lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 15 Jun 2007 11:30:09 +0200
From:	Bernd Paysan <bernd.paysan@....de>
To:	david@...g.hm
Cc:	Alexandre Oliva <aoliva@...hat.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Kevin Fox <Kevin.Fox@....gov>,
	Daniel Hazelton <dhazelton@...er.net>,
	Lennart Sorensen <lsorense@...lub.uwaterloo.ca>,
	Greg KH <greg@...ah.com>,
	debian developer <debiandev@...il.com>,
	Tarkan Erimer <tarkan@...one.net.tr>,
	linux-kernel@...r.kernel.org,
	Andrew Morton <akpm@...ux-foundation.org>, mingo@...e.hu
Subject: Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3

On Friday 15 June 2007 01:46, david@...g.hm wrote:
> if you cannot modify the software that runs on your Tivo hardware you
> haven't tried very hard.

Yes, but the GPLv2 clearly says that you don't have to try very hard. The 
preferred form of modification has to be distributed. I can run a 
decompiler or disassembler on a program, and I can even modify it in place 
with a hex editor (I have even modified programs in embedded ROMs by using 
focussed ion beam, so I know you can modify every program if you try hard 
enough). It's certainly possible to crack Tivo's firmware to accept my own 
signature, but it's *not* the preferred form of modification, the source 
code and Tivo's key for the signature.

Since Tivo's firmware only accepts a signed kernel, the combination of 
kernel+signature is the binary they ship. The kernel itself is useless, the 
signature as well. Therefore, you can imply that Tivo's key is part of 
the "other stuff" the GPLv2 mentions, because you need it to recreate the 
same code as Tivo did and shipped (compilers insert timestamps and such), 
and to modify that code. The source code is just a mean, the thing they 
shipped is the end (the binary), and they have to comply with the GPL for 
that binary - which by all means of practical understanding includes the 
signature.

"You can imply" means: It depends on court and legal system. I'm quite 
confident that in Germany, the legal system might favor the "GPLv2 does not 
allow tivoization" point of view, and in the USA, the legal sysem might do 
the opposite.

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://www.jwdt.com/~paysan/

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ