
Alex Zeffertt wrote:
> Andy Green wrote:
>> Since all U-boot users who may use signatures to verify the provenance of a package are in the same boat, I am wondering what the general opinion about this situation is, and what the feeling would be about a Linux kernel/busybox-style GPL V2-only license.
>
> I am curious as to what worries you about GPL v3.
> Is it that you wish to build a version of u-boot that will only load a kernel that has been signed with your private key?
> If so, then your customers will not be free to modify their kernel even though they may access its source.
> This seems to go against the spirit of the GPL. However, I can also see that for some products Linux will only be used if it can be shown to be tamper-proof.

Hi Alex -
My main concern is in fact updates. Currently we package our updates, including U-boot, in RPMs, and I intend to sign them and check the signature before allowing install. In this embedded device the user does not have root access. We use RPM so we can completely and easily fulfill the requirement for sources that match any binaries we ship by capturing them into SRPMs.
It seems to me possible for a GPL 2 "or later" user to argue that he should have the signing keys on the basis that he is choosing to "modify" the code on the provisions of GPL 3, not GPL 2 and despite that the distributor says he gave the sources on GPL 2 rules. (Last week on another mailing list a guy was arguing that even GPL2-only code would qualify for the same treatment, but I can't see how that can be).
Because the hardware is fixed, and because of the special nature of what U-boot does, a workaround for me might be to never update U-boot, but obviously that is less than fully desirable. That way we ship U-boot in the flash, provide sources for it, but never distribute a signed update, avoiding the proposed potential problem.
I audited the sources for all the packages we will ship, and there is only one other relatively small source file in net-tools that is GPL2 "or later", so I am considering making sure everything non-proprietary we ship is GPL2-only or more liberal.
-Andy