LGPL and tivoization #10

Open
chrysn opened this issue Feb 23, 2021 · 4 comments

Labels: content (This deals with adding, removing, or changing content.)

Comments

@chrysn
Member

chrysn commented Feb 23, 2021

The current "Why LGPL?" text states:

> LGPL will improve final user experience, security and privacy, by hindering device lock-down, favoring up-to-date, and field-upgradable code.

Unless we go for LGPL 3 (currently we use 2.1) that is not the case. (Frankly I'm not even sure it's the case with LGPL 3; it is with GPL 3).

GPL 3 added provisions for "Installation Information" to mitigate "tivoization", a term coined when TiVo brought Linux devices to the market that complied with the GPL by giving the relevant sources, but had their bootloader locked so that you could use the software on your own devices (have fun building an unlocked TiVo from scratch -- but you could still port it), but never upgrade your own device.

LGPL 2.1 has no such provisions, and thus we don't get the effect from the license. (In a sense we do still get the effect that RIOT devices tend to be better upgradable, but that's more because vendors don't know the license well enough and thus just go for other OSes, and not because LGPL enforces this).

(It may also be worth noting that the field of firmware lockdown has become more diverse. Back in the TiVo days, if you could sign your firmware you'd have been good to go. Nowadays, there may be multiple firmware upgrade ways, some destructive to keys on the device. On some that's clearly legitimate -- if you could upgrade your USB 2FA token and keep the keys on it, that'd be terrible security. With others, that renders the device practically unusable -- think of an Android system where you can unlock the bootloader and then all its DRM (anti-, but that's not the point here) features are gone. If that device's purpose was to stream encrypted video from the network and show it on TV, yes you have upgraded the firmware, but unlike the aforementioned TiVo it doesn't serve its purpose any more.)


So what to do here ... if this is just a localized misunderstanding, let's find better text. If not and there is a larger disagreement on what LGPL entails, this may warrant wider discussion through the mailing lists or other venues.

@tcschmidt
Member

@chrysn not sure whether this discussion regarding TiVo is really hitting at what was meant by the RIOT comment on licensing. But I agree that we should first identify terms and clarify the semantics of what we want to say on the website.

My understanding: we want to prevent code cloning, which should be covered by LGPL 2.1. Device lock-down should then work as long as devices are community-supported by public LGPL 2.1 code. I don't think the statement intends to refer to a lock-down protection other than that.

@chrysn
Member Author

chrysn commented Feb 26, 2021

> Device lock-down should then work as long as devices are community-supported by public LGPL 2.1 code. I don't think the statement intends to refer to a lock-down protection other than that.

I don't fully understand what you mean by that.

A vendor can legally write secret firmware, link it against RIOT according to the bindist example, and provide users with both the suitable (possibly vendored) RIOT source and their own object files. They can later sign their (and only their) full firmware images, and only these will be accepted by the hardware they shipped.

The current FAQ statement is on the license helping with final user experience, security and privacy, and those users are not helped by it.

@tcschmidt
Member

> A vendor can legally write secret firmware, link it against RIOT according to the bindist example, and provide users with both the suitable (possibly vendored) RIOT source and their own object files. They can later sign their (and only their) full firmware images, and only these will be accepted by the hardware they shipped.

Yes, and my understanding is that nobody wanted to claim otherwise.

> The current FAQ statement is on the license helping with final user experience, security and privacy, and those users are not helped by it.

As said: the statement should be sharpened and clarified, yes.

@waehlisch added the "content" label on Mar 1, 2021

@chrysn
Member Author

chrysn commented May 10, 2021

It may be worth pointing out here that other OSes under LGPL (3, in that case) have yet different views on what it means on an OS: https://github.com/particle-iot/device-os#license-faq
