[clue-tech] The Great GPL v3 Debate Thread

marcus hall marcus at tuells.org
Tue Jan 31 09:10:13 MST 2006 

On Fri, Jan 27, 2006 at 09:25:26AM -0700, Jed S. Baer wrote:
> [quote (GPLv3)]
> Complete Corresponding Source Code also includes any encryption or
> authorization codes necessary to install and/or execute the source code of
> the work, perhaps modified by you, in the recommended or principal context
> of use, such that its functioning in all circumstances is identical to
> that of the work, except as altered by your modifications. It also
> includes any decryption codes necessary to access or unseal the work's
> output. Notwithstanding this, a code need not be included in cases where
> use of the work normally implies the user already has it.
> [/quote]
> 
> This doesn't sound to me like "private signing keys" in the normal usage
> of that term. No doubt, this is part of Stallman's anti-DRM thinking,
> except that under the source code availability provisions, it'd be
> difficult to "hide" a decryption key in a GPL'd copy protection program.
> Could be I'm missing something obvious.

There are certainly many potential applications of that part of GPLv3, but
the one that comes to my mind as an example is the TiVo.  TiVo runs on
Linux.  The kernel and an initrd image are signed by TiVo.  The firmware
loads the kernel and initrd from disk, then verifies that the signature
is valid before executing the kernel.

This attempts to ensure that nothing is added or modified in the system,
to protect the digital content (the DirectTV TiVo gets digital content
directly from the satellite and this seems to be what has driven TiVo
to implement this).

The GPLv3 seems to me to frown on this practice.  The GPL intent is that
since the Linux kernel is GPL'd, then the source should be available to
me along with everything I need to be able to make any modificaitons I
see fit and use it in place of the kernel TiVo supplied.  However, since
I cannot sign my version of the kernel, I cannot make it run on the hardware.
Therefore, GLPv3 would require TiVo to distribute some mechanism to sign
a kernel I have built so that it can run fully functionally on the hardware.

So, as it currently stands, TiVo has made use of the GPLv2 linux kernel.
They have provided the source for this kernel, and their modifications, as
required by GPLv2, but it is currently "impossible" for a user to use
this source to produce a kernel that they can run on the hardware.  This
certainly defeats the spirit of the GPL, but not the letter of the GPLv2.
(In fact, there are hacks around the problem..)

This sort of thing is what people are talking about in creating a chain of
trust for implementing DRM schemes, so it certainly does have some bearing
on that topic.


-- 
marcus hall
marcus at tuells.org
_______________________________________________
CLUE-tech mailing list
CLUE-tech at cluedenver.org
http://cluedenver.org/mailman/listinfo/clue-tech

More information about the clue-tech mailing list