Root login credentials v GPL2

Andy Green andy at warmcat.com
Sat Sep 16 21:01:14 UTC 2006


Rich Felker wrote:

> On what machine? The obvious answer is the same machine the binary was
> made for, and in fact without the hash it is NOT EXECUTABLE on this
> machine.

Nowhere is there any requirement about this in the GPL2.

>>> The hash plus the hashless binary is definitely not a case of "mere
>>> aggregation". They're intended to be used together and one is useless
>>> without the other.
>> It seems Linus disagrees with your viewpoint, since one of his main 
>> complaints was that GPL3 would require people to give up their signing 
>> keys, therefore it seems he believes GPL2 does not give this power over 
>> the kernel sources.
> 
> I couldn't care less what Linus thinks. He has no dedication to free
> software nor to principle, just to "world domination" of Linux which

I do care what he thinks, about binary modules for example; it 
definitely makes a difference in the real world what that guy thinks, due 
to his influence over the kernel.  If Linus says "no, it's fine to have 
crypto-locked kernel implementations", which I think is pretty much his 
position, that does have implications for your position that differs, 
since your claim is a blanket one on the whole population of GPL2 code.

>> At some point (I propose immediately or very shortly afterwards) the 
>> logic of "derivation contamination" makes no sense.  The whole hardware 
>> platform for a dedicated device may be "intended to be used together 
>> [with the GPL'd software] and one is useless without the other", must 
> 
> No. This topic has been discussed plenty before and it's not at all
> gray like you're trying to make it out to be. Programs can be intended
> to be used together, but the line is drawn where one program cannot
> perform its function without something else. See the ObjectiveC case
> for a good example.

Has this really been discussed plenty before that a signed executable is 
a whole derived work requiring private keys to be handed out?  I never 
heard this about GPL2 before your opinion.

> The point being: you're talking the usual nonsense FUD of the
> anti-key-clause crowd.

But there is no GPL2 key clause, and it is GPL2 we discuss.

>>>> I expect that one to be appealed to at least a circuit court.  Dunno if the 
>>>> supremes would be interested...
>>> Actually I doubt it will go to court at all. The types who will use
>>> disgusting code signing like this are way too paranoid of GPL already.
>> What, like that well-known GPL scofflaw Redhat, which sends out signed 
>> RPMs, you mean?  If RHAT include any of your code in RHEL or Fedora but 
>> fail to give you their private signing keys, they can "expect to see 
>> [you] in court"?
> 
> No because it's possible to run modified binaries without the keys. As
> soon as they start distributing signed binaries for special hardware
> that cannot run unsigned binaries they can expect to see me in court.

Errr, hold on: either there is an absolute requirement to be able to 
regenerate the signed package via the keys, because the hash generated 
from the keys is part of the derived work represented by the signed 
package, or there isn't.  The signature is sat there the same 
independent of what a particular device's policy on seeing it is.  IIRC 
yum comes out of the box demanding sigs on packages or it won't install.

I mean I can't install packages on a box without a root login either; 
the login system uses crypto password hashes too.  If I am given or rent 
a "managed box" where I don't have root access (but I was given GPL'd 
packages on it), what is your proposal then?  Everyone must have the root 
password on receipt of GPL2 binaries to empower them to install 
modifications?  You think this demand would fly despite there being no 
language about it in the license?

>> Crypto can be for you or against you like any lock, depends on who has 
>> the keys and why.  I definitely prefer my bank and distro keeps their 
>> private keys private.
> 
> This argument has nothing to do about your bank or your distro. It's

Point being having a private key kept from you and others can be in your 
interest.

-Andy


