[U-Boot-Users] GPL 2 "or later" concern

Andy Green andy at warmcat.com
Tue Sep 19 12:46:08 CEST 2006 

Alex Zeffertt wrote:
> Andy Green wrote:
>>
>> Since all U-boot users who may use signatures to verify the provenance 
>> of a package are in the same boat, I am wondering what the general 
>> opinion about this situation is, and what the feeling would be about a 
>> Linux kernel/busybox-style GPL V2-only license.

> I am curious as to what worries you about GPL v3.
> 
> Is it that you wish to build a version of u-boot that will only load a 
> kernel
> that has been signed with your private key?
> 
> If so, then your customers will not be free to modify their kernel even 
> though
> they may access its source.
> 
> This seems to go against the spirit of the GPL.  However, I can also see 
> that
> for some products linux will only be used if it can be shown to be 
> tamper proof.

Hi Alex -

My main concern is in fact updates, currently we package our updates, 
including U-boot in RPMs and I intend to sign them, and check the 
signature before allowing install.  In this embedded device the user 
does not have root access.  We use RPM so we can completely and easily 
fulfill the requirement for sources that match any binaries we ship by 
capturing them into SRPMs.

It seems to me possible for a GPL 2 "or later" user to argue that he 
should have the signing keys on the basis that he is choosing to 
"modify" the code on the provisions of GPL 3, not GPL 2 and despite that 
the distributor says he gave the sources on GPL 2 rules.  (Last week on 
another mailing list a guy was arguing that even GPL2-only code would 
qualify for the same treatment, but I can't see how that can be).

Because the hardware is fixed, and the special nature of what U-boot 
does, a workaround for me might be to never update U-boot, but obviously 
that is less than fully desirable.  That way we ship U-boot in the 
flash, provide sources for it, but never distribute a signed update 
avoiding the proposed potential problem.

I audited the sources for all the packages we will ship, and there is 
only one other relatively small source file in net-tools that is GPL2 
"or later", so I am considering making sure everything non-proprietary 
we ship is GPL2-only or more liberal.

-Andy

More information about the U-Boot mailing list