
A review of rPath Linux 2.0 (LinuxDevices)

LinuxDevices has a brief overview and review of rPath Linux 2.0. "rPath Linux is a specialized Linux distribution designed for use by ISVs (independent software vendors) wishing to deliver their products as pre-installed hardware appliances, or as 'software appliances.' The latter are pre-configured Linux server stacks suitable for installation by users on real or virtual commodity hardware."

A review of rPath Linux 2.0 (LinuxDevices)

Posted May 20, 2008 2:16 UTC (Tue) by bhepple (guest, #2581) [Link]

What doesn't seem to get much coverage is the Digital Rights stuff built into rPath and its
place in the FOSS world. 

eg. You can't run the rBuilder binary (except as a very limited web app) without negotiating
an unspecified fee with rPath and getting an "Entitlements" file aka a digital key. No source
to rBuilder is available - rPath claim that it's completely within the licence requirements
(and I have no reason to doubt that). 

Similarly, the appliances that are created by rBuilder can be bound up with DRM
("Entitlements") - this seems to be designed to appeal to companies that want to release
DRM-encumbered products.

No-one is compelled to release source for things they own just because they run on Linux after
all, but it does all rather fly in the face of the spirit of things. Isn't DRM somewhat
discredited these days?

Discuss please ...

GPLv3 is designed to combat such things

Posted May 20, 2008 13:17 UTC (Tue) by khim (subscriber, #9252) [Link]

We'll see. If DRM is stopped by some other means, GPLv3 will be just "something FSF is using". If DRM becomes the real problem, we'll see a fast switch to the GPLv3 and the world will be split in two: old GPLv2 world (locked away with keys) and new GPLv3 world (free as designed). Not a good scenario, but better than the alternatives.

Entitlements are not DRM

Posted May 20, 2008 13:51 UTC (Tue) by michaelkjohnson (subscriber, #41438) [Link]

Entitlements are not DRM. They are data for access control, like a username/password pair or an ssh keypair. Not only are they not "DRM", they do not even implement license management. They are specifically the implementation of access control for Conary repositories.

rBuilder Online is a gratis web service which is available to create freely-redistributable appliances (in accordance with the terms of service, of course). Entitlements are not a feature of rBuilder Online. Data in rBuilder Online repositories is publicly-visible, by implementation and terms of service.

rBuilder Appliance is proprietary software (yes, built on top of open source software including Linux, and all the source code to the open source components is available) which includes the ability for customers to limit access to software updates to their appliances using entitlements.

An important feature of the Conary repository format is that it makes it easy for vendors to comply with license requirements to provide source code that corresponds to binaries. Conary builds binaries into a Conary repository from sources stored in a repository, and records with every binary build exactly which sources the binary was built from, along with enough information to recreate the build environment. This includes (among other things) the environment variables set when the package was built, and the exact binary versions of every package that was required for the build.

You are not the first to confound DRM with access control, as I see it. Richard Stallman famously refused to add wheel group limitations to GNU's version of the su command because it would have been inconvenient for him long ago when he broke into the administrative account on a computer. He strongly considered that access control to be "non-free", though I don't think that the term "Digital Rights Management" had been invented at that point. However, it is accepted at least in the Open Source mainstream that access control is appropriate; witness the widespread outrage in response to the recent discovery of weaknesses in generating OpenSSL keypairs in Debian distributions.

I hope this requested discussion is useful for you. Cheers!

Entitlements are not DRM

Posted May 20, 2008 15:49 UTC (Tue) by skitching (subscriber, #36856) [Link]

So does this mean that...

1. a manufacturer can sell an appliance which can install patches and upgrades from a Conary
repository available at a public address, while the data is not accessible to the general
public?

2. the manufacturer can block an individual appliance from accessing parts of the repository
(eg "you have only paid for module X")?

3. the manufacturer can block an individual appliance from accessing the repository at all (eg
"your license has expired, so no more updates for you")?

Or is this more about allowing a manufacturer who is a Conary customer access to Conary's
central repo of modules so they can build their own (non-updatable) software bundles, but only
from the bits they have paid for access to?

I'm not criticising, just curious...

Entitlements provide access control

Posted May 20, 2008 17:23 UTC (Tue) by michaelkjohnson (subscriber, #41438) [Link]

First, I'd like to mention that rPath's documentation is available on our wiki and that we have a forum for discussing rPath products and technologies. So while I don't mind answering questions here, I'd suggest that more detailed discussion might reasonably be pursued in an rPath context, since we're going well beyond anything related to the article to which LWN linked here.

That said: Entitlements control repository access. So yes, (1) a conary repository server can be available at a public address and have a mix of accessible and inaccessible data, controlled by entitlements. The client presents the entitlement data as its credentials for repository access. (2) Prior to Conary 2.0, access control was by "label" (from a user point of view, think "branch"), controlled by a regular expression. Conary 2.0 added the ability for more fine-grained control, down to individual "troves" (packages and things like packages, including groups of packages). A loose analogy might be .htaccess/.htpasswd files providing fine-grained access to individual files and scripts being served by a web server. (3) Yes, the administrator of the repository can modify the rights which are available based on any particular entitlement; again, removing lines from .htaccess/.htpasswd files would be a loose analogy.

We at rPath use this facility ourselves to provide our customers access to our proprietary products such as rBuilder Appliance. We do not restrict read access to rPath Linux by entitlement. rPath Appliance Platform Linux Service is an entitled product (with access to source code for everyone who has access to binaries) which is built from the rPath Linux core but is restricted to components for which rPath provides customers an SLA. The "software bundles" you refer to (we call them "appliances") are intentionally updateable. That is part of our relationship with our customers, and reliable, testable updates are a critical component of Conary design.

Again, while I very much enjoy describing the technical features of Conary that make all this possible, I don't want to "hijack" this link from LWN, and suggest that rPath's forum might be a more useful place to discuss the details, since someone else looking for information on Conary would probably look there before here.

Thanks for the questions!
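The three cases discussed in the comment above (public and restricted data on one server, per-module access, and revocation), sketched as an added example that is not part of the original post and is not Conary's code or API. The class names, the entitlement key, the labels and the trove names are all hypothetical, constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical model, NOT Conary's API. An ACL grants read access to troves
# whose label matches one regex and whose name matches another.
@dataclass(frozen=True)
class Acl:
    label_re: str
    trove_re: str = r".*"  # label-only rule when left at the default

    def allows(self, trove: str, label: str) -> bool:
        # fullmatch avoids partial matches such as "module-x-extra"
        return bool(re.fullmatch(self.label_re, label)
                    and re.fullmatch(self.trove_re, trove))

@dataclass
class Repository:
    public_acls: list = field(default_factory=list)
    entitlements: dict = field(default_factory=dict)  # key -> list of Acl

    def can_read(self, trove, label, entitlement=None) -> bool:
        acls = list(self.public_acls)
        # Unknown, missing or revoked keys add nothing: default deny
        # for everything beyond the public data.
        acls += self.entitlements.get(entitlement, [])
        return any(a.allows(trove, label) for a in acls)

    def revoke(self, entitlement) -> None:
        self.entitlements.pop(entitlement, None)

# Constructed sample labels: one public platform, one restricted product.
PUBLIC = "repo.example.com@ex:linux-2"
PRODUCT = "repo.example.com@ex:appliance-1"

def build_sample() -> Repository:
    return Repository(
        public_acls=[Acl(re.escape(PUBLIC))],
        # This appliance's key covers module-x only, on the product label.
        entitlements={"key-A": [Acl(re.escape(PRODUCT), r"module-x")]},
    )

if __name__ == "__main__":
    repo = build_sample()
    print(repo.can_read("glibc", PUBLIC))              # case 1: public data
    print(repo.can_read("module-x", PRODUCT))          # case 1: restricted
    print(repo.can_read("module-y", PRODUCT, "key-A")) # case 2: not paid for
    repo.revoke("key-A")
    print(repo.can_read("module-x", PRODUCT, "key-A")) # case 3: revoked
```
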

Entitlements provide access control

Posted May 20, 2008 21:41 UTC (Tue) by drag (subscriber, #31333) [Link]


And everybody keep in mind that Conary and such is free software. To understand Conary think
"RPM, but designed for online distribution of software and easy package creation"

rPath aren't the only people that use Conary.  Foresight Linux, the people that make it easy to
test brand-new Gnome releases, base their distribution on the Conary package management
system. Easy package creation and effortless uninstall/rollback capabilities make it much
easier to work with than, say, Debian or Fedora in terms of packages and system updates. (ps.
Foresight Linux has begun to ship on Shuttle's KPC line of small form factor PCs)


A review of rPath Linux 2.0 (LinuxDevices)

Posted May 20, 2008 12:58 UTC (Tue) by shaneo (guest, #48399) [Link]

Evidently, I missed the "review" part.  They just picked up the rPath press release, or so it
seems...

A review of rPath Linux 2.0 (LinuxDevices)

Posted May 20, 2008 14:57 UTC (Tue) by proski (subscriber, #104) [Link]

I agree. Perhaps LWN should pay less attention to the "reviews" where the "reviewer" didn't bother to install the software being reviewed. The same applies to other garbage spewed by clueless "IT professionals".

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds