[U-Boot-Users] GPL 2 "or later" concern

[Andy Green]

Hi folks -

Nice work on U-boot!  We are using it with good success on an ARM9 
embedded device that is just coming to production.

Late last week the busybox project maintainer decided that the next 
version will be licensed as "GPL v2 only", matching the Linux kernel 
license, this is a change from an effective "GPL v2 'or later'" license 
like U-boot currently has.

During the discussions about this I became aware that there may be some 
conflict between GPL v3 and using privately signed crypto hashes to 
validate GPL v2 "or later" binaries, some people at least (Linus) hold 
that the GPL v3 will allow recipients of the binaries to demand private 
signing keys.  I am uncertain what the facts are, especially as GPL V3 
is not done yet, but looking at it the "or later" license it allows the 
FSF to decide anything they like at any later date and it can cause the 
distributor trouble accordingly because the GPL V2 "or later" clause 
arguably at least signs him up for complying with 
$TO_BE_DETERMINED_BY_FSF_WHEN_THEY_WANT, since a recipient can at any 
time decide he applies V3 or Vn.

I audited the packages we use and I find more or less of an issue with 
three: one we use one small file from and it can be rewritten; one only 
has the "or later" copyright on files we are not distributing the binary 
for, and lastly there is U-boot, which is currently pretty solidly in 
the V2 "or later" camp in grep's opinion :-)

Since all U-boot users who may use signatures to verify the provenance 
of a package are in the same boat, I am wondering what the general 
opinion about this situation is, and what the feeling would be about a 
Linux kernel/busybox-style GPL V2-only license.

-Andy