LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

Plugging into GCC

LWN.net Weekly Edition for October 2, 2008

Ubuntu debuts its Upstream Report

openSUSE and the distribution of proprietary software

LPC: What's happening with webcams

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Entitlements are not DRM

Entitlements are not DRM

Posted May 20, 2008 13:51 UTC (Tue) by michaelkjohnson (subscriber, #41438)
In reply to: A review of rPath Linux 2.0 (LinuxDevices) by bhepple
Parent article: A review of rPath Linux 2.0 (LinuxDevices)

Entitlements are not DRM. They are data for access control, like a username/password pair or an ssh keypair. Not only are they not "DRM", they do not even implement license management. They are specifically the implementation of access control for Conary repositories.

rBuilder Online is a gratis web service which is available to create freely-redistributable appliances (in accordance with the terms of service, of course). Entitlements are not a feature of rBuilder Online. Data in rBuilder Online repositories is publicly-visible, by implementation and terms of service.

rBuilder Appliance is proprietary software (yes, built on top of open source software including Linux, and all the source code to the open source components is available) which includes the ability for customers to limit access to software updates to their appliances using entitlements.

An important feature of the Conary repository format is that it makes it easy for vendors to comply with license requirements to provide source code that corresponds to binaries. Conary builds binaries into a Conary repository from sources stored in a repository, and records with every binary build exactly which sources the binary was built from, along with enough information to recreate the build environment. This includes (among other things) the environment variables set when the package was built, and the exact binary versions of every package that was required for the build.

You are not the first to confound DRM with access control, as I see it. Richard Stallman famously refused to add wheel group limitations to GNU's version of the su command because it would have been inconvenient for him long ago when he broke into the administrative account on a computer. He strongly considered that access control to be "non-free", though I don't think that the term "Digital Rights Management" had been invented at that point. However, it is accepted at least in the Open Source mainstream that access control is appropriate; witness the widespread outrage in response to the recent discovery of weaknesses in generating OpenSSL keypairs in Debian distributions.

I hope this requested discussion is useful for you. Cheers!

(Log in to post comments)

Entitlements are not DRM

Posted May 20, 2008 15:49 UTC (Tue) by skitching (subscriber, #36856) [Link] 

So does this mean that...

1. a manufacturer can sell an appliance which can install patches and upgrades from a conary
repository available at a public address, while the data is not accessable to the general
public?

2. the manufacturer can block an individual appliance from accessing parts of the repository
(eg "you have only paid for module X")?

3. the manufacturer can block an individual appliance from accessing the repository at all (eg
"your license has expired, so no more updates for you")?

Or is this more about allowing a manufacturer who is a Conary customer access to Conary's
central repo of modules so they can build their own (non-updatable) software bundles, but only
from the bits they have paid for access to?

I'm not criticising, just curious...

Entitlements provide access control

Posted May 20, 2008 17:23 UTC (Tue) by michaelkjohnson (subscriber, #41438) [Link]

First, I'd like to mention that rPath's documentation is available on our wiki and that we have a forum for discussing rPath products and technologies. So while I don't mind answering questions here, I'd suggest that more detailed discussion might reasonably be pursued in an rPath context, since we're going well beyond anything related to the article to which LWN linked here.

That said: Entitlements control repository access. So yes, (1) a conary repository server can be available at a public address and have a mix of accessible and inaccessible data, controlled by entitlements. The client presents the entitlement data as its credentials for repository access. (2) Prior to Conary 2.0, access control was by "label" (from a user point of view, think "branch"), controlled by a regular expression. Conary 2.0 added the ability for more fine-grained control, down to individual "troves" (packages and things like packages, including groups of packages). A loose analogy might be .htaccess/.htpasswd files providing fine-grained access to individual files and scripts being served by a web server. (3) Yes, the administrator of the repository can modify the rights which are available based on any particular entitlement; again, removing lines from .htaccess/.hgpasswd files would be a loose analogy.

We at rPath use this facility ourselves to provide our customers access to our proprietary products such as rBuilder Appliance. We do not restrict read access to rPath Linux by entitlement. rPath Appliance Platform Linux Service is an entitled product (with access to source code for everyone who has access to binaries) which is built from the rPath Linux core but is restricted to components for which rPath provides customers an SLA. The "software bundles" you refer to (we call them "appliances") are intentionally updateable. That is part of our relationship with our customers, and reliable, testable updates are a critical component of Conary design.

Again, while I very much enjoy describing the technical features of Conary that make all this possible, I don't want to "hijack" this link from LWN, and suggest that rPath's forum might be a more useful place to discuss the details, since someone else looking for information on Conary would probably look there before here.

Thanks for the questions!

Entitlements provide access control

Posted May 20, 2008 21:41 UTC (Tue) by drag (subscriber, #31333) [Link] 


And everybody keep in mind that Conary and such is free software. To understand Conary think
"RPM, but designed for online distribution of software and easy package creation"

rPath isn't the only people that use Conary.  Foresight Linux, the people that make it easy to
test brand-new Gnome releases, base their distribution on the Conary package management
system. Easy package creation and effortless uninstall/rollback capabilities makes it much
easier to work with then, say, Debian or Fedora in terms of packages and system updates. (ps.
Foresight Linux has begun to ship on Shuttle's KPC line of small form factor PCs)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds