
Hi folks -
Nice work on U-boot! We are using it with good success on an ARM9 embedded device that is just coming to production.
Late last week the busybox project maintainer decided that the next version will be licensed as "GPL v2 only", matching the Linux kernel license; this is a change from an effective "GPL v2 'or later'" license like U-boot currently has.
During the discussions about this I became aware that there may be some conflict between GPL v3 and using privately signed crypto hashes to validate GPL v2 "or later" binaries; some people at least (Linus) hold that the GPL v3 will allow recipients of the binaries to demand private signing keys. I am uncertain what the facts are, especially as GPL V3 is not done yet, but looking at it, the "or later" license allows the FSF to decide anything they like at any later date, and it can cause the distributor trouble accordingly, because the GPL V2 "or later" clause arguably at least signs him up for complying with $TO_BE_DETERMINED_BY_FSF_WHEN_THEY_WANT, since a recipient can at any time decide he applies V3 or Vn.
I audited the packages we use and I find more or less of an issue with three: one we use one small file from and it can be rewritten; one only has the "or later" copyright on files we are not distributing the binary for, and lastly there is U-boot, which is currently pretty solidly in the V2 "or later" camp in grep's opinion :-)
Since all U-boot users who may use signatures to verify the provenance of a package are in the same boat, I am wondering what the general opinion about this situation is, and what the feeling would be about a Linux kernel/busybox-style GPL V2-only license.
-Andy