Hacker News
by PaXTeam 3345 days ago
and the source of those numbers is...?

> As for grsecurity, 100% of the core grsecurity team (that work at "Open Source Security") are paid for their work.

that's 100% false. both spender and me are developing our code in our free time. what the company is for is customer support, not R&D. shocked you are? :)


> and the source of those numbers is...?

GregKH, who you linked in a cousin comment. IIRC ~20% of code authors are not associated with a company. And if we go by your logic, then an even larger proportion are not "being paid for their kernel work". For a concrete example, I'm a maintainer of container runtimes at my current job but I have contributed code to Linux as part of my job -- does that count as "being paid" for it? In my mind, yes. In your mind, clearly not. But in GregKH's statistics I count as an employee of a company (not an independent).

But since you're too lazy to look at your own link, here's the article for 4.11 (https://lwn.net/Articles/720336/). 14% of changesets and 13% of lines changed are by people not associated with a company.

> that's 100% false. both spender and me are developing our code in our free time. what the company is for is customer support, not R&D. shocked you are? :)

"I work in an L3 support role on $technology, but any R&D work I do on $technology is completely unrelated." It's like you're not willing to acknowledge that the only reason someone would pay a two-person team for support on a kernel technology like grsecurity+PaX is that the same team is developing it. So even if your invoices don't have "development" written on them, the only reason you'd have customers is because of the fact that you are the main R&D behind what you're supporting.

can you quote Greg back on your "At most 80% of Linux contributors have jobs at software companies" because i don't see it in there? and you can add the source for your 20% while at it. on the other hand what Greg did say is this:

> The majority of developers are paid for their work[...].

that's not at all true for our case, that's all i pointed out.

> I'm a maintainer of container runtimes at my current job but I have contributed code to Linux as part of my job.

if it's on company time (and thus dime) then yes, it's a paid job.

> 14% of changesets and 13% of lines changed are by people not associated with a company.

not really, more than half of each is 'unknown', so you can't tell one way or another. anyway, not sure what these are supposed to prove/disprove given what Greg himself said in the above quote.

> It's like you're not willing to acknowledge that the only reason someone would pay a two-person team for support on a kernel technology like grsecurity+PaX is that the same team is developing it.

indeed it's not the only reason but since it's not your business (no offense meant just stating a fact), i can't comment on this further. what i did mean however is something different than the direction you veered off: our work isn't developed because it's paid for, it's a completely volunteer free time project (spender has a day job unrelated to this work, and until about a year ago i didn't have any at all in fact). that is, if you took the money out of the picture, our work would still continue to live on as it has for the previous 16 years. that is absolutely not true for upstream linux development (if it were then all these companies have been cheated out of their money they spent on developer salaries).

> can you quote Greg back on your "At most 80% of Linux contributors have jobs at software companies" because i don't see it in there? and you can add the source for your 20% while at it. on the other hand what Greg did say is this:

Sorry, it's 86% and 14% in Linux 4.11. It's literally in the link I posted. He gave a talk a few years ago at Linaro IIRC where he said "80% and 20%" as approximates but it seems like it's closer to 85% and 15%.

> not really, more than half of each is 'unknown', so you can't tell one way or another

Companies which pay their developers to work for Linux want to exercise their copyrights. It wouldn't make sense for them to conceal developers they are paying to work on Linux. I would argue more people who are listed as "from company X" are working outside of their work but have to declare their company ties due to IP worries.

> if it's on company time (and thus dime) then yes, it's a paid job.

Well, it's actually a bit more far-reaching than that. Most companies also claim that work directly related to your job (even not on "company time") is still owned by them (which you can assume means that's what they're paying you for). Maybe that's not the case in Hungary, but that is the case in America (and Australia where I am).

> if you took the money out of the picture, our work would still continue to live on as it has for the previous 16 years. that is absolutely not true for upstream linux development

I mean, Linux kernel development worked in this way for the first several years when it started. It doesn't really make sense to make authoritative statements about what is and is not possible in hypotheticals. Both Linux and grsecurity were developed for some time without direct income sources from most contributors.

All of that being said, I'm not sure why any of this is relevant. To me the statement "we are 100% unpaid for grsecurity R&D" sounds more like a semantic game than an earnest statement, given that you definitely are paid for grsecurity (whether it says R&D on the invoice is semantics IMO).

But w/e. You can pretend that you aren't paid for your work to seem more righteous. You don't get any sympathy points from me though.

> Sorry, it's 86% and 14% in Linux 4.11. It's literally in the link I posted.

you first quoted 80% and chided me for not reading the article linked to because it supposedly implied/had it in there. now you're moving the goalposts and point at a different article that i can't have guessed before you posted it.

> Maybe that's not the case in Hungary, but that is the case in America (and Australia where I am).

it's not necessarily the case there either. i had worked in both countries and always negotiated contracts that wouldn't have such overreaching clauses.

> I mean, Linux kernel development worked in this way for the first several years when it started.

exactly and you can see how much (or little, in this case) that achieved vs. what money did when it started to pour in. it's not at all hypothetical that if currently paid developers were stopped getting paid then the current pace of development would stop to a crawl (related example: look at gcc vs. clang/llvm after google/etc moved their developers from one to the other). easy test: would you continue to work on linux with the same pace/effort if your company stopped paying you for it? yes/no? if you answer yes then i also expect you to pay them back any past salaries you cheated out of them ;).

> Both Linux and grsecurity were developed for some time without direct income sources from most contributors.

in our case, it's not 'some time' but 'all the time'. that's the big difference which puts the original statement into a very different light:

> Meanwhile the kernel upon which their work is built has been provided for free for much longer

that 'for free' isn't at all free (money makes it happen) unlike our volunteer project (money doesn't make it happen).

> you first quoted 80% and chided me for not reading the article linked to because it supposedly implied/had it in there.

Sorry, I assumed that 80% and 86% were close enough that a reasonable reader would be able to see that I had mis-remembered the second significant figure for statistics I heard a while ago.

My apologies.

> easy test: would you continue to work on linux with the same pace/effort if your company stopped paying you for it? yes/no?

Yes (though my work is not generally kernel work, I would still continue to contribute to the free software projects I currently work on at the same pace).

> if you answer yes then i also expect you to pay them back any past salaries you cheated out of them ;).

... why? An employer pays you to solve technical problems that rise from their business. That doesn't mean that as an individual I wouldn't work on similar problems anyway, it just means that I get paid to work on specific problems rather than whatever I find important.

Effectively an employer pays you to change your priorities to match your employer's priorities. How much your priorities actually changed is not relevant.

Let me ask you a question. If one of your customers found a security issue in grsecurity or found that one of the features of grsecurity was broken, would you prioritise fixing it over whatever interesting feature you were working on "in your spare time"? If yes, then congratulations you're paid to develop grsecurity. If no, then I wouldn't pay you for support because I would have gained very little for my support contract.

> in our case, it's not 'some time' but 'all the time'.

You can continue to claim that, and I will continue to call bullshit. While you might be able to argue semantics and say "technically we never were paid for any particular features" I find such discussion disingenuous.

> puts the original statement into a very different light:

That statement doesn't say "developed for free" it says "provided for free". If it said "developed for free" I wouldn't agree with it. But by the same token I don't agree that there isn't a significant proportion of development that is not paid, and I don't lend credence to hypothetical predictions about how Linux would be developed without anyone being paid.

Despite what you say, Linux was developed for free for the first year or so and was mostly developed for free for several more years.

> Sorry, I assumed that 80% and 86% were close enough that a reasonable reader would be able to see that I had mis-remembered the second significant figure for statistics I heard a while ago.

vs.

>> and the source of those numbers is...?
> GregKH, who you linked in a cousin comment.

the article i linked to has neither number.

> An employer pays you to solve technical problems that rise from their business

not at all. an employer pays for stuff it can't get done for free. it's basic economics at least but i'm sure some shareholders would also have trouble understanding why the company would waste money that way. you just admitted that you'd gladly do the same work for free yet you somehow failed to tell that to your employer who are thus paying you for something that they could get for free and spend that money on other important things instead. that's doubly damaging to your employer.

> Let me ask you a question. [...]

it doesn't have to be a security bug and it doesn't have to come from a customer, we look at them with the same attention and priority regardless. money has nothing to do with it, we do it (and we have done so since the beginning) whether we're paid or not. i think you just have a hard time imagining that what customers pay for isn't R&D (though we're open to such contract work too).

> That statement doesn't say "developed for free" it says "provided for free".

yes and it's disingenuous as to be able to provide linux 'for free' someone has had to pay for it which is very different from our situation.

> I don't agree that there isn't a significant proportion of development that is not paid[...]

you're arguing semantics ('significant' vs 'majority') with Greg at this point, i'll let you two work it out.

> I don't lend credence to hypothetical predictions about how Linux would be developed without anyone being paid.

fortunately you don't need to predict anything, just compare the code of linux 1.0 and 4.11.

> Despite what you say, Linux was developed for free for the first year or so and was mostly developed for free for several more years.

i never said anything like that unless of course you can quote me back on it.

anyway, you're clearly more interested in insults and ad hominem than a rational discussion, so you can have the last word.