Slashdot Mirror
The FSF, GPLv3 and DRM
whats-life-without-gpl writes "FSF has a thing against DRM. This article tries to explain why RMS isn't a DRM (Note that NewsForge is also owned by OSTG) fan and how GPLv3 is gearing up to protect against it. "
← Back to Stories (view on slashdot.org)
One is a person, the other an ill conceived business plan...
No sig for the moment.
Linus Torvalds, has a problem with this. He says that he himself signs the Linux kernel, and that that's his way of telling everyone, "You can trust this, it's from me." In an email message to the Linux Kernel Mailing List (LKML) on 23 April, he says that there are two types of keys: "One is an external key that is applied _to_ the kernel (OK, and outside the license), and the other one is embedding a key _into_ the kernel."
GPLv3 says that if any GPLed software carries an embedded key, this key should me made available to the users, but it makes no demands on the first kind of key. Linus has said that he would never distribute his signing keys, but the GPLv3 does not require him to release them. The key he talks about only describe the trustworthiness of the kernel. It in no way affects the freedoms of copyleft. It's only the embedded keys, which can be used to nullify the freedoms offered by copyleft, that need to be released.
I'm already busy gearing up to protect myself against acronyms overload, thank you.
There, fixed it for you
Obama likes poor people so much, he wants to make more of them.
FSF has a thing against DRM. This article tries to explain why RMS isn't a DRM (Note that NewsForge is also owned by OSTG)
We'd better get the CIA and FBI involved, along with the RIAA, NTSB, MPAA, ABC, CBS, CNN, AOL, MSN, and NBC. Oh, and be sure to alert the EFF and NRA while you're at it. Note that I am not affiliated with the RNC or DNC, although I am a FOB.
One of them tries to control what you can do by enforcing a system of burdensome legal restrictions, and the other is a system for managing digital rights.
TMA, too many acronyms.
why RMS isn't a DRM (Note that NewsForge is also owned by OSTG) fan Could you POSSIBLY have picked a worse place to insert that annoying conflict-of-interest disclaimer? Secondly, do you really think anyone cares if you guys happen to link to NewsForge?
Viper is the preferred editor of the Emacs operating system.
FYI, that article really ID's the SNAFUs with DRM and OSS as pertaining to the GPL. I was KO'd when I read it - IANAL, but I wonder if it's BS or OK. Maybe I'll keep it on the QT until I know. Gotta run - I need to have a BM so I can leave for my AA meeting ASAP.
It is pitch black. You are likely to be eaten by a grue.
Hardly. Slashdot features some of the most anti-GPL trolls around =- they can put the Microsoft Marketing department to shame on occasion.
*waves to the trolls* Hi! This is for you!
1) The GPL is only ever a problem for you if you want to distribute someone else's work that they already let you use for free.
2) See point 1.
Gift horse, mouth, examination via the anus... all those are things that spring to mind when I hear complaints about how restrictive the GPL is.
Suppose MS wanted to run Free Software on the next XBOX and didn't want people to mess around with it. They could have Intel modify a processor any number of ways (change the opcodes for a SIMPLE example) and provide a proprietary tool chain to compile the code. No DRM, yet the users have no way to modify and run the code on that hardware. Does GPL need to require a complete tool chain be provided when binaries are provided? It seems overkill, but custom (closed) hardware running free software defeats the GPL in the same way as DRM. I need to read the new draft, but I think it suggests the broader concept of denying freedom more than DRM in particular. Thoughts?
I hope that Tivo get's taken to court. It would be a triumph for open source efforts.
Worst Summary Ever
nothing
TFA gets it wrong. Richard Stallman is opposed to DRM; look at the 'Defective By Design' real-world protests of earlier this year. But that's not the point here.
Since the beginning the idea of free software (as rms sees it) is that if you use a program, you should have the freedom to modify it, among other freedoms. So if you have a Tivo, you should have the freedom to modify the software that runs on your Tivo. If Linux is GPLed, then it's clearly not allowed for the Tivo manufacturers to ship it with a label saying 'we forbid modifying the software'. It's also not allowed under the GPL for them to try blocking your freedom another way by withholding the source code. But under GPLv2 your freedom to change the program can still be taken away, by the manufacturer making the device only execute signed binaries (for which nobody but the manufacturer has the signing key). GPLv3 as proposed is about making sure your freedom to change the software running on your computer (or Tivo) isn't taken away like this.
Of course anyone can write GPLed software that has DRM restrictions. But if you use it, you should have the right to modify it, and remove the DRM if you don't want DRM on your computer. That is the important point.
Analogously: there is nothing in the GPL against charging a sum of money for the software. You can sell it for as much as you like. But if you do, the person who receives it still gets all the freedoms to use, share and change the program.
-- Ed Avis ed@membled.com
... you hit the nail on the head. The problem here is that RMS and the FSF are trying to protect freedoms by placing restrictions on them. Kind of funny, if you think about it...
I hope that Tivo get's taken to court. It would be a triumph for open source efforts.
Er, TiVo's one of the good guys, they release their source in compliance with the GPL.
..they can lose their precious movies even without DRM-crippling them useless
:-)
Yes, that's right, I'm from europe and I'd crap myself when I saw that article...
Bison (GNU's version of YACC) used to have the restriction that the output of Bison, since it was a large amount of code, was GPL. As a result, nobody used Bison except for GCC, because the liscence was untenible.
I fear that GPLv3, by trying to force RMS's notion of "Liberty" more strongly (anti-DRM provisions, anti-closed-hardware provisions) will be a repeat: GPLv3 based software will only be used by the real FSF zealots. Everyone else will avoid it.
Let us be thankful that Linus Torvald has more of a "tit for tat" notion rather than a liberty notion, and thus selected GPLv2 only.
Test your net with Netalyzr
If the GPL alone made it so that software no could no longer fit in with a business model, the business has only two options: 1. change the business model, 2. find something that fits the business model. My guess is that the latter is most common. Let's take tivo for example. If the GPL3 condems their practices, and we assume it is not an option for them to simply use source that falls under the previous GPL, then what would they do? I agree with provisions to protect against DRM in many if not most cases, but how do such provisions safely provide a means to protect against this while still offering enough flexibility to fit business needs similar to Tivo? It's not easy to fit niche needs of business and government - especially when niche seems to be the norm.
Say, if I compiled my C++ program on linux using the GPL-ed includes and libs, does my program automatically become GPL?
Thanks
Obama likes poor people so much, he wants to make more of them.
Verifying the code (the TiVo portion that RMS hates) is equivelent to verifying Linus's key: Is this code released by the entity you trust. The only major difference is TiVo is more concerned, so it only RUNS code that has been signed by the trusted entity.
Test your net with Netalyzr
Something I never understood about this argument and how 'horrible' this is. If you have the hardware and it matters that much to you that you need to run software with a differnt signature, then change the key in the hardware. Requiring that you distribute the hardware keys seems like the wrong solution.
"You may not impose any further restrictions on the recipients' exercise of the rights granted herein."
Doesn't this mean that - since GPL 3 is more restrictive - that already GPL'ed software cannot be distributed under GPL 3?
Yet another TLA....
Media that can be recorded and distributed can be recorded and distributed.
-kfg
"*waves to the trolls* Hi! This is for you!"
Hi Mr AC! Did you bake me a cake?
"Gift horse, mouth, examination via the anus... all those are things that spring to mind when I hear complaints about how restrictive the GPL is."
Let me put it to you as plainly as possible. The GPL needs the world, more than the world needs the GPL. Got it? Good.*
*Now if you had said open standards (but you didn't), it would be an entirely different matter.
He doesn't have to make the kernel GPL3. He can stay at GPL2.
DRM has nothing to do with the software, and nothing to do with its license. This is like including provisions in the license that say you cannot eat bananas. Its irrelivant, makes the license less likely to stand up legally (a license is not a contract), and isn't about freedom at all. DRM does not prevent you from having the freedom on the software that the FSF loves so much. It prevents you from having the freedom on the hardware. You can still modify the software, distribute it, etc. You just can't run it on that particular hardware, because the hardware has no freedom. So run the software on some other hardware. The hardware is not covered by software licenses.
Excuse me, sir. Seeing as how the VP is such a VIP, shouldn't we keep the PC on the QT? 'Cause if it leaks to the VC he could end up MIA, and then we'd all be put out in KP.
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
So the FSF is GPLv3 and DRM with the RMS and what now? I'm in the military and therefore quite good at decoding stupid acronyms, but this is pushing it. . .
It may off-topic but it seems to me that allowing people to mod a Tivo would be a good thing for everyone. I don't understand why they locked the code down in the first place.
"The ferrets, they're every where I tell you!"
Complying with the letter of the license is not the same thing as complying with the spirit and intent of it. The GPL is designed to ensure that the user always has control over his hardware; since the TiVo won't run modified code, the user does not have this control. QED.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
The second problem is that this is illegal in the US under the DMCA.
If I license my software under a license like the GPLv3, I don't want to have to take my damned computer apart in order to modify and run software I wrote. Nor should other people need to tear apart their computers to modify and run my software.
We don't see the world as it is, we see it as we are.
-- Anais Nin
Now they're even using Root-Mean-Square against us? Is nothing sacred? Next they'll be taking away our sine waves!
Coder's Stone: The programming language quick ref for iPad
FSF: Free Software Foundation
DRM: Digital Rights Management
RMS: Richard M. Stallman (founder of the free software movement, the GNU Project, the Free Software Foundation, and the League for Programming Freedom).
OSTG: The Open Source Technology Group.
GPLv3: GNU Public License version 3.
As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
This argument keeps surfacing even though it has been debunked time and again. The GPL v3 only requires you to provide the embedded key if it is necessary to run the software. That's the letter and the spirit of the GPL v3. The second discussion draft clearly words out:
Victims of 9/11: <3000. Traffic in the US: >30,000/y
The GPL is about freedom of code. The BSD is about freedom of ideas.
Let's just site down and admit it. Linus does not now, and probably never has, believed completely in the mission of the FSF or the freedoms given by the GPL.
He is a very smart guy, and knows that his argument doesn't hold water which is why he is declining to speak about it further. The truth is that Linus is buddying up with lots of companies, he's part of the corporate side of open source now not the community side. The relationship between money and open source has been great until now, when the needs of freedom are now coming in opposition to some of the buisness needs of open source money.
Linus didn't build the entire Linux kernel, a community did. If he is unwilling, or the companies supporting him are unwilling, to move the license forward in the interest and popular support of the linux community then we can branch the code now and start extending and reworking the linux kernel under the GPLv3. They know that, and they don't want to loose the communities support so they are trying to make it sound like the FSF is imposing their will on the community, rather than Linus and a hand full of companies imposing their will on the community that builds their product.
The provision in GPLv3 that Linus opposes refernces "Tivoization" in it's text, and if you look back Linus and others he's worked for and with have never viewed Tivo's products as a negative imposition on the rights of software and software developers.
I don't understand. One side says "DRM is EVIL! We hate the RIAA!" and "If you don't support GPLv3, MS will lock your machine out of Linux!" (which they could do anyone regardless of what the GPL says) This is absurd.
DRM can be used for good. Let's say you want to build an electronic voting machine properly. You use entirely GPL source code. All parts are off-the-shelf and well known. Everything is open to public review. However, when you actually go to send the machines out, you want to be damn sure those machines are running the same code you put on them at the factory. That means locked and tagged boxes, and that also means DRM. Under the GPLv3 draft, you'd have to publish the secret key to the world, making that security worthless.
Another case: Let's say I make a system that monitors building security. I want to be open about how it all works, so I use GPL'd hardware. However, even my customers want to make sure that the software isn't tampered with. That means DRM. Again, if I have to publish the secret key, someone could write a modified version, sign it with my key, and get it on the machine.
The GPLv3 draft makes it impossible to create tamper-resistant software. (Note, I didn't say tamper-proof, there would still be ways around it, but as part of a layered security, it is necessary.)
Of course, one could always make a fork of some particular project and allow GPLv2 only. Yet starting from this point it is impossible to reuse any GPLv3 code in it. Whole libraries might become not suitable for this GPLv2 fork, at least the new versions of these libraries. Maintaining such GPLv2 forks may become really difficult. Linux kernel is probably one of few projects which may stay with GPLv2 for a long time. Most small projects are likely to make a transition to GPLv3, either willingly or by using some GPLv3 code.
As long as they provide the source that they used before they signed, I think that's fair enough.
I'm with Linus, I don't think the license should be used as a "crowbar" into the hardware too. The GPL3 sounds like it places even MORE restrictions on what the user and/or developer and/or companies may do, not less... I'm against how they went about it too... it doesn't sound like the FSF even took anyone's opinions into account, RS and the rest just created an even more onerous license than the original. I don't see too many companies adopting it....
Take for instance, the following possible situation.... As a developer and small business man, this type of situation entirely possible, I've run up against this using GPL code. Company X developes a brand new, extra-cool heart monitor and defibulator widget based upon embedded linux. The product has been carefully tested at the factory, with good records kept, etc. The product uses a signed image to verify that it's the same image that went through tests and hasn't been modified. Product is FDA accepted and on the market, the company that developed the product feels fine taking the responsibility for the code. I know the license doesn't confer responsibility to the other developers, but the company has tested this particular image and they assume liability.
Now, some fool at the calibration outlet decides he's going to load some updated packages into the image, without telling anyone and without proper testing. He's creating a dangerous situation by running software that wasn't tested for it's particular use. According to the GPL3, he can resign the binaries and create a potentially injurious product, exposing company X to VERY SERIOUS liability that they had no part in.... Remember that company X did NOT want to release the signing keys, did NOT load the untested software on, but they will be held liable for any injury that results from it's being ABLE to be loaded. Company X here also may become the "deep pockets" defendant in this case, with the repair guy skating away....
No, this is totally wrong.... GPL3 should NOT be able to force this situation.
I don't like what TIVO is doing, and I sure don't like DRM, but I like what the FSF is doing even less. How about an open comment period. How about querying the free software developer as to what they want. I didn't receive any survey, I didn't find any place where I could provide feedback or vote either. They propose to speak for me, but I have not found any way to tell them what I want. People using stuff that I write will find the "either version 2, or (at your option)any later version" missing from any of my new works.
@*&% the GPL3!
The GPL is, and always has been, about using your code to further RMS's political views not about keeping open source open... v3 makes this more obvious but it has always been true.
I don't use it for precisely this reason, instead I have always used MPL or BSD style licensing for the open source stuff that I author.
They can't stop you legally from doing anything you want with the device (or let's assume that for now), but there's no reason for you to expect that it is capable of anything other than what the manufacturer intended. They are perfectly free to cripple their product for whatever reason they like, so long as it is sold as such.
You did a good job of making the point I was trying to make in my last post.
The problem with GPLv3 is that it goes beyond requiring that you be able to run modified software. It requires that if a signed binary could access content that belongs to someone else, you must be given the keys to let a modified version access that content.
This is the essence of being anti-DRM - it demands the right to ignore other people's rights.
If you read GPLv3 and think outside the "it's all about DRM" box you find that GPLv3 requires that you give away everything it takes to create perfect rootkits. The "cannot distinguish" words mean that it must be impossible to perform any kind of post-installation integrity test of the system. If you always boot from verified read-only media, you may be able to protect your own system but a GPLv3 OS would otherwise guarantee that your system can be controlled by anyone who has managed to acquire your rights for a moment.
I haven't really looked into it, but what if instead of checking a key, they just put the software on a ROM? They could even put a GPL OS on a ROM and then have a signed non-GPL userland image on flash. Sure it's probably not practical, but would it work? It would take a hardware mod to bypass, but that's all most DRM systems would take anyway. Does that fail the GPL3 test, and if so, does that mean all devices using GPL have to be field updatable?
I friend of mine dropped by yesterday with an interesting story. He had a pile of CD's which he wanted 'ripped' to try out on his recently purchased mp3/wma player. He doesn't have an internet connection at home, so to save himself the effort of typing in all the track listings by hand he took his CD's to another friend's place, ripped them in Windows Media Player, made sure they all played properly, and burned them to a CDR to take home.
Surprise, surprise, he can't play them at home. Not on his computer, and not on his new media player. Still at least it was only an afternoon wasted, he could have bought a few tracks online at his friend's house and ended up with 1-dollar-a-track unplayable music instead.
455fe10422ca29c4933f95052b792ab2
From a freedom standpoint, I'd say RMS is dead on correct. Torvalds' is effectively rejecting our contemporary nation of free software. (And the GPL - like the US Constitution is and should be a living dcoument that adjusts over time.) The upshot is that - from my reading - Linus is embracing what is far closer to a BSD license.
But here is here it gets really odd: What about Debian and the rest of the wonderful purists? If the kernel lags behind in a (relatively) antiquated GPL 2 status, why should free software embrace it at all? Would that mean the sudden surge of the Hurd?
Lots to think about here...
Personally, if the kernel stays at GPL 2, I'm finally ditching linux for good in favor of FreeBSD. At least their licensing viewpoint is not hypocritcal.
I think he's trying to say choose proprietary* and leave the GPL alone. I'd recommend doing so, and leave the consequences to the team of RMS and FSF.
*Actually you don't have to go that far(1). There's plenty of non-GPL (but F/OSS) software out there, with some of the same (dis)advantages as the GPL.
(1) A side note. Most people with a pro-GPL stance have the presumption that all software relationships are abusive. Microsofts may be. SCO's may be. However that doesn't mean everyone's are (in fact some contracts give the purchaser the source code. They just can't distribute it to others).
No, that's where you're wrong. That major difference is the ENTIRE point.
You can choose to ignore whether it is signed by Linus or not. You CANNOT choose to use unsigned software on the TiVo device, and therefore you are prevented from making changes and running your own modified code.
And that is the entire core of the GPL.
It's an interesting thought experiment, to be sure, but it's really of no consequence in the real world. Linus' kernel doesn't have spyware. And we may place a fairly high probability on the prediction that it never will contain spyware. That being the case, this is a purely hypothetical issue.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Let me get this straight - you're talking about DRM software which itself is GPL, so the GPLv3 would force the author to release the key to decrypt the DRM (and access the DRMed content) along with the source code. That's the only case where the GPLv3 would ignore the rights of others - and it's not the GPL's fault but the author's.
See, the GPLv3 is a very open public licence - it's not like someone is forcing any author to release their software under this licence. If they don't like the terms, or if the terms defeat the purpose of their software, they can very well choose another licence.
Freedom is not worth having if it does not include the freedom to make mistakes. - Mahatma Gandhi
If the hardware works *only* with that gpl-code, its derived work in a way? Basically "linked" to it.
to use the over-emotive rhetoric of the RIAA/BSA, if Tivo want to steal code from others then they should be jailed.
Freeloders could *buy* GPL code and have it relicensed. They could make their own. They could buy off someone else.
They cannot steal the code of others.
If buying code is too expensive, then Tivo either give up entirely or allow non-signed or self-signed code on the machine.
Or should businesses be allowed to use unlicensed MS software because their profit margins are too small to pay for licenses?
My main concern here is that the proposed GPLv3 is hostile to strong integrity. The motivation is hatred of DRM, but the narrow focus on DRM seems to have blinded people to what else will be affected.
Fortunately Linus Torvalds seems to one of those who can see beyond the narrow DRM focus and he has apparently come to the conclusion that GPLv3 will be inappropriate for Linux. I agree with him in that - GPLv3 will be a very bad license for infrastructure software such as an OS where GPLv2 has been a good license.
Yes, people have a choice about which license to use. Linus seems to have looked clearly, thought carefully, and made a choice. Some people are now besmirching his good name by asserting that he has "misunderstood" GPLv3 and ought to be persuaded to adopt it.
Perhaps the strong GPLv3 advocates should put some effort into getting Hurd up to scratch - I assume it will be GPLv3 licensed given its provenance. If you really think Linus is wrong, get on with making something that will displace Linux by sheer force of merit, and its vastly superior license.
- bad thing:
- Tivo sign their kernels using their secret key.
- Tivo's bootloader refuses to boot any kernel not signed by tivo
- good thing (prevents trojan LKMs):
- RH sign their LKMs using their secret key.
- A RH kernel binary refuses to load any LKM not signed by RH.
As far as i understood the discussion, GPLv3 thinks that (1.1) is the problem, so it demands publishing the secret key. But that's wrong and renders (2) useless.Instead, the problem is (1.2): i cannot append my own pubkey to the bootloaders list of approved binary signing keys, although i "own" that bootloader. Instead with (2.2), i can build and run my own kernel image embedding a different list of acceptable LKM signing keys.
So if one wants to prevent such a mess like tivo, (s)he should use a licence that demands that the software is not run on devices with a write protected TC pubkey list. I'd perfectly happy with TC if i could enter the fingerprints of valid TC-pubkeys into the BIOS.
Just my 2ct, m.
The GPLv3 says that:
IF:
1. you are going to use GPLv3'd software,
2. to distribute it with some hardware,
3. and said hardware demands the software to be signed,
THEN:
you must release some way/key to sign other (potentially modified) versions of the same software to run in the same hardware.
HTH
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Actually, the GPL'ed output of bison it was considered a feature for some time. Enough time for byacc to gain ground. The exception was inserted because of the existence of byacc ment that the ability to use bison was no longer a incentive to release code as GPL.
The appropriate popularity comparison would be between byacc and bison.
Because they did work and got no compensation for that work from you.
...). Don't release someone else's code BSD.
Or would you go "hey, I wasn't actually *hurt*" if your boss says "sorry, won't pay you this month"?
And, for your fouth reason, that is fine with code you wrote, but why are you deciding that for other coders? Release your code GPL and BSD (MIT, SharedSouce,
Unless it's MS's code, of course. It will be amusing to see you squirm explaining this to the judge and solicitors...
is that you have to say that the code they have given you is not suitable for running on that hardware. Which is rediculous because they are running that software on the hardware. Since this is inherently incomptible, they must either
a) Allow you to sign binaries for the hardware
b) Allow you to run unsigned binaries on the hardware
If Tivo really want to keep it locked down, stop "stealing" the code off others and make their own. Or they can go out of business, source software elsewhere or even obey the spirit of the GPL. But I don't see why Tivo should be saving money by leeching off the hard work of others without playing ball.
"And they have - you can modify it and redistribute as you see fit"
..."
i don't think so.
"The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means
What do you think "an executable work" means?
BTW legends says RMS wanted to fix a printer and was not able to do it, because not able to reprogram that thing. Which is one reason for the GPL. I doubt he would put out a license which would say "have fun typing a bit in the source" when his original reason was to fix *that* printer. (Sure lawyers may have messed it up, don't know, IANAL)