Re: [DRAFT] resolving DFSG violations - Debian


  1. Re: Leverage in licensing discussions

    On Friday 7 November 2008 at 17:15 +0100, Johannes Wiedersich wrote:
    > Josselin Mouette wrote:
    > > This reasoning, as any security-by-obscurity one, is completely flawed.
    > > As long as the firmware is distributed separately, you can modify it,
    > > whether it is open source or not. Not having the source never prevented
    > > people from making modifications.

    >
    > Even if it is no guarantee for prevention of modifications, it makes
    > those much more difficult.


    Or so you think. There are people who can read assembly and hex just as
    easily as I read C sources. It would probably take only a few days of
    testing for a hacker with the appropriate skills to remove firmware
    restrictions for reaching a frequency range, for example.

    > It is not a bug that certain _hardware_ has more capabilities than is
    > reasonable to offer the user to tweak. Even if a physical radio
    > transmitter (wifi, cell phone, radio,) is technically capable of
    > transmitting/receiving at many frequencies, it is usually not desirable
    > to have any average user actually _use_ it at any frequency they wish.
    >
    > I'm fully in favour of open source and people tweaking the code running
    > on their computers, but I'd have to stop leaving the house, if people
    > started to mess with the software controlling the brakes of their cars...


    Being in favor of open-sourcing firmwares (including those controlling
    critical security devices in cars) does not mean being in favor of
    letting anyone ship their own version. In such cases, there needs to be
    some appropriate process to validate the new versions and to enforce it
    legally. Just like you are not allowed to make any modification you like
    in your engine, you should not be allowed to make modifications in the
    car’s firmware. And just like modifying the engine without the original
    plans makes it more likely to fail, the same holds for a firmware you’d
    modify without source.

    > > Bull****. You’ll have a hard time finding a court that will conclude
    > > that the manufacturer is liable instead of the person who has actually
    > > modified and distributed the firmware. Especially if the manufacturer
    > > disclaims clearly any responsibility for modifying it in the
    > > documentation.

    >
    > You'll have a hard time to prove that it was some modified firmware...
    > - that killed the person with the pace maker or
    > - that caused the accident by differently controlling the car's
    > electronics or
    > - that causes the connection problems in your flat (via neighbours
    > trying to increase the range of their wireless).


    Indeed. But you can still use a modified firmware, even without the
    source. If ill-intentioned people wanted to do it, this would already be
    quite feasible.

    > >> Such sensibel stuff must be protected...

    > >
    > > It will NEVER be protected by ideas as stupid as just keeping the source
    > > closed.

    >
    > Closed source might not indefinitely protect it. But open source in some
    > cases might outright jeopardize it.


    Sure. We all know how closing the source of DVD decoders and Wii
    firmwares prevented people from cracking them.

    If people have the motivation to ship modified versions, they *will*
    ship modified versions. Closing your eyes will not stop it from
    happening.

    To go back to the wifi transmitter example: the average hacker doesn’t
    care of being able to reach frequencies that are not standard for Wifi,
    except if he wants to see people dressed in black search in the
    surroundings. However, a spy may be interested in making such
    modifications to jam military frequencies, for example. Currently there
    is nothing preventing him to do so. If the firmware was open source,
    nothing of this would change.

    > Don't forget that there is good reason why even our beloved Debian
    > employs 'security by obscurity' before the DSA is out and patched
    > packages are available...


    I don’t see how this is related.

    > Again that's not to say that closed source guarantees security. But maybe
    > it helps in certain cases.


    This is what those keeping their sources closed wish. But there are no
    fairies to grant this wish.

    --
    .''`.
    : :' : We are debian.org. Lower your prices, surrender your code.
    `. `' We will add your hardware and software distinctiveness to
    `- our own. Resistance is futile.



  2. Re: Leverage in licensing discussions

    Josselin Mouette wrote:
    [...]
    > Or so you think. There are people who can read assembly and hex just as
    > easily as I read C sources. It would probably take only a few days of
    > testing for a hacker with the appropriate skills to remove firmware
    > restrictions for reaching a frequency range, for example.


    I believe that most if not all firmware images these days are signed or
    encrypted.

    [...]
    > In such cases, there needs to be
    > some appropriate process to validate the new versions and to enforce it
    > legally.


    Yup. Unlike most software, wireless stuff is rather indiscriminate about
    what it interacts with. Wired ethernet is easy to control, wireless is
    much less so; your right to experiment with wireless protocols does not
    extend to preventing me making emergency calls.

    The EM spectrum is very subject to tragedy-of-the-commons abuses. It's
    in everybody's interest to ensure that people follow the rules when
    using the EM spectrum, which is why regulators like the FCC have the
    powers they do.

    [...]
    > This is what those keeping their sources closed wish. But there are no
    > fairies to grant this wish.


    Actually, I strongly suspect this is because most firmware images
    contain proprietary embedded operating systems and/or proprietary
    third-party libraries...

    --
    David Given
    dg@cowlark.com


    --
    To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  3. Re: Leverage in licensing discussions

    Josselin Mouette wrote:
    > Being in favor of open-sourcing firmwares (including those controlling
    > critical security devices in cars) does not mean being in favor of
    > letting anyone ship their own version. In such cases, there needs to be
    > some appropriate process to validate the new versions and to enforce it
    > legally. Just like you are not allowed to make any modification you like
    > in your engine, you should not be allowed to make modifications in the
    > car’s firmware. And just like modifying the engine without the original
    > plans makes it more likely to fail, the same holds for a firmware you’d
    > modify without source.


    Well, if there is some law preventing me from modifying the code, it's
    not free software any more. It's still not 'closed software' but that
    still renders it non-free and non-distributable for debian.

    > Indeed. But you can still use a modified firmware, even without the
    > source. If ill-intentioned people wanted to do it, this would already be
    > quite feasible.


    There is a difference between 'ill-intended people' (those with criminal
    intentions) and interested kiddies just downloading and tampering with
    freely available source code, having no idea of what harm they might
    cause to others.

    > Sure. We all know how closing the source of DVD decoders and Wii
    > firmwares prevented people from cracking them.


    I am fully in favour of open source. I'm just sceptical about (real life)
    security relevant messing with everything. There is probably less
    incentive to reverse engineer a working firmware than there was for DVDs
    which did not work at all for linux (and still don't on Debian-only).

    > To go back to the wifi transmitter example: the average hacker doesn’t
    > care of being able to reach frequencies that are not standard for Wifi,
    > except if he wants to see people dressed in black search in the
    > surroundings.


    .... or tweaking the maximum permissible signal levels, never mind that
    their neighbour's wifi won't work any more...

    > However, a spy may be interested in making such
    > modifications to jam military frequencies, for example. Currently there
    > is nothing preventing him to do so. If the firmware was open source,
    > nothing of this would change.


    Open sourcing certain firmware might make it easier for 'random script
    kid' to just try some things out and accidentally causing problems to
    innocent bystanders.

    >> Don't forget that there is good reason why even our beloved Debian
    >> employs 'security by obscurity' before the DSA is out and patched
    >> packages are available...

    >
    > I don’t see how this is related.


    'Security by obscurity' is sometimes important and sometimes it even
    works. You didn't convince me, that free firmware is _always_ at least as
    secure as closed firmware.

    We both agree that it would be nice to see as much free software as
    possible. I'm just concerned that 'real life' is sometimes a bit more
    complicated than an ideal world. ;-)

    Debian rules! Free software for everyone! At least on the computer.

    Cheers,

    Johannes


  4. Re: Leverage in licensing discussions

    On Fri, Nov 07, 2008 at 05:15:33PM +0100, Johannes Wiedersich wrote:
    > Josselin Mouette wrote:
    > > On Friday 7 November 2008 at 00:27 +0100, Michelle Konzack wrote:
    > >> The problem is, that even if it is mass production since some time, I
    > >> can not distribute the firmware as open source since it change the
    > >> behaviour of the hardware which then can disturb the GSM network.

    > >
    > > This reasoning, as any security-by-obscurity one, is completely flawed.
    > > As long as the firmware is distributed separately, you can modify it,
    > > whether it is open source or not. Not having the source never prevented
    > > people from making modifications.

    >
    > Even if it is no guarantee for prevention of modifications, it makes
    > those much more difficult.
    >
    > > This is precisely a reason why manufacturers should actually distribute
    > > the sources for such firmware files. Having the source available helps
    > > fixing bugs and in the end you can make a new, improved firmware that
    > > can be submitted, if necessary in your country, to the local authorities
    > > for being allowed for use on production hardware.

    >
    > It is not a bug that certain _hardware_ has more capabilities than is
    > reasonable to offer the user to tweak. Even if a physical radio
    > transmitter (wifi, cell phone, radio,) is technically capable of
    > transmitting/receiving at many frequencies, it is usually not desirable
    > to have any average user actually _use_ it at any frequency they wish.
    >
    > I'm fully in favour of open source and people tweaking the code running
    > on their computers, but I'd have to stop leaving the house, if people
    > started to mess with the software controlling the brakes of their cars...


    Up until 1968 the same reasoning was used to prevent people from
    connecting anything but phones provided by Bell to the Bell telephone
    network. You were not even allowed to connect a modem through an
    acoustic coupler.

    http://en.wikipedia.org/wiki/Modem#T...rfone_decision

    If the networks that the operators are that badly designed, I worry
    about how easy it would be when someone would actively try to DoS them.

    --
    Tzafrir Cohen | tzafrir@jabber.org | VIM is
    http://tzafrir.org.il | | a Mutt's
    tzafrir@cohens.org.il | | best
    ICQ# 16849754 | | friend



  5. Re: Leverage in licensing discussions

    Tzafrir Cohen wrote:
    [...]
    > Up until 1968 the same reasoning was used to prevent people from
    > connecting anything but phones provided by Bell to the Bell telephone
    > network. You were not even allowed to connect a modem through an
    > acoustic coupler.


    If I recall correctly, back in the old days, it was possible to phone
    someone up, so making a physical copper connection between your
    telephone and theirs, and then send a high voltage pulse down the line
    and fry their phone (and possibly injure them). So there would have been
    a certain amount of sense to the restrictions. The acoustic coupler
    business was sheer lunacy, though...

    [...]
    > If the networks that the operators are that badly designed, I worry
    > about how easy it would be when someone would actively try to DoS them.


    That's one of the problems with fragile mission-critical systems --- at
    a certain point it becomes too risky to try and fix them because of the
    risk of downtime. Opening (and hardening) the GSM protocols would
    probably result in a much more robust mobile phone network, but would
    also probably cause short-term breakages... comp.risks is full of
    stories about such systems. For example, datacentres where the cost of
    downtime is so great they can't afford to test the power failover
    systems, in case they fail!

    Anyway, in an attempt to try and steer the discussion back on track, I
    believe we were at:

    1. Some devices require firmware blobs with no source available. Because
    of this, such firmware can't be distributed in Debian.

    2. For at least some of these devices, even if the source code was
    available it would add no value, because of legal restrictions governing
    which firmware blobs can be used on that hardware.

    3. These devices tend to be quite common and cheap, therefore it would
    be nice if Debian could somehow support them.

    Therefore, is there a case for having a non-Debian but associated
    archive of firmware images, which Debian could optionally refer to at
    the user's discretion, in the interest of making life easier for the user?

    --
    ┌─── dg*cowlark.com ───── http://www.cowlark.com ─────

    │ ⍎'⎕',∊N⍴⊂S←'←⎕←(3=T)⋎M⋏2=T ⊃+/(V⌽"⊂M),(V⊝"M),(V,⌽V)⌽"(V,V←1⎺1)⊝"⊂M)'
    │ --- Conway's Game Of Life, in one line of APL




  6. Re: Leverage in licensing discussions

    On Fri, 2008-11-07 at 20:01 +0000, David Given wrote:
    >
    > 1. Some devices require firmware blobs with no source available.
    > Because
    > of this, such firmware can't be distributed in Debian.


    ack.

    > 2. For at least some of these devices, even if the source code was
    > available it would add no value, because of legal restrictions
    > governing
    > which firmware blobs can be used on that hardware.


    I don't agree with this point: there may be no added value for *most
    users* - but if I had the firmware source I could e.g. fix a bug to get
    a region the manufacturer had not bothered to certify in to certify the
    device. Or open up the power/frequency to ranges I hold a licence to
    operate in.

    > 3. These devices tend to be quite common and cheap, therefore it would
    > be nice if Debian could somehow support them.


    ack,

    -Rob
    --
    GPG key available at: .



  7. Re: Leverage in licensing discussions

    On Fri, 2008-11-07 at 18:27 +0000, David Given wrote:
    > Josselin Mouette wrote:
    > [...]
    > > Or so you think. There are people who can read assembly and hex just as
    > > easily as I read C sources. It would probably take only a few days of
    > > testing for a hacker with the appropriate skills to remove firmware
    > > restrictions for reaching a frequency range, for example.

    >
    > I believe that most if not all firmware images these days are signed or
    > encrypted.


    Often very weakly! In some cases there's just a checksum to reduce the
    risk of accidental corruption, rather than deliberate modification of
    the firmware.

    > [...]
    > > In such cases, there needs to be
    > > some appropriate process to validate the new versions and to enforce it
    > > legally.

    >
    > Yup. Unlike most software, wireless stuff is rather indiscriminate about
    > what it interacts with. Wired ethernet is easy to control, wireless is
    > much less so; your right to experiment with wireless protocols does not
    > extend to preventing me making emergency calls.
    >
    > The EM spectrum is very subject to tragedy-of-the-commons abuses. It's
    > in everybody's interest to ensure that people follow the rules when
    > using the EM spectrum, which is why regulators like the FCC have the
    > powers they do.
    >
    > [...]
    > > This is what those keeping their sources closed wish. But there are no
    > > fairies to grant this wish.

    >
    > Actually, I strongly suspect this is because most firmware images
    > contain proprietary embedded operating systems and/or proprietary
    > third-party libraries...


    Many of them don't have operating systems. But proprietary libraries,
    yes, this is one of the reasons Intel has such onerous restrictions on
    distribution of ipw2100 and ipw2200 firmware.

    Ben.
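
The difference raised in the reply above, between a checksum that catches accidental corruption and a check that catches deliberate modification, shown as an added example that is not part of the thread or of any vendor's loader. The container layout, key values and function names are assumptions made for the illustration, and HMAC-SHA256 stands in for a public-key signature so the code needs only the standard library.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed container layout (an assumption, not a real vendor format):
#   payload || CRC32(payload), 4 bytes big-endian || HMAC-SHA256(key, payload || crc)
CRC_LEN = 4
TAG_LEN = hashlib.sha256().digest_size


def pack_image(payload: bytes, key: bytes) -> bytes:
    """Build an image the way whoever holds `key` would."""
    crc = struct.pack(">I", zlib.crc32(payload))
    tag = hmac.new(key, payload + crc, hashlib.sha256).digest()
    return payload + crc + tag


def split_image(image: bytes):
    """Split an image into (payload, crc, tag); reject truncated input."""
    if len(image) < CRC_LEN + TAG_LEN:
        raise ValueError("image shorter than its trailer")
    payload = image[: -(CRC_LEN + TAG_LEN)]
    crc = image[-(CRC_LEN + TAG_LEN) : -TAG_LEN]
    tag = image[-TAG_LEN:]
    return payload, crc, tag


def check_integrity(image: bytes) -> bool:
    """Checksum-only loader check: no secret involved, so anyone who
    repacks an image can make this pass. It only catches accidents."""
    payload, crc, _ = split_image(image)
    return struct.pack(">I", zlib.crc32(payload)) == crc


def check_authenticity(image: bytes, key: bytes) -> bool:
    """Keyed check: passes only if the trailer was produced with `key`."""
    payload, crc, tag = split_image(image)
    expected = hmac.new(key, payload + crc, hashlib.sha256).digest()
    # compare_digest avoids leaking the mismatch position through timing
    return hmac.compare_digest(expected, tag) and check_integrity(image)


def evaluate() -> dict:
    """Run both checks over three constructed images."""
    vendor_key = b"constructed-vendor-key-000000000"   # sample value
    other_key = b"constructed-unrelated-key-111111"    # party without the vendor key
    payload = b"\x7fFWIMG" + bytes(range(64))          # constructed sample payload

    original = pack_image(payload, vendor_key)

    # Accidental corruption: one bit flipped, trailer untouched.
    flipped = bytearray(original)
    flipped[10] ^= 0x01
    flipped = bytes(flipped)

    # Image repacked by someone who does not hold the vendor key:
    # the CRC is consistent with the new payload, the tag cannot be.
    repacked = pack_image(payload[:-1] + b"\xff", other_key)

    return {
        name: (check_integrity(img), check_authenticity(img, vendor_key))
        for name, img in (
            ("original", original),
            ("bit_flip", flipped),
            ("repacked_without_key", repacked),
        )
    }


if __name__ == "__main__":
    for name, (integrity, authenticity) in evaluate().items():
        print(f"{name:22s} checksum_ok={integrity!s:5s} authentic={authenticity}")
```

With a real device a public-key signature is the better fit, since the device then stores only a verification key and nothing that would let its holder produce valid images.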




  8. Re: Leverage in licensing discussions

    On Fri, 2008-11-07 at 20:28 +0100, Johannes Wiedersich wrote:
    > Josselin Mouette wrote:
    > > Being in favor of open-sourcing firmwares (including those controlling
    > > critical security devices in cars) does not mean being in favor of
    > > letting anyone ship their own version. In such cases, there needs to be
    > > some appropriate process to validate the new versions and to enforce it
    > > legally. Just like you are not allowed to make any modification you like
    > > in your engine, you should not be allowed to make modifications in the
    > > car’s firmware. And just like modifying the engine without the original
    > > plans makes it more likely to fail, the same holds for a firmware you’d
    > > modify without source.

    >
    > Well, if there is some law preventing me from modifying the code, it's
    > not free software any more. It's still not 'closed software' but that
    > still renders it non-free and non-distributable for debian.

    [...]

    That's not true. DFSG only requires that the copyright holder grants
    certain permissions, regardless of whether the law of some jurisdiction
    overrides those permissions. Software could be included in main even if
    it is illegal to modify it in certain ways, so long as that restriction
    is not imposed by the copyright holder. Of course, if it is illegal
    even to distribute the unmodified software (particularly if that is the
    case in the US where the ftpmaster host is) then it would have to be
    excluded.

    Ben.




  9. Re: Leverage in licensing discussions

    Robert Collins writes:

    > On Fri, 2008-11-07 at 20:01 +0000, David Given wrote:
    > > 2. For at least some of these devices, even if the source code was
    > > available it would add no value, because of legal restrictions
    > > governing which firmware blobs can be used on that hardware.

    >
    > I don't agree with this point: there may be no added value for *most
    > users* - but if I had the firmware source I could e.g. fix a bug to get
    > a region the manufacturer had not bothered to certify in to certify the
    > device. Or open up the power/frequency to ranges I hold a licence to
    > operate in.


    I argue that this *does* represent added value for most users.

    If you, as a competent hacker, are free to modify and implement such
    an improvement, and you're free to then redistribute the modified
    version, then many other users *do* benefit because such improvements
    as are widely useful will tend to be distributed widely.

    In this way, freedom to modify and redistribute is beneficial to *all*
    users, whether or not they want to exercise it themselves; just as
    freedom to modify my kitchen appliance and sell it back to me (or sell
    me the service of doing so) benefits me even if that freedom is only
    exercised by my friendly independent appliance-modification shop.

    --
    \ “If I melt dry ice, can I swim without getting wet?” —Steven |
    `\ Wright |
    _o__) |
    Ben Finney



  10. Re: Leverage in licensing discussions

    Johannes Wiedersich writes:

    > Josselin Mouette wrote:
    > > This reasoning, as any security-by-obscurity one, is completely
    > > flawed. As long as the firmware is distributed separately, you can
    > > modify it, whether it is open source or not. Not having the source
    > > never prevented people from making modifications.

    >
    > Even if it is no guarantee for prevention of modifications, it makes
    > those much more difficult.


    Much more difficult than what? One of the main arguments we've seen
    presented in the past month is that many of these firmware blobs *have
    no other form*, and modifications are *primarily* made to the binary
    blob, even by the vendor.

    Ergo, for these cases, any recipient of the binary blob is equally
    capable of modifying and redistributing whether the blob is free
    software or not.

    --
    \ “I may disagree with what you say, but I will defend to the |
    `\ death your right to mis-attribute this quote to Voltaire.” |
    _o__) —Avram Grumer, rec.arts.sf.written, May 2000 |
    Ben Finney



  11. Re: Leverage in licensing discussions

    Johannes Wiedersich wrote:
    > Open sourcing certain firmware might make it easier for 'random script
    > kid' to just try some things out and accidentally causing problems to
    > innocent bystanders.


    How is this different from open source software? This sounds a bit like
    the argument that OSS is less secure than proprietary software, because
    people cannot read the source and find security holes. But proprietary
    software has not prevented people from exploiting bugs.

    Making anything closed source to prevent modifications does not make
    anything more secure. Otherwise, should e.g. Apache be made closed
    software so that 'random script kids' cannot create random security
    holes (and let their computers become part of a bot net causing problems
    to others)?

    Regards,
    Ansgar

    --
    PGP: 1024D/595FAD19 739E 2D09 0969 BEA9 9797 B055 DDB0 2FF7 595F AD19



  12. Re: Leverage in licensing discussions

    David Given wrote:
    > I believe that most if not all firmware images these days are signed or
    > encrypted.
    >

    If they were strongly signed, then there should be no problem
    distributing the source code, right? People won't be able to make
    modifications. It may not help with DFSG compliance though...

    Part of the problem, AFAIK, is with law. If so, we are not going to fix
    problems with the law by pointing out how silly it is on this mailing
    list. In fact, changing the law in multiple parts of the world is
    probably outside the scope of Debian.

    As such we are essentially sending the message to manufacturers that
    they need to distribute firmware on the hardware itself (ROM) instead of
    distributing it with the software, because they aren't legally allowed
    to distribute the source and we don't want to distribute the firmware
    without the source.

    Even if it is not law, but an excuse by the manufacturers (there seems
    to be some disagreement here), we still aren't going to get the
    manufacturers to change their mind by discussing how silly it is here,
    or by encouraging people to buy hardware with the firmware on ROM.

    Brian May



  13. Re: Leverage in licensing discussions

    Hello Ben and *,

    On 2008-11-07 22:09:35, Ben Hutchings wrote:
    > That's not true. DFSG only requires that the copyright holder grants
    > certain permissions, regardless of whether the law of some jurisdiction
    > overrides those permissions. Software could be included in main even if
    > it is illegal to modify it in certain ways, so long as that restriction
    > is not imposed by the copyright holder. Of course, if it is illegal
    > even to distribute the unmodified software (particularly if that is the
    > case in the US where the ftpmaster host is) then it would have to be
    > excluded.


    OK, if I distribute the firmware as open source, I have to distribute
    the firmware with it, since the firmware built by ME IS certified to
    meet exactly the specifications. I have the checksums and whatever else
    from the firmware blob, which I need to prove that the firmware
    distributed by me is OK. In case of problems, the original firmware
    blob must be available.

    So the question is:
    Does Debian distribute it together?
    (the certified firmware blob and the non-certified source)

    Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant


    --
    Linux-User #280138 with the Linux Counter, http://counter.li.org/
    ##################### Debian GNU/Linux Consultant #####################
    Michelle Konzack Apt. 917 ICQ #328449886
    +49/177/9351947 50, rue de Soultz MSN LinuxMichi
    +33/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)



  14. Re: Leverage in licensing discussions

    On 2008-11-08 07:35:02, Robert Collins wrote:
    > On Fri, 2008-11-07 at 20:01 +0000, David Given wrote:
    > > 2. For at least some of these devices, even if the source code was
    > > available it would add no value, because of legal restrictions
    > > governing
    > > which firmware blobs can be used on that hardware.

    >
    > I don't agree with this point: there may be no added value for *most
    > users* - but if I had the firmware source I could e.g. fix a bug to get
    > a region the manufacturer had not bothered to certify in to certify the
    > device. Or open up the power/frequency to ranges I hold a licence to
    > operate in.


    You cannot certify the software, because it is bound to the hardware.
    Only the combination can be certified.

    However, if you find a bug and fix it, you can send it back to the
    manufacturer of the hardware/software, they can test and re-certify the
    software, which will be much cheaper than the original certification.

    Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant


    --
    Linux-User #280138 with the Linux Counter, http://counter.li.org/
    ##################### Debian GNU/Linux Consultant #####################
    Michelle Konzack Apt. 917 ICQ #328449886
    +49/177/9351947 50, rue de Soultz MSN LinuxMichi
    +33/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)



  15. Re: [DRAFT] resolving DFSG violations

    * Michelle Konzack [081109 09:31]:
    > Now the original source is "worthless" and can be distributed WITH the
    > firmware blob. The license for the source and the blob must say clearly
    > that ONLY the blob is certified and permitted to use on the device.
    >
    > If now there is a hacker called "Ben" and finds an error and fixes it, he
    > cannot legally use the fixed software because it must be recertified
    > together WITH the hardware. (point 3 and 5)


    This is not really new. It is (was?) the same with ISDN cards. There
    hardware and firmware had to be certified together to be allowed to
    connect them to the ISDN net here in Germany.

    And there were still open source drivers. They were simply signed and
    people prominently told that using a modified version needs them to
    relicense their device, or only use it in other countries.

    Respectfully,
    Bernhard R. Link



  16. Re: Leverage in licensing discussions

    Ansgar Burchardt wrote:
    > Johannes Wiedersich wrote:
    >> Open sourcing certain firmware might make it easier for 'random script
    >> kid' to just try some things out and accidentally causing problems to
    >> innocent bystanders.

    >
    > How is this different from open source software? This sounds a bit like
    > the argument that OSS is less secure than proprietary software, because
    > people cannot read the source and find security holes. But proprietary
    > software has not prevented people from exploiting bugs.
    >
    > Making anything closed source to prevent modifications does not make
    > anything more secure. Otherwise, should e.g. Apache be made closed
    > software so that 'random script kids' cannot create random security
    > holes (and let their computers become part of a bot net causing problems
    > to others)?


    Do you think it is a risk to anyone's health or life, if someone modifies
    apache's source code and sets up a web site using a modified apache?
    Or modifies any other code running on her/his computer?

    Everyone can simply avoid using anyone else's computer or software, but
    you cannot leave the house without encountering other people's cars (at
    least in the places where most of us live).

    > Regards,
    > Ansgar


    Cheers,
    Johannes



  17. [OT] Ignorance is no defence. (was ... Re: Leverage in licensing discussions)

    On Fri, Nov 07, 2008 at 08:28:16PM +0100, Johannes Wiedersich wrote:
    > Josselin Mouette wrote:
    > > Being in favor of open-sourcing firmwares (including those controlling
    > > critical security devices in cars) does not mean being in favor of
    > > letting anyone ship their own version. In such cases, there needs to be
    > > some appropriate process to validate the new versions and to enforce it
    > > legally. Just like you are not allowed to make any modification you like
    > > in your engine, you should not be allowed to make modifications in the
    > > car’s firmware. And just like modifying the engine without the original
    > > plans makes it more likely to fail, the same holds for a firmware you’d
    > > modify without source.

    >
    > Well, if there is some law preventing me from modifying the code, it's
    > not free software any more. It's still not 'closed software' but that
    > still renders it non-free and non-distributable for debian.
    >
    > > Indeed. But you can still use a modified firmware, even without the
    > > source. If ill-intentioned people wanted to do it, this would already be
    > > quite feasible.

    >
    > There is a difference between 'ill-intended people' (those with criminal
    > intentions) and interested kiddies just downloading and tampering with
    > freely available source code, having no idea of what harm they might
    > cause to others.


    Not in the "eyes of the law". Ignorance is not a defence. Although, with
    a "decent" lawyer you "should" be OK. Unfortunately, this is also true
    for the 'ill-intended people'.

    --
    Chris.
    ======
    I contend that we are both atheists. I just believe in one fewer god
    than you do. When you understand why you dismiss all the other
    possible gods, you will understand why I dismiss yours.
    -- Stephen F Roberts



  18. Re: Leverage in licensing discussions (was: [DRAFT] resolving DFSG violations)

    Michelle Konzack said [Sun, Nov 09, 2008 at 08:24:44AM +0100]:
    > Sorry, I am not a native English speaker...
    > And yes, it is what I have meant...


    Neither am I, so I'll try to get this point across one last time.

    > And there are several 100 cases where in general the projects are 100%
    > open, but for some security reasons there are major parts NOT OPEN and
    > since such software/firmware is the KEY of the device, it is useless
    > without the blob.
    >
    > Maybe Debian should allow (very exceptional) such sensible software to
    > ship in main together with the Main-Software...
    >
    > My Hardware is no exception...
    > (...)
    > Now, if non-free is not on the CD/DVD or the firmware is not shipped with
    > main you are unable to install Debian on a TablePC or such because you
    > cannot access the internet...


    Debian has long been known for putting its promises (SC) first. And
    without judging your (or others') motivations and needs not to
    publicly distribute the sources for your firmware. I'm not saying it's
    bad that you keep it closed - you have completely legitimate reasons
    to do that.

    Now, what about the fact that Debian cannot be installed from its
    official ISOs if your hardware is in use? Maybe it's a wireless card,
    maybe a hard disk controller. Sadly, the official CD-ROM won't be able
    to use it.

    But - If you put the Extra Firmware udev, available as a simple file
    you can put on a USB stick or a spare CD-ROM, the installation will
    happily proceed.

    Enough for you?

    --
    Gunnar Wolf - gwolf@gwolf.org - (+52-55)5623-0154 / 1451-2244
    PGP key 1024D/8BB527AF 2001-10-23
    Fingerprint: 0C79 D2D1 2C4E 9CE4 5973 F800 D80E F35A 8BB5 27AF


