Java cryptography and free distributions
Warren Togami recently posted a couple of possibilities for how Fedora might be able to ship JSS. They were:
- The Fedora team builds the JSS module, then compares it to the
Sun-signed version. Assuming they match, Fedora has proved that it
can rebuild the software. So the project can declare Mission
Accomplished, dump the module it just built, and ship Sun's version.
A variation on this approach suggested later on involved having Red
Hat obtain an approved key and sign the modules that Fedora would
distribute; in this way, Fedora could add its own modifications.
- Fedora ships an unsigned version of JSS. Applications would then have to be recoded to load the module in a way which shorts out the signature check. Any applications not fixed up in this way would fail.
The first option, at first blush, would appear to work. Fedora would be able to build its own module and ship the source. It falls down, however, as soon as a Fedora user tries to make a change; that user will not be able to rebuild the patched module in a way that will actually work. Derivative distributions would run into the same problem. As a result, it would appear that Fedora stopped considering this option fairly quickly.
Not signing the module at all has obvious problems as well. It seems likely that many potential JSS users have their own applications in mind. If those applications do not work, they will rightly see Fedora as not having support for the features they are looking for.
Other alternatives have been considered; one is to emphasize the use of the GCJ compiler and try to steer users away from Sun's virtual machine. That approach would certainly offer a higher degree of freedom, at the cost of not really providing what many Java users appear to want. Additionally, not everybody is convinced that GCJ has achieved the level of maturity that many users would expect.
In an interesting way, this is really just the Tivo problem under a different guise. Locked-down hardware refuses to run software which lacks the expected signatures. In this case, we have virtual hardware, in the form of the Java virtual machine, which is doing the same thing. The result is the same as well: the software is available and nominally free, but the users of that software cannot create their own versions and expect to be able to run them.
If Sun follows through on its desire to move to GPLv3, and if that license retains its requirement that any needed signing keys be distributed with the source, Sun may find itself in an interesting position. It is hard to see how the current policy would be compliant with the new GPL's requirements.
The upcoming GPL Java release would appear to be the best hope for
distributors trying to deal with this situation. Once the code is free,
distributors can patch it to make the whole of Java distributable as free
software. So the real solution to shipping JSS with a distribution which
insists on freedom would appear to be to wait for a free Java.
| Index entries for this article | |
|---|---|
| Security | Signing code |
Posted Mar 15, 2007 11:33 UTC (Thu)
by gouyou (guest, #30290)
[Link] (5 responses)
Posted Mar 15, 2007 13:32 UTC (Thu)
by nim-nim (subscriber, #34454)
[Link] (2 responses)
Posted Mar 15, 2007 15:20 UTC (Thu)
by gouyou (guest, #30290)
[Link] (1 responses)
Posted Mar 15, 2007 15:30 UTC (Thu)
by nim-nim (subscriber, #34454)
[Link]
JVMs as packaged by SUN however are. All their "config" parts are reinitialized on updates
Posted Mar 15, 2007 16:50 UTC (Thu)
by nosnilmot (subscriber, #746)
[Link] (1 responses)
Posted Mar 15, 2007 17:30 UTC (Thu)
by gouyou (guest, #30290)
[Link]
Posted Mar 15, 2007 17:25 UTC (Thu)
by iabervon (subscriber, #722)
[Link]
I don't see any problem with the idea that, if you want to use JSS from Fedora, you need to have a JVM from Fedora, or at least have the Fedora package manager reconfigure the JVM you're using after it's installed. It seems like the obvious Free Software and public key interaction is this: for all public keys that go into a system, the end user needs to either have the private key, or needs to be able to replace the public key, in the copy that user will use, with a public key that the user does have the private key for. This gives the end user two important abilities: be trusted by the software, and cause the software to trust a selected other person. (I would go so far as to say that it would be "not free" to make it legally impossible for the end user to decide to trust Sun without having Sun's private key.)
Posted Mar 16, 2007 20:01 UTC (Fri)
by landley (guest, #6789)
[Link] (1 responses)
So all this means is that Sun can't afford to accept third party
Posted Mar 16, 2007 20:43 UTC (Fri)
by giraffedata (guest, #1954)
[Link]
Sun can't afford to accept third party contributions under GPL3.
Whether Sun redistributes under GPL3 or some other license is irrelevant to Sun's obligation to divulge keys even with third party contributions.
BTW, you don't enforce a license. A license is permission and can't be used against anyone but the licensor. You enforce copyright. More specifically, you can enforce conditions of a copyright license.
Posted Mar 22, 2007 10:58 UTC (Thu)
by robilad (guest, #27163)
[Link]
This problem only comes up with 'unpatched' proprietary VMs, which are not in Fedora anyway, and their users can go get a signed binary for Fedora wherever they get the proprietary VMs.
IIRC the user could also add a certificate to the trusted certificate store used by Java, which IMHO is the correct solution.Java cryptography and free distributions
And what happens when he updates his sun-provided jvm?Java cryptography and free distributions
There is a per user configuration file for setting this things, but I think the problem is more general:
Java cryptography and free distributions
A distribution handles these things fine - it's not monolithicJava cryptography and free distributions
JCE signing certificates are not issued by CAs in, or verified against, the conventional trusted certificate store, and end users do not have any way to extend the list of trusted authorities for JCE provider certificate verification.Java cryptography and free distributions
My bad after doing a bit of research on JCE, I found a nice article explaining the situation, and it looks like a clear case of software DRM: Who Trusts the Trustees?.
Java cryptography and free distributions
It should be fine to have the JVM use a set of public keys from a configuration file alongside the JVM binary (as far as security, if someone can replace the keys, they could just replace the JVM binary), and the Sun distribution could distribute Sun public keys (as "mere aggregation"), and the installer could put the Sun keys in the location where they'll be used. Anybody else who wanted to distribute Java, and who wanted to be able to sign security modules, could include their public keys.Java cryptography and free distributions
If sun is the only copyright holder in java, then you can't enforce the Java cryptography and free distributions
license against it (you haven't got standing, only a copyright holder can
sue to enforce the license).
contributions from the open source community into Java, or else those
contributors could then enforce the license against it and sue it for the
key. But they can release it under any license they want because they
don't need the license to distribute so violating its' terms means
nothing
to them.
Java cryptography and free distributions
So all this means is that Sun can't afford to accept third party
contributions from the open source community into Java,
once Sun's class library implementation is out there as open source. Just patch it