Re: Support Grsecurity/PaX

Jason A. Donenfeld

On Wed, Aug 19, 2015 at 4:43 PM, Dan Kohn <dankohn@...> wrote:
Jason, if CII funded Grsecurity/PaX for a year or two, it would keep
the project going, but then what?
That's a nearly reasonable objection, but I think it's a bit narrow of
a vision on how many open projects work. More generally, it's "how can
a small but essential open source project be supported?" One answer is
by merging with an already funded project, like the Linux kernel
itself, that already has plenty of commercial investment, with paid
developers. Another, more accessible, answer is -- by receiving
funding when it can, using that funding to improve the project, and
have those improvements result in more interest, and therefore more
funding and grants down the line. It appears that many projects work
this way. For example, OpenBSD seems to be supported by generous
donations and grants (one of which has come from the CII, IIRC). The
longer these projects go, the more likely funding from various places
is to pour in. It seems that having CII fund Grsecurity/PaX for a year
or two would indeed result in increased momentum, more interest, and
therefore a steady stream of funding and support from elsewhere going
forward. This, anyway, is the route that most smaller open source
projects take, that do not directly have developers who are paid by
commercial entities. And on top of this, there's the obvious point: a
year or two of funded Grsecurity/PaX work would result in research and
practical security solutions that would be a massive benefit to all. I
suspect there are additional counter arguments as well that I am
missing (others can chime in?), because were it the case that it's not
worthwhile to fund something for a year or two as you described, many
projects that do now receive funding would become woefully ineligible.

Join to automatically receive all group messages.