by PaXTeam 3347 days ago
you conveniently forgot to mention the fundamental difference: the upstream kernel isn't developed for free whereas our code has always been. changes the equation quite a bit, doesn't it?

What do you mean, the Linux kernel isn't developed for free? Many contributors aren't paid.

And do you have proof that PaXTeam is not paid, if you are indeed PaXTeam?

> What do you mean, the Linux kernel isn't developed for free? Many contributors aren't paid.

you're wrong, see item 6 in https://opensource.com/article/16/12/yearbook-9-lessons-25-y... though you might want to demand that Greg prove his identity first ;).

> And do you have proof that PaXTeam is not paid, if you are indeed PaXTeam?

sure, come visit me in hungary and i'll take you to the local tax authorities and grant you access to my files. of course you'll have to prove your own identity first ;).

You mean that some developers are paid to implement things by companies? Fair enough, though I'd still argue it's not developed commercially because no one pays to get access to the result (they only pay to influence the result).

>> sure, come visit me in hungary

That'd be amusing, maybe sometime this summer? I'm kinda busy right now setting up my business :')

Let me know when you're around the Benelux, we could do the key-signing song-and-dance over a coffee or beer.

Then find someone interested in paying for its development?

Security improvements to Linux are great. However a hardened linux kernel is a derived work of the kernel.

It's unethical to take free software, build upon it, redistribute to customers but under contract agreements which prevent them from exercising their freedoms afforded by the license of the kernel.

If you think the linux kernel is crap, you are more than welcome to write your own kernel.

At most 80% of Linux contributors have jobs at software companies. That doesn't mean that all of them are paid for their kernel development, but at least 20% of contributors are definitely not paid for it.

As for grsecurity, 100% of the core grsecurity team (that work at "Open Source Security") are paid for their work. I will admit that I'm not fully aware of the interactions between PaXTeam and grsecurity, but I'd be shocked to hear that nobody at PaXTeam works at a software company related to security or kernel hardening.

and the source of those numbers is...?

> As for grsecurity, 100% of the core grsecurity team (that work at "Open Source Security") are paid for their work.

that's 100% false. both spender and me are developing our code in our free time. what the company is for is customer support, not R&D. shocked you are? :)

> and the source of those numbers is...?

GregKH, who you linked in a cousin comment. IIRC ~20% of code authors are not associated with a company. And if we go by your logic, then an even larger proportion are not "being paid for their kernel work". For a concrete example, I'm a maintainer of container runtimes at my current job but I have contributed code to Linux as part of my job -- does that count as "being paid" for it? In my mind, yes. In your mind, clearly not. But in GregKH's statistics I count as an employee of a company (not an independent).

But since you're too lazy to look at your own link, here's the article for 4.11 (https://lwn.net/Articles/720336/). 14% of changesets and 13% of lines changed are by people not associated with a company.

> that's 100% false. both spender and me are developing our code in our free time. what the company is for is customer support, not R&D. shocked you are? :)

"I work in an L3 support role on $technology, but any R&D work I do on $technology is completely unrelated." It's like you're not willing to acknowledge that the only reason someone would pay a two-person team for support on a kernel technology like grsecurity+PaX is that the same team is developing it. So even if your invoices don't have "development" written on them, the only reason you'd have customers is because of the fact that you are the main R&D behind what you're supporting.

can you quote Greg back on your "At most 80% of Linux contributors have jobs at software companies" because i don't see it in there? and you can add the source for your 20% while at it. on the other hand what Greg did say is this:

> The majority of developers are paid for their work[...].

that's not at all true for our case, that's all i pointed out.

> I'm a maintainer of container runtimes at my current job but I have contributed code to Linux as part of my job.

if it's on company time (and thus dime) then yes, it's a paid job.

> 14% of changesets and 13% of lines changed are by people not associated with a company.

not really, more than half of each is 'unknown', so you can't tell one way or another. anyway, not sure what these are supposed to prove/disprove given what Greg himself said in the above quote.

> It's like you're not willing to acknowledge that the only reason someone would pay a two-person team for support on a kernel technology like grsecurity+PaX is that the same team is developing it.

indeed it's not the only reason but since it's not your business (no offense meant just stating a fact), i can't comment on this further. what i did mean however is something different than the direction you veered off: our work isn't developed because it's paid for, it's a completely volunteer free time project (spender has a day job unrelated to this work, and until about a year ago i didn't have any at all in fact). that is, if you took the money out of the picture, our work would still continue to live on as it has for the previous 16 years. that is absolutely not true for upstream linux development (if it were then all these companies have been cheated out of their money they spent on developer salaries).

> can you quote Greg back on your "At most 80% of Linux contributors have jobs at software companies" because i don't see it in there? and you can add the source for your 20% while at it. on the other hand what Greg did say is this:

Sorry, it's 86% and 14% in Linux 4.11. It's literally in the link I posted. He gave a talk a few years ago at Linaro IIRC where he said "80% and 20%" as approximates but it seems like it's closer to 85% and 15%.

> not really, more than half of each is 'unknown', so you can't tell one way or another

Companies which pay their developers to work for Linux want to exercise their copyrights. It wouldn't make sense for them to conceal developers they are paying to work on Linux. I would argue more people who are listed as "from company X" are working outside of their work but have to declare their company ties due to IP worries.

> if it's on company time (and thus dime) then yes, it's a paid job.

Well, it's actually a bit more far-reaching than that. Most companies also claim that work directly related to your job (even not on "company time") is still owned by them (which you can assume means that's what they're paying you for). Maybe that's not the case in Hungary, but that is the case in America (and Australia where I am).

> if you took the money out of the picture, our work would still continue to live on as it has for the previous 16 years. that is absolutely not true for upstream linux development

I mean, Linux kernel development worked in this way for the first several years when it started. It doesn't really make sense to make authoritative statements about what is and is not possible in hypotheticals. Both Linux and grsecurity were developed for some time without direct income sources from most contributors.

All of that being said, I'm not sure why any of this is relevant. To me the statement "we are 100% unpaid for grsecurity R&D" sounds more like a semantic game than an earnest statement, given that you definitely are paid for grsecurity (whether it says R&D on the invoice is semantics IMO).

But w/e. You can pretend that you aren't paid for your work to seem more righteous. You don't get any sympathy points from me though.

> Sorry, it's 86% and 14% in Linux 4.11. It's literally in the link I posted.

you first quoted 80% and chided me for not reading the article linked to because it supposedly implied/had it in there. now you're moving the goalposts and point at a different article that i can't have guessed before you posted it.

> Maybe that's not the case in Hungary, but that is the case in America (and Australia where I am).

it's not necessarily the case there either. i had worked in both countries and always negotiated contracts that wouldn't have such overreaching clauses.

> I mean, Linux kernel development worked in this way for the first several years when it started.

exactly and you can see how much (or little, in this case) that achieved vs. what money did when it started to pour in. it's not at all hypothetical that if currently paid developers were stopped getting paid then the current pace of development would stop to a crawl (related example: look at gcc vs. clang/llvm after google/etc moved their developers from one to the other). easy test: would you continue to work on linux with the same pace/effort if your company stopped paying you for it? yes/no? if you answer yes then i also expect you to pay them back any past salaries you cheated out of them ;).

> Both Linux and grsecurity were developed for some time without direct income sources from most contributors.

in our case, it's not 'some time' but 'all the time'. that's the big difference which puts the original statement into a very different light:

> Meanwhile the kernel upon which their work is built has been provided for free for much longer

that 'for free' isn't at all free (money makes it happen) unlike our volunteer project (money doesn't make it happen).