[U-Boot] U-book and GPLv3? (fwd)

Mike Frysinger vapier at gentoo.org
Thu Jun 25 15:53:32 CEST 2009


On Thursday 25 June 2009 07:04:07 Detlev Zundel wrote:
> >> >> > but when customers absolutely state their requirements are secure
> >> >> > boot and the ability to lock their hardware so no one else can run
> >> >> > things, then i'm not about to argue with them.  their response is
> >> >> > simply "fine, we'll move on to the next guy who will satisfy our
> >> >> > requirements".
> >> >>
> >> >> It is your decision if you don't want to even understand your
> >> >> customers needs.
> >> >
> >> > wrong, we've actually done the opposite.  we know what they want to do
> >> > and it is doable with GPLv2.  it is not doable with GPLv3.
> >>
> >> From what I read, I do not get this impression.  "Locking people out" is
> >> not an ulterior motive but the outcome of a perceived threat to a
> >> business model.  It was this business model that I wanted to get a clear
> >> picture of.  It seems I cannot get any more information here.
> >
> > locking down a machine is part of due diligence as well when it comes to
> > certification.  not taking measures to prevent uncertified code from
> > running is a legal liability for companies.
>
> An aircraft is also a certified product - won't you think?  Do you
> believe that an airline carrier ships its planes to the manufacturer if
> they need to replace a screw?  Obviously there must be ways to ensure
> certification even in such cases.  Why should those methods not be
> applicable to other fields as well?
>
> It is this "certification is only possible like we say" attitude which I
> seriously question.

whether you question this attitude doesn't matter.  you aren't a lawyer in 
general, you aren't a lawyer for these companies, and you aren't indemnifying 
them.  their legal review says that it's a requirement, so it is now a 
requirement for the software.  anything beyond that is irrelevant.

> >> >> > they aren't generally trying to lock out people who just want to
> >> >> > toy, they're targeting people who want to clone their hardware or
> >> >> > functionality to create knockoffs or they're trying to guarantee
> >> >> > lock down so they can get certified (like medical devices).
> >> >>
> >> >> How does GPLv3 vs. GPLv2 touch the "we will get cloned" question? 
> >> >> Maybe I do not see the obvious here, but sourcecode to binaries under
> >> >> either license must be available, so what's the difference?
> >> >
> >> > if you don't have the decryption keys, you can't read the end program.
> >> > having access to the u-boot source doesn't matter.
> >>
> >> Having access to the physical device will.  How long do you think will
> >> it take to get broken into?  Unfortunately physics do not follow wishes
> >> of companies as seen over and over in the past.
> >
> > and companies understand that.  i never said locking the device is a 100%
> > guarantee to prevent cloning -- nothing in life is 100%.  it does however
> > significantly make it harder to reverse engineer a black box that is
> > wiggling pins than it is to disassemble code and memory.  the companies i
> > work with are concerned with delaying clones for most of that product
> > generation's life span, not eternity.  if the clone comes in after the
> > company has gotten their fair share out of it, then that's fine by them. 
> > clones are an unfortunate aspect of commercial life.  without the secure
> > boot aspect, people are able to create knockoffs with enough turn around
> > time to do quite a bit of damage to the product's life span.
>
> It's not the first time I hear this mantra.  Can you give me some facts
> to back this up?

i don't know what kind of "facts" you're looking for.  i didn't make this 
scenario up, it was described to me by a customer in the US and their 
experience with Chinese cloners.  i'm not going to give customer information 
or name names if that's what you want.
-mike