I want to react to the signature FUD: GPLv3 is clearly a superior copyleft license to GPLv2 despite Linus' latently permissive opinion on the anti-TiVoization clause.
It's not FUD, and GPLv3 is not clearly a superior license. It may surprise you to learn that different people value different things and have different opinions, and so want different licenses. GPLv3 is really a pretty extreme license that imposes a lot of restrictions that a lot of people simply don't want. If GPLv3 does what you want, by all means use it, but don't denigrate the choices other people make.
I wonder if people even know what those restrictions are and how exactly the anti-tivoisation clause works. It does not forbid anyone from running software on tivoised devices, which is what some people seem to think it does. All that it requires is that if you distribute the software primarily to be used on a User Product (as GPLv3 calls it), then as part of the installation information (which in GPLv2 used to just mean install and build scripts), you must also provide the signing keys for the hardware.
This also does not mean that GPLv3 makes software signing impossible and that you must forbid users from rejecting unsigned software if they so wish. It doesn't mean that you have to distribute every secret key that you use for signing software. It merely means that you have to give your users a way to install software on the User Product as they see fit, if they see fit. It's up to the user to decide to override any signing feature or not. It's very much in spirit with GPLv2 that required installation scripts. As far as GPLv3, hardware signing keys are just another part of installation scripts (the actual term used in GPLv3 is "Installation Information").
Or to put it another way, GPLv3 mandates that your hardware be insecure (because you cannot prevent a malicious actor from installing malicious software on someone's device, which would normally be done by requiring all updates to be codesigned by the manufacturer). And it's not just limited to software that would be installed on the hardware; companies like Apple won't even allow employees to install GPLv3 software on their work computer because if a single piece of GPLv3-licensed code makes it into iOS, even completely accidentally, the license demands that Apple release their root signing keys to the world, completely destroying the security of hundreds of millions of devices.
Also don't forget the patent stuff in GPLv3. That's not quite as scary as the anti-TiVoization stuff, but it's still pretty significant for large companies.
> GPLv3 mandates that your hardware be insecure (because you cannot prevent a malicious actor from installing malicious software on someone's device, which would normally be done by requiring all updates to be codesigned by the manufacturer).
> I use public key cryptography to sign my code to assure its authenticity. Is it true that GPLv3 forces me to release my private signing keys? (#GiveUpKeys)
> No. The only time you would be required to release signing keys is if you conveyed GPLed software inside a User Product, and its hardware checked the software for a valid cryptographic signature before it would function. In that specific case, you would be required to provide anyone who owned the device, on demand, with the key to sign and install modified software on his device so that it will run. If each instance of the device uses a different key, then you need only give each purchaser the key for his instance.
It sounds like a manufacturer could ship a GPLv3-compliant User Product with two signing keys: a secret one known only to the manufacturer, and a second per-device key that can be used by the end-user to install modified software. Such a manufacturer wouldn't be forced to disclose their signing key because the user already has access to an equivalent.
I also imagine it would be kosher for the device to provide the user the option, in the name of security, to permanently clear the second per-device key, so only manufacturer updates can ever be installed.
> companies like Apple won't even allow employees to install GPLv3 software on their work computer because if a single piece of GPLv3-licensed code makes it into iOS, even completely accidentally, the license demands that Apple release their root signing keys to the world, completely destroying the security of hundreds of millions of devices.
If Apple is behaving that way, it's Apple's own fault, not the GPLv3's. They could have chosen to design their software in a way that would have given them better options if they are ever forced to comply with the GPLv3, but they chose not to.
What you've just described is a completely insecure hardware platform. Giving out a second private key that can still be used to install third-party updates is just as insecure as giving out their normal private key, the only real difference is if anyone actually looks at the code signature they can tell the difference between third-party and first-party code. Allowing the user to lock out that second key doesn't fix anything because 99.99% of users will never do that, or even know it exists.
> If Apple is behaving that way, it's Apple's own fault, not the GPLv3's. They could have chosen to design their software in a way that would have given them better options if they are ever forced to comply with the GPLv3, but they chose not to.
That makes no sense. What you said is basically equivalent to "That's Apple's fault, they could have just designed their hardware platform to be completely insecure".
GPLv3 is fundamentally incompatible with having a secure hardware platform. This is absolutely GPLv3's fault.
> Allowing the user to lock out that second key doesn't fix anything because 99.99% of users will never do that, or even know it exists.
That's easily solved: On initial device setup, the user could be asked to explicitly disable the key by asking something like "Would you like to secure your device by permanently disallowing the installation of untrusted software? Y/N"
Also, as someone else clarified below, the alternate key I was proposing is unique to the device. So any attack against you would have to be tailored to your device. That leaves the main threats as: 1) an NSA-like shipment interception and 2) someone getting access to your user key after the device is in your possession. 1) can be mitigated by buying your device in a random retail shop, and 2) can be prevented by immediately and permanently clearing the user key.
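The dual-key verifier discussed in the two posts above, as an added illustration rather than any commenter's or vendor's code: a fleet-wide manufacturer key plus a per-device owner key that the owner may clear one-way at setup. Key names, the Ed25519 choice and the sample image are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verifier models a User Product's update check with two trust roots: the manufacturer's
// fleet-wide key and a per-device owner key (constructed example, not any vendor's design).
type Verifier struct {
	Manufacturer ed25519.PublicKey
	Owner        ed25519.PublicKey // nil once the owner has permanently cleared it
}

// Verify reports which root, if any, signed the image. An owner signature is
// only honoured while the owner key is still enabled on this device.
func (v *Verifier) Verify(image, sig []byte) (signer string, ok bool) {
	if ed25519.Verify(v.Manufacturer, image, sig) {
		return "manufacturer", true
	}
	if v.Owner != nil && ed25519.Verify(v.Owner, image, sig) {
		return "owner", true
	}
	return "", false
}

// ClearOwnerKey is the one-way choice offered at setup: afterwards only
// manufacturer-signed updates install.
func (v *Verifier) ClearOwnerKey() { v.Owner = nil }

// NewDevice provisions a fresh owner keypair; a leak of its private half affects only this device.
func NewDevice(manufacturer ed25519.PublicKey) (*Verifier, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Verifier{Manufacturer: manufacturer, Owner: pub}, priv, nil
}

func main() {
	mPub, mPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev, ownerPriv, _ := NewDevice(mPub)
	image := []byte("firmware image v1 (constructed sample)")
	fmt.Println(dev.Verify(image, ed25519.Sign(mPriv, image)))    // manufacturer true
	fmt.Println(dev.Verify(image, ed25519.Sign(ownerPriv, image))) // owner true
	dev.ClearOwnerKey()
	fmt.Println(dev.Verify(image, ed25519.Sign(ownerPriv, image))) // "" false
}
```

Because each device carries its own owner key, a signature made with one device's owner key is rejected by every other device, which is the containment property the thread relies on.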
Actually, I think Apple is already more or less compliant with this part of GPLv3, as they allow developers to self-sign the software, right? You just have to pay for a self-signing key. That's sufficient, because it means you can run modified software. All they have to do is lift the restriction to pay for the self-signing key.
Is there a problem with, say, printing the key on the device case, as is done with administrator passwords for consumer routers? Or, if you're worried about casual skimming, inside the case? Under a tamper seal if it makes you feel better? You're basically at the Chromebook security model by that point, which seems well-regarded around here.
It's pointless anyway trying to "secure" hardware against a sufficiently determined attacker with physical access. There's an argument to be made that physical access should equal software ownership, philosophically.
It's also worth noting that requiring all updates to be signed by the manufacturer does not protect you from malicious code, as manufacturer updates can also be malicious. Ultimately, the "owner" of the device should be at the top of the pyramid of trust.
Physical access should not equal ownership. Haven't you been paying attention at all to the Apple vs FBI case? Apple works very hard to keep devices secure even when they're in the possession of someone else. Obviously in this particular case a third-party firm was able to crack the iPhone (though without saying how), but you can bet Apple is doing everything they can to figure out how and fix it.
Oh please. It really doesn't, it merely mandates that the user is able to override a manufacturer's lockdown. Not that any nitwit should be able to override a user's lockdown.
A platform that is insecure-by-default and relies on users being knowledgeable and motivated enough to learn how to lock down their own devices is still an insecure platform.
People have taken their time to draw you a picture of a solution you could have come up with yourself. They are not talking about opt-in security, you are the only one.
GPLv3 does not hinder security. You are furthering FUD.
> Also don't forget the patent stuff in GPLv3. That's not quite as scary as the anti-TiVoization stuff, but it's still pretty significant for large companies.
The Apache license has a nearly identical clause (in fact, I believe GPLv3 was inspired by the Apache license) and companies like Google and Apple have used the Apache license without destroying their business. Anti-retaliation clauses don't seem to be a death knell.
GPLv3's patent clause is effectively identical to Apache License, Version 2.0? I wasn't aware of that. I haven't done much research on the patent angle, I only brought it up because I actually talked to one of Apple's lawyers at one point about GPLv3 and they brought up the patent stuff as an issue.
I explicitly said a superior copyleft license. That is, I stated the value I presuppose, and in this context GPLv3's superiority to GPLv2 is clear.
What's "extreme" is denying users control of their own devices, not the reverse.
GPLv3 is still not clearly superior to GPLv2. GPLv3 is only superior if you agree with the new restrictions added in GPLv3, but again, not everybody does. And you know damn well that this is purely opinion, because you already referenced Linus Torvalds's stance on this matter.
There are two issues at play with copyleft licenses. The first is making the source available to others, and the second is allowing others to install modified versions of the software. GPLv3 mandates both. GPLv2 was certainly intended to mandate both, but ends up mostly just mandating the first. If all you care about is having other people who use your software release the source to their modified versions, then GPLv2 is clearly superior to GPLv3 because it has fewer restrictions. Similarly, if you care about having source made available but you also want to have your software become as popular as possible, you may opt for GPLv2 because it's a lot more likely for companies to use your software than if it's GPLv3.
Copyleft is those user-protecting restrictions. I'll refrain from repeating myself.
By your "fewer restrictions" logic, permissive licenses would be the ones most copyleft. Again, the purpose of copyleft is proliferating "freedom-respecting" software, not amassing - open source. Code that is open, but you can't utilize freely because of a locked-down device or a patent - "misses the point". Preceding references emerged organically and... whoa.
Most GPLv2 bias which isn't caused by Linux' licensing is due to the kind of FUD you've perpetuated in this thread, not any actual issue with GPLv3.
> By your "fewer restrictions" logic, permissive licenses would be the ones most copyleft
Please don't strawman me. I already explained how there are two different freedoms that copyleft licenses seek to protect, and it's perfectly valid for someone to care only about the first freedom but not the second, and for such a person the GPLv2 is superior.
> Most GPLv2 bias which isn't caused by Linux' licensing is due to the kind of FUD you've perpetuated in this thread, not any actual issue with GPLv3.
Contrary to what you may believe, FUD is not defined as "any opinion you disagree with". And by calling my arguments FUD instead of actually trying to address the points I made, you're just telling me that you can't actually argue against what I said so you'd rather try and discredit me.