lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 16 Jun 2007 17:58:11 -0700 (PDT)
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	Bron Gondwana <brong@...tmail.fm>
cc:	Alexandre Oliva <aoliva@...hat.com>, Ingo Molnar <mingo@...e.hu>,
	Alan Cox <alan@...rguk.ukuu.org.uk>,
	Daniel Hazelton <dhazelton@...er.net>,
	Greg KH <greg@...ah.com>,
	debian developer <debiandev@...il.com>, david@...g.hm,
	Tarkan Erimer <tarkan@...one.net.tr>,
	linux-kernel@...r.kernel.org,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3



On Sun, 17 Jun 2007, Bron Gondwana wrote:
> 
> No, I'm arguing that it's not "mere aggregation" - the kernel is useless
> on that machine unless the BIOS is present or replaced with something
> else with equivalent functionality.

That's *not* a valid argument!

I know, I know, it's a common one, but it is *nonsense*.

The thing is, "mere aggregation" doesn't mean what you think it means.

"Mere aggregation" doesn't mean that they cannot depend on each other. It 
means that they are not *based* on each other in the sense of GPLv2.

In other words, "mere aggregation" is about two pieces that are not 
derivative works under copyright law.

For example, on a Red Hat DVD, *every*single*binary* on that DVD requires 
a kernel to run on. And the kernel image itself "depends" on the user 
programs to actually do something _useful_. 

But it's all still "mere aggregation", because they are not related to 
each other in the sense of being derived works!

So "mere aggregation" is not about intimacy. OF COURSE high-tech products 
depend intimately on each other. The Linux kernel cannot boot on a PC 
without a BIOS or something equivalent. You cannot run your graphical 
environment without a kernel, an X server, the CPU, the memory, the 
display, the BIOS, the power company (or an equivalent hand-crank) etc etc 
etc, and these things are all very much dependent on each other to make a 
"usable system", that has absolutely _zero_ relevance to whether they are 
"mere aggregation" or not.

So the only thing the "mere aggregation" phrase in the GPLv2 means is 
simply: "putting together two or more pieces that are not derived works of 
each other". That's what that

	mere aggregation of another work not based on the Program
	                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

part of the license is all about.  The BIOS is "another work", and it 
clearly is "not based on the Program". The "aggregation" just means 
"putting them together", and the "mere" is there just to show that as far 
as the license is concerned, that is not even interesting!

In other words, the sentence in section 2 about mere aggregation says one 
thing only: the fact that you lump things together storage-wise does not 
matter *at*all* for the license. The _only_ thing that matters for the 
GPLv2 is whether something is a derived work, _not_ whether it is lumped 
together, and depends on something else.

This is why the BIOS is irrelevant. You can put it in the same flash chip 
as the kernel: it still isn't a derived work of Linux (and Linux is not a 
derived work of the BIOS), and the GPLv2 explicitly makes it clear that 
the license holds no sway over the BIOS, even though it's physically on 
the same chip.

The BIOS can do whatever it wants to, and the GPLv2 has *nothing* to say 
about it. The GPLv2 makes that very clear indeed. It is just "mere 
aggregation", and the fact that they  are in the same machine, on the same 
harddisk, on the same flash rom, or on the same DVD doesn't bring them any 
closer from a *copyright* angle.

Copyright in general (and the GPLv2 in the specific) isn't about how 
things are *physically* tied together. It's not even about how things 
interconnect, and how "important" they are for each other. It is _purely_ 
about whether they are derived works.

So when the GPLv2 talks about "mere aggregation", it talks about it 
specifically to say that it does not matter, and that the license _only_ 
affects the actual derived work!

This is why the BIOS, the hardware, the programs you run under Linux etc 
etc are all totally irrelevant. The GPLv2 explicitly says that they are 
irrelevant as far as that license is concerned.

			Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ