
> Linus himself called the code quality "questionable" at best

Linus hates them. There's a very long history there.

> for people who care so much about "improving the security landscape" by walling off the very contributions that can help keep others safe online.... I don't really care what they put on their CV I wouldn't want them on my security team.

You have no idea what you're talking about.

edit:

> You have furthered Cyber Security by exactly 0 points.

Notably, despite never upstreaming their work, they are still responsible for inventing the most important mitigations in your computer, including your hardware (ASLR, SMAP, SMEP, to name a few). So no matter what they have absolutely furthered security by much more than 0.



> You have no idea what you're talking about.

I said it in force, you took it too literally. I don't care who they are or what their "achievements" are. If you care about improving security to the point that you will create patches on top of an open source program and then turn around and lock them behind an EULA that prevents people from sharing that code with the rest of the world, you're not helping the security landscape at all. All you're doing is making security something that only a select few will actually be able to pay for, which is where I take the most issue.

If the GRSecurity team was actually invested in improving the security of the kernel they would be working to submit those patches to mainline. I have not seen any effort to refute this.

Edit: So again, because they work behind closed doors I'm just supposed to take their security contributions at face value without any way to audit what they have done? So I ask again: how does that improve security? Security through obscurity is not security.

Whatever I do not wish to argue this.


> All you're doing is making security something that only a select few will actually be able to pay for, which is where I take the most issue.

I don't know why you take issue with a company selling a product, especially when they gave it away for decades beforehand.

> If the GRSecurity team was actually invested in improving the security of the kernel they would be working to submit those patches to mainline. I have not seen any effort to refute this.

Upstream has always been extremely hostile to security and security patches. The only reason things have changed at all is because now Google pays Linus's paycheck and a few companies like them control the vast majority of contributions, so if they want security patches to be applied they can make it happen.

That is not how things worked until the last decade or so.

Also, why should they? No one was paying them to do that, or anything for a long time. Why are you dictating that they should spend their time that way? How do you know that would be the best for security? We've all benefited from their approach so clearly what they were doing wasn't so terrible - your browser is randomizing its address space right this very second because of their work.

> Edit: So again, because they work behind closed doors I'm just supposed to take their security contributions at face value without any way to audit what they have done? So I ask again: how does that improve security? Security through obscurity is not security.

Their patches were open to everyone for decades. You have no idea what you're talking about.



