Date:	Mon, 18 Jun 2007 12:07:57 -0700 (PDT)
From:	david@...g.hm
To:	Alexandre Oliva <aoliva@...hat.com>
cc:	Anders Larsen <al@...rsen.net>, Ingo Molnar <mingo@...e.hu>,
	Alan Cox <alan@...rguk.ukuu.org.uk>,
	Daniel Hazelton <dhazelton@...er.net>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Greg KH <greg@...ah.com>,
	debian developer <debiandev@...il.com>,
	Tarkan Erimer <tarkan@...one.net.tr>,
	linux-kernel@...r.kernel.org,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3

On Mon, 18 Jun 2007, Alexandre Oliva wrote:

> On Jun 18, 2007, Anders Larsen <al@...rsen.net> wrote:
>
>> On Sat, 16 Jun 2007 22:54:56 -0300, Alexandre Oliva wrote:
>>> I don't know any law that requires tivoization.
>
>> Not exactly laws, but pretty close:
>
>> Credit-card payment terminals are subject to strict security
>> certification, where it has to be ensured that
>
>> a) the user cannot tinker with the device without rendering it unusable
>> for its original purpose (electronic payments), and
>
> I think GPLv3 has that covered:
>
>  Network access may be denied when the modification itself materially
>  and adversely affects the operation of the network or violates the
>  rules and protocols for communication across the network.
>
> I've been sufficiently annoyed by credit card transactions that cannot
> be completed for network-down reasons that I believe such devices
> depend on network access to perform the original purpose, and even
> though IANAL I think that cutting off network access in case the
> software no longer complies with the regulations is permitted by the
> license.

You misunderstand the reason for these rules.

They want to prevent anyone from modifying the credit card machine to
store copies of all the card info locally. This modification would not
affect what goes over the wire at all. So your exception doesn't apply.

>> b) the manufacturer is able to update the device _in_ _the_ _field_.
>
> If the above is not enough, you could always use ROM.  Sure, if you
> can replace the ROM, so can the user, and this just goes to show how
> short-sighted the alleged prohibitions on user tinkering with the
> software are.  Sure, it would be more costly, but it's not like the
> law (or the agreements in place) *mandate* tivoization.

You don't really answer this issue. Since these boxes are required to be
sealed and physically anti-tamper, changing the ROM is not acceptable.

David Lang