Load signing incase if Linux kernel moves to GPLv3 - Security



  1. Load signing incase if Linux kernel moves to GPLv3

    Our company product plan to move to Linux, we are looking into this.
    But we are concerned about this GPLv3 because our product load also
    needs to be signed and can't give out private keys. But we are
    concerned about Linux kernel move to GPLv3.

    http://weblog.infoworld.com/article/...MMERCIAL+LINUX

    Any pointers or anybody has any solution to get around this incase if
    Linux decides to move to GPLv3? (either hardware or software)

    If you have solution or any links that discuss about solution please
    direct to satamara@yahoo.com.

    thanks all.


  2. Re: Load signing incase if Linux kernel moves to GPLv3

    satamara@yahoo.com wrote:
    > Our company product plan to move to Linux, we are looking into this.
    > But we are concerned about this GPLv3 because our product load also
    > needs to be signed and can't give out private keys. But we are
    > concerned about Linux kernel move to GPLv3.
    >
    > http://weblog.infoworld.com/article/...MMERCIAL+LINUX
    >
    > Any pointers or anybody has any solution to get around this incase if
    > Linux decides to move to GPLv3? (either hardware or software)
    >
    > If you have solution or any links that discuss about solution please
    > direct to satamara@yahoo.com.
    >
    > thanks all.


    If you want to distribute a system that will in fact *not* be free
    software, then you should probably look for some alternative OS kernel
    that permits distribution of proprietary versions.

    NetBSD, FreeBSD, and OpenBSD are plausible alternatives; perhaps you
    should consider them.
    --
    (format nil "~S@~S" "cbbrowne" "gmail.com")
    http://linuxdatabases.info/info/nonrdbms.html
    "It goes against the grain of modern education to teach children to
    program. What fun is there in making plans, acquiring discipline in
    organizing thoughts, devoting attention to detail and learning to be
    self-critical?" -- Alan Perlis

  3. Re: Load signing incase if Linux kernel moves to GPLv3

    satamara@yahoo.com wrote:

    > Our company product plan to move to Linux, we are looking into this.
    > But we are concerned about this GPLv3 because our product load also
    > needs to be signed and can't give out private keys. But we are
    > concerned about Linux kernel move to GPLv3.
    >
    > http://weblog.infoworld.com/article/...MMERCIAL+LINUX
    >
    > Any pointers or anybody has any solution to get around this incase if
    > Linux decides to move to GPLv3? (either hardware or software)
    >
    > If you have solution or any links that discuss about solution please
    > direct to satamara@yahoo.com.
    >
    > thanks all.


    If you research this enough, Linus has stated that the kernel WILL NOT go to
    gplv3... ever...


    --

    Jerry McBride

  4. Re: Load signing incase if Linux kernel moves to GPLv3

    On 20 Apr 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <1145575715.131188.245710@j33g2000cwa.googlegroups.com>, satamara@yahoo.com
    wrote:

    >Our company product plan to move to Linux, we are looking into this.
    >But we are concerned about this GPLv3 because our product load also
    >needs to be signed and can't give out private keys. But we are
    >concerned about Linux kernel move to GPLv3.


    Wander on down to your favorite computer book store, and grab a copy of
    the Linux Journal for May 2006 - turn to page 48 and read the article
    titled "Linux Takes a Pass on the New GPL Draft" - about 4.5 pages.
    Then pull your head out, and subscribe to the Linux-Kernel-Mailing-List
    where this was hashed out around the end of January mainly in the thread
    "GPL V3 and Linux -- Dead Copyright Holders". Depending on what your
    access to Usenet looks like, this mailing list is mirrored as several
    different newsgroups. Imagine that! Also, the LJ article is a column
    (Doc Searls' "Linux For Suits"), so you might even find a copy on the
    www.linuxjournal.com web site.

    >Any pointers or anybody has any solution to get around this incase if
    >Linux decides to move to GPLv3? (either hardware or software)


    Linus wrote on Feb. 02 2006:



    "I'm not arguing against the GPLv3.

    I'm arguing that the GPLv3 is wrong for me, and it's not the license I
    ever chose."



    But rather than attempting to get legal advice from Usenet, why don't
    you consult the company legal staff?

    >If you have solution or any links that discuss about solution please
    >direct to satamara@yahoo.com.


    Post here - read here.

    Old guy

  5. Re: Load signing incase if Linux kernel moves to GPLv3

    Jerry McBride writes:

    >satamara@yahoo.com wrote:


    >> Our company product plan to move to Linux, we are looking into this.
    >> But we are concerned about this GPLv3 because our product load also
    >> needs to be signed and can't give out private keys. But we are
    >> concerned about Linux kernel move to GPLv3.
    >>
    >>

    >http://weblog.infoworld.com/article/...MMERCIAL+LINUX
    >>
    >> Any pointers or anybody has any solution to get around this incase if
    >> Linux decides to move to GPLv3? (either hardware or software)
    >>
    >> If you have solution or any links that discuss about solution please
    >> direct to satamara@yahoo.com.
    >>
    >> thanks all.


    >If you research this enough, Linus has stated that the kernel WILL NOT go to
    >gplv3... ever...



    What is there about gplv3 that has people worried?


  6. Re: Load signing incase if Linux kernel moves to GPLv3

    Unruh kirjoitti:
    > Jerry McBride writes:
    >
    >> satamara@yahoo.com wrote:

    >
    >>> Our company product plan to move to Linux, we are looking into this.
    >>> But we are concerned about this GPLv3 because our product load also
    >>> needs to be signed and can't give out private keys. But we are
    >>> concerned about Linux kernel move to GPLv3.
    >>>
    >>>

    >> http://weblog.infoworld.com/article/...MMERCIAL+LINUX
    >>> Any pointers or anybody has any solution to get around this incase if
    >>> Linux decides to move to GPLv3? (either hardware or software)
    >>>
    >>> If you have solution or any links that discuss about solution please
    >>> direct to satamara@yahoo.com.
    >>>
    >>> thanks all.

    >
    >> If you research this enough, Linus has stated that the kernel WILL NOT go to
    >> gplv3... ever...

    >
    >
    > What is there about gplv3 that has people worried?
    >


    The DRM stuff - you'd have to give your private signing keys to everyone
    which makes business uneasy...

    Aki Tuomi

  7. Re: Load signing incase if Linux kernel moves to GPLv3

    Aki Tuomi writes:

    >Unruh kirjoitti:
    >> Jerry McBride writes:
    >>
    >>> satamara@yahoo.com wrote:

    >>
    >>>> Our company product plan to move to Linux, we are looking into this.
    >>>> But we are concerned about this GPLv3 because our product load also
    >>>> needs to be signed and can't give out private keys. But we are
    >>>> concerned about Linux kernel move to GPLv3.
    >>>>
    >>>>
    >>> http://weblog.infoworld.com/article/...MMERCIAL+LINUX
    >>>> Any pointers or anybody has any solution to get around this incase if
    >>>> Linux decides to move to GPLv3? (either hardware or software)
    >>>>
    >>>> If you have solution or any links that discuss about solution please
    >>>> direct to satamara@yahoo.com.
    >>>>
    >>>> thanks all.

    >>
    >>> If you research this enough, Linus has stated that the kernel WILL NOT go to
    >>> gplv3... ever...

    >>
    >>
    >> What is there about gplv3 that has people worried?
    >>


    >The DRM stuff - you'd have to give your private signing keys to everyone
    >which makes business uneasy...


    So can't we have one universal GPL key pair which everyone uses to sign
    such stuff to comply with the law?




    >Aki Tuomi


  8. Re: Load signing incase if Linux kernel moves to GPLv3

    Why accept a new regulatory requirement(s) and try to initiate a
    work-around when the current licensing works superbly?

    Not only does it make businesses uneasy; end-users are affected as
    well. I would rather move to a different operating system than
    hand-over more of my rights to privacy --- especially in today's digital
    world.


  9. Re: Load signing incase if Linux kernel moves to GPLv3

    Unruh kirjoitti:
    > Aki Tuomi writes:
    >
    >> Unruh kirjoitti:
    >>> Jerry McBride writes:
    >>>
    >>>> satamara@yahoo.com wrote:
    >>>>> Our company product plan to move to Linux, we are looking into this.
    >>>>> But we are concerned about this GPLv3 because our product load also
    >>>>> needs to be signed and can't give out private keys. But we are
    >>>>> concerned about Linux kernel move to GPLv3.
    >>>>>
    >>>>>
    >>>> http://weblog.infoworld.com/article/...MMERCIAL+LINUX
    >>>>> Any pointers or anybody has any solution to get around this incase if
    >>>>> Linux decides to move to GPLv3? (either hardware or software)
    >>>>>
    >>>>> If you have solution or any links that discuss about solution please
    >>>>> direct to satamara@yahoo.com.
    >>>>>
    >>>>> thanks all.
    >>>> If you research this enough, Linus has stated that the kernel WILL NOT go to
    >>>> gplv3... ever...
    >>>
    >>> What is there about gplv3 that has people worried?
    >>>

    >
    >> The DRM stuff - you'd have to give your private signing keys to everyone
    >> which makes business uneasy...

    >
    > So can't we have one universal GPL key pair which everyone uses to sign
    > such stuff to comply with the law?
    >


    Would you encrypt your data with a key that anyone can get to decrypt
    your data? The point of a secret key is the fact that, it is, indeed,
    secret and not publicly available...

    Aki Tuomi

  10. Re: Load signing incase if Linux kernel moves to GPLv3

    "Secure Buddha" writes:

    >Why accept a new regulatory requirement(s) and try to initiate a
    >work-around when the current licensing works superbly?


    >Not only does it make businesses uneasy; end-users are affected as
    >well. I would rather move to a different operating system than
    >hand-over more of my rights to privacy --- especially in today's digital
    >world.


    No idea what you mean. This would AFAICS have no effect whatsoever on the
    user. It is only affecting people who distribute their changes to the
    software.

    The question is whether or not the law will make DRM mandatory. If not,
    then I would agree that DRM is at loggerheads with GPL. Why in the world
    would you insert something to control people's ability to copy when the
    whole purpose of the GPL is to make sure that people can copy it. On the
    other hand if it becomes mandatory-- eg the CPU checks every program it runs
    to see if it has the right to run, and refuses to run the program
    otherwise, then things become complicated. A universal key would be one
    way, but if such compulsion came in by law, then the lawmakers would
    presumably quickly make exposure of your private key to anyone else a crime
    as well. (And yes, after Bush I could well imagine such laws, tied of
    course to terrorism and stopping them from using computers).

    V3 seems to be an attempt to close off a number of the doors that people
    have tried to use to restrict the effect of the GPL (eg Redhat's attempts
    to use trademark law to restrict your rights to copy clearly GPL software).

    As a result I guess I could see how it could make businesses more worried
    than they already have been about the GPL.




  11. Re: Load signing incase if Linux kernel moves to GPLv3

    Aki Tuomi writes:

    >Unruh kirjoitti:
    >> Aki Tuomi writes:
    >>
    >>> Unruh kirjoitti:
    >>>> Jerry McBride writes:
    >>>>
    >>>>> satamara@yahoo.com wrote:
    >>>>>> Our company product plan to move to Linux, we are looking into this.
    >>>>>> But we are concerned about this GPLv3 because our product load also
    >>>>>> needs to be signed and can't give out private keys. But we are
    >>>>>> concerned about Linux kernel move to GPLv3.
    >>>>>>
    >>>>>>
    >>>>> http://weblog.infoworld.com/article/...MMERCIAL+LINUX
    >>>>>> Any pointers or anybody has any solution to get around this incase if
    >>>>>> Linux decides to move to GPLv3? (either hardware or software)
    >>>>>>
    >>>>>> If you have solution or any links that discuss about solution please
    >>>>>> direct to satamara@yahoo.com.
    >>>>>>
    >>>>>> thanks all.
    >>>>> If you research this enough, Linus has stated that the kernel WILL NOT go to
    >>>>> gplv3... ever...
    >>>>
    >>>> What is there about gplv3 that has people worried?
    >>>>

    >>
    >>> The DRM stuff - you'd have to give your private signing keys to everyone
    >>> which makes business uneasy...

    >>
    >> So can't we have one universal GPL key pair which everyone uses to sign
    >> such stuff to comply with the law?
    >>


    >Would you encrypt your data with a key that anyone can get to decrypt
    >your data? The point of a secret key is the fact that, it is, indeed,
    >secret and not publicly available...


    But if you encrypt your data, you remove the right of others to copy and
    use it, and the whole purpose of the GPL is to give others the right to
    copy and use your changes to GPL material. It sort of makes the GPL pretty
    useless if Redhat encrypts most of their distribution, and then charges you
    to decrypt it for you.

    Ie, the goals of DRM (coming soon to a processor near you where you will
    not be allowed to run software on your computer if it has not been signed)
    is to restrict copying. The whole purpose of the GPL is to encourage it.



    >Aki Tuomi


  12. Re: Load signing incase if Linux kernel moves to GPLv3

    I, as well as many others like me, have published and developed or
    hacked up various portions of the linux sources. I am by no means a
    "kernel" developer or a business entity. And yet the GPLv3 would have a
    lasting effect on me and any resources that I felt should be
    contributed to the community at large.

    For instance, a few years ago I published a quick 4 line patch for one
    of the aic series scsi device drivers for an update vanilla kernel with
    SuSE patches applied. With the new version of the GPL this contribution
    would be greatly affected.

    This issue has a very wide berth of effectivity.


  13. Re: Load signing incase if Linux kernel moves to GPLv3

    "Secure Buddha" writes:

    >I, as well as many others like me, have published and developed or
    >hacked up various portions of the linux sources. I am by no means a
    >"kernel" developer or a business entity. And yet the GPLv3 would have a
    >lasting effect on me and any resources that I felt should be
    >contributed to the community at large.


    >For instance, a few years ago I published a quick 4 line patch for one
    >of the aic series scsi device drivers for an update vanilla kernel with
    >SuSE patches applied. With the new version of the GPL this contribution
    >would be greatly affected.


    Why would they have been affected? I do not see anything in GPLv3 that
    would have changed anything you did. But I read it quickly, so you may
    have deeper insight.

    >This issue has a very wide berth of effectivity.



  14. Re: Load signing incase if Linux kernel moves to GPLv3

    satamara@yahoo.com wrote:
    > Our company product plan to move to Linux, we are looking into this.
    > But we are concerned about this GPLv3 because our product load also
    > needs to be signed and can't give out private keys. But we are
    > concerned about Linux kernel move to GPLv3.


    1. The kernel isn't going to GPLv3.
    2. Unless your product will be a derivative work of the kernel,
    licensing should be a non-issue, anyway.

    > If you have solution or any links that discuss about solution please
    > direct to satamara@yahoo.com.


    If you have aspirations of participating in Usenet, don't expect private
    replies. ;->

    --
    Cheers,
    Rick Moen Habetis bona deum.
    rick@linuxmafia.com

  15. Re: Load signing incase if Linux kernel moves to GPLv3

    Rick Moen writes:

    >satamara@yahoo.com wrote:
    >> Our company product plan to move to Linux, we are looking into this.
    >> But we are concerned about this GPLv3 because our product load also
    >> needs to be signed and can't give out private keys. But we are
    >> concerned about Linux kernel move to GPLv3.


    >1. The kernel isn't going to GPLv3.
    >2. Unless your product will be a derivative work of the kernel,
    > licensing should be a non-issue, anyway.


    It is unclear what a derivative work of the kernel is. For example, is a
    device driver a derivative work? I think at least an argument could be made
    that it is even under GPL2.

    But I have still not heard any argument as to what the problem with GPL3
    is. The DRM signing would seem to me to be in direct contradiction to any
    version of GPL in so far as it controls the copies that anyone can make of
    the work and can pass on to others. DRM is all about controlling of copies,
    not about making copies free to be copied.

    As I said if the law, or the chipset manufacturers demand DRM signing to
    allow the program to be run at all, then having a public set of
    public/private keys that all GPL are signed with would seem a way out of
    that hole. ( Unless of course law makers then make it illegal for anyone to
    reveal any private key they have )





    >> If you have solution or any links that discuss about solution please
    >> direct to satamara@yahoo.com.


    >If you have aspirations of participating in Usenet, don't expect private
    >replies. ;->


    >--
    >Cheers,
    >Rick Moen Habetis bona deum.
    >rick@linuxmafia.com


  16. Re: Load signing incase if Linux kernel moves to GPLv3

    Unruh wrote:

    > It is unclear what a derivative work of the kernel is.


    To _truly_ understand the meaning of the legal term of art "derivative work"
    in this context, you would have to read applicable software caselaw in
    whatever will be the applicable jurisdiction. Apologies for not being
    current on such matters in Canada; however, I'm much better versed than
    most non-lawyers about the state of that body of law in the USA.

    In the USA, the courts, strictly speaking, would look for substantive
    copying of literal elements, and also would apply, in looking for
    non-literal copying, the "abstraction, filtration, comparison" test of
    CAI v. Altai, Inc. (FN53: 982 F.2d 693, 23 USPQ2d 1241 2d Cir. 1992),
    as affirmed in Gates Rubber v. Bando Chemical, FN57: 9 F.3d 823, 28
    USPQ2d 1503 10th Cir. 1993 and succeeding cases. Which please see:

    http://www.bitlaw.com/source/cases/copyright/altai.html

    Loosely speaking, one creative work is likely to be judged derivative of
    another if it substantially copies copyrightable elements (those not
    required for efficiency, or taken from the public domain, or dictated by
    external factors).

    > For example, is a device driver a derivative work? I think at least an
    > argument could be made that it is even under GPL2.


    I would guestimate that, per USA legal tests, device drivers that use
    headers or other code taken from the kernel (including non-literal
    copies per the Altai test) would indeed be judged to be derivative.


    However, you seem to have VERY comprehensively missed my point: Most
    proprietary code designed for Linux is very clearly _not_ legally
    derivative of the kernel. Only producers of code intimately concerned
    with the kernel would need be concerned at all.

    Therefore, most of this random alarmed noise from the business world
    about GPLv3 and the Linux kernel is -- same as always -- merely
    confusion and misinformation (even aside from the fact that the kernel
    will not be going there, anyway).


    > But I have still not heard any argument as to what the problem with GPL3
    > is.


    Entirely irrelevant, under the circumstances. Doubly so.

    --
    Cheers,
    Rick Moen Habetis bona deum.
    rick@linuxmafia.com

  17. Re: Load signing incase if Linux kernel moves to GPLv3

    On 25 Apr 2006, in the Usenet newsgroup comp.os.linux.security, in article
    , Unruh wrote:

    >But I have still not heard any argument as to what the problem with GPL3
    >is.


    Up-thread, I pointed to the "current" edition (issue 145 = "May 2006")
    of the Linux Journal where Doc Searls has an article on this on page 48,
    summarizing the rather extensive discussion on the Linux Kernel Mailing
    List from around the end of January 'mostly in the thread "GPL V3 and
    Linux - Dead Copyright Holders"'. If you can't find the magazine,
    contact your news admin, and see which of the many newsgroup mirrors of
    the Linux Kernel Mailing List you have access to. OR - simple search for
    the thread on google.

    Web Results 1 - 10 of about 11,700 for "GPL V3 and Linux - Dead
    Copyright Holders". (0.44 seconds)

    It's not like this is being debated in secret.

    Old guy

  18. Re: Load signing incase if Linux kernel moves to GPLv3

    ibuprofin@painkiller.example.tld (Moe Trin) writes:

    >On 25 Apr 2006, in the Usenet newsgroup comp.os.linux.security, in article
    >, Unruh wrote:


    >>But I have still not heard any argument as to what the problem with GPL3
    >>is.


    >Up-thread, I pointed to the "current" edition (issue 145 = "May 2006")
    >of the Linux Journal where Doc Searls has an article on this on page 48,
    >summarizing the rather extensive discussion on the Linux Kernel Mailing
    >List from around the end of January 'mostly in the thread "GPL V3 and
    >Linux - Dead Copyright Holders"'. If you can't find the magazine,
    >contact your news admin, and see which of the many newsgroup mirrors of
    >the Linux Kernel Mailing List you have access to. OR - simple search for
    >the thread on google.


    > Web Results 1 - 10 of about 11,700 for "GPL V3 and Linux - Dead
    > Copyright Holders". (0.44 seconds)


    >It's not like this is being debated in secret.


    "I have not heard" and "in secret" are not (yet) synonymous. Perhaps if my
    name were Rumsfeld,....

    This seems to be the relevant controversial section of the GPLV3.
    ***************
    Complete Corresponding Source Code also includes any encryption or
    authorization codes necessary to install and/or execute the source code of
    the work, perhaps modified by you, in the recommended or principal context
    of use, such that its functioning in all circumstances is identical to that
    of the work, except as altered by your modifications. It also includes any
    decryption codes necessary to access or unseal the work's output.
    Notwithstanding this, a code need not be included in cases where use of the
    work normally implies the user already has it.
    ****************

    I simply do not understand why this implies that say Linus would have to
    give up his private keys, or does anything but ensure that you do not use
    encryption to hide the source code. "Sure I gave him the source code. So
    what if I encrypted it. He has it, and tough **** if he is incapable of
    reading it. I have complied with the GPL"

    I am not saying that there is not a concern, I just fail to perceive it.





    > Old guy

