UserBusybox

[Rich Felker]

On Fri, Sep 15, 2006 at 02:12:30PM +0100, Andy Green wrote:
> Rich Felker wrote:
> 
> >>GPL2 just talks about giving sources and build scripts to regenerate the 
> >>binary, it says nothing about "intended hardware" or the ability to run 
> >
> >You can't generate the same binary you received if you don't have the
> >keys. Thus they're part of the source. A pre-signed binary or a script
> 
> Hum 'regenerating the binary' is my language, it does not appear in the 
> GPL2.

It's a separate license, but in any case read the LGPL too; it's
perhaps even stronger in this sense. It makes it clear that there must
be a way to link your modified version of the library code back into
the work using the library such that the resulting program can be run,
as long as your modified version of the library has a compatible
interface. Obviously this is not possible if you don't have the keys
to sign the modified code.

> ''For an executable work, complete source
> code means all the source code for all modules it contains, plus any
> associated interface definition files, plus the scripts used to
> control compilation and installation of the executable.''
> 
> You could try to stretch "associated interface definition files" to mean 
> crypto keys, but it seems to me to refer to API includes.

Personally I consider it part of the script used to control
compilation, since this is where the signing takes place normally.

> >If you don't believe GPLv2 is specific enough about this, then all you
> 
> A belief I would apparently share with the author of it, given what is 
> in GPL3... the hope of liberating crypto keys from GPL2-only licensed 
> implementations seems to me to be wishful thinking.

A belief the author pushes because he wants to force everyone to
"upgrade" to GPLv3. I'm sorry but I don't accept the doctrine of
forced upgrades, in software or in licenses. And I don't think the
license author's highly biased opinion is relevant on this matter when
it's clear that he has a political agenda to push. What's relevant is
the intent of the copyright holders licensing the software under
GPLv2.

> As a user I resonate to the wish for such abilities.  If you look into 
> the hard crypto-based monitoring in new chips like Freescale iMX31 
> (XBOX260-style hardware RAM block SHA-1 hash checking ongoing at 
> runtime; permanent key deletion on tamper detect based on failed JTAG 
> challenge-response) GPL3 demand for keys and a patent umbrella is 
> commendable, visionary and ahead of its time.  But for me today is 
> better served with a GPL2 busybox, since I can feed my kids thereby.

GPL is really irrelevant to these systems since they're not using GPL
code anyway (or rather they're using it but lying that they don't and
covering their tracks well). The solution is not to try to control the
people doing these evil things with a license that does not apply to
them, but to boycott DRM hardware and push legislation making such
anti-consumer mal[hard]ware illegal. It probably already _is_ illegal
under various consumer protection laws but getting those laws applied
and extended if necessary is a lot of work, but it's the area where
the effort should be placed.

Rich