Date:	Fri, 15 Jun 2007 08:47:49 -0400
From:	Michael Poole <mdpoole@...ilus.org>
To:	Daniel Hazelton <dhazelton@...er.net>
Cc:	Bernd Paysan <bernd.paysan@....de>, david@...g.hm,
	Alexandre Oliva <aoliva@...hat.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Kevin Fox <Kevin.Fox@....gov>,
	Lennart Sorensen <lsorense@...lub.uwaterloo.ca>,
	Greg KH <greg@...ah.com>,
	debian developer <debiandev@...il.com>,
	Tarkan Erimer <tarkan@...one.net.tr>,
	linux-kernel@...r.kernel.org,
	Andrew Morton <akpm@...ux-foundation.org>, mingo@...e.hu
Subject: Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3

Daniel Hazelton writes:

> On Friday 15 June 2007 05:30:09 Bernd Paysan wrote:
>> On Friday 15 June 2007 01:46, david@...g.hm wrote:
>> > if you cannot modify the software that runs on your Tivo hardware you
>> > haven't tried very hard.
>>
>> Yes, but the GPLv2 clearly says that you don't have to try very hard. The
>> preferred form of modification has to be distributed. I can run a
>> decompiler or disassembler on a program, and I can even modify it in place
>> with a hex editor (I have even modified programs in embedded ROMs by using
>> focussed ion beam, so I know you can modify every program if you try hard
>> enough). It's certainly possible to crack Tivo's firmware to accept my own
>> signature, but it's *not* the preferred form of modification, the source
>> code and Tivo's key for the signature.
>
> How is a signing key part of the "preferred form for modification"? It isn't a 
> requirement to *modify* anything, just to *replace* something. (And I am 
> *NOT* going to explain why "replace != modify" again)

The signing key determines a critical portion of the binary form that
was distributed.  You cannot produce that portion of the binary form
without the signing key.  Without that portion, the binary form does
not perform the function for which it is distributed.  If you think
such an input is not part of "the preferred form for modification", I
have a bridge to sell you.

The work that the GPL protects a recipient's right to modify and
redistribute is not the source code -- it is each form the user
receives.

>> Since Tivo's firmware only accepts a signed kernel, the combination of
>> kernel+signature is the binary they ship. The kernel itself is useless, the
>> signature as well. Therefore, you can imply that Tivo's key is part of
>> the "other stuff" the GPLv2 mentions, because you need it to recreate the
>> same code as Tivo did and shipped (compilers insert timestamps and such),
>> and to modify that code. The source code is just a means, the thing they
>> shipped is the end (the binary), and they have to comply with the GPL for
>> that binary - which by all means of practical understanding includes the
>> signature.
>
> I can find no such requirement in the GPLv2. In fact, it actually says that 
> you don't even have to be able to *USE* the program. See section 12 of the 
> GPL if you don't believe me.

Section 12 of the GPL(v2) is a warranty and liability disclaimer.  It
is not an absolution of license obligations.  It limits the liability
of a distributor to the end user, not to copyright owners.

Michael Poole