyway.

Help me understand how this will have any effect on the actual availability of
their stable series?

~~~
awalton
It basically just adds a level of indirection. Rather than going straight to
the grsecurity folks, you now have to go to whichever downstream is
disseminating the kernel based on that patch. Bummer.

Really, it's just weakening the brand they've created for themselves. It
always sounds really great in theory, but it's almost never worth it. It's the
GPL, they've literally signed up for this type of code (ab)use. I'm not sure
why people have trouble understanding this concept.

(Though if they wanted to be really snarky, they'd relicense their code GPLv3
and watch these companies go into complete hysterics.)

~~~
0x0
But wouldn't they need to follow the Linux license, which is GPL2only?

~~~
RaleyField
Code will be available to sponsors and sponsors would be entitled to release
it to the public, but presumably they will threaten to cut you from future
updates if they did that, otherwise these is no point in raising the paywall.
Unless you are willing to burn dozens of shell companies for each update there
is no way of stopping them.

~~~
teraflop
Is that actually allowed by the GPL? The text says:

> Each time you redistribute the Program (or any work based on the Program),
> the recipient automatically receives a license from the original licensor to
> copy, distribute or modify the Program subject to these terms and
> conditions. _You may not impose any further restrictions on the recipients '
> exercise of the rights granted herein._

(emphasis mine) Is it legal to penalize someone for exercising their
redistribution rights, or would that count as a _de facto_ restriction?

~~~
RaleyField
> you may not impose any further restrictions on the recipients' exercise of
> the rights granted herein.

Further restrictions probably aren't introduced if they packaged this the
right way i.e. not bind the GPL license with whatever agreement they will come
up with. Sponsors will still have the same rights they are now used to, but
GPL never speaks obligations on the distributor having to provide updated
versions.

------
RaleyField
> We decided that it is unfair to _our sponsors_ that the above mentioned
> unlawful players can get away with their activity.

How is that unfair to them specifically? The purpose of this is to protect
them by raising a paywall for anyone that isn't their 'sponsor'?
(tangentially, that's why I prefer BSD/MIT, because people aren't as obsessed
with other people doing dirty, nasty things with their free code.)

It's bad enough that these patches aren't integrated into the kernel like they
ought to be or that they aren't included into mainline distros and are only
ever present on custom built machines, now they are behind paywall as well.
Damit, I don't want to move to OpenBSD.

~~~
yellowapple
> Damit, I don't want to move to OpenBSD.

Why not? OpenBSD's awesome.

~~~
na85
Maybe for servers. It's completely unusable due to performance problems on my
i7-powered thinkpad.

~~~
yellowapple
Really? I run it on a PowerBook G4, and while it's sluggish, it's not entirely
"unsuable". If a 10-year-old single-core machine can handle OpenBSD, I'd be
amazed by even the slightest performance issue on a quad-core, hyperthreaded,
modern PC. What's additionally surprising is that this is the case on a
Thinkpad, of all things; IIRC, the OpenBSD devs dogfood OpenBSD pretty heavily
on Thinkpads due to their FOSS-friendliness.

Does your laptop have an Nvidia GPU, by chance? In my experience, those do
tend to have very bad performance on OpenBSD. Intel and AMD/ATI GPUs should
work better.

Also, it's worth mentioning that OpenBSD's kernel has a whole slew of
debugging and error checking features compiled in by default; compiling a
custom kernel without such features can be done, but the docs don't really
recommend it, since it becomes excruciatingly difficult to troubleshoot any
problems with it.

~~~
na85
My laptop has an Intel card, and everything is nominally supported.

You are free to be surprised all you wish: I went back to linux because I was
sick of dealing with the system locking up for 5-10 seconds every time I
opened, closed, or switched to a new browser tab. Couple that with 1-2 fewer
hours' worth of battery life and I found myself very quickly asking what the
point of "code correctness" was if the system just doesn't work.

A thoroughly frustrating experience from top to bottom.

~~~
yellowapple
Just saying. If you haven't already, I'd definitely send them a bug report and
dmesg; that all seems _very_ abnormal.

------
Animats
OK, figure out who the involved is. It shouldn't be too hard if you're active
in that area.

~~~
crazysim
I'm going to guess it's the top result from the Google search of the forums
for EFI and grsecurity? That or the wind is blowing me the wrong way down the
river.

~~~
gnoway
This would be really surprising and disappointing. Wind River used to be a/the
major FreeBSD sponsor and is now owned by Intel. Intel of course is heavily
invested in the Linux and FOSS community.

~~~
fredkbloggs
Intel's commitment is to specific products and technologies that it has
determined are either in great market demand or are checkbox items in support
of its other products. The company has no affinity whatsoever to Free Software
or Open Source ideals, and most of its products are closed-source and
protected with extremely restrictive licenses. This is especially true in the
space at issue here; Intel does not make its firmware available under anything
resembling Open Source terms. The same applies to its CPU microcode, most of
its specifications, and the large body of tooling used by OEMs and embedded
developers (much of which is not only closed but Windows-only). Intel is
committed to supporting GNU/Linux distributions offered by its partners or as
demanded by the market at large, but in general it remains an extremely
closed, secretive vendor.

~~~
gnoway
They run the open source technology center ([http://01.org](http://01.org)).
Even if their actual goal is exploitation, why would they even blink at 5
figures a year to sponsor this group vs. giving their lawyers something to do
and risking exposure like this?

------
Asbostos
It's not clear to me that he has any case at all with the trademark. You don't
get to dictate how everyone uses your trademark. Some uses are acceptable
without permission:

"Usually it is permissible to use another person’s or company’s trademark or
service mark when referring to a product or service of that person or company,
provided it is clear that the mark is being used truthfully to refer to that
specific product or service. It may not be used in a way that might mislead
others as to that person’s or company’s affiliation with, sponsorship of or
endorsement of your company or its products or services—for example, using a
logo instead of simply the word form of the mark, or using the mark more
prominently or frequently than necessary." [1]

This appears to be how Wind River is using it.

[1]
[http://www.inta.org/TrademarkBasics/FactSheets/Pages/Tradema...](http://www.inta.org/TrademarkBasics/FactSheets/Pages/TrademarkUseFactSheet.aspx)

~~~
randx838
Agreed. I could see this being possible with a pre-existing trademark policy,
and an explicitly different trademark for "test quality" code, and being very
careful about it all, but otherwise I just don't see it. Trademark is to
correctly identify the source of a good, and the source here is identified
correctly. If it was creative commons licensed, they would be required to do
what they have done.

Not only all that, it seems like this is a bit strange that their complaint is
that they called it grsecurity without using a blessed version, so their
response is to stop giving out blessed versions publicly. Won't that just
encourage more companies to do exactly what they are complaining about?

~~~
davorak
> Won't that just encourage more companies to do exactly what they are
> complaining about?

It will become much harder for any company to argue the they are using
grsecurity if they are not a sponsor since it is not public disseminated any
more.

This should give their lawyers considerable more leverage and the offending
company's lawyers are more likely to warn discourage stone walling the
grsecurity team since the company will be in a weaker position.

~~~
randx838
I see. This plus an official trademark policy might help.

------
vini
[https://www.google.com/search?q=grsecurity+forum+patch+porte...](https://www.google.com/search?q=grsecurity+forum+patch+ported)

------
0x0
That's a shame. :(

Also a shame that it's probably going to be way too expensive to lawyer up
something like the Firefox an RedHat style of trademark protection (where
forks (or even re-compiles) must use off-label branding). :(

Also a shame that the companies in question can't even be named (and
shamed)...

~~~
zobzu
Veriphone
[https://forums.grsecurity.net/viewtopic.php?f=3&t=3938&p=139...](https://forums.grsecurity.net/viewtopic.php?f=3&t=3938&p=13940#p13940)

There, shamed. Easy.

------
dfc
There are a lot of people complaining about a future w/o grsecurity and I
share your feelings. However I was surprised to see that nobody has mentioned
that you and I can also donate to the project.

Yes, it sucks that MegaCorp and InnoTrode are not compensating Grsecurity for
the work. Its probably just as shitty that I have used grsecurity for as long
as I have and just got around to donating to the project. If you use
grsecurity and don't want to see it disappear go donate. Grsecurity accepts
paypal/bitcoin/dwolla:

[https://grsecurity.net/contribute.php](https://grsecurity.net/contribute.php)

------
CodeMage
Naive question: can't EFF help?

~~~
RaleyField
Linus should've helped. But they don't want to merge patches to the kernel.
Use OpenBSD.

~~~
zobzu
To be frank, the grsecurity folks and Brad in particular aren't exactly nice
to others or trying the get stuff merged in the right way, so they don't get a
lot of support from the kernel folks.

Most of the time Brad is shaming kernel devs and saying they're all idiots.

~~~
rodgerd
> To be frank, the grsecurity folks and Brad in particular aren't exactly nice
> to others or trying the get stuff merged in the right way, so they don't get
> a lot of support from the kernel folks.

Linus "I am not a nice person, deal with it" Torvalds is upset because someone
else is a ranty meany about him? Heaven forbid!

~~~
strcat
Brad doesn't throw personal attacks and insults around like Linus anyway.
Plain spoken criticism of actions and ideas is not a personal attack. He tends
to strongly disagree with the upstream kernel developers on issues related to
security and what pisses them off is that his criticism is fair and accurate.
They should be embarrassed about the state of security (and stability...) in
vanilla, and they get offended when it's pointed out.

~~~
forgottenpass
_Brad doesn 't throw personal attacks and insults around like Linus anyway.
Plain spoken criticism of actions and ideas is not a personal attack._

Quoted below: Plainly spoken criticism of action and ideas

    
    
        The real question the news articles should be asking is why the embedded 
        industry as a whole is scum and why everyone has problems w/ them
    

[https://twitter.com/grsecurity/status/636873270285967361](https://twitter.com/grsecurity/status/636873270285967361)

------
blm
I want to add something. I am sure that it will get obliterated by other
people. I am not with anyone that uses grsecurity.

On the one hand I can imagine nothing more bitter than other people making
money on your hard work.

However, isnt this how the whole thing goes? I mean there wouldn't be a linux
kernel without the work of a whole bunch of companies. Did they get
sponsorship money from you? grsecurity wouldn't exist without the work of a
bunch of other people. Did grsecurity pass on money to other vendors that they
rely on? What about people that wrote the drivers that grsecurity use when
they did development.

Open source only works because people contribute to a shared base. In return
for their contributions they get to use what others already contributed.

~~~
halosghost
It seems like you've missed the point. The problem isn't that companies are
using the work without paying. The problem is that the unnamed companies are
essentially lying in their marketing and violating the grsec trademark in the
process.

This is not how FLOSS is supposed to go.

~~~
blm
Why do you think they are lying? Did the companies use not apply the
grsecurity patches but claim they did?

If they did apply the patches AND used the grsecurity trademark in their
brochures what is the problem? They arent misrepresenting grsecurity. They
arent being derogatory in any way. Why can't you say that you have the kernel
and you applied grsecurity patches?

It seems so funny when people are all about GPL code and "freedom" and yet act
so precious about a "trademark" just like proprietary enterprises.

~~~
teraflop
The whole point of trademark law is that the owner of the trademark gets to
control how it's used in commerce. If the mark is being used to advertise a
company's product, grsecurity has the right to prohibit it; the company
doesn't get to make the call.

This isn't a free-speech issue -- it's just a simple acknowledgement of the
fact that consumers treat names, logos, branding etc. as indicators of a
product's origin, and that there's a public interest in making those
indicators accurate. You can refer to the trademark as long as you don't do so
in a way that misrepresents your product. In this case, unless there are
specific disclaimers to the contrary, a reasonable person would think
"grsecurity" means "code released and approved by the grsecurity team",
instead of a version that a third party has modified.

------
sarciszewski
Can we as a society stop ripping off open source developers?

Companies that do are essentially stealing from artisans to build
infrastructure to defraud the poor so they can horde wealth.

~~~
cwyers
Actual GPL violations are bad. If actual trademark infringement happened (the
blog post presents the company's counterarguement as to whether or not that
happened, and I neither know enough about the law to assess the competing
claims or know enough about the situation to know whether or not the blogpost
fairly represented the counterarguement), that's bad.

But "[not] bother[ing] to hire us to perform the port properly for them or to
actively maintain the security of the kernel they're providing to their paid
customers" isn't ripping off the developers or stealing from artisans. Nor is
"not contribut[ing] a single dime toward our continued development and
maintenance." None of those things are required by the GPL. If you want to
sell software, and if you want to get pissed when people use your software
without paying you for it, choose a license that requires people to pay you
for your software.

(And exactly how much money has GRsecurity paid to the developers of the
kernel they're patching? The unmitigated gall factor here is stronger than
most of these kinds of rants that I've seen, because they're not even the
upstream.)

~~~
rodgerd
> And exactly how much money has GRsecurity paid to the developers of the
> kernel they're patching?

They've donated a lot more mockery than money, I would think.

It's a good point.

~~~
strcat
The Linux kernel wouldn't have features like ASLR,
protected_{hardlinks,symlinks}, dmesg_restrict, kptr_restrict, ptrace_scope
and lots more if not for PaX/grsecurity.

The fact that pipacs and spender no longer spend their time pushing stuff
upstream doesn't mean that upstream doesn't benefit in a huge way from
grsecurity via others like Kees Cook who are willing to deal with the
politics.

grsecurity doesn't violate the Linux trademark or licensing. It's not a good
point at all. You wonder why they don't contribute upstream directly? It has a
lot to do with this entitled attitude.

