On Thursday 25 June 2009 07:04:07 Detlev Zundel wrote:
but when customers absolutely state their requirements are secure boot and the ability to lock their hardware so no one else can run things, then i'm not about to argue with them. their response is simply "fine, we'll move on to the next guy who will satisfy our requirements".
It is your decision if you don't want to even understand your customers needs.
wrong, we've actually done the opposite. we know what they want to do and it is doable with GPLv2. it is not doable with GPLv3.
From what I read, I do not get this impression. "Locking people out" is not a ulterior motive but the outcome of a perceived threat to a business model. It was this business model that I wanted to get a clear picture of. It seems I cannot get any more informatino here.
locking down a machine is part of due diligence as well when it comes to certification. not taking measures to prevent uncertified code from running is a legal liability for companies.
An aircraft is also a certified product - won't you think? Do you believe that an airline carrier ships its planes to the manufacturer if they need to replace a screw? Obviously there must be ways to ensure certification even in such cases. Why should those methods not be applicable to other fields as well?
It is this "certification is only possible like we say" attitude which I seriously question.
whether you question this attitude doesnt matter. you arent a lawyer in general, you arent a lawyer for these companies, and you arent indemnifying them. their legal review says that it's a requirement, so it is now a requirement for the software. anything beyond that is irrelevant.
they arent generally trying to lock out people who just want to toy, they're targeting people who want to clone their hardware or functionality to create knockoffs or they're trying to guarantee lock down so they can get certified (like medical devices).
How does GPLv3 vs. GPLv2 touch the "we will get cloned" question? Maybe I do not see the obvious here, but sourcecode to binaries under either license must be available, so what's the difference?
if you dont have the decryption keys, you cant read the end program. having access to the u-boot source doesnt matter.
Having access to the physical device will. How long do you think will it take to get broken into? Unfortunately physics do not follow wishes of companies as seen over and over in the past.
and companies understand that. i never said locking the device is a 100% guarantee to prevent cloning -- nothing in life is 100%. it does however significantly make it harder to reverse engineer a black box that is wiggling pins than it is to disassemble code and memory. the companies i work with are concerned with delaying clones for most of that product generation's life span, not eternity. if the clone comes in after the company has gotten their fair share out of it, then that's fine by them. clones are an unfortunate aspect of commercial life. without the secure boot aspect, people are able to create knockoffs with enough turn around time to do quite a bit of damage to the product's life span.
It's not the first time I hear this mantra. Can you give me some facts to back this up?
i dont know what kind of "facts" you're looking for. i didnt make this scenario up, it was described to me by a customer in the US and their experience with Chinese cloners. i'm not going to give customer information or name names if that's what you want. -mike