Regions where it is legal to use grsec in SecureDrop without a commercial license?


I spent some time looking over your FAQ and performed other searches to try to find an answer:

For entities that use SecureDrop, how is licensing and use of grsec with Linux kernels newer than 4.9 handled?

Are you maintaining older patch files which were still open source under GPL and upgrading them to work with newer kernels? (Effectively, maintaining a fork since the last GPL release?) Using an exception, where the scripted process avoids a need for a commercial license?

Are sites that run SecureDrop with the default install expected to buy commercial licenses from grsec?


If a commercial grsecurity / grsec license is required, are there regions where it is not required?

If you have any links to documents or documents which discuss this issue, and legal risk mitigation wrt grsec licensing, please let me/us know.


Thank you for getting in touch! We have an arrangement with grsecurity that allows us to use their x86 patches for SecureDrop’s servers, and we are in compliance with their GPL license requirements. Because we distribute grsec-patched 4.14-series kernels directly (as opposed to distributing the grsec patches), it is not incumbent on any instance or individual that uses the kernel to also obtain a grsec license.

In order to remain in compliance with the GPL license associated with grsec[0] and with the terms of our subscription (and also because we <3 open source), we supply the source code for patched 4.14-series kernels upon request. The notice of this offer can be found in the SecureDrop GitHub repo[1].

I hope this answers your questions! If not, give us a shout back.

[0] - see licensing note about halfway down the page

Thanks for your reply; this answers my question.