[U-Boot] U-book and GPLv3? (fwd)
Hello,
I was asked about relicensing U-Boot as GPLv3:
------- Forwarded Message
Date: Thu, 18 Jun 2009 09:17:28 -0400 From: Richard Stallman rms@gnu.org To: Wolfgang Denk wd@denx.de Subject: U-book and GPLv3?
I really enjoy the name U-boot. What are the advantages of U-boot over PMON?
Have you considered moving U-boot to "GPLv3-or-later"?
------- End of Forwarded Message
I know that we have had similar discussions before (see for example http://thread.gmane.org/gmane.comp.boot-loaders.u-boot/24029), but I would like to take the chance and re-poll what the community's opinion about this is.
Comments welcome...
[I intend to summarize and send this summary to RMS and post it here.]
Best regards,
Wolfgang Denk
On Thursday 18 June 2009 10:51:28 Wolfgang Denk wrote:
From: Richard Stallman rms@gnu.org
Have you considered moving U-boot to "GPLv3-or-later"?
I know that we have had similar discussions before (see for example http://thread.gmane.org/gmane.comp.boot-loaders.u-boot/24029), but I would like to take the chance and re-poll what the community's opinion about this is.
Comments welcome...
i think it's a bad idea. it'll almost certainly lead to forks as people use it on systems where they dont want to let people boot custom builds. i.e. customers absolutely want to lock their hardware such that only their builds run on it. GPLv2 allows this while GPLv3 does not.
Linux has taken a realistic stance here and i think U-Boot should follow suit (well, i dont care about the "or later" part, just that the base from denx is GPLv2). also, it would make code sharing with Linux a nightmare since many pieces have moved to explicitly GPLv2 -- no one is going to audit code flowing between to make sure things can move safely. -mike
On 16:51 Thu 18 Jun , Wolfgang Denk wrote:
Hello,
I was asked about relicensing U-Boot as GPLv3:
I'm not for the GPLv3 I've the same opinion as Linus Torvald
And as we share a lot's of code with Linux we should continue and not use the GPLv3 at all
Please also note that we have code that is GPLv2 Only 1nd I do known a lot of firms that will stop to use and dev under U-Boot if we switch to the v3
so I'm against it
Best Regards, J.
On Thu, Jun 18, 2009 at 11:46 AM, Jean-Christophe PLAGNIOL-VILLARDplagnioj@jcrosoft.com wrote:
On 16:51 Thu 18 Jun , Wolfgang Denk wrote:
Hello,
I was asked about relicensing U-Boot as GPLv3:
I'm not for the GPLv3 I've the same opinion as Linus Torvald
And as we share a lot's of code with Linux we should continue and not use the GPLv3 at all
Isn't there a practical consideration too? Since copyright assignment isn't required on u-boot contributions, you would have to track down all of the contributors and get their permission for the licensing change. Mozilla had to do this when they changed their license and it took them two years to find everyone. Linus has stated that tracking down all of the contributors to the kernel is virtually impossible.
Please also note that we have code that is GPLv2 Only 1nd I do known a lot of firms that will stop to use and dev under U-Boot if we switch to the v3
so I'm against it
Best Regards, J. _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
Hi Jon,
On Thu, Jun 18, 2009 at 11:46 AM, Jean-Christophe PLAGNIOL-VILLARDplagnioj@jcrosoft.com wrote:
On 16:51 Thu 18 Jun , Wolfgang Denk wrote:
Hello,
I was asked about relicensing U-Boot as GPLv3:
I'm not for the GPLv3 I've the same opinion as Linus Torvald
And as we share a lot's of code with Linux we should continue and not use the GPLv3 at all
Isn't there a practical consideration too? Since copyright assignment isn't required on u-boot contributions, you would have to track down all of the contributors and get their permission for the licensing change. Mozilla had to do this when they changed their license and it took them two years to find everyone. Linus has stated that tracking down all of the contributors to the kernel is virtually impossible.
If code is licensed under the "GPLv2 or later" clause, it can be moved without permission from the author. It's really "GPLv2 only" which needs confirmation.
Cheers Detlev
Wolfgang Denk wrote:
Hello,
I was asked about relicensing U-Boot as GPLv3:
------- Forwarded Message
Date: Thu, 18 Jun 2009 09:17:28 -0400 From: Richard Stallman rms@gnu.org To: Wolfgang Denk wd@denx.de Subject: U-book and GPLv3?
I really enjoy the name U-boot.
^_^
s/U-boot/U-Boot/ Wolfgang specifies that somewhere, but I cannot find it now. :-P
What are the advantages of U-boot over PMON?
This PMON? http://www.linux-mips.org/wiki/PMON
OK, this looks a little fresher: http://olph.gdium.com/wiki/doku.php/system:pmon http://dev.lemote.com/code/pmon http://www.opsycon.se/PMON2000/Main
Quotes below are from the http://www.linux-mips.org/wiki/PMON site since it is more quotable. ;-)
1) PMON supports MIPS. Only MIPS? Before Y2K. After Y2K? Sorta.
U-Boot supports many processors and processor families. The current list include the PowerPC, ARM family (many different manufacturers), AVR32, Blackfin, Coldfire, Microblaze, MIPS, NIOS, NIOS2, SuperH, LEON, and i386 (poorly, but /that/ ain't our fault).
2) "Everything about the PMON 2000 site is shaky at best. An updated version promised in March of 2005 never materialized. The knowledgebase is a joke and the documentation is a mixed bag."
U-Boot has a very active community. While the u-boot mail list isn't quite the firehose that the linux mail list is, it is pretty easy to get overwhelmed.
U-Boot has a passable knowledgebase http://www.denx.de/wiki/DULG/Faq and a pretty good user's manual http://www.denx.de/wiki/view/DULG/UBoot. Asking questions on the email list generally results in quick and helpful responses, assuming the question was a smart question http://catb.org/esr/faqs/smart-questions.html.
3) "CVS access is supposed to be available but is not."
U-Boot "gits" it. OK, bad pun, but the point is, U-Boot has excellent source control modeled after the linux development methods (two levels with one BDFL and many custodians) and using the git distributed SCM tool. http://www.denx.de/wiki/U-Boot/Custodians
4) It appears PMON is BSD-licensed. That is good for companies with proprietary code, not so good for sharing and standing on the shoulders of giants.
U-Boot is GPLv2 (sometimes "or later"). While that doesn't have as sharp of teeth as GPLv3, unlike BSD it gives the community a legal lever to pry code out of semi- and un-cooperative corporations.
---
U-Boot has a *lot* of functionality. It has a lot of helpful "board bring up" commands, a (hacked) ash-ish command handler, ability to boot an OS (linux or many others) over ethernet/TFTP or from a file system in flash or from a USB disk or a hard disk or a SD card, or raw from flash or over the serial link or...
This all fits inside 128K++, depending on the features and commands compiled in. OK, mostly 256K, often bumping above that.
[snip]
Best regards, gvb
There's only one thing about U-Boot that doesn't seem so good:
U-Boot is GPLv2 (sometimes "or later").
To have some parts which are GPLv2 only is unfortunate. Is there any chance of convincing those authors to change that?
Hello Richard,
There's only one thing about U-Boot that doesn't seem so good:
U-Boot is GPLv2 (sometimes "or later").To have some parts which are GPLv2 only is unfortunate.
This is due to us many times (re-)using Linux drivers inside U-Boot.
Also this is one of the objections worded on the mailing list, namely that such a cooperation will be impossible in the future if U-Boot moves to GPLv3.
As a base for reasonable discussion, I think we need to evaluate those claims and back them up by actual figures. Only then the real effort needed to move and the potential loss of "code immigration" can be estimated.
Is there any chance of convincing those authors to change that?
Apart from the the above reasons, currently most people who voiced their opinion (not too many right now) oppose the move. The reasoning seems to be that companies using U-Boot inside a commercial product consider it to be "a neccessary precondition to only accept blessed firmware upgrades" (my wording). What motivates this argument is not completely clear to me. Maybe it is fear of being liable as a product vendor to faulty sw upgrades.
A common theme in the embedded community is the fear of "getting copied by cheap labor countries" - which should not be the case here, but I cannot say for sure.
I believe that without discussing this question seriously with all its implications we will not get enough momentum to even start defining the work for a switch.
We should also start to actively inform the regularly appearing people on this mailing list complaining that they cannot get the source code to U-Boot of "device xyz" that with a GPLv2 U-Boot this may become a theoretical question in the future when they cannot install the changed binary anymore.
Cheers Detlev
On Tue, Jun 23, 2009 at 06:33:53PM +0200, Detlev Zundel wrote:
Also this is one of the objections worded on the mailing list, namely that such a cooperation will be impossible in the future if U-Boot moves to GPLv3.
As a base for reasonable discussion, I think we need to evaluate those claims and back them up by actual figures. Only then the real effort needed to move and the potential loss of "code immigration" can be estimated.
The NAND subsystem is from Linux and is GPL v2 only, as is the u-boot-specific NAND code in drivers/mtd/nand. nand_ecc.c is an exception, which not only has the "or later" language but also has an exception that makes it non-viral.
env_nand.c is v2-or-later. cmd_nand.c has no explicit license.
In summary: If you switch to v3, you lose much of NAND. Unless RMS volunteers to rewrite it. :-)
Is there any chance of convincing those authors to change that?
Apart from the the above reasons, currently most people who voiced their opinion (not too many right now) oppose the move. The reasoning seems to be that companies using U-Boot inside a commercial product consider it to be "a neccessary precondition to only accept blessed firmware upgrades" (my wording). What motivates this argument is not completely clear to me. Maybe it is fear of being liable as a product vendor to faulty sw upgrades.
Regardless of what motivates it, people who sell hardware to such customers (and who also contribute to u-boot) may not want to risk losing that business by pushing GPLv3 on them.
-Scott
On Tuesday 23 June 2009 15:26:35 Scott Wood wrote:
On Tue, Jun 23, 2009 at 06:33:53PM +0200, Detlev Zundel wrote:
Apart from the the above reasons, currently most people who voiced their opinion (not too many right now) oppose the move. The reasoning seems to be that companies using U-Boot inside a commercial product consider it to be "a neccessary precondition to only accept blessed firmware upgrades" (my wording). What motivates this argument is not completely clear to me. Maybe it is fear of being liable as a product vendor to faulty sw upgrades.
Regardless of what motivates it, people who sell hardware to such customers (and who also contribute to u-boot) may not want to risk losing that business by pushing GPLv3 on them.
indeed. expecting businesses to push other peoples' agenda isnt realistic, especially when the conversation is pretty much a net customer loss for said businesses. customers arent going to appear because your business is now pushing GPLv3 instead of GPLv2, but they will certainly disappear. -mike
On 15:41 Tue 23 Jun , Mike Frysinger wrote:
On Tuesday 23 June 2009 15:26:35 Scott Wood wrote:
On Tue, Jun 23, 2009 at 06:33:53PM +0200, Detlev Zundel wrote:
Apart from the the above reasons, currently most people who voiced their opinion (not too many right now) oppose the move. The reasoning seems to be that companies using U-Boot inside a commercial product consider it to be "a neccessary precondition to only accept blessed firmware upgrades" (my wording). What motivates this argument is not completely clear to me. Maybe it is fear of being liable as a product vendor to faulty sw upgrades.
Regardless of what motivates it, people who sell hardware to such customers (and who also contribute to u-boot) may not want to risk losing that business by pushing GPLv3 on them.
indeed. expecting businesses to push other peoples' agenda isnt realistic, especially when the conversation is pretty much a net customer loss for said businesses. customers arent going to appear because your business is now pushing GPLv3 instead of GPLv2, but they will certainly disappear.
200% agree I can assure you that today If we switch the V2 to the v3 we will lose a lot of customers and soc that use secure boot as example which is not a progression but a problematic regression
And force to give the private key which use to sign the code is not reallist it's a security flaw
so U-Boot will close itself to a lots of business and customers
Best Regards, J.
Hi Jean-Christophe,
On 15:41 Tue 23 Jun , Mike Frysinger wrote:
On Tuesday 23 June 2009 15:26:35 Scott Wood wrote:
On Tue, Jun 23, 2009 at 06:33:53PM +0200, Detlev Zundel wrote:
Apart from the the above reasons, currently most people who voiced their opinion (not too many right now) oppose the move. The reasoning seems to be that companies using U-Boot inside a commercial product consider it to be "a neccessary precondition to only accept blessed firmware upgrades" (my wording). What motivates this argument is not completely clear to me. Maybe it is fear of being liable as a product vendor to faulty sw upgrades.
Regardless of what motivates it, people who sell hardware to such customers (and who also contribute to u-boot) may not want to risk losing that business by pushing GPLv3 on them.
indeed. expecting businesses to push other peoples' agenda isnt realistic, especially when the conversation is pretty much a net customer loss for said businesses. customers arent going to appear because your business is now pushing GPLv3 instead of GPLv2, but they will certainly disappear.
200% agree I can assure you that today If we switch the V2 to the v3 we will lose a lot of customers and soc that use secure boot as example which is not a progression but a problematic regression
What exactly is secure boot?
And force to give the private key which use to sign the code is not reallist it's a security flaw
That's interesting to hear. Where exactly is there "security" involved and why should security be implementable by signed binaries only? Does that mean that for example I have *no secure* software on my computer right now? Don't you mistake "security" for "authenticity"?
so U-Boot will close itself to a lots of business and customers
As you are not trying to give concrete examples, let me try to formulate your "facts": U-Boot will not be usable within DRM systems. Is that what you are saying?
Cheers Detlev
Hi Detlev,
What exactly is secure boot?
Jean-Christophe - if I may interject... Embedded systems using core soc silicon from a number of manufacturers have started to use what is known as 'secure boot'. This is typically the case in applications which utilise conditional access system software to protect content. The emphasis on using secure boot is largely driven by the conditional access industry itself.
Secure boot basically means that internally in the soc, fuses are blown that provide some semblance of a low-level hw signature. This signature is combined with additional information from a conditional access / security vendor who may provide tools/utilities for 'signing' bootloader and/or application software binary code images. Consider the case where the soc is boot-strapped by low-level 'secure boot' code. Even before the bootloader's main() is entered, the boot code validates the image using secure features such as private keys. If validation succeeds the platform bootstrap continues to main(). If the licensing of U-Boot changed and U-Boot contained secure boot code and/or features such as these in its low-level bootstrap code, it is feasible that the secure features would have to be made public, thus there would be a rather large security flaw.
Don't you mistake "security" for "authenticity"?
In this context, I believe both terms are interchangeable and effectively mean the same thing. It is secure because only authenticated code is allowed to be executed, thus another step to avoid piracy, hacking of conditional access systems etc.
Hope that helps.
Cheers, -- Matt
Hi Matthew,
thanks for the explanation.
Don't you mistake "security" for "authenticity"?
In this context, I believe both terms are interchangeable and effectively mean the same thing.
This is generally not true. These concepts have well defined meanings. I can have a secure communicatins channel with someone I did not authenticate. Also I can have a non-secure communications channel with someone who authenticated himself by some means to me.
It is secure because only authenticated code is allowed to be executed, thus another step to avoid piracy, hacking of conditional access systems etc.
Running only authenticated code does *not* ensure security, no matter how much this is wished for.
But no matter, I now understand that "security" seems to mean "data can only be handled in the way intended by the owners of the data" which is a different concept to me.
Cheers Detlev
On Wednesday 24 June 2009 12:45:38 Detlev Zundel wrote:
It is secure because only authenticated code is allowed to be executed, thus another step to avoid piracy, hacking of conditional access systems etc.
Running only authenticated code does *not* ensure security, no matter how much this is wished for.
But no matter, I now understand that "security" seems to mean "data can only be handled in the way intended by the owners of the data" which is a different concept to me.
you ignored my simple straightforward example where both authenticity and security is provided. cpu only loads signed u-boot -- authenticity. u-boot only loads encrypted signed binaries -- security and authenticity. since the binaries stay inside of the CPU, for all practical (and then some) purposes, the decrypted binary will never be discovered from this system.
and unless you're lumping data and code together under the term "data", that part is also incorrect. -mike
Hi Mike,
On Wednesday 24 June 2009 12:45:38 Detlev Zundel wrote:
It is secure because only authenticated code is allowed to be executed, thus another step to avoid piracy, hacking of conditional access systems etc.
Running only authenticated code does *not* ensure security, no matter how much this is wished for.
But no matter, I now understand that "security" seems to mean "data can only be handled in the way intended by the owners of the data" which is a different concept to me.
you ignored my simple straightforward example where both authenticity and security is provided. cpu only loads signed u-boot -- authenticity. u-boot only loads encrypted signed binaries -- security and authenticity. since the binaries stay inside of the CPU, for all practical (and then some) purposes, the decrypted binary will never be discovered from this system.
Obviously we differ in what "security" means. Where I used security as an attribute of a communications channel which seems to be a popular interpretation in computer science, you interpret "security" to mean "not discoverable from outside the device". The latter interpretation is used in the DRM systems trying to rub off the good annotations of "security" onto those systems - but still it is not synonymous to "security" for me.
So by definition, an authenticated, encrypted (and non-discoverable binary) can still use non-secure communications channels. Those things are orthogonal and actually I do not know why we argue about that anyway because it is beside the point of this thread.
and unless you're lumping data and code together under the term "data", that part is also incorrect.
Code is data for sure. Using higher level languages like e.g. Lisp, this should be extremely clear.
Cheers Detlev
On Thursday 25 June 2009 07:22:10 Detlev Zundel wrote:
On Wednesday 24 June 2009 12:45:38 Detlev Zundel wrote:
It is secure because only authenticated code is allowed to be executed, thus another step to avoid piracy, hacking of conditional access systems etc.
Running only authenticated code does *not* ensure security, no matter how much this is wished for.
But no matter, I now understand that "security" seems to mean "data can only be handled in the way intended by the owners of the data" which is a different concept to me.
you ignored my simple straightforward example where both authenticity and security is provided. cpu only loads signed u-boot -- authenticity. u-boot only loads encrypted signed binaries -- security and authenticity. since the binaries stay inside of the CPU, for all practical (and then some) purposes, the decrypted binary will never be discovered from this system.
Obviously we differ in what "security" means. Where I used security as an attribute of a communications channel which seems to be a popular interpretation in computer science, you interpret "security" to mean "not discoverable from outside the device". The latter interpretation is used in the DRM systems trying to rub off the good annotations of "security" onto those systems - but still it is not synonymous to "security" for me.
you really should use the standard terms of the trade then, otherwise you will just keep confusing people. http://en.wikipedia.org/wiki/Information_security#Basic_principles -mike
Hi Mike,
you really should use the standard terms of the trade then, otherwise you will just keep confusing people.
I will not bother discussing this anymore with you but rather leave it up to the reader to decide on who is confusing.
Cheers Detlev
Embedded systems using core soc silicon from a number of manufacturers have started to use what is known as 'secure boot'. This is typically the case in applications which utilise conditional access system software to protect content. The emphasis on using secure boot is largely driven by the conditional access industry itself.
The principal purpose of these products is to restrict the public's freedom. So it is natural that their means involve restricting our freedom too.
In DefectiveByDesign.org we organize protests against such devices. They don't deserve help.
In this context, I believe both terms are interchangeable and effectively mean the same thing. It is secure because only authenticated code is allowed to be executed, thus another step to avoid piracy,
If that is meant to refer to sharing of copies of published works, please don't call that "piracy". That is a propaganda term which is used to spread the assumption that sharing is bad. See http://www.gnu.org/philosophy/words-to-avoid.html.
Richard,
Richard Stallman wrote:
Embedded systems using core soc silicon from a number of manufacturers have started to use what is known as 'secure boot'. This is typically the case in applications which utilise conditional access system software to protect content. The emphasis on using secure boot is largely driven by the conditional access industry itself.The principal purpose of these products is to restrict the public's freedom. So it is natural that their means involve restricting our freedom too.
You are right in many cases, but on the other hand especially in the embedded market there are lots of systems which should definitivly NOT boot every code provided. Just some examples:
- automotive control units: Think about cars being on the highway with many fancy features built into their electronics (from their owners), which unfortunately are a security risk for the owner and others on the road. If a major accident is caused by modified car control software, who will be sued in the first run? The owner (already dead?)? Or the car manufacturer who made the system open to changes from everyone?
- medical equipment: Think what nice features could be implemented into these many machines located in the emergency room... Accessible to any person who comes by.
My personal believe is that there are many examples of embedded systems, that should only execute software that has been carefully tested.
And I don't like the idea to see this area as non-compatible with free software like U-Boot, Linux and others.
wkr,
Thomas.
In DefectiveByDesign.org we organize protests against such devices. They don't deserve help.
In this context, I believe both terms are interchangeable and effectively mean the same thing. It is secure because only authenticated code is allowed to be executed, thus another step to avoid piracy,If that is meant to refer to sharing of copies of published works, please don't call that "piracy". That is a propaganda term which is used to spread the assumption that sharing is bad. See http://www.gnu.org/philosophy/words-to-avoid.html. _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
- automotive control units: Think about cars being on the highway with many fancy features built into their electronics (from their owners), which unfortunately are a security risk for the owner and others on the road.
I don't think cars depend on software for safety as such. If a computer breaks down, the engine mail run badly -- but if you run out of gas, it might stop entirely. You can still steer the car.
If someday cars do have computers whose proper functioning is necessary for safety, we could use airplanes as a policy example. If you own a small plane, you are free to change it, but you need to get the change inspectied for airworthiness.
- medical equipment: Think what nice features could be implemented into these many machines located in the emergency room... Accessible to any person who comes by.
Being free to change your copy of a program does not mean you must let anyone and everyone change your copy. For instance, the code on my netbook is all free software, but it is not generally accessible to anyone but me.
On Thursday 25 June 2009 19:29:26 Richard Stallman wrote:
- automotive control units: Think about cars being on the highway with many fancy features built into their electronics (from their owners), which unfortunately are a security risk for the owner and others on the road.I don't think cars depend on software for safety as such. If a computer breaks down, the engine mail run badly -- but if you run out of gas, it might stop entirely. You can still steer the car.
If someday cars do have computers whose proper functioning is necessary for safety, we could use airplanes as a policy example. If you own a small plane, you are free to change it, but you need to get the change inspectied for airworthiness.
this is pure wishful thinking. people personally modifying software in their car are not going to go get it recertified.
- medical equipment: Think what nice features could be implemented into these many machines located in the emergency room... Accessible to any person who comes by.Being free to change your copy of a program does not mean you must let anyone and everyone change your copy. For instance, the code on my netbook is all free software, but it is not generally accessible to anyone but me.
none of your scenarios are applicable to the issues Thomas raised. public safety is significantly more important than a handful of hackers here. i'm not going to knowingly subject myself to a medical device that emits radiation (e.g. x-ray machine) that allows anyone to modify it. that sucker had better be locked down to prevent any uncertified (e.g. signed) software modifications. companies that have access to the hardware capabilities to prevent this (i.e. secure boot) and dont implement it are blatantly negligent. -mike
> - medical equipment: Think what nice features could be implemented into > these many machines located in the emergency room... Accessible to any > person who comes by. > > Being free to change your copy of a program does not mean you must let > anyone and everyone change your copy. For instance, the code on my > netbook is all free software, but it is not generally accessible to > anyone but me.
none of your scenarios are applicable to the issues Thomas raised.
My argument shows that his scenario is unrealistic in supposing that "any person who comes by" can change the software in computers in the hospital. If the hospital has the key to install modified software, "any person who comes by" will not know the key. Even most of the staff will not know it.
There probably are ways that people could sabotage the equipment if they were determined to do so. Physically, that is. A person with experience in servicing these machines could find a way to make them work wrong but not obviously wrong in a couple of minutes. Computers don't change the situation.
It makes no sense to demand a double set of bars over the window while ignoring the flimsy door with a weak lock.
Therefore, there is no real issue with these medical devices. But even if there were, the requirement for installation information in GPLv3 does not apply to products specifically for hospitals, since they are not consumer products.
Richard,
Richard Stallman wrote:
- automotive control units: Think about cars being on the highway with many fancy features built into their electronics (from their owners), which unfortunately are a security risk for the owner and others on the road.I don't think cars depend on software for safety as such. If a computer breaks down, the engine mail run badly -- but if you run out of gas, it might stop entirely. You can still steer the car.
You are only concentrating on the motor control. I am not sure about the technical skill of the American automotive industry (grin, grin), but at least in Europe SOME cars already have some safety functions based on computer systems for good reason.
If someday cars do have computers whose proper functioning is necessary for safety, we could use airplanes as a policy example. If you own a small plane, you are free to change it, but you need to get the change inspectied for airworthiness.
Right. The car owner must. But what happens if he doesn't? After a major accident, will the lawyers really sue the car owner? Or the company who let the car owner tinker around in the ECU?
Keep in mind that for most car owners, it is much easier to understand the safety aspects of a mechanical modification of the car than all safety aspects of a SW modification.
- medical equipment: Think what nice features could be implemented into these many machines located in the emergency room... Accessible to any person who comes by.Being free to change your copy of a program does not mean you must let anyone and everyone change your copy. For instance, the code on my netbook is all free software, but it is not generally accessible to anyone but me.
Just out of curiousity: Which percentage of that SW is already GPLv3?
wkr, Thomas.
On Wednesday 24 June 2009 20:59:11 Richard Stallman wrote:
Embedded systems using core soc silicon from a number of manufacturers have started to use what is known as 'secure boot'. This is typicallythe case in applications which utilise conditional access system software to protect content. The emphasis on using secure boot is largely driven by the conditional access industry itself.
The principal purpose of these products is to restrict the public's freedom. So it is natural that their means involve restricting our freedom too.
it sure is nice to make generalities as it makes your resulting argument so much easier to digest. the companies ive worked with could give two sh*ts about end customers tinkering with their products. they're interested in keeping their product secure from other people in their respective industry and from malicious tampering for regulation/safety purposes. -mike
On Thu, 25 Jun 2009, Mike Frysinger wrote:
On Wednesday 24 June 2009 20:59:11 Richard Stallman wrote:
Embedded systems using core soc silicon from a number ofmanufacturers
have started to use what is known as 'secure boot'. This istypically
the case in applications which utilise conditional access system
software
to protect content. The emphasis on using secure boot is largely
driven by
the conditional access industry itself.
The principal purpose of these products is to restrict the public's freedom. So it is natural that their means involve restricting our freedom too.
it sure is nice to make generalities as it makes your resulting argument so much easier to digest. the companies ive worked with could give two sh*ts about end customers tinkering with their products. they're interested in keeping their product secure from other people in their respective industry and from malicious tampering for regulation/safety purposes.
I would like to add that sometimes regulations EXPLICITELY require secure boot. No product can be approved without it. And this does not have anything to do with public's freedom. Just one example is gambling industry which I happen to work right now. Nobody cares about cloning or public's freedom here. What they care about is that nobody can cheat on those nice shiny machines that sometimes let a lucky person to win a multimillion jackpot.
--- ****************************************************************** * KSI@home KOI8 Net < > The impossible we do immediately. * * Las Vegas NV, USA < > Miracles require 24-hour notice. * ******************************************************************
ksi@koi8.net a écrit :
On Thu, 25 Jun 2009, Mike Frysinger wrote:
On Wednesday 24 June 2009 20:59:11 Richard Stallman wrote:
The principal purpose of these products is to restrict the public's freedom. So it is natural that their means involve restricting our freedom too.
it sure is nice to make generalities as it makes your resulting argument so much easier to digest. the companies ive worked with could give two sh*ts about end customers tinkering with their products. they're interested in keeping their product secure from other people in their respective industry and from malicious tampering for regulation/safety purposes.
I would like to add that sometimes regulations EXPLICITELY require secure boot. No product can be approved without it. And this does not have anything to do with public's freedom. Just one example is gambling industry which I happen to work right now. Nobody cares about cloning or public's freedom here. What they care about is that nobody can cheat on those nice shiny machines that sometimes let a lucky person to win a multimillion jackpot.
Please point out precisely the regulations that require secure boot. Should be trivial as regulations are by definition public.
I failed to understand how a secure booted machine can be updated by the manufacturer to fix a bug for example, but not by a customer.
Regards,
Jean-Christian de Rivaz
On Thu, 25 Jun 2009, Jean-Christian de Rivaz wrote:
ksi@koi8.net a ?crit :
On Thu, 25 Jun 2009, Mike Frysinger wrote:
On Wednesday 24 June 2009 20:59:11 Richard Stallman wrote:
The principal purpose of these products is to restrict the
public's
freedom. So it is natural that their means involve restricting
our
freedom too.
it sure is nice to make generalities as it makes your resulting
argument
so much easier to digest. the companies ive worked with could give
two
sh*ts about end customers tinkering with their products. they're interested in keeping their product secure from other people in their
respective
industry and from malicious tampering for regulation/safety
purposes.
I would like to add that sometimes regulations EXPLICITELY require
secure
boot. No product can be approved without it. And this does not have
anything
to do with public's freedom. Just one example is gambling industry
which I
happen to work right now. Nobody cares about cloning or public's
freedom
here. What they care about is that nobody can cheat on those nice
shiny
machines that sometimes let a lucky person to win a multimillion
jackpot.
Please point out precisely the regulations that require secure boot. Should be trivial as regulations are by definition public.
Do you happen to know what "Google" is?
This is our Nevada regulations:
http://gaming.nv.gov/stats_regs.htm
I failed to understand how a secure booted machine can be updated by the manufacturer to fix a bug for example, but not by a customer.
The manufacturer can _NOT_ update his machine at will. _EACH AND EVERY_ change goes through the same approval process.
And one more hint--external hackers is _NOT_ the primary concern here. The most important task is to make cheating by casino _EMPLOYEES_ as difficult as it's possible.
--- ****************************************************************** * KSI@home KOI8 Net < > The impossible we do immediately. * * Las Vegas NV, USA < > Miracles require 24-hour notice. * ******************************************************************
ksi@koi8.net a écrit :
Please point out precisely the regulations that require secure boot. Should be trivial as regulations are by definition public.
Do you happen to know what "Google" is?
Yes, thanks :-)
For example this document have the term "secure boot": http://www.dcg.virginia.gov/supplier/sup-rules/standards.shtm The wording is this one: "D. Electronic Bingo [...] 3. [...] Security measures that may be employed to comply with these provisions include, but are not limited to the use of dongles, digital signature comparison hardware and software; secure boot loaders, encryption, and key and callback password systems."
The term "secure boot" is listed as a possibility, not as a requirement.
Now I don't have the time to parse every possible document that Google propose. This is why I politely ask a precise example, as I was under the impression that some peoples know very well this subject.
This is our Nevada regulations:
I don't have the time to parse all the documents listed at this URL, but I downloaded the one I suspect is the more relevant: http://gaming.nv.gov/stats_regs/reg14_tech_stnds.pdf And I cannot found "secure boot" into it.
I failed to understand how a secure booted machine can be updated by the manufacturer to fix a bug for example, but not by a customer.
The manufacturer can _NOT_ update his machine at will. _EACH AND EVERY_ change goes through the same approval process.
Still, technically the hardware have only two possibility: 1) it can be reprogrammed. 2) it can't be reprogrammed.
If 1), I dont' see how the a boot loader can't be replaced by a less secure one and let boot anything.
if 2), there is not point as nobody can possibly make any update, so the firmware don't have to be secured.
Regards,
Jean-Christian de Rivaz
On Thu, 25 Jun 2009, Jean-Christian de Rivaz wrote:
ksi@koi8.net a ?crit :
Please point out precisely the regulations that require secure boot. Should be trivial as regulations are by definition public.
Do you happen to know what "Google" is?
Yes, thanks :-)
For example this document have the term "secure boot": http://www.dcg.virginia.gov/supplier/sup-rules/standards.shtm The wording is this one: "D. Electronic Bingo [...] 3. [...] Security measures that may be employed to comply with these provisions include, but are not limited to the use of dongles, digital signature comparison hardware and software; secure boot loaders, encryption, and key and callback password systems."
The term "secure boot" is listed as a possibility, not as a requirement.
Now I don't have the time to parse every possible document that Google propose. This is why I politely ask a precise example, as I was under the impression that some peoples know very well this subject.
This is our Nevada regulations:
I don't have the time to parse all the documents listed at this URL, but I downloaded the one I suspect is the more relevant: http://gaming.nv.gov/stats_regs/reg14_tech_stnds.pdf And I cannot found "secure boot" into it.
Are you looking for a precise phrase?
I failed to understand how a secure booted machine can be updated by
the
manufacturer to fix a bug for example, but not by a customer.
The manufacturer can _NOT_ update his machine at will. _EACH AND
EVERY_
change goes through the same approval process.
Still, technically the hardware have only two possibility:
- it can be reprogrammed.
- it can't be reprogrammed.
If 1), I dont' see how the a boot loader can't be replaced by a less secure one and let boot anything.
if 2), there is not point as nobody can possibly make any update, so the firmware don't have to be secured.
You are trying to make sense out of the regulations. It doesn't work this way. If regulations say "one must use a screwdriver with a red handle on this screw" one must use the red screwdriver. No matter if it makes sense or not. If you feel it's bullshit you should fight for the regulation to change that is a very long (years, not months) and very difficult process. In the meantime you _MUST_ use that red screwdriver.
Then you should read not only technical part but also a procedural one on how approvals are given. You must persuade the Commision to give you an approval. And they give them at their discretion. And you can NOT sue them.
Finally don't forget that your employees all want to get their salary paid and that comes from your business revenues. No approval == No business. Good luck fighting regulations.
--- ****************************************************************** * KSI@home KOI8 Net < > The impossible we do immediately. * * Las Vegas NV, USA < > Miracles require 24-hour notice. * ******************************************************************
ksi@koi8.net a écrit :
On Thu, 25 Jun 2009, Jean-Christian de Rivaz wrote:
ksi@koi8.net a ?crit :
Please point out precisely the regulations that require secure boot. Should be trivial as regulations are by definition public.
Do you happen to know what "Google" is?
Yes, thanks :-)
For example this document have the term "secure boot": http://www.dcg.virginia.gov/supplier/sup-rules/standards.shtm The wording is this one: "D. Electronic Bingo [...] 3. [...] Security measures that may be employed to comply with these provisions include, but are not limited to the use of dongles, digital signature comparison hardware and software; secure boot loaders, encryption, and key and callback password systems."
The term "secure boot" is listed as a possibility, not as a requirement.
Now I don't have the time to parse every possible document that Google propose. This is why I politely ask a precise example, as I was under the impression that some peoples know very well this subject.
This is our Nevada regulations:
I don't have the time to parse all the documents listed at this URL, but I downloaded the one I suspect is the more relevant: http://gaming.nv.gov/stats_regs/reg14_tech_stnds.pdf And I cannot found "secure boot" into it.
Are you looking for a precise phrase?
I want to look deeper into the subject. I think that if a regulation make a technical point as a requirement, then it must more or less describe the technical point so that it can be implemented is a way it work as expected. As an engineer, I think that a "secure boot" is only a buzz word: if the system can be physically modified, it can't be secured. If it can't be physically modified, then you don't need a secure boot.
I failed to understand how a secure booted machine can be updated by
the
manufacturer to fix a bug for example, but not by a customer.
The manufacturer can _NOT_ update his machine at will. _EACH AND
EVERY_
change goes through the same approval process.
Still, technically the hardware have only two possibility:
- it can be reprogrammed.
- it can't be reprogrammed.
If 1), I dont' see how the a boot loader can't be replaced by a less secure one and let boot anything.
if 2), there is not point as nobody can possibly make any update, so the firmware don't have to be secured.
You are trying to make sense out of the regulations. It doesn't work this way. If regulations say "one must use a screwdriver with a red handle on this screw" one must use the red screwdriver. No matter if it makes sense or not. If you feel it's bullshit you should fight for the regulation to change that is a very long (years, not months) and very difficult process. In the meantime you _MUST_ use that red screwdriver.
Then you should read not only technical part but also a procedural one on how approvals are given. You must persuade the Commision to give you an approval. And they give them at their discretion. And you can NOT sue them.
In this second part, I don't make reference to regulation. I only talk about the technical problem of reprogramming a system.
Finally don't forget that your employees all want to get their salary paid and that comes from your business revenues. No approval == No business. Good luck fighting regulations.
Why do you think I want to fight regulation ? I actually be more concerned about understanding how a proprietary hidden piece of code into u-boot can possibly make a system satisfy a security regulation.
Regards,
Jean-Christian de Rivaz
On Thu, 25 Jun 2009, Jean-Christian de Rivaz wrote:
ksi@koi8.net a ?crit :
On Thu, 25 Jun 2009, Jean-Christian de Rivaz wrote:
ksi@koi8.net a ?crit :
Please point out precisely the regulations that require secure
boot.
Should be trivial as regulations are by definition public.
Do you happen to know what "Google" is?
Yes, thanks :-)
For example this document have the term "secure boot": http://www.dcg.virginia.gov/supplier/sup-rules/standards.shtm The wording is this one: "D. Electronic Bingo [...] 3. [...] Security measures that may be employed to comply with these provisions include, but are not limited to the use of dongles,
digital
signature comparison hardware and software; secure boot loaders, encryption, and key and callback password systems."
The term "secure boot" is listed as a possibility, not as a
requirement.
Now I don't have the time to parse every possible document that
propose. This is why I politely ask a precise example, as I was
under
the impression that some peoples know very well this subject.
This is our Nevada regulations:
I don't have the time to parse all the documents listed at this URL,
but
I downloaded the one I suspect is the more relevant: http://gaming.nv.gov/stats_regs/reg14_tech_stnds.pdf And I cannot found "secure boot" into it.
Are you looking for a precise phrase?
I want to look deeper into the subject. I think that if a regulation make a technical point as a requirement, then it must more or less describe the technical point so that it can be implemented is a way it work as expected. As an engineer, I think that a "secure boot" is only a buzz word: if the system can be physically modified, it can't be secured. If it can't be physically modified, then you don't need a secure boot.
It is not just technical measures; it is a complex of them and different operating procedures.
When you hit a jackpot the machine should be immediately stopped (hang) in that state and nobody should touch it. Then a controller comes into the scene. He pulls all the EPROM chips from the machine and checks them with MD5 or whatever is approved and checks every single piece of programmable hardware with some procedure approved for this particular model. That would not prevent a cheating casino employee from replacing some EPROM chip (or whatever) with his own one but it will NOT allow for stuffing the original one back once the jackpot is hit so the cheating will be detected.
That's only one example...
I failed to understand how a secure booted machine can be
updated by
the
manufacturer to fix a bug for example, but not by a customer.
The manufacturer can _NOT_ update his machine at will. _EACH AND
EVERY_
change goes through the same approval process.
Still, technically the hardware have only two possibility:
- it can be reprogrammed.
- it can't be reprogrammed.
If 1), I dont' see how the a boot loader can't be replaced by a less secure one and let boot anything.
if 2), there is not point as nobody can possibly make any update, so
the
firmware don't have to be secured.
You are trying to make sense out of the regulations. It doesn't work
this
way. If regulations say "one must use a screwdriver with a red handle
on
this screw" one must use the red screwdriver. No matter if it makes
sense or
not. If you feel it's bullshit you should fight for the regulation to
change
that is a very long (years, not months) and very difficult process. In
the
meantime you _MUST_ use that red screwdriver.
Then you should read not only technical part but also a procedural one
on
how approvals are given. You must persuade the Commision to give you
an
approval. And they give them at their discretion. And you can NOT sue
them.
In this second part, I don't make reference to regulation. I only talk about the technical problem of reprogramming a system.
Ah, that's absolutely orthogonal issue... We do NOT do something stupid from engineering standpoint because it makes sense (and quite often it doesn't) but because the regulations and the Commission's understanding of them requires that.
Yes, many of those are stupid and outdated but they do a good job anyways; there is not that much cheating in our casinos.
Finally don't forget that your employees all want to get their salary
paid
and that comes from your business revenues. No approval == No
business. Good
luck fighting regulations.
Why do you think I want to fight regulation ? I actually be more concerned about understanding how a proprietary hidden piece of code into u-boot can possibly make a system satisfy a security regulation.
It is not just hardware/software. The latter is only a part of solution. It is NOT the machine that pays that jackpot, it is real humans. There is no way to make the system unbreakable and impossible to cheat on. That's why an additional layer of security is being able to DETECT that system had been cheated on.
--- ****************************************************************** * KSI@home KOI8 Net < > The impossible we do immediately. * * Las Vegas NV, USA < > Miracles require 24-hour notice. * ******************************************************************
ksi@koi8.net a écrit :
I downloaded the one I suspect is the more relevant: http://gaming.nv.gov/stats_regs/reg14_tech_stnds.pdf And I cannot found "secure boot" into it.
Are you looking for a precise phrase?
I want to look deeper into the subject. I think that if a regulation make a technical point as a requirement, then it must more or less describe the technical point so that it can be implemented is a way it work as expected. As an engineer, I think that a "secure boot" is only a buzz word: if the system can be physically modified, it can't be secured. If it can't be physically modified, then you don't need a secure boot.
It is not just technical measures; it is a complex of them and different operating procedures.
Yes, I known that. But here we specifically talk about u-boot. You still failed to show a description of how u-boot can be modified to secure a system and why this must be a hidden proprietary code.
I failed to understand how a secure booted machine can be
updated by
the
manufacturer to fix a bug for example, but not by a customer.
The manufacturer can _NOT_ update his machine at will. _EACH AND
EVERY_
change goes through the same approval process.
Still, technically the hardware have only two possibility:
- it can be reprogrammed.
- it can't be reprogrammed.
If 1), I dont' see how the a boot loader can't be replaced by a less secure one and let boot anything.
if 2), there is not point as nobody can possibly make any update, so
the
firmware don't have to be secured.
[...]
Ah, that's absolutely orthogonal issue... We do NOT do something stupid from engineering standpoint because it makes sense (and quite often it doesn't) but because the regulations and the Commission's understanding of them requires that.
Yes, many of those are stupid and outdated but they do a good job anyways; there is not that much cheating in our casinos.
You seem to agree that a "secure boot" is maybe not more that only a marketing word...
[...]
Why do you think I want to fight regulation ? I actually be more concerned about understanding how a proprietary hidden piece of code into u-boot can possibly make a system satisfy a security regulation.
It is not just hardware/software. The latter is only a part of solution. It is NOT the machine that pays that jackpot, it is real humans. There is no way to make the system unbreakable and impossible to cheat on. That's why an additional layer of security is being able to DETECT that system had been cheated on.
So why using open source at all if you think that hidden code is a way to make a system more secure ? It highly not consistent !
Regards,
Jean-Christian de Rivaz
On Thu, 25 Jun 2009, Jean-Christian de Rivaz wrote:
ksi@koi8.net a ?crit :
I downloaded the one I suspect is the more relevant: http://gaming.nv.gov/stats_regs/reg14_tech_stnds.pdf And I cannot found "secure boot" into it.
Are you looking for a precise phrase?
I want to look deeper into the subject. I think that if a regulation make a technical point as a requirement, then it must more or less describe the technical point so that it can be implemented is a way
it
work as expected. As an engineer, I think that a "secure boot" is
only a
buzz word: if the system can be physically modified, it can't be secured. If it can't be physically modified, then you don't need a secure boot.
It is not just technical measures; it is a complex of them and
different
operating procedures.
Yes, I known that. But here we specifically talk about u-boot. You still failed to show a description of how u-boot can be modified to secure a system and why this must be a hidden proprietary code.
> I failed to understand how a secure booted machine can be
updated by
the
> manufacturer to fix a bug for example, but not by a
customer.
The manufacturer can _NOT_ update his machine at will. _EACH
AND
EVERY_
change goes through the same approval process.
Still, technically the hardware have only two possibility:
- it can be reprogrammed.
- it can't be reprogrammed.
If 1), I dont' see how the a boot loader can't be replaced by a
less
secure one and let boot anything.
if 2), there is not point as nobody can possibly make any
update, so
the
firmware don't have to be secured.
[...]
Ah, that's absolutely orthogonal issue... We do NOT do something
stupid from
engineering standpoint because it makes sense (and quite often it
doesn't)
but because the regulations and the Commission's understanding of them requires that.
Yes, many of those are stupid and outdated but they do a good job
anyways;
there is not that much cheating in our casinos.
You seem to agree that a "secure boot" is maybe not more that only a marketing word...
No, this does not have the same strict meaning as "#6-32x1/2" slotted head steel zinc plated machine screw." It is a set of different features. Here is e.g. a Freescale's whitepaper on one of their SoCs:
http://www.freescale.com/files/32bit/doc/white_paper/IMX31SECURITYWP.pdf
[...]
Why do you think I want to fight regulation ? I actually be more concerned about understanding how a proprietary hidden piece of code into u-boot can possibly make a system satisfy a security
regulation.
It is not just hardware/software. The latter is only a part of
solution. It
is NOT the machine that pays that jackpot, it is real humans. There is
no
way to make the system unbreakable and impossible to cheat on. That's
why an
additional layer of security is being able to DETECT that system had
been
cheated on.
So why using open source at all if you think that hidden code is a way to make a system more secure ? It highly not consistent !
Who is talking about hidden code? It can be open source. And quite often it is. And most of that code, BTW, is written by the people who are paid to do it. If you want to make us drop U-Boot and write our own firmware no problems, that's just additional job security for us. But don't expect all those people to do anything on U-Boot and forget about their contributions.
--- ****************************************************************** * KSI@home KOI8 Net < > The impossible we do immediately. * * Las Vegas NV, USA < > Miracles require 24-hour notice. * ******************************************************************
ksi@koi8.net a écrit :
Ah, that's absolutely orthogonal issue... We do NOT do something
stupid from
engineering standpoint because it makes sense (and quite often it
doesn't)
but because the regulations and the Commission's understanding of them requires that.
Yes, many of those are stupid and outdated but they do a good job
anyways;
there is not that much cheating in our casinos.
You seem to agree that a "secure boot" is maybe not more that only a marketing word...
No, this does not have the same strict meaning as "#6-32x1/2" slotted head steel zinc plated machine screw." It is a set of different features. Here is e.g. a Freescale's whitepaper on one of their SoCs:
http://www.freescale.com/files/32bit/doc/white_paper/IMX31SECURITYWP.pdf
This paper mainly describes hardware features that are not relevant for u-boot. The ROM authenticate a script that authenticate the boot loader (u-boot) that authenticate the firmware image (kernel and RO filesystem). The ability to update this system is controlled by a chain of asymmetric keys.
It seem that the GPLv3 do not require to publish the private key if this is not a consumer product. I suspect that if a regulation exists for a product that require a security schema, then GPLv3 also do not force to publish the private key, but that must be carefully verified.
In a more philosophical aspect, and as a customer, I can understand that some code are dangerous to modify and are secured, but there is a real issues that the security is also used to abuse the freedom to modify a system that don't require a high level of security. What you will do the day you can't find a computer that can't boot a Open Source system ? The GPLv3 is maybe right by requiring to allow to modify a system as long as this is not restricted by a regulation for safety reason.
[...]
Why do you think I want to fight regulation ? I actually be more concerned about understanding how a proprietary hidden piece of code into u-boot can possibly make a system satisfy a security
regulation.
It is not just hardware/software. The latter is only a part of
solution. It
is NOT the machine that pays that jackpot, it is real humans. There is
no
way to make the system unbreakable and impossible to cheat on. That's
why an
additional layer of security is being able to DETECT that system had
been
cheated on.
So why using open source at all if you think that hidden code is a way to make a system more secure ? It highly not consistent !
Who is talking about hidden code? It can be open source. And quite often it is. And most of that code, BTW, is written by the people who are paid to do it. If you want to make us drop U-Boot and write our own firmware no problems, that's just additional job security for us. But don't expect all those people to do anything on U-Boot and forget about their contributions.
Pretty aggressive position. If I understand you correctly, there is already a asymmetric key authentication code to secure a firmware in u-boot. Please point out where it is because I can't find it in the last GIT tree.
Regards,
Jean-Christian de Rivaz
I would like to add that sometimes regulations EXPLICITELY require secure boot. No product can be approved without it. And this does not have anything to do with public's freedom. Just one example is gambling industry which I happen to work right now.
Gambling machines for casinos are not consumer products, so GPLv3's requirement to deliver installation information does not apply to them.
> Embedded systems using core soc silicon from a number of manufacturers > have started to use what is known as 'secure boot'. This is typically > the case in applications which utilise conditional access system software > to protect content. The emphasis on using secure boot is largely driven by > the conditional access industry itself. > > The principal purpose of these products is to restrict the public's > freedom. So it is natural that their means involve restricting our > freedom too.
it sure is nice to make generalities as it makes your resulting argument so much easier to digest. the companies ive worked with could give two sh*ts about end customers tinkering with their products. they're interested in keeping their product secure from other people in their respective industry and from malicious tampering for regulation/safety purposes.
The comment I responded to talked about the "conditional access industry" and my response was about those products too. I stand by what I said about them.
Your various messages suggest that you are talking about other kinds of products, so that your experience does not conflict with what I said.
I can assure you that today If we switch the V2 to the v3 we will lose a lot of customers
Are the users of U-Boot usually customers? That term normally refers to people that buy a commercial product or service.
And force to give the private key which use to sign the code is not reallist it's a security flaw
I have a computer on which I can install any code I choose. I don't think that is a security flaw.
On the contrary, if only one company can install a new version, that is a grave security flaw for me as a user.
On 20:59 Wed 24 Jun , Richard Stallman wrote:
I can assure you that today If we switch the V2 to the v3 we will lose a lot of customersAre the users of U-Boot usually customers? That term normally refers to people that buy a commercial product or service.
This where I disagree my customer are firm that will hire me or buy me something too. In this case the firm can require for their business secure boot. You only see the one part of the business and the world.
And force to give the private key which use to sign the code is not reallist it's a security flawI have a computer on which I can install any code I choose. I don't think that is a security flaw.
For your personnal computer fine, but all products will not have the same requirements or targets.
On the contrary, if only one company can install a new version, that is a grave security flaw for me as a user.
If I use a GPLv3 bootloader in a medical tool, a car, Point of payment terminal, Military System, etc... it is a grave security flaw. I'm not sure that you will be very happy if someone can modify the Firmware freely. As you may loose money to be killed and at the extrem kill millions of people.
I do not think the v3 is a benefit. I'll never accept the concept to an opensource licence that will force me to use a software in a specific way that someone will choose for me as do the v3. It will be freedom kill.
Here you try to restrict people freedom because you do not like what they do. It will result as the same as live in jail.
Please remember I can create what product I want with opensource component I'm free to do it If I accept the fact ot reverse code to the community or at least to your customer.
I think you take the problem in the wrong way. You want to be able to do what you want with your hardware fine so do not buy non upgradable hardware. Help people as I to convince firm to develop - when it's possible - full opensource product as the openmoko, beagle project etc...
In this case it will be a win-win in the otherway it's extremist, business and freedom kill
In France we have this "la liberté de chacun s'arrete ou celle d'autrui commence" you can transalte by something like this Your freedom will stop where the freedom of someone else will start
So the GPLv3 no
Best Regards, J.
If I use a GPLv3 bootloader in a medical tool, a car, Point of payment terminal, Military System, etc... it is a grave security flaw. I'm not sure that you will be very happy if someone can modify the Firmware freely. As you may loose money to be killed and at the extrem kill millions of people.
There is no need to exaggerate. Millions of people modify cars physically, and it is not a dangerous practice.
If you buy a car, or a medical tool for my own use, you deserve to be able to change the software in it, just as you can change it physically.
The other systems that you speak of are not consumer products, so this requirement in GPLv3 does not apply to them.
I do not think the v3 is a benefit. I'll never accept the concept to an opensource licence that will force me to use a software in a specific way that someone will choose for me as do the v3. It will be freedom kill.
You seem to be worried about something you haven't described clearly. I think you're afraid of shadows, but since you have not described them clearly, I really don't know.
All I can say is that no version of the GPL was meant to be an open source license. Thinking of it in terms of "open source" will tend to be an obstacle to understanding it.
On 00:50 Fri 26 Jun , Richard Stallman wrote:
If I use a GPLv3 bootloader in a medical tool, a car, Point of payment terminal, Military System, etc... it is a grave security flaw. I'm not sure that you will be very happy if someone can modify the Firmware freely. As you may loose money to be killed and at the extrem kill millions of people.There is no need to exaggerate. Millions of people modify cars physically, and it is not a dangerous practice.
It is.
If you buy a car, or a medical tool for my own use, you deserve to be able to change the software in it, just as you can change it physically.
Certanly not when you use your car your are also on the public domain (road) so it your car have a system faillure you can kill yourself and kill other people. Remember that you are not allow to modify your car as your wish there is law that will forbiden you to do this in a lot' of country.
The other systems that you speak of are not consumer products, so this requirement in GPLv3 does not apply to them.
in a Point of payment terminal it does not apply are sure? There are distributed to storekeeper and you use your credit card in there shop. So in your idea they modify it and if they stole your credit card number and secret code and then stole your money. No Way
I do not think the v3 is a benefit. I'll never accept the concept to an opensource licence that will force me to use a software in a specific way that someone will choose for me as do the v3. It will be freedom kill.You seem to be worried about something you haven't described clearly. I think you're afraid of shadows, but since you have not described them clearly, I really don't know.
as example with the v3 you force me to give you my private key that I use to protect the product this is not acceptable
All I can say is that no version of the GPL was meant to be an open source license. Thinking of it in terms of "open source" will tend to be an obstacle to understanding it.
Sorry you only think about yourself and your interest, I respect the GPLv2 and the work have been done around. But the GPLv3 is an extremism that I do not want to go.
Best Regards, J.
Hi Jean-Christophe,
On 00:50 Fri 26 Jun , Richard Stallman wrote:
If I use a GPLv3 bootloader in a medical tool, a car, Point of payment terminal, Military System, etc... it is a grave security flaw. I'm not sure that you will be very happy if someone can modify the Firmware freely. As you may loose money to be killed and at the extrem kill millions of people.There is no need to exaggerate. Millions of people modify cars physically, and it is not a dangerous practice.
It is.
If you buy a car, or a medical tool for my own use, you deserve to be able to change the software in it, just as you can change it physically.
Certanly not when you use your car your are also on the public domain (road) so it your car have a system faillure you can kill yourself and kill other people. Remember that you are not allow to modify your car as your wish there is law that will forbiden you to do this in a lot' of country.
It seems that you have very strong interests on the software side, which need to be considered separately, but here you are really distorting actual reality. As this example is likely best known to everybody, I'll comment on this one - it seems currently too much work without a prospect of any gain to comment on everything.
Of course you can modify your own car. This is *not* forbidden - why do you claim such a thing? Heck you can even attach a rocket to it *as long* as you don't use the car on public streets. If you do, all you got to do is to get your modifications approved. No big deal, go to a <insert favorite car brand here> meeting and look at the cars there.
I can even build my own car from scratch and get it certified.
Although I wanted to restrict myself to cars - it's the same with planes. It is common practice for example to modify glider planes (increasing wing span for example to be more competitive today) for which the manufacturer even *does not exist* any more today. Admittedly this is some work to get it certified, but it is doable by a private person for sure, I personally know some.
Actually I can even build my own *plane* and still get it certified (this is not uncommon).
Cheers Detlev
Detlev,
Detlev Zundel schrieb:
Hi Jean-Christophe,
On 00:50 Fri 26 Jun , Richard Stallman wrote:
...
If you buy a car, or a medical tool for my own use, you deserve to be able to change the software in it, just as you can change it physically.
Certanly not when you use your car your are also on the public domain (road) so it your car have a system faillure you can kill yourself and kill other people. Remember that you are not allow to modify your car as your wish there is law that will forbiden you to do this in a lot' of country.
...
Of course you can modify your own car. This is *not* forbidden - why do you claim such a thing? Heck you can even attach a rocket to it *as long* as you don't use the car on public streets. If you do, all you got to do is to get your modifications approved. No big deal, go to a <insert favorite car brand here> meeting and look at the cars there.
I can even build my own car from scratch and get it certified.
Maybe you are right.
But for actually modifying safety critcal software (e.g. for airbag control, ABS/ESP control, not talking about break-by-wire/steer by wire systems) properly you will need MUCH more than the source code. You will need the requirements specifications, the SW design documentation, the test specifications.
Wouldn't it make sense to add a paragraph to the GPL, stating that a company using GPL software in their system must also provide all that documentation to their customers? Only then the SW modification can be properly done?
Don't forget that a proper test area is also needed, which can simulate all kind of street conditions. For ABS/Airbag you may also need a crash test environment including soem sample cars to try thigns out.
Without access to these, you will not be able to prove proper system behaviour to the certification authorities.
(set the irony tag wherever you find it suitable.
Back to being earnest: I think the GPL is a very important license to generate open-source software and that the results on the SW quality are very significant. The switch to GPLv3 may make sense for many SW systems, mainly in the desktop/gadget area.
Even the traditional industry has learned in the last few years, that open source software is nothing to be afraid of and that sharing the own general know how based on SW improvements is a benefit for all.
But similar to the fact, that there is not ONE operating system fitting all needs and ONE SW package fitting all needs, there also is not ONE OS license, that fits to all requirements.
So once again I think GPLv3 for U-Boot would avoid using it in many possible applications, which would be a loss for the project and its users.
wkr, Thomas.
Wouldn't it make sense to add a paragraph to the GPL, stating that a company using GPL software in their system must also provide all that documentation to their customers? Only then the SW modification can be properly done?
It is not possible for a software license to require this in general. It may be possible to require this in the case where the software is delivered with a product. For GPLv4, we could think about whether this is a good idea. But we are not yet working on a GPLv4.
Don't forget that a proper test area is also needed, which can simulate all kind of street conditions. For ABS/Airbag you may also need a crash test environment including soem sample cars to try thigns out.
Without access to these, you will not be able to prove proper system behaviour to the certification authorities.
I don't know what standards they use. If certification is hard to get, that may discourage people from changing this software. Whether that is a good or a bad outcome, I am not sure. If the certification is indeed necessary, and done reasonably, I suppose the outcome is good.
Be that as it may, it does not excuse letting manufacturers restrict the users for their own purposes.
So once again I think GPLv3 for U-Boot would avoid using it in many possible applications, which would be a loss for the project and its users.
It is important for free software users to remember that they are giving the users something, not vice versa. If people use U-Boot, that is their gain; if they don't use it, that is their loss.
During my work on GCC and other programs, companies often asked me to weaken the license and in exchange we would get "more use" of the program. I respond to them, "More use of the program is just a subgoal; the main goal is to give more users freedom."
Sometimes companies say that they would put a lot of effort into improving a program if the developers change the license. But they do not necessarily contribute much if the developer caves. In effect they are asking to buy a license change on credit and won't even sign an IOU.
Richard,
Richard Stallman wrote:
Wouldn't it make sense to add a paragraph to the GPL, stating that a company using GPL software in their system must also provide all that documentation to their customers? Only then the SW modification can be properly done?It is not possible for a software license to require this in general. It may be possible to require this in the case where the software is delivered with a product. For GPLv4, we could think about whether this is a good idea. But we are not yet working on a GPLv4.
Obviously I should have set the <ironic> tag explicitly. Please don't do that. And if you do, please don't point to me as the originator of that idea. Because I think my "idea" is bad.
wkr, Thomas.
Detlev Zundel schrieb:
Hi Jean-Christophe,
On 00:50 Fri 26 Jun , Richard Stallman wrote:
If I use a GPLv3 bootloader in a medical tool, a car, Point of payment terminal, Military System, etc... it is a grave security flaw. I'm not sure that you will be very happy if someone can modify the Firmware freely. As you may loose money to be killed and at the extrem kill millions of people.There is no need to exaggerate. Millions of people modify cars physically, and it is not a dangerous practice.
It is.
If you buy a car, or a medical tool for my own use, you deserve to be able to change the software in it, just as you can change it physically.
Certanly not when you use your car your are also on the public domain (road) so it your car have a system faillure you can kill yourself and kill other people. Remember that you are not allow to modify your car as your wish there is law that will forbiden you to do this in a lot' of country.
It seems that you have very strong interests on the software side, which need to be considered separately, but here you are really distorting actual reality. As this example is likely best known to everybody, I'll comment on this one - it seems currently too much work without a prospect of any gain to comment on everything.
Of course you can modify your own car. This is *not* forbidden - why do you claim such a thing? Heck you can even attach a rocket to it *as long* as you don't use the car on public streets. If you do, all you got to do is to get your modifications approved. No big deal, go to a <insert favorite car brand here> meeting and look at the cars there.
I can even build my own car from scratch and get it certified.
Although I wanted to restrict myself to cars - it's the same with planes. It is common practice for example to modify glider planes (increasing wing span for example to be more competitive today) for which the manufacturer even *does not exist* any more today. Admittedly this is some work to get it certified, but it is doable by a private person for sure, I personally know some.
Actually I can even build my own *plane* and still get it certified (this is not uncommon).
Cheers Detlev
> The other systems that you speak of are not consumer products, so this > requirement in GPLv3 does not apply to them. in a Point of payment terminal it does not apply are sure?
I am sure. Those are not consumer products. They are made for businesses only.
> You seem to be worried about something you haven't described clearly. > I think you're afraid of shadows, but since you have not described > them clearly, I really don't know. as example with the v3 you force me to give you my private key that I use to protect the product this is not acceptable
To deny the key to the user is not acceptable. It makes the software non-free, and gives the developer power over the user that nobody should have.
On 17:35 Fri 26 Jun , Richard Stallman wrote:
> The other systems that you speak of are not consumer products, so this > requirement in GPLv3 does not apply to them. in a Point of payment terminal it does not apply are sure?I am sure. Those are not consumer products. They are made for businesses only.
Wrong, as example your cell phone can be a part of the PPT, and your also have product on the market that allow you to use a PPT at home instead of just write your credit card number on a website. So your definition of consumer produts is dangerous and will not fit at all because you can not known what we can create
> You seem to be worried about something you haven't described clearly. > I think you're afraid of shadows, but since you have not described > them clearly, I really don't know. as example with the v3 you force me to give you my private key that I use to protect the product this is not acceptableTo deny the key to the user is not acceptable. It makes the software non-free, and gives the developer power over the user that nobody should have.
Certanly not, it will make the product not hackable certanly not the software non-free.
Best Regards, J.
> I am sure. Those are not consumer products. They are made for > businesses only. Wrong, as example your cell phone
For the record, I do not have a cell phone, because I object to the surveillance they do.
can be a part of the PPT, and your also have product on the market that allow you to use a PPT at home instead of just write your credit card number on a website.
Here is the definition from the GPL v3:
A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling.
I am assuming "PPT" refers to point-of-sale terminals, but I can't be sure of that.
Sale terminals models meant for business use are not consumer products; whether they contain a kind of cell phone does not affect the question.
If there is a terminal model made for home use, that might be a consumer product. If so, GPLv3 would require allowing the user to install modified software. It follows that the bank that the user deals with would check for a valid credit card in its server rather than in the device. This is not hard.
> To deny the key to the user is not acceptable. It makes the software > non-free, and gives the developer power over the user that nobody > should have. Certanly not, it will make the product not hackable certanly not the software non-free.
The reason access to source code and freedom to change it are important is so that you can use your changed version. If the product you bought requires changes to be authorized by someone other than you, that freedom has been reduced to a theoretical fiction. So the software is not free.
Hi Mike,
On Tuesday 23 June 2009 15:26:35 Scott Wood wrote:
On Tue, Jun 23, 2009 at 06:33:53PM +0200, Detlev Zundel wrote:
Apart from the the above reasons, currently most people who voiced their opinion (not too many right now) oppose the move. The reasoning seems to be that companies using U-Boot inside a commercial product consider it to be "a neccessary precondition to only accept blessed firmware upgrades" (my wording). What motivates this argument is not completely clear to me. Maybe it is fear of being liable as a product vendor to faulty sw upgrades.
Regardless of what motivates it, people who sell hardware to such customers (and who also contribute to u-boot) may not want to risk losing that business by pushing GPLv3 on them.
indeed. expecting businesses to push other peoples' agenda isnt realistic, especially when the conversation is pretty much a net customer loss for said businesses.
It seems so clear for you, but it isn't for me - where is this net loss for them, what exactly do they loose?
customers arent going to appear because your business is now pushing GPLv3 instead of GPLv2, but they will certainly disappear.
Why will they disappear?
Cheers Detlev
On Wednesday 24 June 2009 05:12:01 Detlev Zundel wrote:
On Tuesday 23 June 2009 15:26:35 Scott Wood wrote:
On Tue, Jun 23, 2009 at 06:33:53PM +0200, Detlev Zundel wrote:
Apart from the the above reasons, currently most people who voiced their opinion (not too many right now) oppose the move. The reasoning seems to be that companies using U-Boot inside a commercial product consider it to be "a neccessary precondition to only accept blessed firmware upgrades" (my wording). What motivates this argument is not completely clear to me. Maybe it is fear of being liable as a product vendor to faulty sw upgrades.
Regardless of what motivates it, people who sell hardware to such customers (and who also contribute to u-boot) may not want to risk losing that business by pushing GPLv3 on them.
indeed. expecting businesses to push other peoples' agenda isnt realistic, especially when the conversation is pretty much a net customer loss for said businesses.
It seems so clear for you, but it isn't for me - where is this net loss for them, what exactly do they loose?
customers arent going to appear because your business is now pushing GPLv3 instead of GPLv2, but they will certainly disappear.
Why will they disappear?
if you want to push your agenda on your customers (i'm assuming you actually have some and arent just here for fun), that's your business. but when customers absolutely state their requirements are secure boot and the ability to lock their hardware so no one else can run things, then i'm not about to argue with them. their response is simply "fine, we'll move on to the next guy who will satisfy our requirements".
they arent generally trying to lock out people who just want to toy, they're targeting people who want to clone their hardware or functionality to create knockoffs or they're trying to guarantee lock down so they can get certified (like medical devices).
that's my practical standpoint from my job experience -- GPLv3 will cause a u- boot fork and the net result is not beneficial to anyone. my completely personal standpoint is the same -- do not use the GPLv3. -mike
Hi Mike,
On Wednesday 24 June 2009 05:12:01 Detlev Zundel wrote:
On Tuesday 23 June 2009 15:26:35 Scott Wood wrote:
On Tue, Jun 23, 2009 at 06:33:53PM +0200, Detlev Zundel wrote:
Apart from the the above reasons, currently most people who voiced their opinion (not too many right now) oppose the move. The reasoning seems to be that companies using U-Boot inside a commercial product consider it to be "a neccessary precondition to only accept blessed firmware upgrades" (my wording). What motivates this argument is not completely clear to me. Maybe it is fear of being liable as a product vendor to faulty sw upgrades.
Regardless of what motivates it, people who sell hardware to such customers (and who also contribute to u-boot) may not want to risk losing that business by pushing GPLv3 on them.
indeed. expecting businesses to push other peoples' agenda isnt realistic, especially when the conversation is pretty much a net customer loss for said businesses.
It seems so clear for you, but it isn't for me - where is this net loss for them, what exactly do they loose?
customers arent going to appear because your business is now pushing GPLv3 instead of GPLv2, but they will certainly disappear.
Why will they disappear?
if you want to push your agenda on your customers (i'm assuming you actually have some and arent just here for fun), that's your business.
Is it possible that you jump to conslusions here? All we - on a regular basis - do is to talk to our customers until we understand what the customer needs. Then we think about how this can or cannot be done with the help of Free Software. After all nobody is forcing anyone to use Free Software and for some customer wishes Free Software may simply be not a legal option, so what?
In this process it is common that customers have incomplete information about Free Software in general and not well-articulated fears making them jump to premature conclusions (e.g. "we need a closed source Linux kernel driver") which would prevent us from doing development for them. At this point it is extremely important to learn about the reasoning of the customer and then clearing up confusion probably leading to revisiting the question of using Free Software.
Essentially I can only remember one customer in the last years who did not go further at the time after learning that we would not develop a non-GPL kernel module. Incidentally this customer is now back on our doorstep because the market effectively forces him to use a GNU/Linux system from a feature perspective. This time around closed sources kernel modules are not even on the agenda anymore.
but when customers absolutely state their requirements are secure boot and the ability to lock their hardware so no one else can run things, then i'm not about to argue with them. their response is simply "fine, we'll move on to the next guy who will satisfy our requirements".
It is your decision if you don't want to even understand your customers needs. I surely do and this is what I try to understand in this thread.
I admit that I did not think this through completely, but how much of this "no one else can run things" is actually connected to the bootloader? U-Boot itself will not be handling "prime content" I guess. Those "secure boot" you talk about - what is it exactly and what are the potential attack vectors of it? Are there vectors besides the bootloader? If so, how does a "non-supporting" bootloader make the situation any worse?
they arent generally trying to lock out people who just want to toy, they're targeting people who want to clone their hardware or functionality to create knockoffs or they're trying to guarantee lock down so they can get certified (like medical devices).
How does GPLv3 vs. GPLv2 touch the "we will get cloned" question? Maybe I do not see the obvious here, but sourcecode to binaries under either license must be available, so what's the difference?
that's my practical standpoint from my job experience -- GPLv3 will cause a u- boot fork and the net result is not beneficial to anyone.
You must have a very good crystal ball. Maybe if my crystal ball was that good I did not need to ask questions.
my completely personal standpoint is the same -- do not use the GPLv3.
Ok, somehow this was already clear to me.
On the other hand I also do believe that for a project which is here simply because of the benefits of the GPL, we should spend some time thinking this through and then base the decision of the project on a sound basis. Handwaving arguments do not help much here, so thanks for your input.
Cheers Detlev
On Wednesday 24 June 2009 09:17:50 Detlev Zundel wrote:
if you want to push your agenda on your customers (i'm assuming you actually have some and arent just here for fun), that's your business.
Is it possible that you jump to conslusions here? All we - on a regular basis - do is to talk to our customers until we understand what the customer needs. Then we think about how this can or cannot be done with the help of Free Software. After all nobody is forcing anyone to use Free Software and for some customer wishes Free Software may simply be not a legal option, so what?
In this process it is common that customers have incomplete information about Free Software in general and not well-articulated fears making them jump to premature conclusions (e.g. "we need a closed source Linux kernel driver") which would prevent us from doing development for them. At this point it is extremely important to learn about the reasoning of the customer and then clearing up confusion probably leading to revisiting the question of using Free Software.
Essentially I can only remember one customer in the last years who did not go further at the time after learning that we would not develop a non-GPL kernel module. Incidentally this customer is now back on our doorstep because the market effectively forces him to use a GNU/Linux system from a feature perspective. This time around closed sources kernel modules are not even on the agenda anymore.
and that's your prerogative. how you choose to run your business has no bearing at all on how other people choose to run their businesses.
but when customers absolutely state their requirements are secure boot and the ability to lock their hardware so no one else can run things, then i'm not about to argue with them. their response is simply "fine, we'll move on to the next guy who will satisfy our requirements".
It is your decision if you don't want to even understand your customers needs.
wrong, we've actually done the opposite. we know what they want to do and it is doable with GPLv2. it is not doable with GPLv3.
yes, there are cases of ingrained perceptions about how to accomplish something and GPLv3 blocks those methods. but again, it is *your* choice to attempt to educate people here, it is not the automatic burden of people to champion the GNU cause for you.
I admit that I did not think this through completely, but how much of this "no one else can run things" is actually connected to the bootloader? U-Boot itself will not be handling "prime content" I guess. Those "secure boot" you talk about - what is it exactly and what are the potential attack vectors of it? Are there vectors besides the bootloader? If so, how does a "non-supporting" bootloader make the situation any worse?
secure boot is pretty straightforward. the CPU has internal keys programmed into it and will only boot signed binaries. this is u-boot. u-boot in turn will only boot signed encrypted binaries using keys inside of the CPU that can only be accessed by code running on the CPU. licensing of these binaries obviously doesnt matter. the encrypted stream is transferred from external storage into internal CPU storage, decrypted there, and then executed from there. so there is no possibility of sniffing the decrypted stream on any bus as it never leaves the CPU.
they arent generally trying to lock out people who just want to toy, they're targeting people who want to clone their hardware or functionality to create knockoffs or they're trying to guarantee lock down so they can get certified (like medical devices).
How does GPLv3 vs. GPLv2 touch the "we will get cloned" question? Maybe I do not see the obvious here, but sourcecode to binaries under either license must be available, so what's the difference?
if you dont have the decryption keys, you cant read the end program. having access to the u-boot source doesnt matter.
that's my practical standpoint from my job experience -- GPLv3 will cause a u- boot fork and the net result is not beneficial to anyone.
You must have a very good crystal ball. Maybe if my crystal ball was that good I did not need to ask questions.
then you should take it in to get serviced
my completely personal standpoint is the same -- do not use the GPLv3.
Ok, somehow this was already clear to me.
On the other hand I also do believe that for a project which is here simply because of the benefits of the GPL, we should spend some time thinking this through and then base the decision of the project on a sound basis. Handwaving arguments do not help much here, so thanks for your input.
except that licensing choice is just as much practical considerations (can XYZ be done with the GPLv3) as it is personal choice. it dictates how we choose to *let* other people utilize the code. i personally dont have a problem with people locking their hardware. that is their choice and the GPLv2 allows them that freedom. hell, i wouldnt have a problem with a public domain u-boot. people dont use GPLv3 because it is a "superior" license from a technical perspective, they use it because they want to *restrict* how others use their code. -mike
Hi Mike,
On Wednesday 24 June 2009 09:17:50 Detlev Zundel wrote:
if you want to push your agenda on your customers (i'm assuming you actually have some and arent just here for fun), that's your business.
Is it possible that you jump to conslusions here? All we - on a regular basis - do is to talk to our customers until we understand what the customer needs. Then we think about how this can or cannot be done with the help of Free Software. After all nobody is forcing anyone to use Free Software and for some customer wishes Free Software may simply be not a legal option, so what?
In this process it is common that customers have incomplete information about Free Software in general and not well-articulated fears making them jump to premature conclusions (e.g. "we need a closed source Linux kernel driver") which would prevent us from doing development for them. At this point it is extremely important to learn about the reasoning of the customer and then clearing up confusion probably leading to revisiting the question of using Free Software.
Essentially I can only remember one customer in the last years who did not go further at the time after learning that we would not develop a non-GPL kernel module. Incidentally this customer is now back on our doorstep because the market effectively forces him to use a GNU/Linux system from a feature perspective. This time around closed sources kernel modules are not even on the agenda anymore.
and that's your prerogative. how you choose to run your business has no bearing at all on how other people choose to run their businesses.
All I said is that we have a pretty good idea of what is legal and what isn;t and that we will not start work in an area where we belive we could actually be liable by law. How you come to the conclusion that this is "prerogative" completely escapes me. Are you sure that you are interested in what I say?
but when customers absolutely state their requirements are secure boot and the ability to lock their hardware so no one else can run things, then i'm not about to argue with them. their response is simply "fine, we'll move on to the next guy who will satisfy our requirements".
It is your decision if you don't want to even understand your customers needs.
wrong, we've actually done the opposite. we know what they want to do and it is doable with GPLv2. it is not doable with GPLv3.
From what I read, I do not get this impression. "Locking people out" is
not a ulterior motive but the outcome of a perceived threat to a business model. It was this business model that I wanted to get a clear picture of. It seems I cannot get any more informatino here.
yes, there are cases of ingrained perceptions about how to accomplish something and GPLv3 blocks those methods. but again, it is *your* choice to attempt to educate people here, it is not the automatic burden of people to champion the GNU cause for you.
What kind of axe do you have to grind here? We (as a project) were asked about our stance to move to GPLv3 which is a perfectly good question to pose. All I want to do is collect facts - your allegation that I want other people to carry a "burden" shows me that this way will bear no more fruit.
they arent generally trying to lock out people who just want to toy, they're targeting people who want to clone their hardware or functionality to create knockoffs or they're trying to guarantee lock down so they can get certified (like medical devices).
How does GPLv3 vs. GPLv2 touch the "we will get cloned" question? Maybe I do not see the obvious here, but sourcecode to binaries under either license must be available, so what's the difference?
if you dont have the decryption keys, you cant read the end program. having access to the u-boot source doesnt matter.
Having access to the physical device will. How long do you think will it take to get broken into? Unfortunately physics do not follow wishes of companies as seen over and over in the past.
On the other hand I also do believe that for a project which is here simply because of the benefits of the GPL, we should spend some time thinking this through and then base the decision of the project on a sound basis. Handwaving arguments do not help much here, so thanks for your input.
except that licensing choice is just as much practical considerations (can XYZ be done with the GPLv3) as it is personal choice. it dictates how we choose to *let* other people utilize the code.
Licensing ceases to be a personal choice when it is a community project.
i personally dont have a problem with people locking their hardware. that is their choice and the GPLv2 allows them that freedom.
You have a strange definition of freedom - for you it is limited to the provider of the devices not to the users of the devices. I guess this is what this all boils down to.
hell, i wouldnt have a problem with a public domain u-boot. people dont use GPLv3 because it is a "superior" license from a technical perspective, they use it because they want to *restrict* how others use their code.
Are you standing on your head typing this? You actually want to allow a few people to _massively_ restrict all the rest. I cannot follow here.
Cheers Detlev
Detlev Zundel wrote:
i personally dont have a problem with people locking their hardware. that is their choice and the GPLv2 allows them that freedom.
You have a strange definition of freedom - for you it is limited to the provider of the devices not to the users of the devices. I guess this is what this all boils down to.
No, it is "let the device providers and the users who have *chosen* to use those devices sort it out themselves, *I'm* not restricting anyone".
It's not "strange" or "standing on your head", it's just a different opinion.
-Scott
> You have a strange definition of freedom - for you it is limited to the > provider of the devices not to the users of the devices. I guess this > is what this all boils down to.
No, it is "let the device providers and the users who have *chosen* to use those devices sort it out themselves, *I'm* not restricting anyone".
More precisely stated, it's "I'm not restricting anyone, and if someone else is, I don't care." The difference here is between defending freedom and standing aside while it gets lost.
Leaving the powerful few and the weak divided many to "sort it out" is predictably likely to lead to bad results. (That is why consumer protection law exists -- because a market without regulation is dangerous. This is also why financial industry regulation exists, and if the powerful had not sabotaged it, we wouldn't have the current economic downturn.)
On Thu, Jun 25, 2009 at 08:30:29AM -0400, Richard Stallman wrote:
> You have a strange definition of freedom - for you it is limited to the > provider of the devices not to the users of the devices. I guess this > is what this all boils down to. No, it is "let the device providers and the users who have *chosen* to use those devices sort it out themselves, *I'm* not restricting anyone".More precisely stated, it's "I'm not restricting anyone, and if someone else is, I don't care." The difference here is between defending freedom and standing aside while it gets lost.
Not "I don't care", but "I have different ideas of what constitutes unreasonable restriction", or possibly "I don't want to use this particular means to address it because it has other harmful effects".
Leaving the powerful few and the weak divided many to "sort it out" is predictably likely to lead to bad results. (That is why consumer protection law exists -- because a market without regulation is dangerous. This is also why financial industry regulation exists, and if the powerful had not sabotaged it, we wouldn't have the current economic downturn.)
Sure. That doesn't mean that every specific regulation is automatically good.
-Scott
On Wednesday 24 June 2009 12:34:40 Detlev Zundel wrote:
On Wednesday 24 June 2009 09:17:50 Detlev Zundel wrote:
if you want to push your agenda on your customers (i'm assuming you actually have some and arent just here for fun), that's your business.
Is it possible that you jump to conslusions here? All we - on a regular basis - do is to talk to our customers until we understand what the customer needs. Then we think about how this can or cannot be done with the help of Free Software. After all nobody is forcing anyone to use Free Software and for some customer wishes Free Software may simply be not a legal option, so what?
In this process it is common that customers have incomplete information about Free Software in general and not well-articulated fears making them jump to premature conclusions (e.g. "we need a closed source Linux kernel driver") which would prevent us from doing development for them. At this point it is extremely important to learn about the reasoning of the customer and then clearing up confusion probably leading to revisiting the question of using Free Software.
Essentially I can only remember one customer in the last years who did not go further at the time after learning that we would not develop a non-GPL kernel module. Incidentally this customer is now back on our doorstep because the market effectively forces him to use a GNU/Linux system from a feature perspective. This time around closed sources kernel modules are not even on the agenda anymore.
and that's your prerogative. how you choose to run your business has no bearing at all on how other people choose to run their businesses.
All I said is that we have a pretty good idea of what is legal and what isn;t and that we will not start work in an area where we belive we could actually be liable by law. How you come to the conclusion that this is "prerogative" completely escapes me. Are you sure that you are interested in what I say?
i think you are interpreting the word incorrectly. it is your prerogative -- your right -- to run your business however you want.
but when customers absolutely state their requirements are secure boot and the ability to lock their hardware so no one else can run things, then i'm not about to argue with them. their response is simply "fine, we'll move on to the next guy who will satisfy our requirements".
It is your decision if you don't want to even understand your customers needs.
wrong, we've actually done the opposite. we know what they want to do and it is doable with GPLv2. it is not doable with GPLv3.
From what I read, I do not get this impression. "Locking people out" is not a ulterior motive but the outcome of a perceived threat to a business model. It was this business model that I wanted to get a clear picture of. It seems I cannot get any more informatino here.
locking down a machine is part of due diligence as well when it comes to certification. not taking measures to prevent uncertified code from running is a legal liability for companies. you can chalk these use cases up as "perceived threads to a business model" all you like. many customers arent going to change because of your opinion, and while you may not business with them, i dont have a problem with doing it.
yes, there are cases of ingrained perceptions about how to accomplish something and GPLv3 blocks those methods. but again, it is *your* choice to attempt to educate people here, it is not the automatic burden of people to champion the GNU cause for you.
What kind of axe do you have to grind here? We (as a project) were asked about our stance to move to GPLv3 which is a perfectly good question to pose. All I want to do is collect facts - your allegation that I want other people to carry a "burden" shows me that this way will bear no more fruit.
i wasnt directing all of these comments directly at you. i dont know you nor do i care. if the GNU project wants people to use the GPLv3 and people have a perception of it being crap, then it's their problem to address it.
they arent generally trying to lock out people who just want to toy, they're targeting people who want to clone their hardware or functionality to create knockoffs or they're trying to guarantee lock down so they can get certified (like medical devices).
How does GPLv3 vs. GPLv2 touch the "we will get cloned" question? Maybe I do not see the obvious here, but sourcecode to binaries under either license must be available, so what's the difference?
if you dont have the decryption keys, you cant read the end program. having access to the u-boot source doesnt matter.
Having access to the physical device will. How long do you think will it take to get broken into? Unfortunately physics do not follow wishes of companies as seen over and over in the past.
and companies understand that. i never said locking the device is a 100% guarantee to prevent cloning -- nothing in life is 100%. it does however significantly make it harder to reverse engineer a black box that is wiggling pins than it is to disassemble code and memory. the companies i work with are concerned with delaying clones for most of that product generation's life span, not eternity. if the clone comes in after the company has gotten their fair share out of it, then that's fine by them. clones are an unfortunate aspect of commercial life. without the secure boot aspect, people are able to create knockoffs with enough turn around time to do quite a bit of damage to the product's life span.
On the other hand I also do believe that for a project which is here simply because of the benefits of the GPL, we should spend some time thinking this through and then base the decision of the project on a sound basis. Handwaving arguments do not help much here, so thanks for your input.
except that licensing choice is just as much practical considerations (can XYZ be done with the GPLv3) as it is personal choice. it dictates how we choose to *let* other people utilize the code.
Licensing ceases to be a personal choice when it is a community project.
that is plain wrong. it is always a personal choice and by advocating it in a community setting, you're pushing your personal choices on others. i want to stay with the GPL-2 -- i am pushing my personal preference on others. you want to move to the GPL-3 -- you are pushing your personal preference on others.
i personally dont have a problem with people locking their hardware. that is their choice and the GPLv2 allows them that freedom.
You have a strange definition of freedom - for you it is limited to the provider of the devices not to the users of the devices. I guess this is what this all boils down to.
no, i have a definition of freedom you cant cope with. what i choose to do with my time and code i write is absolutely my choice. i have no problem people taking my code and doing whatever they want with it -- that's why i release to public domain.
hell, i wouldnt have a problem with a public domain u-boot. people dont use GPLv3 because it is a "superior" license from a technical perspective, they use it because they want to *restrict* how others use their code.
Are you standing on your head typing this? You actually want to allow a few people to _massively_ restrict all the rest. I cannot follow here.
and it's funny you cant cope with this simple concept. your code, your time, your choice. my code, my time, my choice. if people take my work i give away freely and "massively restrict the rest", then i dont have a problem with that. -mike
Hi Mike,
but when customers absolutely state their requirements are secure boot and the ability to lock their hardware so no one else can run things, then i'm not about to argue with them. their response is simply "fine, we'll move on to the next guy who will satisfy our requirements".
It is your decision if you don't want to even understand your customers needs.
wrong, we've actually done the opposite. we know what they want to do and it is doable with GPLv2. it is not doable with GPLv3.
From what I read, I do not get this impression. "Locking people out" is not a ulterior motive but the outcome of a perceived threat to a business model. It was this business model that I wanted to get a clear picture of. It seems I cannot get any more informatino here.
locking down a machine is part of due diligence as well when it comes to certification. not taking measures to prevent uncertified code from running is a legal liability for companies.
An aircraft is also a certified product - won't you think? Do you believe that an airline carrier ships its planes to the manufacturer if they need to replace a screw? Obviously there must be ways to ensure certification even in such cases. Why should those methods not be applicable to other fields as well?
It is this "certification is only possible like we say" attitude which I seriously question.
you can chalk these use cases up as "perceived threads to a business model" all you like. many customers arent going to change because of your opinion, and while you may not business with them, i dont have a problem with doing it.
Sure, you're decision. Although I cannot read it from what you wrote, if you do business knowingly entering grey areas of licensing questions (like writing closed source drivers for the Linux kernel), there is a pretty good chance that one could go to court for "gross negligence".
This is not a joke. Here in Germany lawyers actually evaluated if a manager can get sued for "gross negligence" when deploying Free Software in a company because of the "everybody can change the software" aspect.
yes, there are cases of ingrained perceptions about how to accomplish something and GPLv3 blocks those methods. but again, it is *your* choice to attempt to educate people here, it is not the automatic burden of people to champion the GNU cause for you.
What kind of axe do you have to grind here? We (as a project) were asked about our stance to move to GPLv3 which is a perfectly good question to pose. All I want to do is collect facts - your allegation that I want other people to carry a "burden" shows me that this way will bear no more fruit.
i wasnt directing all of these comments directly at you. i dont know you nor do i care.
Yep, thanks for the confirmation.
they arent generally trying to lock out people who just want to toy, they're targeting people who want to clone their hardware or functionality to create knockoffs or they're trying to guarantee lock down so they can get certified (like medical devices).
How does GPLv3 vs. GPLv2 touch the "we will get cloned" question? Maybe I do not see the obvious here, but sourcecode to binaries under either license must be available, so what's the difference?
if you dont have the decryption keys, you cant read the end program. having access to the u-boot source doesnt matter.
Having access to the physical device will. How long do you think will it take to get broken into? Unfortunately physics do not follow wishes of companies as seen over and over in the past.
and companies understand that. i never said locking the device is a 100% guarantee to prevent cloning -- nothing in life is 100%. it does however significantly make it harder to reverse engineer a black box that is wiggling pins than it is to disassemble code and memory. the companies i work with are concerned with delaying clones for most of that product generation's life span, not eternity. if the clone comes in after the company has gotten their fair share out of it, then that's fine by them. clones are an unfortunate aspect of commercial life. without the secure boot aspect, people are able to create knockoffs with enough turn around time to do quite a bit of damage to the product's life span.
It's not the first time I hear this mantra. Can you give me some facts to back this up?
i personally dont have a problem with people locking their hardware. that is their choice and the GPLv2 allows them that freedom.
You have a strange definition of freedom - for you it is limited to the provider of the devices not to the users of the devices. I guess this is what this all boils down to.
no, i have a definition of freedom you cant cope with.
Oh, I can cope with this definition for sure. It is rather misleading to attach it to the word "freedom" however.
what i choose to do with my time and code i write is absolutely my choice. i have no problem people taking my code and doing whatever they want with it -- that's why i release to public domain.
hell, i wouldnt have a problem with a public domain u-boot. people dont use GPLv3 because it is a "superior" license from a technical perspective, they use it because they want to *restrict* how others use their code.
Are you standing on your head typing this? You actually want to allow a few people to _massively_ restrict all the rest. I cannot follow here.
and it's funny you cant cope with this simple concept. your code, your time, your choice. my code, my time, my choice.
Again, no problem coping with this concept if put in these words. Just don't use "restriction" or "freedom" then.
if people take my work i give away freely and "massively restrict the rest", then i dont have a problem with that.
So we are in accord after all - I don't want my work to be used in this way. Simple ;)
Cheers Detlev
On Thursday 25 June 2009 07:04:07 Detlev Zundel wrote:
but when customers absolutely state their requirements are secure boot and the ability to lock their hardware so no one else can run things, then i'm not about to argue with them. their response is simply "fine, we'll move on to the next guy who will satisfy our requirements".
It is your decision if you don't want to even understand your customers needs.
wrong, we've actually done the opposite. we know what they want to do and it is doable with GPLv2. it is not doable with GPLv3.
From what I read, I do not get this impression. "Locking people out" is not a ulterior motive but the outcome of a perceived threat to a business model. It was this business model that I wanted to get a clear picture of. It seems I cannot get any more informatino here.
locking down a machine is part of due diligence as well when it comes to certification. not taking measures to prevent uncertified code from running is a legal liability for companies.
An aircraft is also a certified product - won't you think? Do you believe that an airline carrier ships its planes to the manufacturer if they need to replace a screw? Obviously there must be ways to ensure certification even in such cases. Why should those methods not be applicable to other fields as well?
It is this "certification is only possible like we say" attitude which I seriously question.
whether you question this attitude doesnt matter. you arent a lawyer in general, you arent a lawyer for these companies, and you arent indemnifying them. their legal review says that it's a requirement, so it is now a requirement for the software. anything beyond that is irrelevant.
they arent generally trying to lock out people who just want to toy, they're targeting people who want to clone their hardware or functionality to create knockoffs or they're trying to guarantee lock down so they can get certified (like medical devices).
How does GPLv3 vs. GPLv2 touch the "we will get cloned" question? Maybe I do not see the obvious here, but sourcecode to binaries under either license must be available, so what's the difference?
if you dont have the decryption keys, you cant read the end program. having access to the u-boot source doesnt matter.
Having access to the physical device will. How long do you think will it take to get broken into? Unfortunately physics do not follow wishes of companies as seen over and over in the past.
and companies understand that. i never said locking the device is a 100% guarantee to prevent cloning -- nothing in life is 100%. it does however significantly make it harder to reverse engineer a black box that is wiggling pins than it is to disassemble code and memory. the companies i work with are concerned with delaying clones for most of that product generation's life span, not eternity. if the clone comes in after the company has gotten their fair share out of it, then that's fine by them. clones are an unfortunate aspect of commercial life. without the secure boot aspect, people are able to create knockoffs with enough turn around time to do quite a bit of damage to the product's life span.
It's not the first time I hear this mantra. Can you give me some facts to back this up?
i dont know what kind of "facts" you're looking for. i didnt make this scenario up, it was described to me by a customer in the US and their experience with Chinese cloners. i'm not going to give customer information or name names if that's what you want. -mike
Hi Mike,
It is this "certification is only possible like we say" attitude which I seriously question.
whether you question this attitude doesnt matter. you arent a lawyer in general, you arent a lawyer for these companies, and you arent indemnifying them. their legal review says that it's a requirement, so it is now a requirement for the software. anything beyond that is irrelevant.
Now was this so hard? This is actually an important fact that it is a legal requirement for a company - thanks.
It was a pain to find out however.
It's not the first time I hear this mantra. Can you give me some facts to back this up?
i dont know what kind of "facts" you're looking for. i didnt make this scenario up, it was described to me by a customer in the US and their experience with Chinese cloners. i'm not going to give customer information or name names if that's what you want.
Well, the problem with "facts" is that I like them to be backed up. I don't know whether I should believe this mantra until I have seen actual products and/or figures. If you don't need this - fine, your choice.
It's like the "patents strengthen innovation" mantra. Regardless that there was no study to ever show such effect this was repeated over and over. People questioning it got "shut up" replies like you deal out. Unfortunately recent studies show the opposite of the claim, no matter how much the mantra is still repeated.
Cheers Detlev
On Thursday 25 June 2009 10:20:47 Detlev Zundel wrote:
It's not the first time I hear this mantra. Can you give me some facts to back this up?
i dont know what kind of "facts" you're looking for. i didnt make this scenario up, it was described to me by a customer in the US and their experience with Chinese cloners. i'm not going to give customer information or name names if that's what you want.
Well, the problem with "facts" is that I like them to be backed up. I don't know whether I should believe this mantra until I have seen actual products and/or figures. If you don't need this - fine, your choice.
well g'luck with that. you're going to have to find a customer yourself or find someone who *hasnt* signed a NDA. -mike
Hi,
On Thursday 25 June 2009 10:20:47 Detlev Zundel wrote:
It's not the first time I hear this mantra. Can you give me some facts to back this up?
i dont know what kind of "facts" you're looking for. i didnt make this scenario up, it was described to me by a customer in the US and their experience with Chinese cloners. i'm not going to give customer information or name names if that's what you want.
Well, the problem with "facts" is that I like them to be backed up. I don't know whether I should believe this mantra until I have seen actual products and/or figures. If you don't need this - fine, your choice.
well g'luck with that. you're going to have to find a customer yourself or find someone who *hasnt* signed a NDA.
... n ) Proof by intimidation n+1) Proof by vigorous handwaving n+2) Proof by obfuscation n+3) Proof by wishful citation n+4) Proof by vehement assertion n+5) Proof not available without NDA
Now, wait a minute, I think we have an original new entry here to this list ;)
Cheers Detlev
On Friday 26 June 2009 04:25:42 Detlev Zundel wrote:
On Thursday 25 June 2009 10:20:47 Detlev Zundel wrote:
It's not the first time I hear this mantra. Can you give me some facts to back this up?
i dont know what kind of "facts" you're looking for. i didnt make this scenario up, it was described to me by a customer in the US and their experience with Chinese cloners. i'm not going to give customer information or name names if that's what you want.
Well, the problem with "facts" is that I like them to be backed up. I don't know whether I should believe this mantra until I have seen actual products and/or figures. If you don't need this - fine, your choice.
well g'luck with that. you're going to have to find a customer yourself or find someone who *hasnt* signed a NDA.
... n ) Proof by intimidation n+1) Proof by vigorous handwaving n+2) Proof by obfuscation n+3) Proof by wishful citation n+4) Proof by vehement assertion n+5) Proof not available without NDA
Now, wait a minute, I think we have an original new entry here to this list ;)
basically you're making the assertion that (1) i just made all of this sh*t up, (2) i'm basically a liar, and (3) i must be making these claims because i think this discussion is "fun". rather than providing funny little lists, why dont you come straight out and call someone a filthy liar. frankly, you can kiss my ass.
i attempted to provide real world experience with the information i'm allowed, and apparently that wasnt "good enough" for you, how convenient for your little crusade to control the usage of others. -mike
Hi,
On Friday 26 June 2009 04:25:42 Detlev Zundel wrote:
On Thursday 25 June 2009 10:20:47 Detlev Zundel wrote:
It's not the first time I hear this mantra. Can you give me some facts to back this up?
i dont know what kind of "facts" you're looking for. i didnt make this scenario up, it was described to me by a customer in the US and their experience with Chinese cloners. i'm not going to give customer information or name names if that's what you want.
Well, the problem with "facts" is that I like them to be backed up. I don't know whether I should believe this mantra until I have seen actual products and/or figures. If you don't need this - fine, your choice.
well g'luck with that. you're going to have to find a customer yourself or find someone who *hasnt* signed a NDA.
... n ) Proof by intimidation n+1) Proof by vigorous handwaving n+2) Proof by obfuscation n+3) Proof by wishful citation n+4) Proof by vehement assertion n+5) Proof not available without NDA
Now, wait a minute, I think we have an original new entry here to this list ;)
basically you're making the assertion that (1) i just made all of this sh*t up, (2) i'm basically a liar, and (3) i must be making these claims because i think this discussion is "fun". rather than providing funny little lists, why dont you come straight out and call someone a filthy liar.
I am not repsonsible for what you read into my mails. I never made such assertions.
Cheers Detlev
On Friday 26 June 2009 09:56:21 Detlev Zundel wrote:
On Friday 26 June 2009 04:25:42 Detlev Zundel wrote:
On Thursday 25 June 2009 10:20:47 Detlev Zundel wrote:
> It's not the first time I hear this mantra. Can you give me some > facts to back this up?
i dont know what kind of "facts" you're looking for. i didnt make this scenario up, it was described to me by a customer in the US and their experience with Chinese cloners. i'm not going to give customer information or name names if that's what you want.
Well, the problem with "facts" is that I like them to be backed up. I don't know whether I should believe this mantra until I have seen actual products and/or figures. If you don't need this - fine, your choice.
well g'luck with that. you're going to have to find a customer yourself or find someone who *hasnt* signed a NDA.
... n ) Proof by intimidation n+1) Proof by vigorous handwaving n+2) Proof by obfuscation n+3) Proof by wishful citation n+4) Proof by vehement assertion n+5) Proof not available without NDA
Now, wait a minute, I think we have an original new entry here to this list ;)
basically you're making the assertion that (1) i just made all of this sh*t up, (2) i'm basically a liar, and (3) i must be making these claims because i think this discussion is "fun". rather than providing funny little lists, why dont you come straight out and call someone a filthy liar.
I am not repsonsible for what you read into my mails. I never made such assertions.
Jon Stewart summed up this position fairly well with an example. I'm not saying your mother is a whore.....I'm just saying, isnt it interesting that she has money. And I dont know what she does during the day. -mike
Mike Frysinger vapier@gentoo.org writes:
Jon Stewart summed up this position fairly well with an example. I'm not saying your mother is a whore.....I'm just saying, isnt it interesting that she has money. And I dont know what she does during the day.
You are disqualifying yourself here. Go on if you like, I will not join you on this level anymore.
Cheers Detlev
On Friday 26 June 2009 11:11:06 Detlev Zundel wrote:
Mike Frysinger vapier@gentoo.org writes:
Jon Stewart summed up this position fairly well with an example. I'm not saying your mother is a whore.....I'm just saying, isnt it interesting that she has money. And I dont know what she does during the day.
You are disqualifying yourself here. Go on if you like, I will not join you on this level anymore.
i'm pretty sure you missed the point completely. review the structure, not the content. -mike
Hi Mike,
It is this "certification is only possible like we say" attitude which I seriously question.
whether you question this attitude doesnt matter. you arent a lawyer in general, you arent a lawyer for these companies, and you arent indemnifying them. their legal review says that it's a requirement, so it is now a requirement for the software. anything beyond that is irrelevant.
Now was this so hard? This is actually an important fact that it is a legal requirement for a company - thanks.
As a quick web research did not help, if this is a legal requirement, then can you point me to the law which requires such a thing?
Thanks Detlev
On Thursday 25 June 2009 10:41:13 Detlev Zundel wrote:
It is this "certification is only possible like we say" attitude which I seriously question.
whether you question this attitude doesnt matter. you arent a lawyer in general, you arent a lawyer for these companies, and you arent indemnifying them. their legal review says that it's a requirement, so it is now a requirement for the software. anything beyond that is irrelevant.
Now was this so hard? This is actually an important fact that it is a legal requirement for a company - thanks.
As a quick web research did not help, if this is a legal requirement, then can you point me to the law which requires such a thing?
nothing personal, but ...
(1) you still arent a lawyer (2) i never said there was a law that stated this (3) i did say "their legal team came to the conclusion that ..."
the law and your interpretation of it is irrelevant. customers are viewing this as a requirement and thus it's the same thing. if you think there is an image problem, then feel free to assist the GNU project in an "awareness" campaign. i work in the practical realm. -mike
Hi Mike,
On Thursday 25 June 2009 10:41:13 Detlev Zundel wrote:
It is this "certification is only possible like we say" attitude which I seriously question.
whether you question this attitude doesnt matter. you arent a lawyer in general, you arent a lawyer for these companies, and you arent indemnifying them. their legal review says that it's a requirement, so it is now a requirement for the software. anything beyond that is irrelevant.
Now was this so hard? This is actually an important fact that it is a legal requirement for a company - thanks.
As a quick web research did not help, if this is a legal requirement, then can you point me to the law which requires such a thing?
nothing personal, but ...
(1) you still arent a lawyer (2) i never said there was a law that stated this (3) i did say "their legal team came to the conclusion that ..."
the law and your interpretation of it is irrelevant.
Wow, the law is irrelevant. I give up. You repeatedly claim stuff without backing anything up. There is nothing more I can gain from this discussion, so I let it rest.
Cheers Detlev
On Friday 26 June 2009 04:21:15 Detlev Zundel wrote:
On Thursday 25 June 2009 10:41:13 Detlev Zundel wrote:
It is this "certification is only possible like we say" attitude which I seriously question.
whether you question this attitude doesnt matter. you arent a lawyer in general, you arent a lawyer for these companies, and you arent indemnifying them. their legal review says that it's a requirement, so it is now a requirement for the software. anything beyond that is irrelevant.
Now was this so hard? This is actually an important fact that it is a legal requirement for a company - thanks.
As a quick web research did not help, if this is a legal requirement, then can you point me to the law which requires such a thing?
nothing personal, but ...
(1) you still arent a lawyer (2) i never said there was a law that stated this (3) i did say "their legal team came to the conclusion that ..."
the law and your interpretation of it is irrelevant.
Wow, the law is irrelevant. I give up. You repeatedly claim stuff without backing anything up. There is nothing more I can gain from this discussion, so I let it rest.
why not try keeping up with the thread instead of taking things out of context. the point of this subthread was that the software people doing the work are told to do XYZ by their legal team. thus it is a software requirement irregardless of anything else.
plus, the law in these areas is hardly ever clear. it may state one thing, and yet there are precedences that take it a different way. or the laws have no precedence at all (which is fairly typical with open source) in which case lawyers are often very conservative. after all, their screw up here could easily cost a company 6 or 7 figures if not worse penalties.
your demand of black and white conformance in a pure gray legal world is completely unrealistic. -mike
On Thu 25 Jun 2009 10:41, Detlev Zundel pondered:
Hi Mike,
It is this "certification is only possible like we say" attitude which I seriously question.
whether you question this attitude doesnt matter. you arent a lawyer in general, you arent a lawyer for these companies, and you arent indemnifying them. their legal review says that it's a requirement, so it is now a requirement for the software. anything beyond that is irrelevant.
Now was this so hard? This is actually an important fact that it is a legal requirement for a company - thanks.
As a quick web research did not help, if this is a legal requirement, then can you point me to the law which requires such a thing?
As Mike said - there are many organisations which require this. Some from a legal standpoint, some from a certification standpoint. It depends on the end product.
Your ability not to find them doesn't change the fact that they do exist.
Search for:
IEC 61508-3 : Functional safety of E/E/PE safety-related systems Part 3: Software requirements http://en.wikipedia.org/wiki/IEC_61508
IEC 601-1-4 : Safety Requirements for Programmable Electronic Medical Systems
ANSI/UL 1998 : Standard for Safety Software in Programmable Components
There are other that are industry specific - the gambling industry is a good one (that ksi already pointed out)
http://gaming.nv.gov/stats_regs/reg14_tech_stnds.pdf
1.080 Control program requirements. (a) Employ a mechanism approved by the chairman which verifies that all control program components, including data and graphic information, are authentic copies of the approved components. The chairman may require tests to verify that components used by Nevada licensees are approved components. The verification mechanism must have an error rate of less than 1 in 10 to the 38th power and must prevent the execution of any control program component if any component is determined to be invalid.
That doesn't use the words secure boot - but if that is what the chairman of the Nevada gaming commision decides - then that is what is is...
As Mike has stated - we work on many devices who's products would fall under the GPL 3's “User Products” category - who's manufactures have told us "No GPL3". They have this right - the right to use the software - or the right to choose something else. They have indicated they will exercise this right - so far - I believe them.
If Wolfgang decides to remove all the "GPL-2 only" code, and re-write that, and release U-Boot under GPL-3 - that is his right - he needs to do the things that let him sleep better at night.
If he decides to do so - it just means that I will need to exercise my rights - and either fork, or go work on MicroMonitor - neither are really that appealing for me - but they are the only choice I have with a GPL-3 U-Boot. Part of any freedom is the freedom to have an amicable disagreement, and make an alternative choice.
I will only need to make that choice when I see a commit to: http://git.denx.de/cgi-bin/gitweb.cgi?p=u-boot.git;a=blob;f=COPYING;hb=HEAD which updates it to GPL3.
Until then - it is just time wasted, when I should be doing more productive things. :)
-Robin
Although this is a bad analogy for the existing topic - I have always told my kids - part of freedom is the right to make choices, and allow others to make choices you don't agree with. If you choose to believe your water bottle is some sort of deity, and want to worship it - that is fine. I'll stand up and defend your rights to do so. I will still think you are nuts and will not join you in your water bottle worship (no offence meant to any existing, future or past water bottle worshippers).
Freedom does not mean "my freedom" - it is not my right to enforce my belief system on you, but my obligation to stand and defend your rights to do something I don't like.
Pushing one's person's belief system on another belongs in comp.sys.mac.advocacy and no where else.
As Mike has stated - we work on many devices who's products would fall under the GPL 3's User Products category - who's manufactures have told us "No GPL3".
Would you like to describe one such product? All the product types discussed so far are outside the category of User Products. The laws you cites also seem to apply to things which are not User Products.
They have this right - the right to use the software - or the right to choose something else. They have indicated they will exercise this right - so far - I believe them.
If a company seeks to restrict users like you and me, I strongly hope my software does not help them.
On Mon 29 Jun 2009 14:48, Richard Stallman pondered:
As Mike has stated - we work on many devices who's products would fall under the GPL 3's User Products category - who's manufactures have told us "No GPL3".Would you like to describe one such product?
Portable hand held medical devices - such as Glucometers. They fall into both categories. They are medical devices, who's "bad" software could cause a user to give them selves too much insulin (hypoglycemia -> pass out -> seizure -> death), or too little insulin (Hyperglycaemia -> stupor -> coma -> death). Yeah, death is over the top - as most diabetics understand their body well enough not recognise the signs much before the pass out stages - but for the person who isn't familiar with things - it is possible.
They are marketted, and purchased by end consumers (Amazon shows 115 results in their search), and I would think that would make them fall into the "User Products".
All the product types discussed so far are outside the category of User Products. The laws you cites also seem to apply to things which are not User Products.
I don't think I had any links to laws - only specifications.
Years ago - I helped develop a cloths dryer which needed to pass UL 1998 - since the cut off switch (open the door, the dryer stops spinning), was a GPIO on a 8-bit microcontroller...
White goods are as consumer/user products as you can get - all need to pass some sort of safety spec, when software failures can hurt people.
They have this right - the right to use the software - or the right to choose something else. They have indicated they will exercise this right - so far - I believe them.If a company seeks to restrict users like you and me, I strongly hope my software does not help them.
And I think that is great that you feel like that. You have every right to limit the use of the software you write and support - just like I have that same right not to feel the same way.
I feel that companies should have the right to choose how to use the software I develop, as long they give things back, and I can use it on _my_ hardware (which the GPL2 allows/encourages) - I don't really care what they do on their hardware. That is their business, not mine.
I hope that you can respect my choice - and not try to convince me or others that your choices are superior to mine.
-Robin
Portable hand held medical devices - such as Glucometers. They fall into both categories. They are medical devices, who's "bad" software could cause a user to give them selves too much insulin (hypoglycemia -> pass out -> seizure -> death), or too little insulin (Hyperglycaemia -> stupor -> coma -> death).
That would be a good reason for the user not to change the software in this device. However, that does not mean he should be stopped.
After all, the user could also change the circuitry in the device, if he is inclined to do so. That too could make it give bad readings. So what? We do not need a nanny state stopping people from going out of their way to take risks. Warning them is enough.
They are marketted, and purchased by end consumers (Amazon shows 115 results in their search), and I would think that would make them fall into the "User Products".
These are indeed User Products, and the user who buys them should have control over what they do.
I hope that you can respect my choice - and not try to convince me or others that your choices are superior to mine.
If your mind is made up, I will not pointlessly annoy you by trying to convince you. I will continue trying to convince others.
In 1983, almost everyone thought my ideas were foolish, but I did not let that stop me, so now we have the GNU/Linux operating system.
On Tue 30 Jun 2009 10:04, Richard Stallman pondered:
Portable hand held medical devices - such as Glucometers. They fall into both categories. They are medical devices, who's "bad" software could cause a user to give them selves too much insulin (hypoglycemia -> pass out -> seizure -> death), or too little insulin (Hyperglycaemia -> stupor -> coma -> death).That would be a good reason for the user not to change the software in this device. However, that does not mean he should be stopped.
The FDA disagrees :)
They add requirements to ensure they detect faulty devices. It is a fact of physics that flash devices go bad over time - I'm sure even you appreciate the ability to know if something in your devices is the image that you thought it is, and doesn't have bit errors.
When they FDA certifies a device, they need to make sure that both hardware and the software on the unit when it gets to you - is the same as the version that they approved. If hardware can go wrong - there are normally power on self checks that test for this - and the unit will not power on if it detects the hardware is modified.
After all, the user could also change the circuitry in the device, if he is inclined to do so. That too could make it give bad readings.
It is not likely that the user has a the equipment to do so - it's not practical to think so anymore.
All the "circuitry" are integrated circuits. There are very few (none) external components to modify. Test strips are connected directly to the measurement IC, and the measurement IC is connected directly the the processor.
www.analog.com/AD5933
To make any meaningful modifications (which doesn't just remove a power supply, and cause the unit to die) starts out with a plazma etch machine - not exactly something most people have access to. (Here is one for $10k if you want)...
http://www.2spi.com/catalog/instruments/etchers1.shtml
Yeah, you could make your own fuming nitric acid on your stove, but that is even more over the top - plus - most fuming acids reacts with exposed bond pad metallization and normally result in ball bond discontinuity - hampering any further analysis, and making the device stop functioning...
I don't recommend it.
So what? We do not need a nanny state stopping people from going out of their way to take risks. Warning them is enough.
Then solve it through the legistation process - don't debate with developers.
The Federal Government (in the US) gave the FDA the requirement to do this in Federal Food, Drug, and Cosmetic Act (FD&C Act) of 1938 (amended since) - when people were accidently putting poisonous solvents in an "Elixir". http://en.wikipedia.org/wiki/Elixir_Sulfanilamide
I'm glad they are there. When you go to Trader Joe's in Cambridge (or where ever you go for sustenance), Are you OK with the "nanny state" ensuring the food is safe to eat?
They are marketted, and purchased by end consumers (Amazon shows 115 results in their search), and I would think that would make them fall into the "User Products".These are indeed User Products, and the user who buys them should have control over what they do.
That "nanny state" government that we live in - says otherwise.
Maybe I'm not fully understanding your position or what the intent of the GPL3 is - but it appears to me that there is a gap between the certification required in some markets/products, (and how people apply these certifications), and the rights given to end users under the GPL3 that make them not compatible.
If a product is required to be locked down by a certifying authority, (whom ever that may be), they can't use GPL3 code.
Your statements appear to me (to paraphrase) - those not willing to follow your rules should not have access to your code. And I'm completely fine with that. We contribute to various FSF projects that are under the GPL3 without any issue.
What I don't understand is the fact that the GPL3 seems to punish developers who are developing products for certain markets when their certifying authority (like the FDA) has requirements which are not compatible with the GPL3.
This really has nothing to do with tivoization, since in the Tivo case - they had no greater certification authority - and were just trying to restrict people's use.
I hope that you can respect my choice - and not try to convince me or others that your choices are superior to mine.If your mind is made up, I will not pointlessly annoy you by trying to convince you. I will continue trying to convince others.
That is great - and I applaud your efforts. I think that the work you are doing is valuable, and the contributions you have made have been critically important to the free and closed software developments that people to today.
But attempting to convincing other developers your rules are the best, without providing the pros (more freedom for end users) and cons (developers of certain products/markets which have requirements contrary to the requirements of the GPL3 will be excluded from using future versions) seems to be a little duplicitous.
There is little a developer can do about changing the requirements of the FDA. Maybe you should be working with these types of certification authorities, rather than individual developers? You have a much more recognised name than most of the people on this list - I'm sure that you could get a meeting with Ms Hamburg or Aneesh Chopra before I could - and would have a bigger impact too...
http://www.fda.gov/AboutFDA/CommissionersPage/default.htm http://www.usa.gov/dotgovbuzz/0509.html#dotgovspotlight
In 1983, almost everyone thought my ideas were foolish, but I did not let that stop me, so now we have the GNU/Linux operating system.
I never said your ideas were foolish - I don't think I even implied it.
I wouldn't contribute to free software projects if I though the concepts were flawed or foolish.
> That would be a good reason for the user not to change the software in > this device. However, that does not mean he should be stopped.
The FDA disagrees :)
Governments often oppose people's freedom. That is why fighting for freedom is hard.
They add requirements to ensure they detect faulty devices. It is a fact of physics that flash devices go bad over time - I'm sure even you appreciate the ability to know if something in your devices is the image that you thought it is, and doesn't have bit errors.
That sounds like a good feature. But if it is done in a way that permits the manufacturer to change the software after sale, then it can be done in a way that permits the owner to change the software too.
All the "circuitry" are integrated circuits. There are very few (none) external components to modify. Test strips are connected directly to the measurement IC, and the measurement IC is connected directly the the processor.
I did not know that. Thank you for the information.
While I probably would not want to change my glucometer, the practice of designing hardware so that people cannot change it is becoming more and more of a threat to our freedom in general.
If a product is required to be locked down by a certifying authority, (whom ever that may be), they can't use GPL3 code.
If the users' freedom is protected by GPLv3, the certifying authority that attacks users' freedom blocks the use of this code.
While I recognize that developers who get in the middle of this battle did not cause the battle, I will not surrender the fight just for their sake.
This really has nothing to do with tivoization, since in the Tivo case - they had no greater certification authority - and were just trying to restrict people's use.
These companies (if I understand the facts correctly from what people have said here) are doing the same thing to the user that tivo does, so it is equally wrong. The wrong is not in their motive, it is in what they do.
Suppose there were an official certification authority for video players. (Hollywood could probably buy such a law if it wanted to; Obama would be glad to sign it.) Would that make the tivo ok? Obviously not.
Thus, the existence of a certification authority does not alter the concluisions about the ethical issue of tivoization.
I support effective steps to protect safety for the users of medical devices. But, as I've explained above, that does not require tivoization, so it does not excuse tivoization either.
On Tue 30 Jun 2009 15:12, Richard Stallman pondered:
While I probably would not want to change my glucometer, the practice of designing hardware so that people cannot change it is becoming more and more of a threat to our freedom in general.
It is simple economics - it is about consumers making choices.
Most people in the general public don't _want_ to change anything, so they buy the cheapest unit. The price of that unit drops as the volume goes up. The suppliers compete, and integrate more into their ICs. The price drops more, and consumers line up to buy more, since the price is now cheaper.
People don't know what they are loosing if they don't know it exists.
If a product is required to be locked down by a certifying authority, (whom ever that may be), they can't use GPL3 code.If the users' freedom is protected by GPLv3, the certifying authority that attacks users' freedom blocks the use of this code.
While I recognize that developers who get in the middle of this battle did not cause the battle, I will not surrender the fight just for their sake.
So understand where the fight needs to take place. It's not at the developer level - its at the regulator level.
This really has nothing to do with tivoization, since in the Tivo case - they had no greater certification authority - and were just trying to restrict people's use.These companies (if I understand the facts correctly from what people have said here) are doing the same thing to the user that tivo does, so it is equally wrong. The wrong is not in their motive, it is in what they do.
Suppose there were an official certification authority for video players. (Hollywood could probably buy such a law if it wanted to; Obama would be glad to sign it.) Would that make the tivo ok? Obviously not.
Thus, the existence of a certification authority does not alter the concluisions about the ethical issue of tivoization.
So - why does the the GPL3 have an out for networking? (which is going to be abused).
From the GPL3:
Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.
I can't see how someone can deny access to the network, while still allowing anyone's software to be run on the device, without some sort of key system in the networking hardware - is that what you had in mind?
I support effective steps to protect safety for the users of medical devices. But, as I've explained above, that does not require tivoization, so it does not excuse tivoization either.
I understand the moral dilemma, and your viewpoint. Unfortunately, no one who writes the standards is asking my (or anyone on this list's) opinion of what the certification process is.
-Robin
I can't see how someone can deny access to the network, while still allowing anyone's software to be run on the device, without some sort of key system in the networking hardware - is that what you had in mind?
This is aimed at cell phone networks: it recognizes they are allowed to make the network refuse to talk to a phone if the users's changes cause the phone to screw up the network.
On Wed, Jul 1, 2009 at 9:46 PM, Richard Stallmanrms@gnu.org wrote:
I can't see how someone can deny access to the network, while still allowing anyone's software to be run on the device, without some sort of key system in the networking hardware - is that what you had in mind?
This is aimed at cell phone networks: it recognizes they are allowed to make the network refuse to talk to a phone if the users's changes cause the phone to screw up the network.
Interesting, you allow the hardware & software designer to apply restrictions on the end user because their changes could 'screw up a network' but do not believe that the same restrictions apply when the changes could 'kill the user'
I admire your efforts with the GPL in version 3 in order to stop a blatant abuse of free software. However, I agree with many others in this thread, there are cases where GPL3 went just a little too far. I think GPL3 should have stopped where legislation requires that the software running on the device be certified.
I know you fear 'Big Corporations' pushing around governments to pass legislation like 'All Media Players must only allow software developed by the manufacturer of the device' and 'Any attempt to reverse engineer audio or video Codecs for use on non-proprietary systems is punishable by xyz'. But this is where advocates like yourself really need to stand tall - This argument goes way beyond Software Freedom - It bleeds into Copyright and Patents on algorithms, business methods, mathematical formula, DNA, arbitrary ideas - the list goes on. You seem a little reluctant to take this battle to this second (and arguably far more important) front.
You have done a marvelous job of changing the attitudes of individuals and corporations towards software development. There are only a few pockets of resistance that fail to grok the fact that the more people can play with your code, the better it becomes at a fraction of the price. These pockets reacted by 'Tivosation' and 'Patents' - You tried to counter-punch by saying 'You are not allowed to be part of our community' rather than doing what you did with the source code - Prove that the system works better without the restrictions - Make the restrictions an encumbrance on those that embrace them just like the the non-free developers are now encumbered by not embracing software freedom
Graeme Russ wrote:
On Wed, Jul 1, 2009 at 9:46 PM, Richard Stallmanrms@gnu.org wrote:
I can't see how someone can deny access to the network, while still allowing anyone's software to be run on the device, without some sort of key system in the networking hardware - is that what you had in mind?
This is aimed at cell phone networks: it recognizes they are allowed to make the network refuse to talk to a phone if the users's changes cause the phone to screw up the network.
Interesting, you allow the hardware & software designer to apply restrictions on the end user because their changes could 'screw up a network' but do not believe that the same restrictions apply when the changes could 'kill the user'
The network restriction makes an explicit distinction at an ownership boundary.
The network statement quoted by Robin is:
From the GPL3:
Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.
Note that the network is owned by the service provider, *not* the end user. The end user is free to modify his gadget to his heart's content, but the service provider is *also* free to disallow that modified gadget from interacting with his (the service provider's) network. In other words, the modification permissiveness boundary matches the ownership boundary.
Mapping this concept to the gaming world, I would say that gaming machine owners should be allowed the freedom to modify a gaming machine, but the casino (governmental regulatory agency) would also be free to disallow paying out any winnings to that machine. Public access to the modified machine should not be allowed because that crosses the ownership boundary. IOW, if *you* game the machine, *you* can play to *your* heart's content, but but the gaming (in both senses) is bounded at the machine's boundary and the ownership boundary.
Mapping this to the medical world, you should be free to modify the firmware in medical devices 1) that you own and 2) are only used by yourself, as owner. Beyond that, there are already enough disclaimers that adding another disclaimer "if you rewrite this firmware, you could kill yourself" would be simple to add. Percentage-wise, it would probably add 1% to the pages of disclaimers already present.
There are already innumerable ways of harming (many ways fatally) oneself with medicines and medical equipment and these are already (theoretically) exhaustively listed. When I pick up a subscription from a pharmacy, I am forced to wait for the pharmacist to make sure I "understand" the pages of how I could do myself great bodily harm and *literally* sign a document that I was instructed in the dangers. Add a firmware modification disclaimer and you are all set... theoretically.
The classic warning sticker example is stepladders: http://www.michigan.gov/documents/cis_wsh_cet0403_103227_7.pdf Note that there is no interlock to prevent you from using the stepladder as a straight ladder or from using it on uneven slopes. <tongueincheek> Stepladder safety interlocks could be created - just think how much the world would save in emergency room costs if we eradicated stepladder injuries. </tongueincheek>
A related classic: http://1.bp.blogspot.com/_XEQbaTzjzsw/SGDiFJSSyyI/AAAAAAAAB5o/0NbNlsZI_5o/s320/unsafe+ladder+on+truck.jpg
[snip]
Best regards, gvb
On Wed 1 Jul 2009 07:46, Richard Stallman pondered:
I can't see how someone can deny access to the network, while still allowing anyone's software to be run on the device, without some sort of key system in the networking hardware - is that what you had in mind?This is aimed at cell phone networks: it recognizes they are allowed to make the network refuse to talk to a phone if the users's changes cause the phone to screw up the network.
There is a difference between the network not talking to you, and you not able to be on the network.
Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.
The way I read that is that it is the unit you are on will have it's radio off, and you will not be able to use it, not the network will not talk to you.
You could apply the same thing to VoIP phones...
When XXXX manufacture makes a VoIP phone, they test it against various networking tests (all internal, since they are not required to release this info) to make sure that it acts "properly" on the network. They sign this image to make sure that flash is not failing. If something doesn't match the signature - how can the manufacture believe that is doesn't violate the rules or protocols of ethernet? So - it denies access to the network - by not booting that image. That is the only way that they can deny access to the network all SoC variations that I'm familiar with.
This is in no way trying to interperate the GPL3 for others (that is for lawyers to do) - but just a question from an interested developer - to me - it seems like tivo all over again. All Tivo needs to do is just make the network a piece of their application - and they have an out...
-Robin
Robin Getz sez,
This is in no way trying to interperate the GPL3 for others (that is for lawyers to do) - but just a question from an interested developer - to me - it seems like tivo all over again. All Tivo needs to do is just make the network a piece of their application - and they have an out...
I have an example using gambling machines. Say I have a friend Don Drakulich who runs a small peep show empire and has bought a five hundred slot machines from a defunct Los Vegas Casino. Don Drakulich thinks of himself as and honest businessman, meaning he has free and clear title to these machines having bought them at an auction. And why he plans on repurposing them as adult video peep show consoles.
They're perfect being based on slightly modified open source dev board running Linux. But however they have 'secure boot' so he can't modify the software so that they can legally be used in his peep show booths.
But then again because his software developer has contacts with a board assembly house, he is able to get the secure boot processors replaced at a mere cost of $20 per unit or $10,000 for the lot. No big deal.
So it sounds to me that secure boot has merely annoyed honset guys like Don. And not even slowed down the Serbian Mafia because they have a couple of their software guys working for a slot machine manufacturer.
But you're made it hard for someone who casually comes into possession of a slot machine to re-purpose it as say a video jukebox.
Also if anyone is still reading at this point I'll say this having worked on industrial controls that can both kill people or cause expensive damage to machines, equipment and product. The general trend is that the safety monitoring system must be separate from the command and control system.
IE, the PLC can try to turn on the $100,000 vacuum pump when the oil level is too low, but the safety interlock won't let the pump turn on. That's the world I come out of and it's why I find all of the GPL-V3 will negative impact product safety arguements lacking. And why I can assure you that none of the people involved in those industries care about the GPL.
And I'll say this, if you are primarily relying on a piece of software to prevent injury or death you really need to rethink what you are doing. For a good example of what can happen one can view this US Chemical Safety Board report on a accident that occurred at at facility involving controls that I personally worked on.
http://www.chemsafety.gov/investigations/detail.aspx?SID=30
Matt Harper. Tehama Wireless.
> Access to a network may be denied when the modification itself materially > and adversely affects the operation of the network or violates the rules > and protocols for communication across the network.
The way I read that is that it is the unit you are on will have it's radio off,
I think you have misinterpreted those words. Denying a user or a machine access to a network means cutting off communication in the network, not altering the machine.
This clause is not an exception to the requirement for installation information. Cell phones must offer installation information just like other User Products.
This clause says that, if a phone network operator sells you a phone with GPLv3-covered code, it does not thereby promise to continue trying providing service to the phone if your changes cause it not violate protocols and mess up network service. The operator is allowed to cut off service for this phone as it would any other malfunctioning phone.
On Thu 2 Jul 2009 09:56, Richard Stallman pondered:
> Access to a network may be denied when the modification itself > materially and adversely affects the operation of the network > or violates the rules and protocols for communication across > the network. The way I read that is that it is the unit you are on will have it's radio off,I think you have misinterpreted those words. Denying a user or a machine access to a network means cutting off communication in the network, not altering the machine.
If the cell phone operator's "rule" says that operating of a modified device should not effect non-modified devices in close proximity (jamming - which I think meets the "materially and adversely affects the operation of the network" statement) - in a TDMA network (like GSM is) - the only way to enforce that rule - is on the client side - not on the network side. There is nothing on the network side you can do to stop that that I'm aware of.
I'm aware that most devices today separate the datapump and the application processor, but this doesn't seem to be the trend - the trend is run both on the same CPU (as it decreases the cost).
This clause is not an exception to the requirement for installation information. Cell phones must offer installation information just like other User Products.
Right - but the cell phone provider should have the ability to alter the state of the device (not allow the radio to be turned on), so it can't "adversely affects the operation of the network" - shouldn't they?
Or is this where one person's freedom (the ability to modify their phone, and turn it into a jamming device), is more important than the freedom of everyone else to actually use their phones on the same network. (Which actually - wouldn't be a completely bad idea - when I have been standing near someone talking too loud into their phone in a public place, I often wish for a jam the network app on my phone :)
Robin Getz wrote:
On Thu 2 Jul 2009 09:56, Richard Stallman pondered:
> Access to a network may be denied when the modification itself > materially and adversely affects the operation of the network > or violates the rules and protocols for communication across > the network. The way I read that is that it is the unit you are on will have it's radio off,I think you have misinterpreted those words. Denying a user or a machine access to a network means cutting off communication in the network, not altering the machine.
If the cell phone operator's "rule" says that operating of a modified device should not effect non-modified devices in close proximity (jamming - which I think meets the "materially and adversely affects the operation of the network" statement) - in a TDMA network (like GSM is) - the only way to enforce that rule - is on the client side - not on the network side. There is nothing on the network side you can do to stop that that I'm aware of.
I'm aware that most devices today separate the datapump and the application processor, but this doesn't seem to be the trend - the trend is run both on the same CPU (as it decreases the cost).
This clause is not an exception to the requirement for installation information. Cell phones must offer installation information just like other User Products.
Right - but the cell phone provider should have the ability to alter the state of the device (not allow the radio to be turned on), so it can't "adversely affects the operation of the network" - shouldn't they?
Or is this where one person's freedom (the ability to modify their phone, and turn it into a jamming device), is more important than the freedom of everyone else to actually use their phones on the same network. (Which actually - wouldn't be a completely bad idea - when I have been standing near someone talking too loud into their phone in a public place, I often wish for a jam the network app on my phone :)
In the United States, most radio transmitters must be type accepted (certified) by the Federal Communications Commission. Modification voids the type acceptance, so operating a modified mobile phone on its original frequencies would be illegal regardless of what the phone company's rules say. However, no certification is necessary for transmitters operated according to the rules for the Amateur Radio Service. Thus, an licensed amateur could legally use a modified mobile phone, provided it transmitted on frequencies allocated for amateur radio and met the other requirements for amateur operation, including not causing harmful interference to other services.
This has been the situation in the US for many years, and I believe almost all countries are at least as restrictive.
Best regards, Larry
On Thu 2 Jul 2009 12:11, Larry Johnson pondered:
In the United States, most radio transmitters must be type accepted (certified) by the Federal Communications Commission. Modification voids the type acceptance, so operating a modified mobile phone on its original frequencies would be illegal regardless of what the phone company's rules say. However, no certification is necessary for transmitters operated according to the rules for the Amateur Radio Service. Thus, an licensed amateur could legally use a modified mobile phone, provided it transmitted on frequencies allocated for amateur radio and met the other requirements for amateur operation, including not causing harmful interference to other services.
Assuming that the _licensed_ amateur could modify the phone enough that it _could_ operate on frequencies allocated for amateur use.
The only thing that would be potentially close is a European GSM phone:
Rx Tx E-GSM-900 880.0–915.0 925.0–960.0 MHz R-GSM-900 876.0–915.0 921.0–960.0 MHz T-GSM-900 870.4–876.0 915.4–921.0 MHz
& the US amateur band at 902 - 928 MHz.
I don't think any of the CDMA phones are close enough to the amateur bands to have a hope of working - but I'm not as familiar with CDMA as GSM.
Robin Getz sez,
Assuming that the _licensed_ amateur could modify the phone enough that it _could_ operate on frequencies allocated for amateur use.
The only thing that would be potentially close is a European GSM phone:
Rx TxE-GSM-900 880.0–915.0 925.0–960.0 MHz R-GSM-900 876.0–915.0 921.0–960.0 MHz T-GSM-900 870.4–876.0 915.4–921.0 MHz
& the US amateur band at 902 - 928 MHz.
That would be the US ISM band.
I don't think any of the CDMA phones are close enough to the amateur bands to have a hope of working - but I'm not as familiar with CDMA as GSM.
Since I actually do wireless work I'll make another comment.
There are research and development exemptions to the licensing requirements. Ergo I can build, test or modify any radio I want for research purposes no license required.
What I can't do is deploy or sell them.
Even with licensed devices changes to the hardware or firmware are allowed as long an an engineer believes that the changes will not have any effect on the radio's meeting the applicable standards.
Also for radios operating on the cellular band there are really two licenses. One is the regulatory license. The other is the carriers certification.
Matt Harper Tehama Wireless
Robin Getz a écrit :
On Thu 2 Jul 2009 09:56, Richard Stallman pondered:
This clause is not an exception to the requirement for installation information. Cell phones must offer installation information just like other User Products.
Right - but the cell phone provider should have the ability to alter the state of the device (not allow the radio to be turned on), so it can't "adversely affects the operation of the network" - shouldn't they?
Or is this where one person's freedom (the ability to modify their phone, and turn it into a jamming device), is more important than the freedom of everyone else to actually use their phones on the same network. (Which actually - wouldn't be a completely bad idea - when I have been standing near someone talking too loud into their phone in a public place, I often wish for a jam the network app on my phone :)
An operator can only deny the access to his network. It can't *legaly* modify the user device without the user agreement. A user is *technically* free to modify a device to do what he want. But it can't *legaly* emit a signal not in conformance to the relevant regulations. There is a lot of them in the case of the a GSM/3G device: http://www.3gpp.mobi/specifications
Jean-Christian de Rivaz
If the cell phone operator's "rule" says that operating of a modified device should not effect non-modified devices in close proximity (jamming - which I think meets the "materially and adversely affects the operation of the network" statement)
It makes no difference, because the text in GPLv3 says nothing about this. It does not say that the network operator power gets all power he might "need" to enforce whatever rules he may make. It only recognizes that he is allowed to deny access to use his own network.
Right - but the cell phone provider should have the ability to alter the state of the device (not allow the radio to be turned on), so it can't "adversely affects the operation of the network" - shouldn't they?
No, they should not have such power. And in fact they do not have such power, with phones not tied to one provider.
It is impossible to stop people from making radio jammers, so it is pointless to go to excess just to block one of the many possible methods.
Richard,
Richard Stallman wrote:
While I probably would not want to change my glucometer, the practice of designing hardware so that people cannot change it is becoming more and more of a threat to our freedom in general.
Can you be a bit more specific on this? Which devices are you aware of, that use GPLv2 code and avoid an update? Except the once we were discussing here where it is questionable wheter the user actual should refrain from doing so, like medical devices and safety critical devices?
We heard about Tivo, but what other devices are there? Or are we talking about a possibility which has already outworn itself (like DRM media, which seem to be getting more and more unpolular)?
wkr, Thomas.
> While I probably would not want to change my glucometer, the practice > of designing hardware so that people cannot change it is becoming more > and more of a threat to our freedom in general.
Can you be a bit more specific on this? Which devices are you aware of, that use GPLv2 code and avoid an update?
This is a partial miscommunication -- I was talking more generally of designing hardware so that people cannot change it, so it controls them. Sometimes the hardware might contain tivoized software too, but that is an evil we already understand. The point that just struck me is that the hardware can be a system of control even aside from possible tivoization.
But I don't have a list of examples.
about a possibility which has already outworn itself (like DRM media, which seem to be getting more and more unpolular)?
I wish we could regard DRM as a fading threat. In music we see a retreat from DRM, but in e-books the threat is increasing.
I hope that our campaign against DRM is succeeding in building opposition. See DefectiveByDesign.org if you want to participate.
On Thu, Jul 2, 2009 at 9:56 AM, Richard Stallmanrms@gnu.org wrote:
about a possibility which has already outworn itself (like DRM media, which seem to be getting more and more unpolular)?
I wish we could regard DRM as a fading threat. In music we see a retreat from DRM, but in e-books the threat is increasing.
I hope that our campaign against DRM is succeeding in building opposition. See DefectiveByDesign.org if you want to participate.
You'd make me happy if I was able to access cable TV signals I have paid for without DRM. I can't stand having to rent cable boxes everywhere for the sole purpose of decoding DRM that I don't want.
U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
On Thursday 02 July 2009 10:44:39 Jon Smirl wrote:
On Thu, Jul 2, 2009 at 9:56 AM, Richard Stallmanrms@gnu.org wrote:
about a possibility which has already outworn itself (like DRM media, which seem to be getting more and more unpolular)?
I wish we could regard DRM as a fading threat. In music we see a retreat from DRM, but in e-books the threat is increasing.
I hope that our campaign against DRM is succeeding in building opposition. See DefectiveByDesign.org if you want to participate.
You'd make me happy if I was able to access cable TV signals I have paid for without DRM. I can't stand having to rent cable boxes everywhere for the sole purpose of decoding DRM that I don't want.
i'm fairly certain you can sue over that. i recall comcast or charter or some other large cable company getting spanked because they forced a lock in to their cable boxes thus preventing the consumer from using any other cable box provider. -mike
You'd make me happy if I was able to access cable TV signals I have paid for without DRM.
I think it is not quite correct to call cable scrambling DRM. DRM restricts the use of data you have a copy of. Cable scrambling prevents you from getting the data if you do not pay for the descrambler; however, as far as I know, once you do have the descrambler, and do get the data, it does not seriously impede your use of the data.
So this is more akin to buying a copy than to DRM. When I speak of abolishing DRM, it doesn't include this.
On Fri, Jul 03, 2009 at 09:47:20AM -0400, Richard Stallman wrote:
You'd make me happy if I was able to access cable TV signals I have paid for without DRM.I think it is not quite correct to call cable scrambling DRM. DRM restricts the use of data you have a copy of. Cable scrambling prevents you from getting the data if you do not pay for the descrambler; however, as far as I know, once you do have the descrambler, and do get the data, it does not seriously impede your use of the data.
This is not correct (any more). With the advent of CI+ for DVB (the european-originated version of digital TV meanwhile used in several parts of the world), the cable operators have the possibility to only allow descrambling by CI+ capable receivers/descrambling modules. However, to be CI+ compliant, all receivers and descrambling modules have to be certified and have to authenticate against each other to prevent CI+-compliant operation if this authentication fails. This is necessary because the CI+ specification mandates that any receiver operating a CI+ descrambling module honors the operator-sent bits specifying what you are allowed to do with the "descrambled" signal: analog/digital outputs, store on a disk (the time to stay there can be limited by the operator), and so on.
Needless to mention that you have to prove secure boot to get CI+ certification (and thus a valid certificate).
There's much more to this, but I hope you get the idea.
Regards, Wolfgang
With the advent of CI+ for DVB (the european-originated version of digital TV meanwhile used in several parts of the world), the cable operators have the possibility to only allow descrambling by CI+ capable receivers/descrambling modules. However, to be CI+ compliant, all receivers and descrambling modules have to be certified and have to authenticate against each other to prevent CI+-compliant operation if this authentication fails.
Cable decoders as such are not DRM, but CI+ is DRM.
Products designed to meet this specification are an attack on people's freedom. Making these products is inexcusable. People should protest them, not buy them.
Needless to mention that you have to prove secure boot to get CI+ certification (and thus a valid certificate).
There's much more to this, but I hope you get the idea.
I get the idea: the plan is simply evil. It is designed to subjugate users. The reason for the installation info requirements in GPLv3 is so that our software cannot be used for this.
Governments which have passed such laws are the enemies of their citizens. Fighting back against the companies which make these products is the first step for the citizens to reconquer their own countries. DRM systems like this ought to be illegal.
On Fri, Jul 3, 2009 at 9:47 AM, Richard Stallmanrms@gnu.org wrote:
You'd make me happy if I was able to access cable TV signals I have paid for without DRM.
I think it is not quite correct to call cable scrambling DRM. DRM restricts the use of data you have a copy of. Cable scrambling prevents you from getting the data if you do not pay for the descrambler; however, as far as I know, once you do have the descrambler, and do get the data, it does not seriously impede your use of the data.
So this is more akin to buying a copy than to DRM. When I speak of abolishing DRM, it doesn't include this.
The encrypted digital cable signal comes out from the cable box as HDCP encrypted HDMI. Your TV securely decrypts this.
A complex loop hole exists in the ability to re-digitize the analog component out signals. This is what a SlingBox does. The cable industry is on a schedule to remove component out two years from now. When component out is gone there will be no more analog hole.
Broadcast TV signals are carried in the clear. That's five out of the 600 channels on a normal cable system. The other 595 are encrypted.
Digital TV spells the end for the MythTV project and to some extent the death of TIVO. The only DVR you will be able to use is the one you rent from the cable company.
So I am paying for those 595 channels with no ability to archive them under my control unless I rent a secured DVR from the cable company. I took the disk out of mine, the information on the disk is encrypted.
Recently the head of the MPAA has been quoted as saying that the only fair use exemption is to use a video camera to photograph your TV.
On Fri, Jul 03, 2009 at 09:47:20AM -0400, Richard Stallman wrote:
You'd make me happy if I was able to access cable TV signals I have paid for without DRM.I think it is not quite correct to call cable scrambling DRM. DRM restricts the use of data you have a copy of. Cable scrambling prevents you from getting the data if you do not pay for the descrambler; however, as far as I know, once you do have the descrambler, and do get the data, it does not seriously impede your use of the data.
It requires that I use a specific tuner, whereas unscrambled channels allow me to use any tuner (including one built into the TV, VCR, DVR, etc). Often this tuner must be rented from the cable company on a per-TV basis, in addition to the cost of subscribing to the channels -- and channel changing from a DVR must happen via a sluggish and sometimes error-prone infrared interface.
It's not as bad as full DRM, sure, but it's more annoying than if they'd just filtered out the unsubscribed channels.
-Scott
That is great - and I applaud your efforts. I think that the work you are doing is valuable, and the contributions you have made have been critically important to the free and closed software developments that people to today.
If you mean that my work has contrubuted to non-free software developments, I am not proud of that. It is not a good thing that people develop or use non-free software.
(I don't refer to proprietary software as "closed source", since what I advocate is not "open source".)
On Tue 30 Jun 2009 15:12, Richard Stallman pondered:
That is great - and I applaud your efforts. I think that the work you are doing is valuable, and the contributions you have made have been critically important to the free and closed software developments that people to today.If you mean that my work has contrubuted to non-free software developments, I am not proud of that. It is not a good thing that people develop or use non-free software.
Not to go down a rat hole - but as a normal part of development of non-free software, people use emacs, gcc, and gdb all the time - you aren't proud of the contributions you made to those projects?
I was trying to say that your efforts have changed the face of computing in general, in both that it has created the "free" and "non-free" software software categories, and helped inform users of their freedoms they should be expecting.
To use someone else's words - an IDC 2006 study "Open Source in Global Software: Market Impact, Disruption, and Business Models" described free software and open source as "the most significant all-encompassing and long-term trend that the software industry has seen since the early 1980s" and found that over 70 percent of all developers are leveraging open-source and free software.
In any movement - there needs to be the golden standard - that is unwavering in its ethics and standards. Not everyone likes that standard - but it needs to be there.
Not to go down a rat hole - but as a normal part of development of non-free software, people use emacs, gcc, and gdb all the time - you aren't proud of the contributions you made to those projects?
Yes, I am, but not because they help proprietary software.
What I set out to change is not the face of computing but rather its ethical heart.
On Wed 1 Jul 2009 07:45, Richard Stallman pondered:
Not to go down a rat hole - but as a normal part of development of non-free software, people use emacs, gcc, and gdb all the time - you aren't proud of the contributions you made to those projects?Yes, I am, but not because they help proprietary software.
http://www.fsf.org/licensing/licenses/gpl-faq.html#CanIUseGPLToolsForNF
As it happens, Bison can also be used to develop non-free programs. This is because we decided to explicitly permit the use of the Bison standard parser program in Bison output files without restriction. We made the decision because there were other tools comparable to Bison which already permitted use for non-free programs.
If you aren't happy that they help proprietary software - why not change the license to make it so? You recently had the chance to do that with the gcc runtime libraries - but you (or the FSF/GCC steering committee) also decided not to.
http://www.fsf.org/licensing/licenses/gcc-exception-faq.html
However, the FSF decided long ago to allow developers to use GCC's libraries to compile any program, regardless of its license.
[snip]
We decided to permit this because forbidding it seemed likely to backfire, and because using small libraries to limit the use of GCC seemed like the tail wagging the dog.
I don't understand the how on one hand there is the "uncompromising attitude on ethical issues" (at least according to wikipedia) - but the FSF decides the practical considerations for other projects - "the tail wagging the dog".
How is the certification authority issue - whether is is a cell carrier (which the GPL3 says is an acceptable certification authority) and the FDA (which the GPL3 does not say is acceptable) determine when something is the tail or the dog?
I just don't understand the difference?
-Robin
> As it happens, Bison can also be used to develop non-free programs. This is > because we decided to explicitly permit the use of the Bison standard > parser program in Bison output files without restriction. We made the > decision because there were other tools comparable to Bison which already > permitted use for non-free programs.
If you aren't happy that they help proprietary software - why not change the license to make it so? You recently had the chance to do that with the gcc runtime libraries - but you (or the FSF/GCC steering committee) also decided not to.
I have a feeling those actions would backfire. Proprietary software is always bad, but that doesn't mean every possible attack against proprietary software is always good.
http://www.fsf.org/licensing/licenses/gcc-exception-faq.html > We decided to permit this because forbidding it seemed likely to > backfire, and because using small libraries to limit the use of GCC seemed > like the tail wagging the dog.
I don't understand the how on one hand there is the "uncompromising attitude on ethical issues" (at least according to wikipedia) - but the FSF decides the practical considerations for other projects - "the tail wagging the dog".
The decision being discussed in that page is a decision for GCC, not a decision "for other projects". (We can't decide for other projects.) The text describes why we did not put a stronger condition in a certain GCC license.
How is the certification authority issue - whether is is a cell carrier (which the GPL3 says is an acceptable certification authority) and the FDA (which the GPL3 does not say is acceptable) determine when something is the tail or the dog?
This has wandered rather far away from what the GPL says and from what I said. A cell phone carrier is not a certification authority, but the question is irrelevant to GPLv3 since it gives no special privilege to certification authorities.
Maybe you should be working with these types of certification authorities, rather than individual developers?
I would be glad to do so. I have no contacts in the FDA, and I am not so famous that mere mention of my name would make them pay attention. But maybe some of these developers could introduce me to someone useful to talk with. If you know them, would you like to try?
I'm sure that you could get a meeting with Ms Hamburg or Aneesh Chopra before I could
Who are they? Can you tell me how to contact them?
http://www.fda.gov/AboutFDA/CommissionersPage/default.htm
I will send mail to fetch that page.
If I see any chance of discussing this with them, I will at that point want to read the relevant certifications so that I can speak with them fully briefed.
On Tue 30 Jun 2009 15:12, Richard Stallman pondered:
Maybe you should be working with these types of certification authorities, rather than individual developers?I would be glad to do so. I have no contacts in the FDA, and I am not so famous that mere mention of my name would make them pay attention.
But maybe some of these developers could introduce me to someone useful to talk with. If you know them, would you like to try?
Can't promise much - but I can poke around.
I'm sure that you could get a meeting with Ms Hamburg or Aneesh Chopra before I couldWho are they? Can you tell me how to contact them?
Aneesh Chopra was Virginia’s Fourth Secretary of Technology, and has recently been sworn in as the Federal CTO.
http://radar.oreilly.com/2009/04/aneesh-chopra-great-federal-cto.html
http://www.fda.gov/AboutFDA/CommissionersPage/default.htmI will send mail to fetch that page.
If I see any chance of discussing this with them, I will at that point want to read the relevant certifications so that I can speak with them fully briefed.
Aneesh Chopra was Virginia s Fourth Secretary of Technology, and has recently been sworn in as the Federal CTO.
I doubt I could get an appointment with such a high-ranked "public servant" without help from a high-ranked public master (businessman). But we can try.
if the GNU project wants people to use the GPLv3 and people have a perception of it being crap, then it's their problem to address it.
I don't think there is much danger of that. Many software packages use GPLv3 and are appreciated by many users.
But there is a deeper point to make. The substance of what we do is our own responsibility, but others' "perception" of it is more directly their responsibility than ours. When we face an ethical issue, we should think about what is right and then do it. We should not back down merely because of disparagement from those who disagree.
On Thursday 25 June 2009 19:29:47 Richard Stallman wrote:
if the GNU project wants people to use the GPLv3 and people have a perception of it being crap, then it's their problem to address it.I don't think there is much danger of that. Many software packages use GPLv3 and are appreciated by many users.
But there is a deeper point to make. The substance of what we do is our own responsibility, but others' "perception" of it is more directly their responsibility than ours. When we face an ethical issue, we should think about what is right and then do it. We should not back down merely because of disparagement from those who disagree.
then i guess since u-boot is already doing what is right, this thread is a big waste of time -mike
then i guess since u-boot is already doing what is right, this thread is a = big=20 waste of time
I hope the main developers of U-Boot will conclude that it is right to move to GPLv3.
On Saturday 27 June 2009 16:07:36 Richard Stallman wrote:
then i guess since u-boot is already doing what is right, this thread is a big waste of timeI hope the main developers of U-Boot will conclude that it is right to move to GPLv3.
guess that depends on what you're defining as "main developers". if you look at the statistics of people who are actually doing the majority of the work, many have chimed in that they do not wish to move to the GPL-3. if your assumption is that the "noisy" people in this thread arent doing any real work wrt u-boot contributions, you're sorely mistaken. -mike
their response is simply "fine, we'll move on to the next= =20 guy who will satisfy our requirements".
When people offer to use my programs if I relax the license requirements, my respose to them is, "If you don't use my software, that's your loss."
On Wednesday 24 June 2009 20:59:47 Richard Stallman wrote:
their response is simply "fine, we'll move on to the next= =20 guy who will satisfy our requirements".When people offer to use my programs if I relax the license requirements, my respose to them is, "If you don't use my software, that's your loss."
feel free to go write your own bootloader then. or improve grub2 such that it can actually compete with u-boot. then you may make these statements all you like. -mike
On Wed, Jun 24, 2009 at 11:35 PM, Mike Frysingervapier@gentoo.org wrote:
On Wednesday 24 June 2009 20:59:47 Richard Stallman wrote:
their response is simply "fine, we'll move on to the next= =20 guy who will satisfy our requirements".
When people offer to use my programs if I relax the license requirements, my respose to them is, "If you don't use my software, that's your loss."
feel free to go write your own bootloader then. or improve grub2 such that it can actually compete with u-boot. then you may make these statements all you like. -mike
These kind of snide comments don't address the point and it really bugs me, just like the typical political response of "if you don't like 'x' then move to another country".
Richard is simply explaining how he thinks and feels, his point of view. Most people are aware that it is within their rights to implement software as they so choose. Be confident enough in your opinion and viewpoint to let others opinions stand without this kind of nonsense.
Chris
On Thu, Jun 25, 2009 at 12:48:12PM -0400, Chris Morgan wrote:
These kind of snide comments don't address the point and it really bugs me, just like the typical political response of "if you don't like 'x' then move to another country".
Actually, it's more like repeatedly telling a telemarketer, "Sorry, I'm not interested."
-Scott
Hi Scott,
On Tue, Jun 23, 2009 at 06:33:53PM +0200, Detlev Zundel wrote:
Also this is one of the objections worded on the mailing list, namely that such a cooperation will be impossible in the future if U-Boot moves to GPLv3.
As a base for reasonable discussion, I think we need to evaluate those claims and back them up by actual figures. Only then the real effort needed to move and the potential loss of "code immigration" can be estimated.
The NAND subsystem is from Linux and is GPL v2 only, as is the u-boot-specific NAND code in drivers/mtd/nand.
Ok, thanks for that info. Subtracting the drivers this is ~5k LOC, right?
nand_ecc.c is an exception, which not only has the "or later" language but also has an exception that makes it non-viral.
Why do you refer to one of the most important aspects of the effectiveness of the GPL as being viral? GPLd software neither attacks nor infects software so the wording is actively misleading.
env_nand.c is v2-or-later. cmd_nand.c has no explicit license.
In summary: If you switch to v3, you lose much of NAND. Unless RMS volunteers to rewrite it. :-)
Is there any chance of convincing those authors to change that?
Apart from the the above reasons, currently most people who voiced their opinion (not too many right now) oppose the move. The reasoning seems to be that companies using U-Boot inside a commercial product consider it to be "a neccessary precondition to only accept blessed firmware upgrades" (my wording). What motivates this argument is not completely clear to me. Maybe it is fear of being liable as a product vendor to faulty sw upgrades.
Regardless of what motivates it, people who sell hardware to such customers (and who also contribute to u-boot) may not want to risk losing that business by pushing GPLv3 on them.
Actually I want to understand why people fear to "loose business" with GPLv3. What is the exact scenario that is so threatening? Unless this is understood, it is hard to argue in any way.
Cheers Detlev
On Wed, Jun 24, 2009 at 11:09:49AM +0200, Detlev Zundel wrote:
nand_ecc.c is an exception, which not only has the "or later" language but also has an exception that makes it non-viral.
Why do you refer to one of the most important aspects of the effectiveness of the GPL as being viral? GPLd software neither attacks nor infects software so the wording is actively misleading.
I was referring to the "if you link me in, the entire project must be under my terms" clause. I refer to it as viral because that is the typical terminology for this sort of license -- so named because it can lead to software being licensed under GPL that otherwise wouldn't have been just so it can be combined with existing GPL software, and then yet more software licenses under GPL so it can link with *that* software (now devoid of the original code whose author explicitly chose GPL), etc.
Whether it is a good thing is a matter of personal opinion, which I was trying to keep out of that e-mail.
Looks like I failed. :-)
Regardless of what motivates it, people who sell hardware to such customers (and who also contribute to u-boot) may not want to risk losing that business by pushing GPLv3 on them.
Actually I want to understand why people fear to "loose business" with GPLv3. What is the exact scenario that is so threatening? Unless this is understood, it is hard to argue in any way.
U-boot contributor A wants to sell hardware to customer B, who wants secure boot, or for any other reason does not want to involve themselves in GPL3. I'm not going to provide names, but this is not hypothetical. If nobody wanted to do the things that GPLv3 prevents, there wouldn't be a GPLv3. :-)
U-boot goes GPLv3. A has a choice to continue developing on mainline u-boot, in which case one of these happens:
1. A develops *another* bootloader in parallel (possibly based on old GPLv2 u-boot) for customer B, 2. B develops (or acquires) their own firmware, or 3. B buys hardware from someone else who provides non-GPL3 firmware.
#2 seems unlikely if #3 is a reasonable option -- and if A is going to do #1, why wouldn't they develop *only* that non-GPL3 firmware if it is a superset of usefulness to A (who doesn't particularly care about the GPL3 agenda)? In other words, a fork.
-Scott
There is an enormous practical consideration stopping the licensing change. u-boot has not required copyright assignment. This means that every single person that has contributed code to u-boot needs to give their permission for the change. This includes the authors of code copied from the Linux kernel. It isn't good enough to just post to the email list and ask for the change, you have to make sure that every single person has been asked even if they aren't paying attention to the list. If any of these people object (and some already have objected) their contribution will need to be identified, removed and rewritten.
This is not a comment on the merits or faults of the GPL v3. It is just an assessment of the logistical effort required to do the change. IMHO it would be easier to just write a new boot loader from scratch, require copyright assignment on contributions and start off with the GPL v3 initially.
Hi Jon,
There is an enormous practical consideration stopping the licensing change. u-boot has not required copyright assignment. This means that every single person that has contributed code to u-boot needs to give their permission for the change.
This is not correct. People who wrote code under "GPLv2 or later" licenses would not need to be queried. The project could use the sources under a later version.
Cheers Detlev
On Wed, Jun 24, 2009 at 12:56 PM, Detlev Zundeldzu@denx.de wrote:
Hi Jon,
There is an enormous practical consideration stopping the licensing change. u-boot has not required copyright assignment. This means that every single person that has contributed code to u-boot needs to give their permission for the change.
This is not correct. People who wrote code under "GPLv2 or later" licenses would not need to be queried. The project could use the sources under a later version.
There is a mix of GPLv2 or later and GPLv2 code. You will have to sort which license applies. Let's hope nobody modified a GPL v2 header in any file to say "GPL v2 or later". That would open a giant can of worms.
This is a giant administrative nightmare. The effort for doing this exceeds the effort require to write a new boot loader. Require copyright assignment on the new boot loader and then the license can be easily changed.
Hi Jon,
On Wed, Jun 24, 2009 at 12:56 PM, Detlev Zundeldzu@denx.de wrote:
Hi Jon,
There is an enormous practical consideration stopping the licensing change. u-boot has not required copyright assignment. This means that every single person that has contributed code to u-boot needs to give their permission for the change.
This is not correct. People who wrote code under "GPLv2 or later" licenses would not need to be queried. The project could use the sources under a later version.
There is a mix of GPLv2 or later and GPLv2 code. You will have to sort which license applies.
Sure.
Let's hope nobody modified a GPL v2 header in any file to say "GPL v2 or later". That would open a giant can of worms.
We can trace with through the version control - it is doable.
This is a giant administrative nightmare. The effort for doing this exceeds the effort require to write a new boot loader. Require copyright assignment on the new boot loader and then the license can be easily changed.
How do you arrive at this conclusion? I rather say that if one was to seriously try this it can be done in a few weeks/months by one or two persons. The FSF offered to help track down people even.
Reimplementing the current U-Boot code base is orders of magnitude away from this.
Cheers Detlev
Hi Scott,
On Wed, Jun 24, 2009 at 11:09:49AM +0200, Detlev Zundel wrote:
nand_ecc.c is an exception, which not only has the "or later" language but also has an exception that makes it non-viral.
Why do you refer to one of the most important aspects of the effectiveness of the GPL as being viral? GPLd software neither attacks nor infects software so the wording is actively misleading.
I was referring to the "if you link me in, the entire project must be under my terms" clause.
For sure I know what you meant, but the term "virus" has a mental baggage way too big. I believe a metaphor only to be helpful if the attached concepts shed new light on the "target domain", but this is simply not the case here.
Of course I cannot forbid your using the word, but one should point out that the connotations are misleading.
Regardless of what motivates it, people who sell hardware to such customers (and who also contribute to u-boot) may not want to risk losing that business by pushing GPLv3 on them.
Actually I want to understand why people fear to "loose business" with GPLv3. What is the exact scenario that is so threatening? Unless this is understood, it is hard to argue in any way.
U-boot contributor A wants to sell hardware to customer B, who wants secure boot, or for any other reason does not want to involve themselves in GPL3. I'm not going to provide names, but this is not hypothetical. If nobody wanted to do the things that GPLv3 prevents, there wouldn't be a GPLv3. :-)
Actually I was trying to get more information about what those "things that GPLv3" prevents and customers want are - and what business model they are a part of.
It may come as a surprise, but I believe that the percentage of boards supported by U-Boot which are used in such scenarios is pretty small. Likely many of the newly added boards will fall into this category, but from the hundreds already supported not many will even care.
To get a better impression about this ratio should also be an important point in this discussion.
U-boot goes GPLv3. A has a choice to continue developing on mainline u-boot, in which case one of these happens:
- A develops *another* bootloader in parallel (possibly based on old GPLv2
u-boot) for customer B, 2. B develops (or acquires) their own firmware, or 3. B buys hardware from someone else who provides non-GPL3 firmware.
#2 seems unlikely if #3 is a reasonable option -- and if A is going to do #1, why wouldn't they develop *only* that non-GPL3 firmware if it is a superset of usefulness to A (who doesn't particularly care about the GPL3 agenda)? In other words, a fork.
It is good to actually get more concrete here, but I was really after the original motiviation of people avoiding GPLv3.
Thanks Detlev
> The NAND subsystem is from Linux and is GPL v2 only, as is the > u-boot-specific NAND code in drivers/mtd/nand.
Ok, thanks for that info. Subtracting the drivers this is ~5k LOC, right?
Two ways of dealing with ths include (1) contacting the developers and asking then to relicense, and (2) writing a replacement (it's not that big).
The FSF can't offer to rewrite it, but we could halp find any developers who are now difficult to contact.
On Tue, Jun 23, 2009 at 10:33 AM, Detlev Zundeldzu@denx.de wrote:
Is there any chance of convincing those authors to change that?
Apart from the the above reasons, currently most people who voiced their opinion (not too many right now) oppose the move. The reasoning seems to be that companies using U-Boot inside a commercial product consider it to be "a neccessary precondition to only accept blessed firmware upgrades" (my wording). What motivates this argument is not completely clear to me. Maybe it is fear of being liable as a product vendor to faulty sw upgrades.
That isn't my reasoning. I license under GPLv2 because I like that license. I don't like GPLv3 because I think it is too complex and it tries to solve things that are non-problems for me.
GPLv2 expresses well how I want to license my code. GPLv3 does not.
g.
This is due to us many times (re-)using Linux drivers inside U-Boot.
This won't stop you from making sure all of U-Boot (aside from these drivers) says "GPLv2 or later". Also, you can talk with the developers of the drivers that you need, or might need, to ask them to release their drivers GPLv2+.
The reasoning seems to be that companies using U-Boot inside a commercial product consider it to be "a neccessary precondition to only accept blessed firmware upgrades" (my wording).
What they mean is they think these companies want to tivoize it. I don't know whether that is true. For discussion, let's suppose it is true.
It has no impact whatsoever on making U-boot support GPLv2+.
However, it means that moving to GPLv3+ means a decision about values. Is it good for companies to use your program to deny the users' freedom? Or is it better to defend users' freedom by saying no to those companies? If a company seeks softwart with which to restrict users, would you rather tell them "Please do it with my program" or "I don't want to share the responsibility for what you are doing?"
Is popularity the most important value?
We should also start to actively inform the regularly appearing people on this mailing list complaining that they cannot get the source code to U-Boot of "device xyz" that with a GPLv2 U-Boot this may become a theoretical question in the future when they cannot install the changed binary anymore.
Exactly!
Hi Wolfgang,
I was asked about relicensing U-Boot as GPLv3:
From: Richard Stallman rms@gnu.org Subject: U-book and GPLv3? To: Wolfgang Denk wd@denx.de Date: Thu, 18 Jun 2009 09:17:28 -0400
I really enjoy the name U-boot. What are the advantages of U-boot over PMON?
Have you considered moving U-boot to "GPLv3-or-later"?
I know that we have had similar discussions before (see for example http://thread.gmane.org/gmane.comp.boot-loaders.u-boot/24029), but I would like to take the chance and re-poll what the community's opinion about this is.
For what it's worth, I would appreciate moving to GPLv3. Sparing details, my reasoning is the following. Basically I think most people appreciate the GPL for what it means in pratical terms:
* the freedom to use the software for any purpose, * the freedom to change the software to suit your needs, * the freedom to share the software with your friends and neighbors, * and * the freedom to share the changes you make.
Obviously the second item here will become void if vendor lockout of updates becomes common. So what will be left of the essential freedoms? I can study the code, I can modify it, but I am not allowed to run it. Excellent.
I think it is not a coincidence that devices which can be updated with arbitrary firmware sells pretty good in the meantime. Who buys routers capable of running OpenWRT because of their original firmware?
Of course vendors do still have the possibility to reject any form of warranty or liability once a firmware not provided by them is applied, but still the choice should be made by the person who owns the device. Just think about the "owns" in the previous sentence. Do you really own a device anymore if you cannot fix it? Would you buy a car that you are not allowed to change the tires by yourselves?
Well I get carried away, so I'd rather stop ;)
Cheers Detlev
On Friday 19 June 2009 04:40:59 Detlev Zundel wrote:
I was asked about relicensing U-Boot as GPLv3:
From: Richard Stallman rms@gnu.org Subject: U-book and GPLv3? To: Wolfgang Denk wd@denx.de Date: Thu, 18 Jun 2009 09:17:28 -0400
I really enjoy the name U-boot. What are the advantages of U-boot over PMON?
Have you considered moving U-boot to "GPLv3-or-later"?
I know that we have had similar discussions before (see for example http://thread.gmane.org/gmane.comp.boot-loaders.u-boot/24029), but I would like to take the chance and re-poll what the community's opinion about this is.
For what it's worth, I would appreciate moving to GPLv3. Sparing details, my reasoning is the following. Basically I think most people appreciate the GPL for what it means in pratical terms:
* the freedom to use the software for any purpose, * the freedom to change the software to suit your needs, * the freedom to share the software with your friends and neighbors, * and * the freedom to share the changes you make.Obviously the second item here will become void if vendor lockout of updates becomes common. So what will be left of the essential freedoms? I can study the code, I can modify it, but I am not allowed to run it. Excellent.
and this is why i dislike the GPLv3. the GPLv2 was all about the source, so the conversation between developers and everyone else was "you can take my source and modify it all you want, but i want to see the changes". sounds fair.
GPLv3 (ignoring the fix for the loophole with web applications) adds *nothing* to this premise. instead, it's used as an ideological club such that the conversation is now "i have all these ideas about how software should and shouldnt be utilized, so if you want to use my software, you too now have to subscribe to my way of thinking and you have to show me the changes".
so what does moving from GPLv2 to GPLv3 gain us in terms of protections ? nothing. it does however allow us to restrict the people who want to use u- boot to using it in only ways we've "blessed". that's plain wrong in my eyes and none of our business in the first place.
I think it is not a coincidence that devices which can be updated with arbitrary firmware sells pretty good in the meantime. Who buys routers capable of running OpenWRT because of their original firmware?
then let your wallet/politicians do the talking. i certainly do -- i avoid purchasing any music/games encumbered with DRM, or companies that employ such methods. but i'm above going around and forcing people to think the way i do with licenses. -mike
and this is why i dislike the GPLv3. the GPLv2 was all about the source, so the conversation between developers and everyone else was "you can take my source and modify it all you want, but i want to see the changes". sounds fair.
GPLv3 (ignoring the fix for the loophole with web applications) adds *nothing* to this premise. instead, it's used as an ideological club such that the conversation is now "i have all these ideas about how software should and shouldnt be utilized, so if you want to use my software, you too now have to subscribe to my way of thinking and you have to show me the changes".
so what does moving from GPLv2 to GPLv3 gain us in terms of protections ? nothing. it does however allow us to restrict the people who want to use u- boot to using it in only ways we've "blessed". that's plain wrong in my eyes and none of our business in the first place.
I think it is not a coincidence that devices which can be updated with arbitrary firmware sells pretty good in the meantime. Who buys routers capable of running OpenWRT because of their original firmware?
then let your wallet/politicians do the talking. i certainly do -- i avoid purchasing any music/games encumbered with DRM, or companies that employ such methods. but i'm above going around and forcing people to think the way i do with licenses.
agreed with Mike.
Best Regards, J.
On Sat, 27 Jun 2009, Jean-Christophe PLAGNIOL-VILLARD wrote:
and this is why i dislike the GPLv3. the GPLv2 was all about the
source, so
the conversation between developers and everyone else was "you can
take my
source and modify it all you want, but i want to see the changes".
sounds
fair.
GPLv3 (ignoring the fix for the loophole with web applications) adds
*nothing*
to this premise. instead, it's used as an ideological club such that
the
conversation is now "i have all these ideas about how software should
and
shouldnt be utilized, so if you want to use my software, you too now
have to
subscribe to my way of thinking and you have to show me the changes".
so what does moving from GPLv2 to GPLv3 gain us in terms of
protections ?
nothing. it does however allow us to restrict the people who want to
use u-
boot to using it in only ways we've "blessed". that's plain wrong in
my eyes
and none of our business in the first place.
I think it is not a coincidence that devices which can be updated
with
arbitrary firmware sells pretty good in the meantime. Who buys
routers
capable of running OpenWRT because of their original firmware?
then let your wallet/politicians do the talking. i certainly do -- i
avoid
purchasing any music/games encumbered with DRM, or companies that
employ such
methods. but i'm above going around and forcing people to think the
way i do
with licenses.
agreed with Mike.
Second that.
--- ****************************************************************** * KSI@home KOI8 Net < > The impossible we do immediately. * * Las Vegas NV, USA < > Miracles require 24-hour notice. * ******************************************************************
In article Pine.LNX.4.64ksi.0906271550150.14063@home-gw.koi8.net, ksi@koi8.net says...
On Sat, 27 Jun 2009, Jean-Christophe PLAGNIOL-VILLARD wrote:
and this is why i dislike the GPLv3. the GPLv2 was all about the
source, so
the conversation between developers and everyone else was "you can
take my
source and modify it all you want, but i want to see the changes".
sounds
fair.
GPLv3 (ignoring the fix for the loophole with web applications) adds
*nothing*
to this premise. instead, it's used as an ideological club such that
the
conversation is now "i have all these ideas about how software should
and
shouldnt be utilized, so if you want to use my software, you too now
have to
subscribe to my way of thinking and you have to show me the changes".
so what does moving from GPLv2 to GPLv3 gain us in terms of
protections ?
nothing. it does however allow us to restrict the people who want to
use u-
boot to using it in only ways we've "blessed". that's plain wrong in
my eyes
and none of our business in the first place.
I think it is not a coincidence that devices which can be updated
with
arbitrary firmware sells pretty good in the meantime. Who buys
routers
capable of running OpenWRT because of their original firmware?
then let your wallet/politicians do the talking. i certainly do -- i
avoid
purchasing any music/games encumbered with DRM, or companies that
employ such
methods. but i'm above going around and forcing people to think the
way i do
with licenses.
agreed with Mike.
Second that.
- KSI@home KOI8 Net < > The impossible we do immediately.
Third that.
On Mon, Jun 29, 2009 at 4:56 PM, Arno Fischera.f.dns@novotech.co.at wrote:
In article Pine.LNX.4.64ksi.0906271550150.14063@home-gw.koi8.net, ksi@koi8.net says...
On Sat, 27 Jun 2009, Jean-Christophe PLAGNIOL-VILLARD wrote:
and this is why i dislike the GPLv3. the GPLv2 was all about the
source, so
the conversation between developers and everyone else was "you can
take my
source and modify it all you want, but i want to see the changes".
sounds
fair.
GPLv3 (ignoring the fix for the loophole with web applications) adds
*nothing*
to this premise. instead, it's used as an ideological club such that
the
conversation is now "i have all these ideas about how software should
and
shouldnt be utilized, so if you want to use my software, you too now
have to
subscribe to my way of thinking and you have to show me the changes".
so what does moving from GPLv2 to GPLv3 gain us in terms of
protections ?
nothing. it does however allow us to restrict the people who want to
use u-
boot to using it in only ways we've "blessed". that's plain wrong in
my eyes
and none of our business in the first place.
I think it is not a coincidence that devices which can be updated
with
arbitrary firmware sells pretty good in the meantime. Who buys
routers
capable of running OpenWRT because of their original firmware?
then let your wallet/politicians do the talking. i certainly do -- i
avoid
purchasing any music/games encumbered with DRM, or companies that
employ such
methods. but i'm above going around and forcing people to think the
way i do
with licenses.
agreed with Mike.
Second that.
- KSI@home KOI8 Net < > The impossible we do immediately.
Third that.
Arno: I thought only "main developers" could state their opinion regarding this? You don't seem to be that according to git-log.
Detlev: If one-line patch contributers are allowed to vote (which may not be fair), my vote goes for GPLv3. Keep fighting for freedom ;-)
U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
On Monday 29 June 2009 11:27:35 Frank Svendsbøe wrote:
On Mon, Jun 29, 2009 at 4:56 PM, Arno Fischera.f.dns@novotech.co.at wrote:
Third that.
Arno: I thought only "main developers" could state their opinion regarding this? You don't seem to be that according to git-log.
the question is posed to the community -mike
Hi Frank,
Arno: I thought only "main developers" could state their opinion regarding this? You don't seem to be that according to git-log.
Detlev: If one-line patch contributers are allowed to vote (which may not be fair), my vote goes for GPLv3. Keep fighting for freedom ;-)
We're not holding a formal vote here - reread the beginning - Wolfgang wrote:
I know that we have had similar discussions before (see for example http://thread.gmane.org/gmane.comp.boot-loaders.u-boot/24029), but I would like to take the chance and re-poll what the community's opinion about this is.
The fact that you read this mailing list is probably a good proof that you both are part of the U-Boot community, so actually I appreciate both inputs.
Thanks Detlev
Mike Frysinger wrote:
Obviously the second item here will become void if vendor lockout of updates becomes common. So what will be left of the essential freedoms? I can study the code, I can modify it, but I am not allowed to run it. Excellent.
and this is why i dislike the GPLv3. the GPLv2 was all about the source, so the conversation between developers and everyone else was "you can take my source and modify it all you want, but i want to see the changes". sounds fair.
GPLv3 (ignoring the fix for the loophole with web applications) adds *nothing* to this premise. instead, it's used as an ideological club such that the conversation is now "i have all these ideas about how software should and shouldnt be utilized, so if you want to use my software, you too now have to subscribe to my way of thinking and you have to show me the changes".
so what does moving from GPLv2 to GPLv3 gain us in terms of protections ? nothing. it does however allow us to restrict the people who want to use u- boot to using it in only ways we've "blessed". that's plain wrong in my eyes and none of our business in the first place.
Wow, I was just about to compose a mail summarizing my point of view when I realized you had done it already :-)
While I think fighting for extensible and "hackable" hardware is good, I think a software license is the wrong way to go about it. Let's stick to the proven model of GPLv2: You can use my software if I get to use your improvements. Trying to impose restrictions on this model in order to fight a different battle against restricted hardware will only make the software less attractive and hurt us in the long run.
I think it is not a coincidence that devices which can be updated with arbitrary firmware sells pretty good in the meantime. Who buys routers capable of running OpenWRT because of their original firmware?
then let your wallet/politicians do the talking. i certainly do -- i avoid purchasing any music/games encumbered with DRM, or companies that employ such methods. but i'm above going around and forcing people to think the way i do with licenses.
Exactly. Hardware manufacturers already seem to recognize that open hardware designs lead to better sales, and that has _nothing_ to do with GPLv3 (though it may or may not have something to do with the Defective By Design campaign.)
These are only my personal opinions; I'm not speaking for Atmel as a whole.
Haavard
Dear Haavard Skinnemoen,
In message 20090707135141.7979827c@hskinnemoen-d830 you wrote:
While I think fighting for extensible and "hackable" hardware is good, I think a software license is the wrong way to go about it. Let's stick to the proven model of GPLv2: You can use my software if I get to use your improvements. Trying to impose restrictions on this model in order
The point is that GPLv2 results in situations where you cannot use and modify your own software any more because it is "protected" and any versions you build don't run.
Best regards,
Wolfgang Denk
Wolfgang Denk wrote:
In message 20090707135141.7979827c@hskinnemoen-d830 you wrote:
While I think fighting for extensible and "hackable" hardware is good, I think a software license is the wrong way to go about it. Let's stick to the proven model of GPLv2: You can use my software if I get to use your improvements. Trying to impose restrictions on this model in order
The point is that GPLv2 results in situations where you cannot use and modify your own software any more because it is "protected" and any versions you build don't run.
But this is a problem with the _hardware_, not the software. I think placing restrictions on the hardware design is way outside the scope of a software license.
Even if the hardware is restricted this way, you can still take the software, modify it, and run it on a different, better piece of hardware. If you play your cards right, you might even come out with a healthy profit as people see that your product based on unrestricted hardware is simply _better_ (which is a term I think covers "more free" as well.)
In my experience, the most popular AVR-based boards are the ones that not only allow the firmware to be replaced freely, but which actively encourage modification by making lots of signals available through expansion headers. This kind of "hackability" can never be enforced through any kind of software license.
Haavard
Dear Haavard,
In message 20090707155005.2e4a4d6d@hskinnemoen-d830 you wrote:
The point is that GPLv2 results in situations where you cannot use and modify your own software any more because it is "protected" and any versions you build don't run.
But this is a problem with the _hardware_, not the software. I think placing restrictions on the hardware design is way outside the scope of a software license.
I'm only talking about software (code and data) here. If I cannot change (or just rebuild) the (Free!) software any more because to actually run it I need some secret data (like a signature) then this is still a software problem. One that can be prevented by releasing the software under adequate licensing terms.
In my experience, the most popular AVR-based boards are the ones that not only allow the firmware to be replaced freely, but which actively encourage modification by making lots of signals available through expansion headers. This kind of "hackability" can never be enforced through any kind of software license.
Agreed. Hardware should be hackable, too :-) (which includes documentation where you don't have to sell your soul and sign NDAs that are plain evil).
Best regards,
Wolfgang Denk
Wolfgang Denk wrote:
I'm only talking about software (code and data) here. If I cannot change (or just rebuild) the (Free!) software any more because to actually run it I need some secret data (like a signature) then this is still a software problem. One that can be prevented by releasing the software under adequate licensing terms.
The mechanism preventing reprogramming of the target device is not part of the software being licensed. So I just don't think it's reasonable for us to prevent the software from being used on such devices, even though I don't particularly like such restrictions either.
This assuming GPLv3 actually does prevent such problems, of course. There seems to be a few loopholes in there, as others have pointed out (though I won't claim to fully understand it, which is another reason I'm not particularly fond of it.)
Agreed. Hardware should be hackable, too :-) (which includes documentation where you don't have to sell your soul and sign NDAs that are plain evil).
Absolutely.
Haavard
On Tue, Jul 7, 2009 at 10:43 AM, Wolfgang Denkwd@denx.de wrote:
Dear Haavard,
In message 20090707155005.2e4a4d6d@hskinnemoen-d830 you wrote:
The point is that GPLv2 results in situations where you cannot use and modify your own software any more because it is "protected" and any versions you build don't run.
But this is a problem with the _hardware_, not the software. I think placing restrictions on the hardware design is way outside the scope of a software license.
I'm only talking about software (code and data) here. If I cannot change (or just rebuild) the (Free!) software any more because to actually run it I need some secret data (like a signature) then this is still a software problem. One that can be prevented by releasing the software under adequate licensing terms.
In my experience, the most popular AVR-based boards are the ones that not only allow the firmware to be replaced freely, but which actively encourage modification by making lots of signals available through expansion headers. This kind of "hackability" can never be enforced through any kind of software license.
Agreed. Hardware should be hackable, too :-) (which includes documentation where you don't have to sell your soul and sign NDAs that are plain evil).
I agree -- all ATMs, voting machines, slot machines, electricity meters, traffic lights, navigation systems, safety interlocks, etc should be hackable. I'm sure that no idiot teenager is going to change the firmware and allow an unsuspecting person to use the device.
Best regards,
Wolfgang Denk
-- DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd@denx.de ######## This message was made from 100% recycled electrons. ######## _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
Dear Jon Smirl,
In message 9e4733910907070828o7517b17td411ff88c62a8902@mail.gmail.com you wrote:
I agree -- all ATMs, voting machines, slot machines, electricity meters, traffic lights, navigation systems, safety interlocks, etc should be hackable. I'm sure that no idiot teenager is going to change the firmware and allow an unsuspecting person to use the device.
Aren't they? Just break the seal and use a screw driver and some other tools. And when it comes to some voting machines you don't even need this.
You don't understand at all what we are talking about, or what security means and how gets implemented, or what certification procedures are about. There is no difference between conventional (even softwre-free electro-mechanical devices) and software. There is just a lot of clueless people.
Wolfgang Denk
Hi,
since this threads gets more and more interesting, just a question out of my curiosity:
which operating systems, that get typically booted using U-Boot are already under GPL3?
I know that the license of the Boot Loader has nothing to do with the license of the booted software, what is the "political benefit" to put the boot loader under GPLv3, when the major OS of the software (e.g. linux) are under GPLv2?
wkr,
Thomas Doerfler.
Wolfgang Denk schrieb:
Hello,
I was asked about relicensing U-Boot as GPLv3:
------- Forwarded Message
Date: Thu, 18 Jun 2009 09:17:28 -0400 From: Richard Stallman rms@gnu.org To: Wolfgang Denk wd@denx.de Subject: U-book and GPLv3?
I really enjoy the name U-boot. What are the advantages of U-boot over PMON?
Have you considered moving U-boot to "GPLv3-or-later"?
------- End of Forwarded Message
I know that we have had similar discussions before (see for example http://thread.gmane.org/gmane.comp.boot-loaders.u-boot/24029), but I would like to take the chance and re-poll what the community's opinion about this is.
Comments welcome...
[I intend to summarize and send this summary to RMS and post it here.]
Best regards,
Wolfgang Denk
On Thu, 25 Jun 2009, Thomas Doerfler wrote:
Hi,
since this threads gets more and more interesting, just a question out of my curiosity:
which operating systems, that get typically booted using U-Boot are already under GPL3?
I know that the license of the Boot Loader has nothing to do with the license of the booted software, what is the "political benefit" to put the boot loader under GPLv3, when the major OS of the software (e.g. linux) are under GPLv2?
There is none. It is plain and simple case of paranoia that begs for clinical treatment.
--- ****************************************************************** * KSI@home KOI8 Net < > The impossible we do immediately. * * Las Vegas NV, USA < > Miracles require 24-hour notice. * ******************************************************************
On Thursday 25 June 2009 14:46:10 Thomas Doerfler wrote:
which operating systems, that get typically booted using U-Boot are already under GPL3?
I know that the license of the Boot Loader has nothing to do with the license of the booted software, what is the "political benefit" to put the boot loader under GPLv3, when the major OS of the software (e.g. linux) are under GPLv2?
typically the operating systems that u-boot would load are in the opposite licensing direction, i.e. BSD or commercial variants none of which require releasing any real details let alone restrict usage. i'm not aware of any OS that is under the GPL-3. ironically, it seems even GNU/Hurd is GPL-2. -mike
The discussion has mostly been emotional to date. Here are some statistics (not necessarily perfect, but pretty close)...
Total number of files (after removing the .git files): $ find . -type f | wc -l 6055
Number of files that are identified as being copyrighted: $ grep -l -i -r 'Copyright' * | wc -l 5173
List of files with copyrights: $ grep -l -i -r 'Copyright' * | sort > ~/ucopy.txt
List of all files: $ find . -type f | sed 's/.///' | sort > ~/ufiles.txt
List of files *WITHOUT* the string "copyright" in them: $ comm -3 ~/ufiles.txt ~/ucopy.txt > ~/nocopyright.txt
Of the above, 130 of the files have the GPL in the header but not the string "copyright" - incomplete headers: for file in `cat ~/nocopyright.txt` ; do grep -il 'General Public License' $file ; done | wc -l 130
---------------------------------------------------------------------
Total number of files that are GPLv2: $ grep -i -r 'Free Software Foundation' * | grep -i 'version 2' > ~/ugplv2.txt $ wc -l ~/ugplv2.txt 4588
Number of files that are GPLv2 *or later*: $ grep -i -r 'Free Software Foundation' * | grep -i 'either version 2' | wc -l 4512
76 files are GPLv2 *ONLY*: $ grep -i -v 'either version 2' ~/ugplv2.txt | awk '{print $1}' | sed 's/:$//' board/stxgp3/ddr.c board/netstar/eeprom_start.S board/sbc8560/ddr.c board/mpc8540eval/ddr.c board/socrates/ddr.c board/pm856/ddr.c board/freescale/p2020ds/ddr.c board/freescale/mpc8541cds/ddr.c board/freescale/mpc8641hpcn/ddr.c board/freescale/mpc8555cds/ddr.c board/freescale/mpc8536ds/ddr.c board/freescale/mpc8568mds/ddr.c board/freescale/mpc8548cds/ddr.c board/freescale/mpc8610hpcd/ddr.c board/freescale/mpc8544ds/ddr.c board/freescale/mpc8560ads/ddr.c board/freescale/mpc8572ds/ddr.c board/freescale/mpc8569mds/ddr.c board/freescale/mpc8540ads/ddr.c board/atum8548/ddr.c board/stxssa/ddr.c board/xes/xpedite5200/ddr.c board/voiceblue/voiceblue.c board/voiceblue/eeprom_start.S board/voiceblue/setup.S board/pm854/ddr.c board/sbc8641d/ddr.c board/sbc8548/ddr.c common/ddr_spd.c cpu/mpc86xx/fdt.c cpu/mpc86xx/ddr-8641.c cpu/mpc85xx/ddr-gen3.c cpu/mpc85xx/ddr-gen2.c cpu/mpc85xx/ddr-gen1.c cpu/mpc8xxx/ddr/ctrl_regs.c cpu/mpc8xxx/ddr/Makefile cpu/mpc8xxx/ddr/ddr.h cpu/mpc8xxx/ddr/ddr2_dimm_params.c cpu/mpc8xxx/ddr/common_timing_params.h cpu/mpc8xxx/ddr/ddr1_dimm_params.c cpu/mpc8xxx/ddr/options.c cpu/mpc8xxx/ddr/main.c cpu/mpc8xxx/ddr/util.c cpu/mpc8xxx/ddr/ddr3_dimm_params.c cpu/mpc8xxx/ddr/lc_common_dimm_params.c drivers/gpio/pca953x.c drivers/pci/fsl_pci_init.c drivers/misc/ds4510.c drivers/mtd/nand/nand.c drivers/i2c/fsl_i2c.c drivers/usb/host/ehci-pci.c drivers/usb/host/r8a66597.h drivers/usb/host/ehci.h drivers/usb/host/r8a66597-hcd.c drivers/usb/host/ehci-core.h drivers/usb/host/ehci-hcd.c drivers/mmc/omap3_mmc.c include/asm-ppc/fsl_ddr_sdram.h include/asm-ppc/fsl_i2c.h include/asm-ppc/fsl_dma.h include/asm-ppc/mpc8xxx_spi.h include/asm-ppc/fsl_ddr_dimm_params.h include/pca953x.h include/ds4510.h include/configs/MPC8610HPCD.h include/configs/voiceblue.h include/spi_flash.h include/ddr_spd.h include/asm-m68k/fsl_i2c.h include/addr_map.h include/sha1.h include/nand.h include/asm-arm/arch-omap3/mmc.h include/asm-arm/arch-omap3/mmc_host_def.h lib_generic/sha1.c lib_generic/addr_map.c
Number of files that are BSD licensed (but the seven (7) libfdt files are dual-licensed "GPLv2 or later" / BSD): $ grep -r 'EXPRESS OR IMPLIED WARRANTIES' * | wc -l 156
Number of doc/* files (most have no copyright statement): $ find doc/ -type f | wc -l 147
Number of doc/* files that *do* have a copyright statement: $ grep -il copyright doc/* | wc -l 15
This implies... 156 - 7 = 149 files use the BSD license (7 dual licensed) 5173 - 4588 - 149 = 436 files have license header problems or a different license? 6055 - 5173 = 882 files don't have a copyright statement in them. 147 - 15 = 132 doc/* files have no copyright 882 - 132 = 750 files are not doc/* files and don't have copyright
Best regards, gvb
Files without a copyright notice and a license notice are a legal problem.
Legally, every file is copyrighted. If there's no copyright notice, that just means it gives no info about who the copyright holder is.
The lack of a license notice is a problem. If the file is trivial, just a few lines, maybe it does not matter. But otherwise, if there is no license, that means it doesn't give people permission to copy or change or redistribute the file. Perhaps even the U-boot developers don't have this permission.
Richard Stallman wrote:
Files without a copyright notice and a license notice are a legal problem.
Legally, every file is copyrighted. If there's no copyright notice, that just means it gives no info about who the copyright holder is.
The lack of a license notice is a problem. If the file is trivial, just a few lines, maybe it does not matter. But otherwise, if there is no license, that means it doesn't give people permission to copy or change or redistribute the file. Perhaps even the U-boot developers don't have this permission.
Agreed. I was just doing a simplistic grep looking for "fingerprints" of GPL and BSD licenses and I did not find them in 436 files. I looked at a couple of files to confirm that my greping wasn't over simplistic (it wasn't in the cases I checked). I also did not see any licenses other than GPL or BSD, but I did not look at many of the files in question so it is possible that there are other licenses out there, but probably not.
I did *not* analyze the files for complexity and appropriateness of copyright/license information in the file. That should be done regardless of the results of the GPLv3 debate and the files that should have copyright/license information in their headers need to be either fixed or replaced.
Best regards, gvb
Hi Jerry,
thanks a lot for your work of analyzing the current situation - I appreciate that very much.
I did *not* analyze the files for complexity and appropriateness of copyright/license information in the file. That should be done regardless of the results of the GPLv3 debate and the files that should have copyright/license information in their headers need to be either fixed or replaced.
Yes indeed - it has become more than clear that we have to get clean on this front now, regardless of any licensing changes.
Everyone who wants to help on this front is invited to do so. Hopefully git can help us track down people if we need to. If it turns out to be of help, I can surely dig up the last CVS repository before the conversion to git.
Cheers Detlev
BTW, thanks for that, and GCC, and all that follows...
I am glad it is useful. I hope people will recall once in a while that I did this so that users could control their computing. I wrote the GNU GPL (all versions) towards this same end.
On Mon, Jun 29, 2009 at 10:03:09PM -0400, Jerry Van Baren wrote:
Total number of files that are GPLv2: $ grep -i -r 'Free Software Foundation' * | grep -i 'version 2' > ~/ugplv2.txt $ wc -l ~/ugplv2.txt 4588
This assumes "version 2" and "Free Software Foundation" are on the same line...
76 files are GPLv2 *ONLY*: $ grep -i -v 'either version 2' ~/ugplv2.txt | awk '{print $1}' | sed 's/:$//'
...causing drivers/mtd/nand/nand_base.c, for example, to be missed here.
-Scott
Jerry Van Baren wrote:
The discussion has mostly been emotional to date. Here are some statistics (not necessarily perfect, but pretty close)...
Total number of files (after removing the .git files): $ find . -type f | wc -l 6055
Number of files that are identified as being copyrighted: $ grep -l -i -r 'Copyright' * | wc -l 5173
List of files with copyrights: $ grep -l -i -r 'Copyright' * | sort > ~/ucopy.txt
List of all files: $ find . -type f | sed 's/.///' | sort > ~/ufiles.txt
List of files *WITHOUT* the string "copyright" in them: $ comm -3 ~/ufiles.txt ~/ucopy.txt > ~/nocopyright.txt
Of the above, 130 of the files have the GPL in the header but not the string "copyright" - incomplete headers: for file in `cat ~/nocopyright.txt` ; do grep -il 'General Public License' $file ; done | wc -l 130
Improving my fingerprinting (thanks, Scott):
Total number of files that are GPLv2. Sometimes the FSF and GPL strings are split across lines. This assumes that one of the two strings is all on one line. Still simplistic, but less so.
Another important disclaimer: a lot of the GPLv2-ONLY files come from the linux kernel (see the list below). If and when we move to the U-Boot v2 driver interface, where we will be able to use linux drivers more easily, the number of GPLv2-ONLY driver files will likely increase.
$ grep -i -l -r 'Free Software Foundation' * | sort > ufsf.txt $ grep -i -l -r 'General Public License' * | sort > ugpl.txt $ cat ufsf.txt ugpl.txt | sort -u > ugplv2.txt
$ wc -l ugplv2.txt 4798 ugplv2.txt
$ cat ugplv2.txt | xargs grep 'either version 2' | awk '{print $1}' | sed 's/:#*//' > ugplv2-or-later.txt
$ wc -l ugplv2-or-later.txt 4539 ugplv2-or-later.txt
$ for file in `cat ugplv2.txt` ; do grep -il 'version 2' $file ; done | wc -l 4763
Looking for GPLv2 ONLY files (has some false positives): $ comm -23 ugplv2.txt ugplv2-or-later.txt > ugplv2-only.txt
After reviewing the files, I come up with 233 GPLv2-only files: $ wc -l ugplv2-only.txt 233 ugplv2-only.txt
$ cat ugplv2-only.txt board/amirix/ap1000/ap1000.c board/amirix/ap1000/ap1000.h board/amirix/ap1000/init.S board/atum8548/ddr.c board/freescale/common/pq-mds-pib.c board/freescale/common/pq-mds-pib.h board/freescale/mpc8323erdb/mpc8323erdb.c board/freescale/mpc8536ds/ddr.c board/freescale/mpc8540ads/ddr.c board/freescale/mpc8541cds/ddr.c board/freescale/mpc8544ds/ddr.c board/freescale/mpc8548cds/ddr.c board/freescale/mpc8555cds/ddr.c board/freescale/mpc8560ads/ddr.c board/freescale/mpc8568mds/ddr.c board/freescale/mpc8569mds/ddr.c board/freescale/mpc8572ds/ddr.c board/freescale/mpc8610hpcd/ddr.c board/freescale/mpc8641hpcn/ddr.c board/freescale/p2020ds/ddr.c board/linkstation/hwctl.c board/micronas/vct/smc_eeprom.c board/ml2/flash.c board/ml2/init.S board/ml2/ml2.c board/mpc8540eval/ddr.c board/mvblue/mvblue.c board/netstar/crcek.S board/netstar/eeprom.c board/netstar/eeprom_start.S board/pm854/ddr.c board/pm856/ddr.c board/sbc8548/ddr.c board/sbc8560/ddr.c board/sbc8641d/ddr.c board/socrates/ddr.c board/stxgp3/ddr.c board/stxssa/ddr.c board/voiceblue/eeprom.c board/voiceblue/eeprom_start.S board/voiceblue/Makefile board/voiceblue/setup.S board/voiceblue/voiceblue.c board/xes/xpedite5200/ddr.c common/cmd_onenand.c common/cmd_ubi.c common/ddr_spd.c cpu/arm926ejs/omap/cpuinfo.c cpu/mpc85xx/ddr-gen1.c cpu/mpc85xx/ddr-gen2.c cpu/mpc85xx/ddr-gen3.c cpu/mpc86xx/ddr-8641.c cpu/mpc86xx/fdt.c cpu/mpc8xxx/ddr/common_timing_params.h cpu/mpc8xxx/ddr/ctrl_regs.c cpu/mpc8xxx/ddr/ddr1_dimm_params.c cpu/mpc8xxx/ddr/ddr2_dimm_params.c cpu/mpc8xxx/ddr/ddr3_dimm_params.c cpu/mpc8xxx/ddr/ddr.h cpu/mpc8xxx/ddr/lc_common_dimm_params.c cpu/mpc8xxx/ddr/main.c cpu/mpc8xxx/ddr/Makefile cpu/mpc8xxx/ddr/options.c cpu/mpc8xxx/ddr/util.c drivers/bios_emulator/atibios.c drivers/bios_emulator/besys.c drivers/gpio/pca953x.c drivers/i2c/fsl_i2c.c drivers/misc/ds4510.c drivers/mmc/omap3_mmc.c drivers/mmc/pxa_mmc.h drivers/mtd/mtdcore.c drivers/mtd/nand/nand_base.c drivers/mtd/nand/nand_bbt.c drivers/mtd/nand/nand.c drivers/mtd/nand/nand_ids.c drivers/mtd/nand/nand_util.c drivers/mtd/onenand/onenand_base.c drivers/mtd/onenand/onenand_bbt.c drivers/mtd/onenand/onenand_uboot.c drivers/mtd/ubi/crc32.c drivers/net/5701rls.c drivers/net/5701rls.h drivers/net/ax88180.c drivers/net/ax88180.h drivers/net/bcm570x_autoneg.c drivers/net/bcm570x_autoneg.h drivers/net/bcm570x_bits.h drivers/net/bcm570x_debug.h drivers/net/bcm570x_lm.h drivers/net/bcm570x_mm.h drivers/net/bcm570x_queue.h drivers/net/dnet.c drivers/net/dnet.h drivers/net/natsemi.c drivers/net/nicext.h drivers/net/ns8382x.c drivers/net/tigon3.c drivers/net/tigon3.h drivers/net/vsc7385.c drivers/pci/fsl_pci_init.c drivers/rtc/rs5c372.c drivers/serial/arm_dcc.c drivers/usb/host/ehci-core.h drivers/usb/host/ehci.h drivers/usb/host/ehci-hcd.c drivers/usb/host/ehci-pci.c drivers/usb/host/r8a66597.h drivers/usb/host/r8a66597-hcd.c drivers/usb/musb/musb_core.h examples/82559_eeprom.c examples/eepro100_eeprom.c fs/cramfs/cramfs.c fs/cramfs/uncompress.c fs/jffs2/compr_rtime.c fs/jffs2/compr_rubin.c fs/jffs2/compr_zlib.c fs/jffs2/jffs2_1pass.c fs/ubifs/budget.c fs/ubifs/crc16.c fs/ubifs/crc16.h fs/ubifs/debug.c fs/ubifs/debug.h fs/ubifs/io.c fs/ubifs/key.h fs/ubifs/log.c fs/ubifs/lprops.c fs/ubifs/lpt.c fs/ubifs/lpt_commit.c fs/ubifs/master.c fs/ubifs/misc.h fs/ubifs/orphan.c fs/ubifs/recovery.c fs/ubifs/replay.c fs/ubifs/sb.c fs/ubifs/scan.c fs/ubifs/super.c fs/ubifs/tnc.c fs/ubifs/tnc_misc.c fs/ubifs/ubifs.c fs/ubifs/ubifs.h fs/ubifs/ubifs-media.h fs/yaffs2/devextras.h fs/yaffs2/Makefile fs/yaffs2/yaffscfg.c fs/yaffs2/yaffscfg.h fs/yaffs2/yaffs_checkptrw.c fs/yaffs2/yaffs_checkptrw.h fs/yaffs2/yaffs_ecc.c fs/yaffs2/yaffs_ecc.h fs/yaffs2/yaffs_flashif.h fs/yaffs2/yaffsfs.c fs/yaffs2/yaffsfs.h fs/yaffs2/yaffs_guts.c fs/yaffs2/yaffs_guts.h fs/yaffs2/yaffsinterface.h fs/yaffs2/yaffs_malloc.h fs/yaffs2/yaffs_mtdif2.c fs/yaffs2/yaffs_mtdif2.h fs/yaffs2/yaffs_mtdif.c fs/yaffs2/yaffs_mtdif.h fs/yaffs2/yaffs_nand.c fs/yaffs2/yaffs_nandemul2k.h fs/yaffs2/yaffs_nand.h fs/yaffs2/yaffs_packedtags1.c fs/yaffs2/yaffs_packedtags1.h fs/yaffs2/yaffs_packedtags2.c fs/yaffs2/yaffs_packedtags2.h fs/yaffs2/yaffs_qsort.h fs/yaffs2/yaffs_ramdisk.h fs/yaffs2/yaffs_tagscompat.c fs/yaffs2/yaffs_tagscompat.h fs/yaffs2/yaffs_tagsvalidity.c fs/yaffs2/yaffs_tagsvalidity.h fs/yaffs2/ydirectenv.h fs/yaffs2/yportenv.h include/addr_map.h include/asm-arm/arch-ixp/ixp425.h include/asm-arm/arch-omap3/mmc.h include/asm-arm/arch-omap3/mmc_host_def.h include/asm-arm/arch-pxa/hardware.h include/asm-arm/arch-pxa/pxa-regs.h include/asm-arm/atomic.h include/asm-arm/hardware.h include/asm-arm/io.h include/asm-arm/memory.h include/asm-arm/posix_types.h include/asm-arm/proc-armv/domain.h include/asm-arm/proc-armv/processor.h include/asm-arm/proc-armv/ptrace.h include/asm-arm/proc-armv/system.h include/asm-arm/processor.h include/asm-arm/setup.h include/asm-m68k/fsl_i2c.h include/asm-ppc/fsl_ddr_dimm_params.h include/asm-ppc/fsl_ddr_sdram.h include/asm-ppc/fsl_dma.h include/asm-ppc/fsl_i2c.h include/asm-ppc/mpc8xxx_spi.h include/asm-sh/io.h include/bcd.h include/configs/AP1000.h include/configs/ML2.h include/configs/MPC8323ERDB.h include/configs/MPC8610HPCD.h include/configs/voiceblue.h include/ddr_spd.h include/ds4510.h include/jffs2/jffs2.h include/linux/mc146818rtc.h include/linux/mtd/bbm.h include/linux/mtd/nand_ecc.h include/linux/mtd/nand.h include/linux/mtd/nand_ids.h include/linux/mtd/nand_legacy.h include/linux/mtd/ndfc.h include/linux/mtd/onenand.h include/linux/mtd/onenand_regs.h include/nand.h include/onenand_uboot.h include/pca953x.h include/pcmcia/cirrus.h include/pcmcia/i82365.h include/pcmcia/ss.h include/pcmcia/ti113x.h include/pcmcia/yenta.h include/sha1.h include/spi_flash.h include/ubi_uboot.h include/usb/omap1510_udc.h include/vsc7385.h lib_generic/addr_map.c lib_generic/sha1.c
Files that have incomplete GPL license statements in their headers (typically missing which version of GPL applies). The Broadcom (bcm*.*) files mention GPL and reference the gentle reader to a file "LICENSE" for more information, but we don't have a "LICENSE" file, much less /their/ "LICENSE" file.
board/linkstation/hwctl.c board/mvblue/mvblue.c drivers/net/5701rls.c drivers/net/5701rls.h drivers/net/bcm570x_autoneg.c drivers/net/bcm570x_autoneg.h drivers/net/bcm570x_bits.h drivers/net/bcm570x_debug.h drivers/net/bcm570x_lm.h drivers/net/bcm570x_mm.h drivers/net/bcm570x_queue.h drivers/net/natsemi.c drivers/net/nicext.h drivers/net/ns8382x.c drivers/net/tigon3.c drivers/net/tigon3.h examples/82559_eeprom.c examples/eepro100_eeprom.c lib_ppc/ppcstring.S
LzmaDecode.[ch] is dual licensed LGPL and Common Public License (CPL), but the version of LGPL or CPL is not specified. Ahh, the directory has a file lib_generic/lzma/LGPL.txt that specifies LGPL 2.1 or later.
lib_generic/lzma/LzmaDecode.c lib_generic/lzma/LzmaDecode.h
Trivia: There are a few dual-licensed with MPL: include/pcmcia/cirrus.h include/pcmcia/i82365.h include/pcmcia/ss.h include/pcmcia/ti113x.h include/pcmcia/yenta.h
...and some dual-licensed with the Red Hat eCos Public License: board/cogent/lcd.c board/cogent/lcd.h fs/jffs2/compr_rtime.c fs/jffs2/compr_rubin.c fs/jffs2/compr_zlib.c fs/jffs2/jffs2_1pass.c include/jffs2/jffs2.h
[snip]
Best regards, gvb
participants (25)
-
Arno Fischer -
Chris Morgan -
Detlev Zundel -
Eric Nelson -
Frank Svendsbøe -
Graeme Russ -
Grant Likely -
Haavard Skinnemoen -
Jean-Christian de Rivaz -
Jean-Christophe PLAGNIOL-VILLARD -
Jerry Van Baren -
Jerry Van Baren -
Jon Smirl -
ksi@koi8.net -
Larry Johnson -
Matthew Lear -
Mike Frysinger -
Pink Boy -
Richard Stallman -
Robin Getz -
Scott Wood -
Thomas Doerfler -
Thomas Dörfler
-
Wolfgang Denk -
wolfgang@leila.ping.de