Date:	Fri, 15 Jun 2007 06:14:33 -0400
From:	Daniel Hazelton <dhazelton@...er.net>
To:	Bernd Paysan <bernd.paysan@....de>
Cc:	david@...g.hm, Alexandre Oliva <aoliva@...hat.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Kevin Fox <Kevin.Fox@....gov>,
	Lennart Sorensen <lsorense@...lub.uwaterloo.ca>,
	Greg KH <greg@...ah.com>,
	debian developer <debiandev@...il.com>,
	Tarkan Erimer <tarkan@...one.net.tr>,
	linux-kernel@...r.kernel.org,
	Andrew Morton <akpm@...ux-foundation.org>, mingo@...e.hu
Subject: Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3

On Friday 15 June 2007 05:30:09 Bernd Paysan wrote:
> On Friday 15 June 2007 01:46, david@...g.hm wrote:
> > if you cannot modify the software that runs on your Tivo hardware you
> > haven't tried very hard.
>
> Yes, but the GPLv2 clearly says that you don't have to try very hard. The
> preferred form of modification has to be distributed. I can run a
> decompiler or disassembler on a program, and I can even modify it in place
> with a hex editor (I have even modified programs in embedded ROMs by using
> focussed ion beam, so I know you can modify every program if you try hard
> enough). It's certainly possible to crack Tivo's firmware to accept my own
> signature, but it's *not* the preferred form of modification, the source
> code and Tivo's key for the signature.

How is a signing key part of the "preferred form for modification"? It isn't a 
requirement to *modify* anything, just to *replace* something. (And I am 
*NOT* going to explain why "replace != modify" again)

> Since Tivo's firmware only accepts a signed kernel, the combination of
> kernel+signature is the binary they ship. The kernel itself is useless, the
> signature as well. Therefore, you can imply that Tivo's key is part of
> the "other stuff" the GPLv2 mentions, because you need it to recreate the
> same code as Tivo did and shipped (compilers insert timestamps and such),
> and to modify that code. The source code is just a means, the thing they
> shipped is the end (the binary), and they have to comply with the GPL for
> that binary - which by all means of practical understanding includes the
> signature.

I can find no such requirement in the GPLv2. In fact, it actually says that 
you don't even have to be able to *USE* the program. See section 12 of the 
GPL if you don't believe me.

> "You can imply" means: It depends on court and legal system. I'm quite
> confident that in Germany, the legal system might favor the "GPLv2 does not
> allow tivoization" point of view, and in the USA, the legal system might do
> the opposite.

In light of the d-link case, I'm pretty certain that the German courts'
interpretation of the GPLv2 makes "Tivoization" a violation. In the US I can 
say that the result would be "GPLv2 does not disallow tivoization". As I've 
pointed out in other posts, the GPLv2 actually *limits* itself to three 
specific "activities". Whether it was intended to "incidentally" cover other 
things or not, it does *clearly* state what its scope is. If that scope *IS*
*NOT* the intent of the person and/or person who authored the license, that 
text *SHOULD* *NOT* exist.

DRH

-- 
Dialup is like pissing through a pipette. Slow and excruciatingly painful.