FSF should separate GPLv3 changes (Linux.com)
Posted Oct 19, 2006 11:12 UTC (Thu) by Zack
In reply to: FSF should separate GPLv3 changes (Linux.com)
Parent article: FSF should separate GPLv3 changes (Linux.com)
I think I understand your objections, but I'm not sure whether the problems you pose are insurmountable.
>Note we LEASED the appliances, so they were ours, yet we were clearly distributing software.
For the remainder please assume I'm arguing from a "SOLD" and not "LEASED" perspective to simplify.
>Also the customers actually LIKED this since this allowed them to sleep better at night knowing they did not have to trust anyone else other than us.
Then your customers were somewhat foolish and may not have been informed enough to see the implications of their behaviour. Their minds may have been not so at ease if they considered the possibility of bankruptcy, or a possible compromise of security on your side divulging keys common between unrelated customers or devices.
One of the basic rules of security is that you should never be forced to trust anyone.
>We would completely break their trust (and maybe some contract agreement) if we gave our keys to anyone else.
The solution may have been to have per-customer or per-device keys.
This may have been more expensive, but on the other hand "you can trust us if you want to, not because you have to" is a valuable sales argument when it comes to security.
>It would be impossible for the company to include any GPLv3 software in that device. If most of the tools moved to GPLv3, we would not be able to use linux at all,
It should be perfectly possible for the receiving end to say, "We do not wish to directly receive the unlocking mechanism for our devices and would like you (or a third party) to, under contract, safekeep these in escrow for us because we do not feel anyone within our organisation can be safely entrusted with it."
This combined with a suspension of service and/or warranty upon retrieval of the customer's/device's private key would give them the necessary freedoms should they opt to exercise them.
>The company is very grateful to the linux kernel developers and busybox developers for not going to the GPLv3 as it would most likely bankrupt the company.
Few companies go bankrupt for adapting their practices and making a good faith effort to ensure customer independence.
>On all the time I was there, I NEVER heard anyone complain or even want to modify the code inside the appliance. Quite the opposite, customers were relieved when told about this feature. Developers also did not care, they happily received our patches and NEVER complained.
And many probably never would make use of their private key under GPLv3, assuming that your company provides a valuable and honest service. So very little would change in that regard.
So yes, the GPLv3 as currently envisioned might complicate things for a distributor (especially those in the embedded market) and increase costs, but it's not impossible to work out a solution that respects the four software freedoms yet provides true "trusted computing".