GPLv3 not going far enough?

Posted Sep 24, 2006 2:44 UTC (Sun) by ibukanov (subscriber, #3942)
In reply to: GPLv3 not going far enough? by coriordan
Parent article: Kernel developers' position on GPLv3

> The clauses that are in draft 2 of GPLv3 are judged to be the minimum required in order to prevent large scale abuse of GPL'd software.

My problem with the clause is that it would not prevent anything in the embedded world. I.e. it is possible to defeat it completely AFAICS with simple tricks that would not add any cost to the hardware. As such the clause is dangerous as it give people an illusion of anti-DRM provisions for their free software while adding extra legal complexity for already non-trivial text with unclear consequences.

Here is one detailed possibility of abusing GPLv3. A company can make a device that can run either a signed or unsigned kernel. For unsigned kernel the device would require to enter a private key, which it would then use to sign the kernel and make the kernel available for access so it can be extracted and distributed if necessary. Now the trick is that to enter the key, you would have to use an extra hardware that the company would not sell. So you would get the source, the complete build system and all the encryption keys, but still you would not be able to change the software.

to post comments

theory and practice

Posted Sep 24, 2006 3:15 UTC (Sun) by coriordan (guest, #7544) [Link] (1 responses)

The problem tackled by GPLv3 is worth tackling because someone is already doing it (Tivo). Other cases might be being ignored either because they are not yet being exploited by anyone, or because no one has suggested a good way to prevent them.

Hopefully, no company will find a commercially viable way to do what you've suggested is possible. If it becomes a problem, hopefully someone will suggest a way to fix it in the licence.

It might happen that something cannot be addressed by the licence. In the future, we might have to lobby our legislators or the hardware manufacturers. But, for whatever problems can be solved or reduced by the licence, we should figure them out the solutions this year.

theory and practice

Posted Sep 27, 2006 9:36 UTC (Wed) by RayCromwell (guest, #40771) [Link]

I'm not sure if the loopholes could be closed. Consider for example, a device which uses virtualization to run a GPLv3 kernel. The user can replace it all they want, but it will be run inside of a protected domain without full access to the underlying hardware. So no one stops you from hacks, but they do stop you from accessing 100% of your hardware.

This is probably going to be the way the Playstation 3 runs Linux for example, so that homebrew software can be written unsigned by Sony, or signed by Sony for a small fee, and the kernel may be freely upgraded and replaced, but total access to the full power of the PS3 hardware will be blocked, especially BluRay Video access, access to all of CELL and RSX hardware features.

I'm also not sure as a user, but hacker, I would even wish Sony be forced to completely open the device, since Sony is heavily subsidizing an $800-1000 device which is nearly bankrupting them for me to play games on, and selling it for $400-500. The benefits of full access for me, as well as a vast library of high-definition movies, probably outweigh the costs of not having it hackable at all.

What if Tivo "tivo-ized" their boxes with virtualization by allowing you to upload and run whatever kernel you want, except that the components of the system which capture video systems and store them to disk, as well as dump them into the framebuffer of the display chip, were run outside the Linux kernel in a trusted module. The kernel and user applications could view information about the show database, channel guide, and could control media functions like play, rewind, fastforward, but all aspects of video decoding were delegated to special proprietary chips and protected code running in another domain?

Seems to me that there are routes for DRM devices to take where they can leverage GPL software while still locking down the media content on the device so that it cannot be circumvented by modifications to the kernel and userspace programs. As an extreme example, for a video player, they can simply stick a sufficiently powerful co-processor/media decoder chip that runs a mini-OS that does nothing but decrypt and decompress media streams. This will increase the cost of the HW, but their business model may include subsidizing hardware anyway.

This would not satisfy those clamoring for user freedom because your usage of content you purchased would still be managed on lease/rent/copy restricted rights management.

-Ray Cromwell

p.s. one other comment, is there are a number of people acting like licenses with non-viral clauses aren't successful because people make private changes and don't give back. But I use a large amount of code licensed under Apache, and I would argue strenuously with anyone who claims the Apache projects are failures or that corporate interests aren't giving back code. Perhaps it is possible to have freedom and benefits of open source without force, as long as there is a critical mass of fair minded people willing to work. The "Prisonner's Dilemma" keeps getting brought up, but this is really the "Volunteer's Dilemma". Much of our civil society rests on the fact that an astonishingly high number of people are honest and fair. Yes, there are plenty of leeches in the system, we here about abuses of government services and charity all the time, but IMHO, true freedom is also the ability to tolerate some level of failure, that some people will cheat, and some projects will fail.

Ironically, GPLv3 (and to a lesser extent, GPL overall) seems like "DRM for developers and device manufacturers". Content producers don't want to tolerate that a small percentage of people will be software pirates and take without paying authors, and it seems the GPL doesn't want to take the chance that a small number of people will be code leeches.