[U-Boot] U-book and GPLv3? (fwd)
Mike Frysinger
vapier at gentoo.org
Thu Jun 25 15:53:32 CEST 2009
On Thursday 25 June 2009 07:04:07 Detlev Zundel wrote:
> >> >> > but when customers absolutely state their requirements are secure
> >> >> > boot and the ability to lock their hardware so no one else can run
> >> >> > things, then i'm not about to argue with them. their response is
> >> >> > simply "fine, we'll move on to the next guy who will satisfy our
> >> >> > requirements".
> >> >>
> >> >> It is your decision if you don't want to even understand your
> >> >> customers needs.
> >> >
> >> > wrong, we've actually done the opposite. we know what they want to do
> >> > and it is doable with GPLv2. it is not doable with GPLv3.
> >>
> >> From what I read, I do not get this impression. "Locking people out" is
> >> not a ulterior motive but the outcome of a perceived threat to a
> >> business model. It was this business model that I wanted to get a clear
> >> picture of. It seems I cannot get any more informatino here.
> >
> > locking down a machine is part of due diligence as well when it comes to
> > certification. not taking measures to prevent uncertified code from
> > running is a legal liability for companies.
>
> An aircraft is also a certified product - won't you think? Do you
> believe that an airline carrier ships its planes to the manufacturer if
> they need to replace a screw? Obviously there must be ways to ensure
> certification even in such cases. Why should those methods not be
> applicable to other fields as well?
>
> It is this "certification is only possible like we say" attitude which I
> seriously question.
whether you question this attitude doesnt matter. you arent a lawyer in
general, you arent a lawyer for these companies, and you arent indemnifying
them. their legal review says that it's a requirement, so it is now a
requirement for the software. anything beyond that is irrelevant.
> >> >> > they arent generally trying to lock out people who just want to
> >> >> > toy, they're targeting people who want to clone their hardware or
> >> >> > functionality to create knockoffs or they're trying to guarantee
> >> >> > lock down so they can get certified (like medical devices).
> >> >>
> >> >> How does GPLv3 vs. GPLv2 touch the "we will get cloned" question?
> >> >> Maybe I do not see the obvious here, but sourcecode to binaries under
> >> >> either license must be available, so what's the difference?
> >> >
> >> > if you dont have the decryption keys, you cant read the end program.
> >> > having access to the u-boot source doesnt matter.
> >>
> >> Having access to the physical device will. How long do you think will
> >> it take to get broken into? Unfortunately physics do not follow wishes
> >> of companies as seen over and over in the past.
> >
> > and companies understand that. i never said locking the device is a 100%
> > guarantee to prevent cloning -- nothing in life is 100%. it does however
> > significantly make it harder to reverse engineer a black box that is
> > wiggling pins than it is to disassemble code and memory. the companies i
> > work with are concerned with delaying clones for most of that product
> > generation's life span, not eternity. if the clone comes in after the
> > company has gotten their fair share out of it, then that's fine by them.
> > clones are an unfortunate aspect of commercial life. without the secure
> > boot aspect, people are able to create knockoffs with enough turn around
> > time to do quite a bit of damage to the product's life span.
>
> It's not the first time I hear this mantra. Can you give me some facts
> to back this up?
i dont know what kind of "facts" you're looking for. i didnt make this
scenario up, it was described to me by a customer in the US and their
experience with Chinese cloners. i'm not going to give customer information
or name names if that's what you want.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090625/5288a36d/attachment.pgp
More information about the U-Boot
mailing list