Signed RPMs v GPL2

Rich Felker dalias at aerifal.cx
Sat Sep 16 16:42:03 UTC 2006


On Sat, Sep 16, 2006 at 08:59:56AM +0100, Andy Green wrote:
> Rich Felker wrote:
> 
> > On Fri, Sep 15, 2006 at 08:19:40PM -0400, Rob Landley wrote:
> 
> >> The question is whether or not the signed hash is, from a copyright 
> >> perspective, a derived work of the GPLv2 binary, even if it's in a separate 
> >> file...
> > 
> > IMO the hash by itself is not; however, if the party distributing the
> > hash is also distributing the binary based on GPLv2-covered code, they
> > are using the GPL (to allow them to distribute it) and thus they must
> > provide the _complete_ source code needed to generate the "binary" (the
> > machine-executable version of the program which includes the hash) as
> 
> But the version without the hash is also machine executable in a 

On what machine? The obvious answer is the same machine the binary was
made for, and in fact without the hash it is NOT EXECUTABLE on this
machine.

> > The hash plus the hashless binary is definitely not a case of "mere
> > aggregation". They're intended to be used together and one is useless
> > without the other.
> 
> It seems Linus disagrees with your viewpoint, since one of his main 
> complaints was that GPL3 would require people to give up their signing 
> keys, therefore it seems he believes GPL2 does not give this power over 
> the kernel sources.

I couldn't care less what Linus thinks. He has no dedication to free
software nor to principle, just to "world domination" of Linux which
means making the dirty authors of proprietary kernel modules and
non-free derivative works happy. I believe he's even been quoted
before as saying that if he had it to do over again he would have
licensed Linux with a non-copyleft license. (Can anyone confirm?) So
of course he's going to try to give the weakest possible
interpretation of the GPL he can pull out of his ass.

> At some point (I propose immediately or very shortly afterwards) the 
> logic of "derivation contamination" makes no sense.  The whole hardware 
> platform for a dedicated device may be "intended to be used together 
> [with the GPL'd software] and one is useless without the other", must 

No. This topic has been discussed plenty before and it's not at all
gray like you're trying to make it out to be. Programs can be intended
to be used together, but the line is drawn where one program cannot
perform its function without something else. See the ObjectiveC case
for a good example.

If you don't like the "contamination" of GPL then don't use it.
However some of us demand our software free.

> one is useless without the other".  If the envelope containing your GPL2 
> letter has wax dripped on it and is marked with the seal of a signet 
> ring to show whose hands carried it, you can demand his ring?  A guy 
> countersigns your letter and you demand his pen?  His hand?

No because this is not part of the program and not necessary to use
it, unless your machine involves an optical recognition device that
requires you to insert the envelope with the seal on it before it
mechanically opens the envelope, pulls the media out of it, reads it,
and runs the code on it....

The point being: you're talking the usual nonsense FUD of the
anti-key-clause crowd.

> >> I expect that one to be appealed to at least a circuit court.  Dunno if the 
> >> supremes would be interested...
> > 
> > Actually I doubt it will go to court at all. The types who will use
> > disgusting code signing like this are way too paranoid of GPL already.
> 
> What, like that well-known GPL scofflaw Redhat, which send out signed 
> RPMs you mean?  If RHAT include any of your code in RHEL or Fedora but 
> fail to give you their private signing keys, they can "expect to see 
> [you] in court"?

No because it's possible to run modified binaries without the keys. As
soon as they start distributing signed binaries for special hardware
that cannot run unsigned binaries they can expect to see me in court.

> Crypto can be for you or against you like any lock, depends on who has 
> the keys and why.  I definitely prefer my bank and distro keeps their 
> private keys private.

This argument has nothing to do with your bank or your distro. It's
about DENYING the freedoms that the GPL REQUIRES you to grant
recipients of the code via technical means and via refusing to give
them part of the source code.

Rich





More information about the busybox mailing list