Signed RPMs v GPL2

Andy Green andy at warmcat.com
Sat Sep 16 07:59:56 UTC 2006


Rich Felker wrote:

> On Fri, Sep 15, 2006 at 08:19:40PM -0400, Rob Landley wrote:

>> The question is whether or not the signed hash is, from a copyright 
>> perspective, a derived work of the GPLv2 binary, even if it's in a separate 
>> file...
> 
> IMO the hash by itself is not; however, if the party distributing the
> hash is also distributing the binary based on GPLv2-covered code, they
> are using the GPL (to allow them to distribute it) and thus they must
> provide the _complete_ source code needed to generate the "binary" (the
> machine-executable version of the program which includes the hash) as

But the version without the hash is also machine executable in a 
complete and general way, and delivering the sources for it in the 
normal meaning of the phrase satisfies any direct functional derivation 
in the general sources.   Like Rob says it must be argued definitively 
for a region in a court where the line is drawn.

> The hash plus the hashless binary is definitely not a case of "mere
> aggregation". They're intended to be used together and one is useless
> without the other.

It seems Linus disagrees with your viewpoint, since one of his main 
complaints was that GPL3 would require people to give up their signing 
keys, therefore it seems he believes GPL2 does not give this power over 
the kernel sources.

At some point (I propose immediately or very shortly afterwards) the 
logic of "derivation contamination" makes no sense.  The whole hardware 
platform for a dedicated device may be "intended to be used together 
[with the GPL'd software] and one is useless without the other", must 
that be opened?  Few people would say so.  Even an HTML link to the 
sources is "intended to be used together [with the GPL'd software] and 
one is useless without the other".  If the envelope containing your GPL2 
letter has wax dripped on it and is marked with the seal of a signet 
ring to show whose hands carried it, you can demand his ring?  A guy 
countersigns your letter and you demand his pen?  His hand?

>> I expect that one to be appealed to at least a circuit court.  Dunno if the 
>> supremes would be interested...
> 
> Actually I doubt it will go to court at all. The types who will use
> disgusting code signing like this are way too paranoid of GPL already.

What, like that well-known GPL scofflaw Redhat, which send out signed 
RPMs you mean?  If RHAT include any of your code in RHEL or Fedora but 
fail to give you their private signing keys, they can "expect to see 
[you] in court"?

Crypto can be for you or against you like any lock, depends on who has 
the keys and why.  I definitely prefer my bank and distro keep their 
private keys private.

-Andy
