lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070615080252.GA28281@elte.hu>
Date:	Fri, 15 Jun 2007 10:02:52 +0200
From:	Ingo Molnar <mingo@...e.hu>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
Cc:	Michael Poole <mdpoole@...ilus.org>,
	Daniel Hazelton <dhazelton@...er.net>,
	Alexandre Oliva <aoliva@...hat.com>,
	Lennart Sorensen <lsorense@...lub.uwaterloo.ca>,
	Greg KH <greg@...ah.com>,
	debian developer <debiandev@...il.com>,
	"david@...g.hm" <david@...g.hm>,
	Tarkan Erimer <tarkan@...one.net.tr>,
	linux-kernel@...r.kernel.org,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3


* Linus Torvalds <torvalds@...ux-foundation.org> wrote:

> On Thu, 14 Jun 2007, Michael Poole wrote:
> >
> > If the DRM signature and program executable are coupled such that 
> > they are not useful when separated, the implication to me is that 
> > they form one work that is based on the original Program.  This is 
> > beyond the GPL's permission for "mere aggregation".
> 
> So you want to make things like a 160-bit SHA1 hash of a binary be a 
> "derived work" of that software?
> 
> Trust me, you *really* don't want to go there. It's an insane legal 
> standpoint, and if you were right, we'd be in a *world* of trouble.
> 
> Think about something as simple as security software that creates 
> filesystem checksums for verifying the integrity of the filesystem, 
> and protects against tampering.
> 
> Do you *really* want to claim that the SHA1 checksum of your "oracle" 
> binary is owned by Oracle, and you need to have a special license to 
> copy that checksum around and verify it?

not only that, but it would instantly turn everyone who owns a hard 
drive or a CD-ROM into a copyright violator: the disks checksums the 
content of the disk _in a reversible way_. Same for RAID5 and RAID6 
techniques. By installing Quake3 on a Windows box one sure does not have 
permission to create a derived work of Windows and Quake3, right? =B-)

a checksum, a one-way hash, or even reversible parity bit(s) that 
'mixes' the copies of multiple works together clearly cannot be new work 
that falls under copyright protection.

Firstly, it is not a new work, because a 'work' has to be created by a 
human - and here the new content was created by a machine. Copyright 
protection only applies to sufficiently original works created by 
humans.

Secondly, it is _at most_ a new, partial copy of existing works and 
hence you need the permission to copy all the works in question. (but 
you needed that permission to create the harddisk anyway)

Thirdly, it could be argued that the sha1 is not even a copy, because it 
is irreversible and hence not even a single bit of the original work can 
be reconstructed from it hence it cannot even be a 'partial copy of the 
original'.

that's at least 3 robust levels of argument against the insane and 
absurd notion that the SHA1 key is somehow a derived work of the copy it 
checksums.

	Ingo
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ