From yesterday's decision in Open Source Security, Inc. v. Perens (N.D. Cal.):

This is a defamation lawsuit. The plaintiffs—Open Source Security ("OSS") and its CEO Bradley Spangler—make security software (called "patches") to fix security vulnerabilities in the open-source Linux Operating System. Open-source software like Linux is free software that anyone can modify, use, and share. The Linux software here is released under an open-source license that prevents users like OSS from imposing additional restrictions if they redistribute the software.

The defendant Bruce Perens—who is a respected programmer known for his founding of the Open Source Initiative—criticized OSS's business model for distributing its security patches on the ground that it violated the open-source license and thus potentially subjected users to liability for copyright infringement or breach of contract. The plaintiffs [sued, basically for defamation -EV]….

OSS's security patch is distributed under the trade name Grsecurity and uses "licensed work of the Linux Operating System kernel that is released" under an open-source license called the GNU General Public License, version 2 (variously, "General Public License", "GPL", or GPLv2). Section 6 of the General Public License forbids users who redistribute the Linux kernel from restricting its use:

Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. …

Open Source Security sells its product to customers pursuant to a user access agreement called the "Stable Patch Access Agreement." The Access Agreement contains the following provision about redistribution:

"The User has all rights and obligations granted by grsecurity's software license, version 2 of the GNU GPL. These rights and obligations are listed at http://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html. Notwithstanding these rights and obligations, the User acknowledges that redistribution of the provided stable patches or changelogs outside of the explicit obligations under the GPL to User's customers will result in termination of access to future updates of grsecurity stable patches and changelogs."

Thus, if a user redistributes the Grsecurity patch, OSS will terminate the users' access to future updates of the patches.

OSS alleges that this business model does not violate the GNU General Public License, which has the following provision:

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things….

On July 10, 2017, Mr. Perens updated [an earlier] blog post about Grsecurity [to read]:

Warning: Grsecurity: Potential contributory infringement and breach of contract risk for customers

It's my strong opinion that your company should avoid the Grsecurity product sold at grsecurity.net because it presents a contributory infringement and breach of contract risk. …

Under their Stable Patch Access Agreement, customers are warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition….

Grsecurity's Stable Patch Access Agreement adds a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms. Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The GPL does not apply when Grsecurity first ships the work to the customer, and thus the customer has paid for an unlicensed infringing derivative work of the Linux kernel developers with all rights reserved. The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.

As a customer, it's my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity….

In the public interest, I am willing to discuss this issue with companies and their legal counsel, under NDA, without charge.

I am an intellectual property and technology specialist who advises attorneys, not an attorney. This is my opinion and is offered as advice to your attorney. Please show this to him or her.

The plaintiffs allege that the statements in the updated blog post are false because "the Access Agreement does not violate the [General Public License]" and they are "not aware of any legal authority holding" or "remotely suggesting" that Open Source violated the terms of the General Public License….