Prospects for free software in cars

Posted Apr 13, 2018 17:14 UTC (Fri) by brouhaha (subscriber, #1698)
Parent article: Prospects for free software in cars

GPLv3 doesn't require anyone to publish their private keys. The requirements can be met by providing a means whereby the user can install one or more additional keys which the device will accept for signature validation. As shipped, the product doesn't need to contain any additional keys, and until and unless additional keys are installed, the product doesn't have to accept software from sources other than the vendor.

The procedure to install additional keys doesn't even need to be especially user-friendly, but it needs to be documented, and plausible that a technically competent person could do it.

Prospects for free software in cars

Posted Apr 14, 2018 0:48 UTC (Sat) by ay (guest, #79347) [Link] (1 responses)

We generally build products to meet customer and business requirements. Being able to provision your own keys on an embedded device is rarely if ever a legitimate requirement so simply not using GPL3 code is the most sensible option to businesses.

I've only seen implications of "replace rsyslog with something else", nothing "of value" was lost when scrubbing a system of GPL3 code.

I personally think that battle is lost and the industry has moved on. They'll tollerate GPL2 especially with the termination clause having been clarified but almost no one is going to accept GPL3 on secure devices.

Prospects for free software in cars

Posted Apr 14, 2018 23:01 UTC (Sat) by mpr22 (subscriber, #60784) [Link]

Under property rights, if you own (rather than renting) the embedded device, and it is possible to load new software onto the device but only if it has a signature the device can verify, then being able to provision your own signing keys is (to a decent zero'th approximation) always a legitimate requirement.

There are exceptions, but the number of those exceptions is a lot smaller than a lot of manufacturers would like.