|
|
Subscribe / Log in / New account

Linux Foundation Welcomes LVFS Project (Linux.com)

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Mar 31, 2019 1:32 UTC (Sun) by intgr (subscriber, #39733)
In reply to: Linux Foundation Welcomes LVFS Project (Linux.com) by pabs
Parent article: Linux Foundation Welcomes LVFS Project (Linux.com)

Well it's a package manager and update system for firmware images. It doesn't really dictate whether they were compiled from open or closed source.

Unless you were expecting ordinary users to have to download compilers and specialized tools for all sorts of weird architectures and build the firmwares on their computer every time?

to post comments

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Mar 31, 2019 4:09 UTC (Sun) by pabs (subscriber, #43278) [Link] (18 responses)

The design of LVFS is heavily biased toward proprietary firmware, as far as I can tell there is no mechanism for source code distribution, which is often required for open source firmware (which is usually GPLed) and should be done even if it is not required.

https://fwupd.org/lvfs/device/40338ceb-b966-4eae-adae-9c3...
https://fwupd.org/lvfs/device/2082b5e0-7a64-478a-b1b2-e34...
https://fwupd.org/lvfs/device/84f40464-9272-4ef7-9399-cd9...
https://fwupd.org/lvfs/device/9c9871fe-75bd-5fde-9425-699...

Interestingly, LVFS are claiming that their distribution of the AltusMetrum ChaosKey firmware is proprietary and are not distributing any source code, but AltusMetrum themselves distribute the firmware under the GPL and provide source code.

https://fwupd.org/lvfs/device/b62500d7-c981-595b-a798-eb6...
https://altusmetrum.org/ChaosKey/

Seems like LVFS might be violating the GPL here.

For open source firmware I'd expect something like Debian packages (automatically built from source using properly packaged open source tools) to be available, same as for any other binary I install.

Indeed, for the AltusMetrum case, altos and the ChaosKey firmware are available as proper packages from Debian and are even reproducibly buildable.

https://tracker.debian.org/pkg/altos
https://tests.reproducible-builds.org/debian/rb-pkg/unsta...

Another case of properly packaged open source firmware is ath9k_htc.fw:

https://github.com/qca/open-ath9k-htc-firmware/
https://wireless.wiki.kernel.org/en/users/Drivers/ath9k_h...
https://tracker.debian.org/pkg/open-ath9k-htc-firmware

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Mar 31, 2019 7:25 UTC (Sun) by Wol (subscriber, #4433) [Link] (2 responses)

> Seems like LVFS might be violating the GPL here.

Not if (a) Altus Metrum don't include 3rd-party code and (b) Altus Metrum explicitly provide the code to LVFS.

Not saying you're not right, but people are far to eager to jump to the conclusion "OMG!!! GPL violation!!!", even to the extent of claiming that people are violating the GPL *on their own code*, which any decent lawyer will tell you is an impossibility.

As I say, the obvious explanation is that Altus have put the code on LVFS and, absent any 3rd-party code, it's all legal and above board.

(Think of all the shenanigans on YouTube, where Marketing would upload videos, only for Legal to promptly demand they be taken down. Copyright - as implemented - is a badly mis-understood mess!)

Cheers,
Wol

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Mar 31, 2019 7:28 UTC (Sun) by pabs (subscriber, #43278) [Link] (1 responses)

The GPL comment was referring to both Altus and the other instances of GPL firmware in LVFS.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Mar 31, 2019 17:14 UTC (Sun) by Wol (subscriber, #4433) [Link]

Who uploaded that firmware to LVFS?

Without that, you can't come to any conclusions whatsoever.

Cheers,
Wol

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Mar 31, 2019 12:28 UTC (Sun) by intgr (subscriber, #39733) [Link] (5 responses)

Have you talked to Richard Hughes about this?

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 2, 2019 16:27 UTC (Tue) by hughsient (subscriber, #52199) [Link] (4 responses)

I wish someone would have emailed me rather than create all this drama... Hanlon's razor was at work, nothing more sinister: The firmware was mislabeled, and I've just changed it to GPLv2+ as it should have been from the start. Now https://fwupd.org/lvfs/device/b62500d7-c981-595b-a798-eb6... shows the license with a clickable link back to the source code.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 4, 2019 11:37 UTC (Thu) by mgedmin (subscriber, #34497) [Link] (3 responses)

Mild suggestion: when I see a clickable link saying "GPL-2.0+", I assume that clicking on it will lead me to the full text of the licence, rather than the source code of the firmware.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 4, 2019 12:35 UTC (Thu) by madscientist (subscriber, #16861) [Link]

Agreed: I would never guess that clicking that link would bring me to the source code.

And in the spirit of other comments here hoping we can boost the profile of FOSS firmware vendors, it would be a nice bonus to them if there were a separate line in the table labelled "Source code" explicitly, with a link for vendors that provide it and "unavailable" for those that don't.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 5, 2019 15:22 UTC (Fri) by hughsient (subscriber, #52199) [Link] (1 responses)

Can you file that as an issue here please: https://github.com/hughsie/lvfs-website/issues

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 5, 2019 15:29 UTC (Fri) by mgedmin (subscriber, #34497) [Link]

Here you are: https://github.com/hughsie/lvfs-website/issues/309

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 1, 2019 2:47 UTC (Mon) by medicalwei (subscriber, #103028) [Link] (4 responses)

If AltusMetrum has complete right to the source code (haven't fact checked that, but they seems to have right on most of the parts), they can of course license the firmware as proprietary, while providing GPL source code for users to build when necessary. It doesn't need to be strictly free software to comply the law. That also avoids the issue to require LVFS to distribute the source code per GPL.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 1, 2019 9:43 UTC (Mon) by nim-nim (subscriber, #34454) [Link] (3 responses)

And that fully validates the first comment “LVFS is a proprietary software distribution scheme”.

It's so proprietary oriented, you have to proprietarize free software firmware to use it.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 1, 2019 11:06 UTC (Mon) by pabs (subscriber, #43278) [Link] (2 responses)

On a related note: most of the LVFS is UEFI firmware. Why is UEFI firmware always proprietary? It is mostly forks of TianoCore, seems like there would be zero reason to not make such forks open source, or at least open except for the parts that involve Intel. Is it a culture thing? Are there important trade secrets? Do the vendor forks introduce any interesting features? Are UEFI vendors actually violating patents galore and like to obfuscate that?

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 1, 2019 16:15 UTC (Mon) by nix (subscriber, #2304) [Link]

Is the UEFI vendors' code just so entirely shit that they'd be embarrassed to show their work? (If pre-UEFI firmware is any guide: not only yes but hell yes).

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 3, 2019 17:11 UTC (Wed) by BenHutchings (subscriber, #37955) [Link]

The DRAM and CPU model-specific initialisation code is often treated as a trade secret by the CPU vendor.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 1, 2019 19:46 UTC (Mon) by Uraeus (guest, #33755) [Link] (3 responses)

All firmware on LVFS are provided by the vendors themselves, so if AltusMetrum provides the source code there is no GPL violation. I assume AltusMetrum allows you to download the source code from their website and to quote the GPL3 rules you are in compliance with the GPL if you : (2) access to copy the Corresponding Source from a network server at no charge.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 1, 2019 20:58 UTC (Mon) by Wol (subscriber, #4433) [Link] (2 responses)

Sorry wrong!

If as you say, provided the code is all owned by Altus Metrium, the GPL doesn't apply so it can't be violated. There is absolutely NO need whatsoever to comply with the GPL.

It is IMPOSSIBLE for the owner of the code to violate the licence - any licence. End of.

Cheers,
Wol

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 1, 2019 21:01 UTC (Mon) by Wol (subscriber, #4433) [Link] (1 responses)

Just to add - if Altus Metrium *have* included 3rd-party GPL code in their firmware, then LVFS are violating the GPL by distributing it without source - certainly with GPL2 they can't refer to Altus' source and I'm not sure of the situation with GPL3.

Cheers,
Wol

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 3, 2019 0:08 UTC (Wed) by xtifr (guest, #143) [Link]

From the GPL3 section 6d:
> "If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements."

So LVFS must provide clear directions, and have taken on responsibility for ensuring that the source hosted by Altus Metrium remains available. But as long as they do that, I believe they should be fine--if the code is GPL3.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds