[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Wednesday 24 June 2009 09:17:50 Detlev Zundel wrote:
> > if you want to push your agenda on your customers (i'm assuming you
> > actually have some and arent just here for fun), that's your business.
>
> Is it possible that you jump to conslusions here?  All we - on a regular
> basis - do is to talk to our customers until we understand what the
> customer needs.  Then we think about how this can or cannot be done with
> the help of Free Software.  After all nobody is forcing anyone to use
> Free Software and for some customer wishes Free Software may simply be
> not a legal option, so what?
>
> In this process it is common that customers have incomplete information
> about Free Software in general and not well-articulated fears making
> them jump to premature conclusions (e.g. "we need a closed source Linux
> kernel driver") which would prevent us from doing development for them.
> At this point it is extremely important to learn about the reasoning of
> the customer and then clearing up confusion probably leading to
> revisiting the question of using Free Software.
>
> Essentially I can only remember one customer in the last years who did
> not go further at the time after learning that we would not develop a
> non-GPL kernel module.  Incidentally this customer is now back on our
> doorstep because the market effectively forces him to use a GNU/Linux
> system from a feature perspective.  This time around closed sources
> kernel modules are not even on the agenda anymore.

and that's your prerogative.  how you choose to run your business has no 
bearing at all on how other people choose to run their businesses.

> > but when customers absolutely state their requirements are secure boot
> > and the ability to lock their hardware so no one else can run things,
> > then i'm not about to argue with them.  their response is simply
> > "fine, we'll move on to the next guy who will satisfy our
> > requirements".
>
> It is your decision if you don't want to even understand your customers
> needs.

wrong, we've actually done the opposite.  we know what they want to do and it 
is doable with GPLv2.  it is not doable with GPLv3.

yes, there are cases of ingrained perceptions about how to accomplish 
something and GPLv3 blocks those methods.  but again, it is *your* choice to 
attempt to educate people here, it is not the automatic burden of people to 
champion the GNU cause for you.

> I admit that I did not think this through completely, but how much of
> this "no one else can run things" is actually connected to the
> bootloader?  U-Boot itself will not be handling "prime content" I
> guess.  Those "secure boot" you talk about - what is it exactly and
> what are the potential attack vectors of it?  Are there vectors besides
> the bootloader?  If so, how does a "non-supporting" bootloader make the
> situation any worse?

secure boot is pretty straightforward.  the CPU has internal keys programmed 
into it and will only boot signed binaries.  this is u-boot.  u-boot in turn 
will only boot signed encrypted binaries using keys inside of the CPU that can 
only be accessed by code running on the CPU.  licensing of these binaries 
obviously doesnt matter.  the encrypted stream is transferred from external 
storage into internal CPU storage, decrypted there, and then executed from 
there.  so there is no possibility of sniffing the decrypted stream on any bus 
as it never leaves the CPU.

> > they arent generally trying to lock out people who just want to toy,
> > they're targeting people who want to clone their hardware or
> > functionality to create knockoffs or they're trying to guarantee lock
> > down so they can get certified (like medical devices).
>
> How does GPLv3 vs. GPLv2 touch the "we will get cloned" question?  Maybe
> I do not see the obvious here, but sourcecode to binaries under either
> license must be available, so what's the difference?

if you dont have the decryption keys, you cant read the end program.  having 
access to the u-boot source doesnt matter.

> > that's my practical standpoint from my job experience -- GPLv3 will cause
> > a u- boot fork and the net result is not beneficial to anyone.
>
> You must have a very good crystal ball.  Maybe if my crystal ball was
> that good I did not need to ask questions.

then you should take it in to get serviced

> > my completely personal standpoint is the same -- do not use the GPLv3.
>
> Ok, somehow this was already clear to me.
>
> On the other hand I also do believe that for a project which is here
> simply because of the benefits of the GPL, we should spend some time
> thinking this through and then base the decision of the project on a
> sound basis.  Handwaving arguments do not help much here, so thanks for
> your input.

except that licensing choice is just as much practical considerations (can XYZ 
be done with the GPLv3) as it is personal choice.  it dictates how we choose 
to *let* other people utilize the code.  i personally dont have a problem with 
people locking their hardware.  that is their choice and the GPLv2 allows them 
that freedom.  hell, i wouldnt have a problem with a public domain u-boot.  
people dont use GPLv3 because it is a "superior" license from a technical 
perspective, they use it because they want to *restrict* how others use their 
code.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090624/df2bc9b6/attachment.pgp