|
|
Subscribe / Log in / New account

Free software for whom?

Free software for whom?

Posted Apr 10, 2018 18:54 UTC (Tue) by epa (subscriber, #39769)
Parent article: Prospects for free software in cars

The discussion about GPL3 touches on an important issue. Is it really ‘free software’ in your car if you have no ability to change it? Under legal pressure the manufacturer might grudgingly release a tarball of source code, but you can’t even be sure that corresponds to what is running, let alone use it to build and install a modified version.

If free is to be about freedom, not price, then talking of free software in cars is a misnomer. It would be better to say ‘Linux in cars’, or ‘locked-down software systems where you can possibly view the source code’.


to post comments

Free software for whom?

Posted Apr 10, 2018 21:53 UTC (Tue) by ay (guest, #79347) [Link] (6 responses)

From the vendor side, it's important that the units (in this case let's say various control units) run the binaries the vendor tested and shipped and not some modified binary. There may be safety, security, and reliability/compliance issues. For example I could attack some car system, get the ability to reflash an ECU, and cause something to go wide open throttle and injure people, a dealer tech could reflash the wrong unit, etc. As such these systems boot signed code, which is where GPL3 becomes a problem. Should the vendor compromise security and safety for textbook-definition software freedom? Probably not. Should they have to provide infrastructure for me to put the ECUs into 'development, I own it!' mode and provide signing infrastructure for my own hobby binaries? Probably not, that's a lot of effort and expense, they would need to give me a way to enroll my own keys, sign the binary, etc. and test that. I doubt the underlying bootloader vendor (ex: Vector) would be able to support it without a lot of work.

I've been involved in building several "Tivoized" devices, it was never about DRM or locking people out of freedom and always about security (usually for the customers: assurance they aren't running hacked code) and safety. Ultimately this isn't going to get resolved and I'm afraid GPL3 systems will simply go away in production. Everywhere I've recently dealt with had a "no GPL3" policy for those reasons.

Free software for whom?

Posted Apr 11, 2018 8:20 UTC (Wed) by epa (subscriber, #39769) [Link] (2 responses)

Yes, these are all good reasons why software running in your car is never likely to be free. So let’s stop pretending and let’s stop calling it free software.

Free software for whom?

Posted Apr 11, 2018 16:44 UTC (Wed) by ballombe (subscriber, #9523) [Link] (1 responses)

I completely agree.

On the other hand, I would not be unhappy if closed devices I buy came will full source code and a binding statement that the source code matches the firmware code certified by a third-party.

Free software for whom?

Posted Apr 19, 2018 10:47 UTC (Thu) by Wol (subscriber, #4433) [Link]

In other words, "Open but not Free".

And yes, I don't know how happy I am with that, but it seems reasonable for safety-critical code.

The other option - which would permit GPL3 - is for the law to recognise that after-market software is the same as aftermarket parts. Then the system could be configured such that the user could add *their* *own* signing key for aftermarket software, and at least if anything happens it's clear whether it's original or aftermarket.

Mind you, it might be interesting to look at what happened with Vauxhall/Opel and the Mark II Zafira recently. I don't remember/know much of the detail, but bearing in mind these vehicles went out of production a good few years ago, and the problem was traced to an aftermarket part, Vauxhall had their dealerships check any suspect vehicle for free. They possibly even fixed it for free. (This was the "Zafiras are bursting into flames" news story...)

Cheers,
Wol

Free software for whom?

Posted Apr 11, 2018 15:39 UTC (Wed) by miahfost (guest, #51602) [Link] (1 responses)

I don't think that safety was Tivo's reason for locking their product, but I'm not familiar with their motivation.

What would you say to using an exception in the GPLv3 to permit the car maker to withhold installation information (but still release all the source code)? RMS says using exceptions is okay, the GPLv3 has a robust mechanism for using them, and there apparently a clause vetted by experienced lawyers available that would allow one to provide an exception to section 6 of the GPLv3. This way you would get all of the benefits of the GPLv3 (which is a better license than v2) plus you'd be excepted from supplying the install info like private encryption keys.

Free software for whom?

Posted Apr 11, 2018 21:28 UTC (Wed) by ay (guest, #79347) [Link]

I suspect that for GPLv3 to have any real future (at least in markets like the one discussed here) RMS would need to be very vocal about exceptions and how they work and really worth to educate legal teams about them. At this point GPLv3 is simply forbidden (certain build systems have a GPLv3 filter to disable external packages with that license). On that note, the last time I had to "remove all GPLv3 code" it was really simple, all we had to replace was rsyslog and that's not terribly compelling as a reason to have GPLv3 by itself (there are after all many syslog implementations and rsyslog features are rarely needed in embedded systems). Actually digging through Yocto or buildroot "package" lists, if you were to drop all GPLv3 ones, is anything of value (to the vendor) lost? I really wonder if the battle (assuming there was one) is already lost and it's too late to discuss exceptions and acceptable ways to ship GPLv3 code simply because no one "needs to".

Looking more broadly, new toolchains are LLVM-based (rust, etc), Google is developing Fuchsia which replaces the Linux kernel, uses an LLVM-based toolchain, and replaces pretty much everything else in the "stack", and so on. There might not be much GPL code left if that succeeds and picks up momentum.

Free software for whom?

Posted Apr 11, 2018 21:24 UTC (Wed) by jhhaller (guest, #56103) [Link]

There are ways around GPL3 anti-Tivoization requirements through governmental regulations. For example, I could imagine a requirement that stated using software not signed by the manufacturer makes the vehicle not legal for street use, with a very restrictive exception process. Even getting access to a signing key for your device might be reason to subject you to file for the exception process before being able to be street legal, with the manufacturer notifying which VINs have had firmware keys released. The exception process is likely required even for the manufacturer to validate their software before deploying it. So, an individual might be able to go through the exception, but it might require 300 8-hour road days on private property before being allowed on public streets. Self driving functionality might require 3 vehicle-years of use before a safety driver was not required.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds