[U-Boot] U-book and GPLv3? (fwd)

[U-Boot] U-book and GPLv3? (fwd)

[Wolfgang Denk]

Hello,

I was asked about relicensing U-Boot as GPLv3:

------- Forwarded Message

Date:    Thu, 18 Jun 2009 09:17:28 -0400
From:    Richard Stallman <rms@gnu.org>
To:      Wolfgang Denk <wd@denx.de>
Subject: U-book and GPLv3?

I really enjoy the name U-boot.
What are the advantages of U-boot over PMON?

Have you considered moving U-boot to "GPLv3-or-later"?


------- End of Forwarded Message


I know that we have had similar discussions before (see for example
http://thread.gmane.org/gmane.comp.boot-loaders.u-boot/24029), but I
would like to take the chance and re-poll what the community's
opinion about this is.

Comments welcome...

[I intend to summarize and send this summary to RMS and post it here.]

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
I have often regretted my speech, never my silence.

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Thursday 18 June 2009 10:51:28 Wolfgang Denk wrote:
> From:    Richard Stallman <rms@gnu.org>
>> Have you considered moving U-boot to "GPLv3-or-later"?
>
> I know that we have had similar discussions before (see for example
> http://thread.gmane.org/gmane.comp.boot-loaders.u-boot/24029), but I
> would like to take the chance and re-poll what the community's
> opinion about this is.
>
> Comments welcome...

i think it's a bad idea.  it'll almost certainly lead to forks as people use 
it on systems where they dont want to let people boot custom builds.  i.e. 
customers absolutely want to lock their hardware such that only their builds 
run on it.  GPLv2 allows this while GPLv3 does not.

Linux has taken a realistic stance here and i think U-Boot should follow suit 
(well, i dont care about the "or later" part, just that the base from denx is 
GPLv2).  also, it would make code sharing with Linux a nightmare since many 
pieces have moved to explicitly GPLv2 -- no one is going to audit code flowing 
between to make sure things can move safely.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090618/bce64f3a/attachment.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Jean-Christophe PLAGNIOL-VILLARD]

On 16:51 Thu 18 Jun     , Wolfgang Denk wrote:
> 
> Hello,
> 
> I was asked about relicensing U-Boot as GPLv3:
I'm not for the GPLv3 I've the same opinion as Linus Torvald

And as we share a lot's of code with Linux we should continue and not use the
GPLv3 at all

Please also note that we have code that is GPLv2 Only
1nd I do known a lot of firms that will stop to use and dev under U-Boot
if we switch to the v3

so I'm against it

Best Regards,
J.

[U-Boot] U-book and GPLv3? (fwd)

[Jon Smirl]

On Thu, Jun 18, 2009 at 11:46 AM, Jean-Christophe
PLAGNIOL-VILLARD<plagnioj@jcrosoft.com> wrote:
> On 16:51 Thu 18 Jun ? ? , Wolfgang Denk wrote:
>>
>> Hello,
>>
>> I was asked about relicensing U-Boot as GPLv3:
> I'm not for the GPLv3 I've the same opinion as Linus Torvald
>
> And as we share a lot's of code with Linux we should continue and not use the
> GPLv3 at all

Isn't there a practical consideration too? Since copyright assignment
isn't required on u-boot contributions, you would have to track down
all of the contributors and get their permission for the licensing
change. Mozilla had to do this when they changed their license and it
took them two years to find everyone.  Linus has stated that tracking
down all of the contributors to the kernel is virtually impossible.


>
> Please also note that we have code that is GPLv2 Only
> 1nd I do known a lot of firms that will stop to use and dev under U-Boot
> if we switch to the v3
>
> so I'm against it
>
> Best Regards,
> J.
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> http://lists.denx.de/mailman/listinfo/u-boot
>



-- 
Jon Smirl
jonsmirl at gmail.com

[U-Boot] U-book and GPLv3? (fwd)

[Jerry Van Baren]

Wolfgang Denk wrote:
> Hello,
> 
> I was asked about relicensing U-Boot as GPLv3:
> 
> ------- Forwarded Message
> 
> Date:    Thu, 18 Jun 2009 09:17:28 -0400
> From:    Richard Stallman <rms@gnu.org>
> To:      Wolfgang Denk <wd@denx.de>
> Subject: U-book and GPLv3?
> 
> I really enjoy the name U-boot.

^_^

s/U-boot/U-Boot/  Wolfgang specifies that somewhere, but I cannot find 
it now.  :-P

> What are the advantages of U-boot over PMON?

This PMON?
   <http://www.linux-mips.org/wiki/PMON>

OK, this looks a little fresher:
   <http://olph.gdium.com/wiki/doku.php/system:pmon>
   <http://dev.lemote.com/code/pmon>
   <http://www.opsycon.se/PMON2000/Main>

Quotes below are from the <http://www.linux-mips.org/wiki/PMON> site 
since it is more quotable. ;-)

1) PMON supports MIPS.  Only MIPS?  Before Y2K.  After Y2K?  Sorta.

U-Boot supports many processors and processor families. The current list 
include the PowerPC, ARM family (many different manufacturers), AVR32, 
Blackfin, Coldfire, Microblaze, MIPS, NIOS, NIOS2, SuperH, LEON, and 
i386 (poorly, but /that/ ain't our fault).

2) "Everything about the PMON 2000 site is shaky at best. An updated 
version promised in March of 2005 never materialized. The knowledgebase 
is a joke and the documentation is a mixed bag."

U-Boot has a very active community.  While the u-boot mail list isn't 
quite the firehose that the linux mail list is, it is pretty easy to get 
overwhelmed.

U-Boot has a passable knowledgebase <http://www.denx.de/wiki/DULG/Faq> 
and a pretty good user's manual 
<http://www.denx.de/wiki/view/DULG/UBoot>.  Asking questions on the 
email list generally results in quick and helpful responses, assuming 
the question was a smart question 
<http://catb.org/esr/faqs/smart-questions.html>.

3) "CVS access is supposed to be available but is not."

U-Boot "gits" it.  OK, bad pun, but the point is, U-Boot has excellent 
source control modeled after the linux development methods (two levels 
with one BDFL and many custodians) and using the git distributed SCM tool.
   <http://www.denx.de/wiki/U-Boot/Custodians>

4) It appears PMON is BSD-licensed.  That is good for companies with 
proprietary code, not so good for sharing and standing on the shoulders 
of giants.

U-Boot is GPLv2 (sometimes "or later").  While that doesn't have as 
sharp of teeth as GPLv3, unlike BSD it gives the community a legal lever 
to pry code out of semi- and un-cooperative corporations.

---

U-Boot has a *lot* of functionality.  It has a lot of helpful "board 
bring up" commands, a (hacked) ash-ish command handler, ability to boot 
an OS (linux or many others) over ethernet/TFTP or from a file system in 
flash or from a USB disk or a hard disk or a SD card, or raw from flash 
or over the serial link or...

This all fits inside 128K++, depending on the features and commands 
compiled in.  OK, mostly 256K, often bumping above that.

[snip]

Best regards,
gvb

[U-Boot] U-book and GPLv3? (fwd)

[Grant Likely]

Personally not interested.  I don't want to license my code under GPLv3

g.

On Jun 18, 2009 8:51 AM, "Wolfgang Denk" <wd@denx.de> wrote:


Hello,

I was asked about relicensing U-Boot as GPLv3:

------- Forwarded Message

Date:    Thu, 18 Jun 2009 09:17:28 -0400
From:    Richard Stallman <rms@gnu.org>
To:      Wolfgang Denk <wd@denx.de>
Subject: U-book and GPLv3?

I really enjoy the name U-boot.
What are the advantages of U-boot over PMON?

Have you considered moving U-boot to "GPLv3-or-later"?


------- End of Forwarded Message


I know that we have had similar discussions before (see for example
http://thread.gmane.org/gmane.comp.boot-loaders.u-boot/24029), but I
would like to take the chance and re-poll what the community's
opinion about this is.

Comments welcome...

[I intend to summarize and send this summary to RMS and post it here.]

Best regards,

Wolfgang Denk

--
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
I have often regretted my speech, never my silence.
_______________________________________________
U-Boot mailing list
U-Boot at lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Jon,

> On Thu, Jun 18, 2009 at 11:46 AM, Jean-Christophe
> PLAGNIOL-VILLARD<plagnioj@jcrosoft.com> wrote:
>> On 16:51 Thu 18 Jun ? ? , Wolfgang Denk wrote:
>>>
>>> Hello,
>>>
>>> I was asked about relicensing U-Boot as GPLv3:
>> I'm not for the GPLv3 I've the same opinion as Linus Torvald
>>
>> And as we share a lot's of code with Linux we should continue and not use the
>> GPLv3 at all
>
> Isn't there a practical consideration too? Since copyright assignment
> isn't required on u-boot contributions, you would have to track down
> all of the contributors and get their permission for the licensing
> change. Mozilla had to do this when they changed their license and it
> took them two years to find everyone.  Linus has stated that tracking
> down all of the contributors to the kernel is virtually impossible.

If code is licensed under the "GPLv2 or later" clause, it can be moved
without permission from the author.  It's really "GPLv2 only" which
needs confirmation.

Cheers
  Detlev

-- 
#define KSAMTIB_CIGAM_2SFFJ 0x8519 /* For detecting wrong-endian fs */
                              -- include/linux/jffs2.h
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Wolfgang,

> I was asked about relicensing U-Boot as GPLv3:
>
> From:    Richard Stallman <rms@gnu.org>
> Subject: U-book and GPLv3?
> To:      Wolfgang Denk <wd@denx.de>
> Date:    Thu, 18 Jun 2009 09:17:28 -0400
>
>
> I really enjoy the name U-boot.
> What are the advantages of U-boot over PMON?
>
> Have you considered moving U-boot to "GPLv3-or-later"?
>
>
> ----------
>
>
>
> I know that we have had similar discussions before (see for example
> http://thread.gmane.org/gmane.comp.boot-loaders.u-boot/24029), but I
> would like to take the chance and re-poll what the community's
> opinion about this is.

For what it's worth, I would appreciate moving to GPLv3.  Sparing
details, my reasoning is the following.  Basically I think most people
appreciate the GPL for what it means in pratical terms:

    * the freedom to use the software for any purpose,
    * the freedom to change the software to suit your needs,
    * the freedom to share the software with your friends and neighbors,
    * and
    * the freedom to share the changes you make.

Obviously the second item here will become void if vendor lockout of
updates becomes common.  So what will be left of the essential freedoms?
I can study the code, I can modify it, but I am not allowed to run it.
Excellent.

I think it is not a coincidence that devices which can be updated with
arbitrary firmware sells pretty good in the meantime.   Who buys routers
capable of running OpenWRT because of their original firmware?

Of course vendors do still have the possibility to reject any form of
warranty or liability once a firmware not provided by them is applied,
but still the choice should be made by the person who owns the device.
Just think about the "owns" in the previous sentence.  Do you really own
a device anymore if you cannot fix it?  Would you buy a car that you are
not allowed to change the tires by yourselves?

Well I get carried away, so I'd rather stop ;)

Cheers
  Detlev

-- 
I propose that each copy of the OS should ship with an orange jumpsuit and
sensory deprivation goggles, since all Vista users have been unilaterally
declared 'enemy combatants' by the content apparatchiki" - Daniel Nevin.
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

There's only one thing about U-Boot that doesn't seem so good:

    U-Boot is GPLv2 (sometimes "or later").

To have some parts which are GPLv2 only is unfortunate.
Is there any chance of convincing those authors to change that?

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hello Richard,

> There's only one thing about U-Boot that doesn't seem so good:
>
>     U-Boot is GPLv2 (sometimes "or later").
>
> To have some parts which are GPLv2 only is unfortunate.

This is due to us many times (re-)using Linux drivers inside U-Boot.

Also this is one of the objections worded on the mailing list, namely
that such a cooperation will be impossible in the future if U-Boot moves
to GPLv3.

As a base for reasonable discussion, I think we need to evaluate those
claims and back them up by actual figures.  Only then the real effort
needed to move and the potential loss of "code immigration" can be
estimated.

> Is there any chance of convincing those authors to change that?

Apart from the the above reasons, currently most people who voiced their
opinion (not too many right now) oppose the move.  The reasoning seems
to be that companies using U-Boot inside a commercial product consider
it to be "a neccessary precondition to only accept blessed firmware
upgrades" (my wording).  What motivates this argument is not completely
clear to me.  Maybe it is fear of being liable as a product vendor to
faulty sw upgrades.

A common theme in the embedded community is the fear of "getting copied
by cheap labor countries" - which should not be the case here, but I
cannot say for sure.

I believe that without discussing this question seriously with all its
implications we will not get enough momentum to even start defining the
work for a switch.

We should also start to actively inform the regularly appearing people
on this mailing list complaining that they cannot get the source code to
U-Boot of "device xyz" that with a GPLv2 U-Boot this may become a
theoretical question in the future when they cannot install the changed
binary anymore.

Cheers
  Detlev

-- 
Die meisten schaetzen nicht, was sie verstehen; aber was sie nicht fassen
koennen, verehren sie.  Um geschaetzt zu werden, muessen die Sachen Muehe
kosten; daher wird geruehmt, wer nicht verstanden wird.
                                    --- Baltasar Gracian
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Scott Wood]

On Tue, Jun 23, 2009 at 06:33:53PM +0200, Detlev Zundel wrote:
> Also this is one of the objections worded on the mailing list, namely
> that such a cooperation will be impossible in the future if U-Boot moves
> to GPLv3.
> 
> As a base for reasonable discussion, I think we need to evaluate those
> claims and back them up by actual figures.  Only then the real effort
> needed to move and the potential loss of "code immigration" can be
> estimated.

The NAND subsystem is from Linux and is GPL v2 only, as is the
u-boot-specific NAND code in drivers/mtd/nand.  nand_ecc.c is an
exception, which not only has the "or later" language but also has an
exception that makes it non-viral.

env_nand.c is v2-or-later.
cmd_nand.c has no explicit license.

In summary: If you switch to v3, you lose much of NAND.  Unless RMS
volunteers to rewrite it. :-)

> > Is there any chance of convincing those authors to change that?
> 
> Apart from the the above reasons, currently most people who voiced their
> opinion (not too many right now) oppose the move.  The reasoning seems
> to be that companies using U-Boot inside a commercial product consider
> it to be "a neccessary precondition to only accept blessed firmware
> upgrades" (my wording).  What motivates this argument is not completely
> clear to me.  Maybe it is fear of being liable as a product vendor to
> faulty sw upgrades.

Regardless of what motivates it, people who sell hardware to such
customers (and who also contribute to u-boot) may not want to risk losing
that business by pushing GPLv3 on them.

-Scott

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Tuesday 23 June 2009 15:26:35 Scott Wood wrote:
> On Tue, Jun 23, 2009 at 06:33:53PM +0200, Detlev Zundel wrote:
> > Apart from the the above reasons, currently most people who voiced their
> > opinion (not too many right now) oppose the move.  The reasoning seems
> > to be that companies using U-Boot inside a commercial product consider
> > it to be "a neccessary precondition to only accept blessed firmware
> > upgrades" (my wording).  What motivates this argument is not completely
> > clear to me.  Maybe it is fear of being liable as a product vendor to
> > faulty sw upgrades.
>
> Regardless of what motivates it, people who sell hardware to such
> customers (and who also contribute to u-boot) may not want to risk losing
> that business by pushing GPLv3 on them.

indeed.  expecting businesses to push other peoples' agenda isnt realistic, 
especially when the conversation is pretty much a net customer loss for said 
businesses.  customers arent going to appear because your business is now 
pushing GPLv3 instead of GPLv2, but they will certainly disappear.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090623/1873a5a7/attachment.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Jean-Christophe PLAGNIOL-VILLARD]

On 15:41 Tue 23 Jun     , Mike Frysinger wrote:
> On Tuesday 23 June 2009 15:26:35 Scott Wood wrote:
> > On Tue, Jun 23, 2009 at 06:33:53PM +0200, Detlev Zundel wrote:
> > > Apart from the the above reasons, currently most people who voiced their
> > > opinion (not too many right now) oppose the move.  The reasoning seems
> > > to be that companies using U-Boot inside a commercial product consider
> > > it to be "a neccessary precondition to only accept blessed firmware
> > > upgrades" (my wording).  What motivates this argument is not completely
> > > clear to me.  Maybe it is fear of being liable as a product vendor to
> > > faulty sw upgrades.
> >
> > Regardless of what motivates it, people who sell hardware to such
> > customers (and who also contribute to u-boot) may not want to risk losing
> > that business by pushing GPLv3 on them.
> 
> indeed.  expecting businesses to push other peoples' agenda isnt realistic, 
> especially when the conversation is pretty much a net customer loss for said 
> businesses.  customers arent going to appear because your business is now 
> pushing GPLv3 instead of GPLv2, but they will certainly disappear.
200% agree
I can assure you that today If we switch the V2 to the v3 we will lose a lot of
customers and soc that use secure boot as example which is not a progression but a
problematic regression

And force to give the private key which use to sign the code is not reallist
it's a security flaw

so U-Boot will close itself to a lots of business and customers

Best Regards,
J.

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Scott,

> On Tue, Jun 23, 2009 at 06:33:53PM +0200, Detlev Zundel wrote:
>> Also this is one of the objections worded on the mailing list, namely
>> that such a cooperation will be impossible in the future if U-Boot moves
>> to GPLv3.
>> 
>> As a base for reasonable discussion, I think we need to evaluate those
>> claims and back them up by actual figures.  Only then the real effort
>> needed to move and the potential loss of "code immigration" can be
>> estimated.
>
> The NAND subsystem is from Linux and is GPL v2 only, as is the
> u-boot-specific NAND code in drivers/mtd/nand.  

Ok, thanks for that info.  Subtracting the drivers this is ~5k LOC,
right?

> nand_ecc.c is an exception, which not only has the "or later" language
> but also has an exception that makes it non-viral.

Why do you refer to one of the most important aspects of the
effectiveness of the GPL as being viral?  GPLd software neither attacks
nor infects software so the wording is actively misleading.

> env_nand.c is v2-or-later.  cmd_nand.c has no explicit license.
>
> In summary: If you switch to v3, you lose much of NAND.  Unless RMS
> volunteers to rewrite it. :-)
>
>> > Is there any chance of convincing those authors to change that?
>> 
>> Apart from the the above reasons, currently most people who voiced their
>> opinion (not too many right now) oppose the move.  The reasoning seems
>> to be that companies using U-Boot inside a commercial product consider
>> it to be "a neccessary precondition to only accept blessed firmware
>> upgrades" (my wording).  What motivates this argument is not completely
>> clear to me.  Maybe it is fear of being liable as a product vendor to
>> faulty sw upgrades.
>
> Regardless of what motivates it, people who sell hardware to such
> customers (and who also contribute to u-boot) may not want to risk losing
> that business by pushing GPLv3 on them.

Actually I want to understand why people fear to "loose business" with
GPLv3.  What is the exact scenario that is so threatening?  Unless this
is understood, it is hard to argue in any way.

Cheers
  Detlev

-- 
"It's amazing I won. I was running against peace, prosperity, and
incumbency."
  --  George H.W. Bush, 06/14/2001, talking to Swedish prime
      minister Goran Perrson, unaware that a live tv camera was still on
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Mike,

> On Tuesday 23 June 2009 15:26:35 Scott Wood wrote:
>> On Tue, Jun 23, 2009 at 06:33:53PM +0200, Detlev Zundel wrote:
>> > Apart from the the above reasons, currently most people who voiced their
>> > opinion (not too many right now) oppose the move.  The reasoning seems
>> > to be that companies using U-Boot inside a commercial product consider
>> > it to be "a neccessary precondition to only accept blessed firmware
>> > upgrades" (my wording).  What motivates this argument is not completely
>> > clear to me.  Maybe it is fear of being liable as a product vendor to
>> > faulty sw upgrades.
>>
>> Regardless of what motivates it, people who sell hardware to such
>> customers (and who also contribute to u-boot) may not want to risk losing
>> that business by pushing GPLv3 on them.
>
> indeed.  expecting businesses to push other peoples' agenda isnt realistic, 
> especially when the conversation is pretty much a net customer loss for said 
> businesses.

It seems so clear for you, but it isn't for me - where is this net loss
for them, what exactly do they loose?

> customers arent going to appear because your business is now pushing
> GPLv3 instead of GPLv2, but they will certainly disappear.

Why will they disappear?

Cheers
  Detlev

-- 
error compiling committee.c: too many arguments to function
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Jean-Christophe,

> On 15:41 Tue 23 Jun     , Mike Frysinger wrote:
>> On Tuesday 23 June 2009 15:26:35 Scott Wood wrote:
>> > On Tue, Jun 23, 2009 at 06:33:53PM +0200, Detlev Zundel wrote:
>> > > Apart from the the above reasons, currently most people who voiced their
>> > > opinion (not too many right now) oppose the move.  The reasoning seems
>> > > to be that companies using U-Boot inside a commercial product consider
>> > > it to be "a neccessary precondition to only accept blessed firmware
>> > > upgrades" (my wording).  What motivates this argument is not completely
>> > > clear to me.  Maybe it is fear of being liable as a product vendor to
>> > > faulty sw upgrades.
>> >
>> > Regardless of what motivates it, people who sell hardware to such
>> > customers (and who also contribute to u-boot) may not want to risk losing
>> > that business by pushing GPLv3 on them.
>> 
>> indeed.  expecting businesses to push other peoples' agenda isnt realistic, 
>> especially when the conversation is pretty much a net customer loss for said 
>> businesses.  customers arent going to appear because your business is now 
>> pushing GPLv3 instead of GPLv2, but they will certainly disappear.
> 200% agree
> I can assure you that today If we switch the V2 to the v3 we will lose a lot of
> customers and soc that use secure boot as example which is not a progression but a
> problematic regression

What exactly is secure boot?

> And force to give the private key which use to sign the code is not reallist
> it's a security flaw

That's interesting to hear.  Where exactly is there "security" involved
and why should security be implementable by signed binaries only?  Does
that mean that for example I have *no secure* software on my computer
right now?  Don't you mistake "security" for "authenticity"?

> so U-Boot will close itself to a lots of business and customers

As you are not trying to give concrete examples, let me try to formulate
your "facts": U-Boot will not be usable within DRM systems.  Is that
what you are saying?

Cheers
  Detlev

-- 
0x2B | ~0x2B
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Wednesday 24 June 2009 05:12:01 Detlev Zundel wrote:
> > On Tuesday 23 June 2009 15:26:35 Scott Wood wrote:
> >> On Tue, Jun 23, 2009 at 06:33:53PM +0200, Detlev Zundel wrote:
> >> > Apart from the the above reasons, currently most people who voiced
> >> > their opinion (not too many right now) oppose the move.  The reasoning
> >> > seems to be that companies using U-Boot inside a commercial product
> >> > consider it to be "a neccessary precondition to only accept blessed
> >> > firmware upgrades" (my wording).  What motivates this argument is not
> >> > completely clear to me.  Maybe it is fear of being liable as a product
> >> > vendor to faulty sw upgrades.
> >>
> >> Regardless of what motivates it, people who sell hardware to such
> >> customers (and who also contribute to u-boot) may not want to risk
> >> losing that business by pushing GPLv3 on them.
> >
> > indeed.  expecting businesses to push other peoples' agenda isnt
> > realistic, especially when the conversation is pretty much a net customer
> > loss for said businesses.
>
> It seems so clear for you, but it isn't for me - where is this net loss
> for them, what exactly do they loose?
>
> > customers arent going to appear because your business is now pushing
> > GPLv3 instead of GPLv2, but they will certainly disappear.
>
> Why will they disappear?

if you want to push your agenda on your customers (i'm assuming you actually 
have some and arent just here for fun), that's your business.  but when 
customers absolutely state their requirements are secure boot and the ability 
to lock their hardware so no one else can run things, then i'm not about to 
argue with them.  their response is simply "fine, we'll move on to the next 
guy who will satisfy our requirements".

they arent generally trying to lock out people who just want to toy, they're 
targeting people who want to clone their hardware or functionality to create 
knockoffs or they're trying to guarantee lock down so they can get certified 
(like medical devices).

that's my practical standpoint from my job experience -- GPLv3 will cause a u-
boot fork and the net result is not beneficial to anyone.  my completely 
personal standpoint is the same -- do not use the GPLv3.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090624/934afcea/attachment.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Mike,

> On Wednesday 24 June 2009 05:12:01 Detlev Zundel wrote:
>> > On Tuesday 23 June 2009 15:26:35 Scott Wood wrote:
>> >> On Tue, Jun 23, 2009 at 06:33:53PM +0200, Detlev Zundel wrote:
>> >> > Apart from the the above reasons, currently most people who voiced
>> >> > their opinion (not too many right now) oppose the move.  The reasoning
>> >> > seems to be that companies using U-Boot inside a commercial product
>> >> > consider it to be "a neccessary precondition to only accept blessed
>> >> > firmware upgrades" (my wording).  What motivates this argument is not
>> >> > completely clear to me.  Maybe it is fear of being liable as a product
>> >> > vendor to faulty sw upgrades.
>> >>
>> >> Regardless of what motivates it, people who sell hardware to such
>> >> customers (and who also contribute to u-boot) may not want to risk
>> >> losing that business by pushing GPLv3 on them.
>> >
>> > indeed.  expecting businesses to push other peoples' agenda isnt
>> > realistic, especially when the conversation is pretty much a net customer
>> > loss for said businesses.
>>
>> It seems so clear for you, but it isn't for me - where is this net loss
>> for them, what exactly do they loose?
>>
>> > customers arent going to appear because your business is now pushing
>> > GPLv3 instead of GPLv2, but they will certainly disappear.
>>
>> Why will they disappear?
>
> if you want to push your agenda on your customers (i'm assuming you actually 
> have some and arent just here for fun), that's your business.

Is it possible that you jump to conslusions here?  All we - on a regular
basis - do is to talk to our customers until we understand what the
customer needs.  Then we think about how this can or cannot be done with
the help of Free Software.  After all nobody is forcing anyone to use
Free Software and for some customer wishes Free Software may simply be
not a legal option, so what?

In this process it is common that customers have incomplete information
about Free Software in general and not well-articulated fears making
them jump to premature conclusions (e.g. "we need a closed source Linux
kernel driver") which would prevent us from doing development for them.
At this point it is extremely important to learn about the reasoning of
the customer and then clearing up confusion probably leading to
revisiting the question of using Free Software.

Essentially I can only remember one customer in the last years who did
not go further at the time after learning that we would not develop a
non-GPL kernel module.  Incidentally this customer is now back on our
doorstep because the market effectively forces him to use a GNU/Linux
system from a feature perspective.  This time around closed sources
kernel modules are not even on the agenda anymore.

> but when customers absolutely state their requirements are secure boot
> and the ability to lock their hardware so no one else can run things,
> then i'm not about to argue with them.  their response is simply
> "fine, we'll move on to the next guy who will satisfy our
> requirements".

It is your decision if you don't want to even understand your customers
needs.  I surely do and this is what I try to understand in this thread.

I admit that I did not think this through completely, but how much of
this "no one else can run things" is actually connected to the
bootloader?  U-Boot itself will not be handling "prime content" I
guess.  Those "secure boot" you talk about - what is it exactly and
what are the potential attack vectors of it?  Are there vectors besides
the bootloader?  If so, how does a "non-supporting" bootloader make the
situation any worse?

> they arent generally trying to lock out people who just want to toy, they're 
> targeting people who want to clone their hardware or functionality to create 
> knockoffs or they're trying to guarantee lock down so they can get certified 
> (like medical devices).

How does GPLv3 vs. GPLv2 touch the "we will get cloned" question?  Maybe
I do not see the obvious here, but sourcecode to binaries under either
license must be available, so what's the difference?

> that's my practical standpoint from my job experience -- GPLv3 will cause a u-
> boot fork and the net result is not beneficial to anyone.

You must have a very good crystal ball.  Maybe if my crystal ball was
that good I did not need to ask questions.

> my completely personal standpoint is the same -- do not use the GPLv3.

Ok, somehow this was already clear to me.

On the other hand I also do believe that for a project which is here
simply because of the benefits of the GPL, we should spend some time
thinking this through and then base the decision of the project on a
sound basis.  Handwaving arguments do not help much here, so thanks for
your input.

Cheers
  Detlev

-- 
I haven't lost my mind, I know exactly where I left it.
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Matthew Lear]

Hi Detlev,
> What exactly is secure boot?

Jean-Christophe - if I may interject...
Embedded systems using core soc silicon from a number of manufacturers
have started to use what is known as 'secure boot'. This is typically the
case in applications which utilise conditional access system software to
protect content. The emphasis on using secure boot is largely driven by
the conditional access industry itself.

Secure boot basically means that internally in the soc, fuses are blown
that provide some semblance of a low-level hw signature. This signature is
combined with additional information from a conditional access / security
vendor who may provide tools/utilities for 'signing' bootloader and/or
application software binary code images. Consider the case where the soc
is boot-strapped by low-level 'secure boot' code. Even before the
bootloader's main() is entered, the boot code validates the image using
secure features such as private keys. If validation succeeds the platform
bootstrap continues to main(). If the licensing of U-Boot changed and
U-Boot contained secure boot code and/or features such as these in its
low-level bootstrap code, it is feasible that the secure features would
have to be made public, thus there would be a rather large security flaw.

> Don't you mistake "security" for "authenticity"?

In this context, I believe both terms are interchangeable and effectively
mean the same thing. It is secure because only authenticated code is
allowed to be executed, thus another step to avoid piracy, hacking of
conditional access systems etc.

Hope that helps.

Cheers,
--  Matt

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Wednesday 24 June 2009 09:17:50 Detlev Zundel wrote:
> > if you want to push your agenda on your customers (i'm assuming you
> > actually have some and arent just here for fun), that's your business.
>
> Is it possible that you jump to conslusions here?  All we - on a regular
> basis - do is to talk to our customers until we understand what the
> customer needs.  Then we think about how this can or cannot be done with
> the help of Free Software.  After all nobody is forcing anyone to use
> Free Software and for some customer wishes Free Software may simply be
> not a legal option, so what?
>
> In this process it is common that customers have incomplete information
> about Free Software in general and not well-articulated fears making
> them jump to premature conclusions (e.g. "we need a closed source Linux
> kernel driver") which would prevent us from doing development for them.
> At this point it is extremely important to learn about the reasoning of
> the customer and then clearing up confusion probably leading to
> revisiting the question of using Free Software.
>
> Essentially I can only remember one customer in the last years who did
> not go further at the time after learning that we would not develop a
> non-GPL kernel module.  Incidentally this customer is now back on our
> doorstep because the market effectively forces him to use a GNU/Linux
> system from a feature perspective.  This time around closed sources
> kernel modules are not even on the agenda anymore.

and that's your prerogative.  how you choose to run your business has no 
bearing at all on how other people choose to run their businesses.

> > but when customers absolutely state their requirements are secure boot
> > and the ability to lock their hardware so no one else can run things,
> > then i'm not about to argue with them.  their response is simply
> > "fine, we'll move on to the next guy who will satisfy our
> > requirements".
>
> It is your decision if you don't want to even understand your customers
> needs.

wrong, we've actually done the opposite.  we know what they want to do and it 
is doable with GPLv2.  it is not doable with GPLv3.

yes, there are cases of ingrained perceptions about how to accomplish 
something and GPLv3 blocks those methods.  but again, it is *your* choice to 
attempt to educate people here, it is not the automatic burden of people to 
champion the GNU cause for you.

> I admit that I did not think this through completely, but how much of
> this "no one else can run things" is actually connected to the
> bootloader?  U-Boot itself will not be handling "prime content" I
> guess.  Those "secure boot" you talk about - what is it exactly and
> what are the potential attack vectors of it?  Are there vectors besides
> the bootloader?  If so, how does a "non-supporting" bootloader make the
> situation any worse?

secure boot is pretty straightforward.  the CPU has internal keys programmed 
into it and will only boot signed binaries.  this is u-boot.  u-boot in turn 
will only boot signed encrypted binaries using keys inside of the CPU that can 
only be accessed by code running on the CPU.  licensing of these binaries 
obviously doesnt matter.  the encrypted stream is transferred from external 
storage into internal CPU storage, decrypted there, and then executed from 
there.  so there is no possibility of sniffing the decrypted stream on any bus 
as it never leaves the CPU.

> > they arent generally trying to lock out people who just want to toy,
> > they're targeting people who want to clone their hardware or
> > functionality to create knockoffs or they're trying to guarantee lock
> > down so they can get certified (like medical devices).
>
> How does GPLv3 vs. GPLv2 touch the "we will get cloned" question?  Maybe
> I do not see the obvious here, but sourcecode to binaries under either
> license must be available, so what's the difference?

if you dont have the decryption keys, you cant read the end program.  having 
access to the u-boot source doesnt matter.

> > that's my practical standpoint from my job experience -- GPLv3 will cause
> > a u- boot fork and the net result is not beneficial to anyone.
>
> You must have a very good crystal ball.  Maybe if my crystal ball was
> that good I did not need to ask questions.

then you should take it in to get serviced

> > my completely personal standpoint is the same -- do not use the GPLv3.
>
> Ok, somehow this was already clear to me.
>
> On the other hand I also do believe that for a project which is here
> simply because of the benefits of the GPL, we should spend some time
> thinking this through and then base the decision of the project on a
> sound basis.  Handwaving arguments do not help much here, so thanks for
> your input.

except that licensing choice is just as much practical considerations (can XYZ 
be done with the GPLv3) as it is personal choice.  it dictates how we choose 
to *let* other people utilize the code.  i personally dont have a problem with 
people locking their hardware.  that is their choice and the GPLv2 allows them 
that freedom.  hell, i wouldnt have a problem with a public domain u-boot.  
people dont use GPLv3 because it is a "superior" license from a technical 
perspective, they use it because they want to *restrict* how others use their 
code.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090624/df2bc9b6/attachment.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Scott Wood]

On Wed, Jun 24, 2009 at 11:09:49AM +0200, Detlev Zundel wrote:
> > nand_ecc.c is an exception, which not only has the "or later" language
> > but also has an exception that makes it non-viral.
> 
> Why do you refer to one of the most important aspects of the
> effectiveness of the GPL as being viral?  GPLd software neither attacks
> nor infects software so the wording is actively misleading.

I was referring to the "if you link me in, the entire project must be under
my terms" clause.  I refer to it as viral because that is the typical
terminology for this sort of license -- so named because it can lead to
software being licensed under GPL that otherwise wouldn't have been just so
it can be combined with existing GPL software, and then yet more software
licenses under GPL so it can link with *that* software (now devoid of the
original code whose author explicitly chose GPL), etc.

Whether it is a good thing is a matter of personal opinion, which I was
trying to keep out of that e-mail.

Looks like I failed. :-)

> > Regardless of what motivates it, people who sell hardware to such
> > customers (and who also contribute to u-boot) may not want to risk losing
> > that business by pushing GPLv3 on them.
> 
> Actually I want to understand why people fear to "loose business" with
> GPLv3.  What is the exact scenario that is so threatening?  Unless this
> is understood, it is hard to argue in any way.

U-boot contributor A wants to sell hardware to customer B, who wants secure
boot, or for any other reason does not want to involve themselves in GPL3. 
I'm not going to provide names, but this is not hypothetical.  If nobody
wanted to do the things that GPLv3 prevents, there wouldn't be a GPLv3. :-)

U-boot goes GPLv3.  A has a choice to continue developing on mainline
u-boot, in which case one of these happens:

1. A develops *another* bootloader in parallel (possibly based on old GPLv2
u-boot) for customer B,
2. B develops (or acquires) their own firmware, or
3. B buys hardware from someone else who provides non-GPL3 firmware.

#2 seems unlikely if #3 is a reasonable option -- and if A is going to do
#1, why wouldn't they develop *only* that non-GPL3 firmware if it is a
superset of usefulness to A (who doesn't particularly care about the GPL3
agenda)?  In other words, a fork.

-Scott

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Mike,

> On Wednesday 24 June 2009 09:17:50 Detlev Zundel wrote:
>> > if you want to push your agenda on your customers (i'm assuming you
>> > actually have some and arent just here for fun), that's your business.
>>
>> Is it possible that you jump to conslusions here?  All we - on a regular
>> basis - do is to talk to our customers until we understand what the
>> customer needs.  Then we think about how this can or cannot be done with
>> the help of Free Software.  After all nobody is forcing anyone to use
>> Free Software and for some customer wishes Free Software may simply be
>> not a legal option, so what?
>>
>> In this process it is common that customers have incomplete information
>> about Free Software in general and not well-articulated fears making
>> them jump to premature conclusions (e.g. "we need a closed source Linux
>> kernel driver") which would prevent us from doing development for them.
>> At this point it is extremely important to learn about the reasoning of
>> the customer and then clearing up confusion probably leading to
>> revisiting the question of using Free Software.
>>
>> Essentially I can only remember one customer in the last years who did
>> not go further at the time after learning that we would not develop a
>> non-GPL kernel module.  Incidentally this customer is now back on our
>> doorstep because the market effectively forces him to use a GNU/Linux
>> system from a feature perspective.  This time around closed sources
>> kernel modules are not even on the agenda anymore.
>
> and that's your prerogative.  how you choose to run your business has no 
> bearing at all on how other people choose to run their businesses.

All I said is that we have a pretty good idea of what is legal
and what isn;t and that we will not start work in an area where we
belive we could actually be liable by law.  How you come to the
conclusion that this is "prerogative" completely escapes me.  Are you
sure that you are interested in what I say?

>> > but when customers absolutely state their requirements are secure boot
>> > and the ability to lock their hardware so no one else can run things,
>> > then i'm not about to argue with them.  their response is simply
>> > "fine, we'll move on to the next guy who will satisfy our
>> > requirements".
>>
>> It is your decision if you don't want to even understand your customers
>> needs.
>
> wrong, we've actually done the opposite.  we know what they want to do and it 
> is doable with GPLv2.  it is not doable with GPLv3.

[U-Boot] U-book and GPLv3? (fwd)

[Jon Smirl]

There is an enormous practical consideration stopping the licensing
change. u-boot has not required copyright assignment. This means that
every single person that has contributed code to u-boot needs to give
their permission for the change. This includes the authors of code
copied from the Linux kernel.  It isn't good enough to just post to
the email list and ask for the change, you have to make sure that
every single person has been asked even if they aren't paying
attention to the list. If any of these people object (and some already
have objected) their contribution will need to be identified, removed
and rewritten.

This is not a comment on the merits or faults of the GPL v3. It is
just an assessment of the logistical effort required to do the change.
IMHO it would be easier to just write a new boot loader from scratch,
require copyright assignment on contributions and start off with the
GPL v3 initially.

-- 
Jon Smirl
jonsmirl at gmail.com

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Matthew,

thanks for the explanation.

>> Don't you mistake "security" for "authenticity"?
>
> In this context, I believe both terms are interchangeable and effectively
> mean the same thing.

This is generally not true.  These concepts have well defined meanings.
I can have a secure communicatins channel with someone I did not
authenticate.  Also I can have a non-secure communications channel with
someone who authenticated himself by some means to me.

> It is secure because only authenticated code is allowed to be
> executed, thus another step to avoid piracy, hacking of conditional
> access systems etc.

Running only authenticated code does *not* ensure security, no matter
how much this is wished for.

But no matter, I now understand that "security" seems to mean "data can
only be handled in the way intended by the owners of the data" which is
a different concept to me.

Cheers
  Detlev

-- 
FORTRAN's tragic fate has been its wide acceptance, mentally chaining thousands
and thousands of programmers to our past mistakes. I pray daily that more of my
fellow-programmers  may find the means of  freeing themselves from the curse of
compatibility.                          -- Edsger W. Dijkstra
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Jon,

> There is an enormous practical consideration stopping the licensing
> change. u-boot has not required copyright assignment. This means that
> every single person that has contributed code to u-boot needs to give
> their permission for the change.

This is not correct.  People who wrote code under "GPLv2 or later"
licenses would not need to be queried.  The project could use the
sources under a later version.

Cheers
  Detlev

-- 
X-Windows has to be the most expensive way ever of popping up an Emacs
window.
                                          -- The UNIX Haters Handbook
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Scott Wood]

Detlev Zundel wrote:
>> i personally dont have a problem with people locking their hardware.
>> that is their choice and the GPLv2 allows them that freedom.
> 
> You have a strange definition of freedom - for you it is limited to the
> provider of the devices not to the users of the devices.  I guess this
> is what this all boils down to.

No, it is "let the device providers and the users who have *chosen* to 
use those devices sort it out themselves, *I'm* not restricting anyone".

It's not "strange" or "standing on your head", it's just a different 
opinion.

-Scott

[U-Boot] U-book and GPLv3? (fwd)

[Grant Likely]

On Tue, Jun 23, 2009 at 10:33 AM, Detlev Zundel<dzu@denx.de> wrote:
>> Is there any chance of convincing those authors to change that?
>
> Apart from the the above reasons, currently most people who voiced their
> opinion (not too many right now) oppose the move. ?The reasoning seems
> to be that companies using U-Boot inside a commercial product consider
> it to be "a neccessary precondition to only accept blessed firmware
> upgrades" (my wording). ?What motivates this argument is not completely
> clear to me. ?Maybe it is fear of being liable as a product vendor to
> faulty sw upgrades.

That isn't my reasoning.  I license under GPLv2 because I like that
license.  I don't like GPLv3 because I think it is too complex and it
tries to solve things that are non-problems for me.

GPLv2 expresses well how I want to license my code.
GPLv3 does not.

g.

-- 
Grant Likely, B.Sc., P.Eng.
Secret Lab Technologies Ltd.

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Wednesday 24 June 2009 12:34:40 Detlev Zundel wrote:
> > On Wednesday 24 June 2009 09:17:50 Detlev Zundel wrote:
> >> > if you want to push your agenda on your customers (i'm assuming you
> >> > actually have some and arent just here for fun), that's your business.
> >>
> >> Is it possible that you jump to conslusions here?  All we - on a regular
> >> basis - do is to talk to our customers until we understand what the
> >> customer needs.  Then we think about how this can or cannot be done with
> >> the help of Free Software.  After all nobody is forcing anyone to use
> >> Free Software and for some customer wishes Free Software may simply be
> >> not a legal option, so what?
> >>
> >> In this process it is common that customers have incomplete information
> >> about Free Software in general and not well-articulated fears making
> >> them jump to premature conclusions (e.g. "we need a closed source Linux
> >> kernel driver") which would prevent us from doing development for them.
> >> At this point it is extremely important to learn about the reasoning of
> >> the customer and then clearing up confusion probably leading to
> >> revisiting the question of using Free Software.
> >>
> >> Essentially I can only remember one customer in the last years who did
> >> not go further at the time after learning that we would not develop a
> >> non-GPL kernel module.  Incidentally this customer is now back on our
> >> doorstep because the market effectively forces him to use a GNU/Linux
> >> system from a feature perspective.  This time around closed sources
> >> kernel modules are not even on the agenda anymore.
> >
> > and that's your prerogative.  how you choose to run your business has no
> > bearing at all on how other people choose to run their businesses.
>
> All I said is that we have a pretty good idea of what is legal
> and what isn;t and that we will not start work in an area where we
> belive we could actually be liable by law.  How you come to the
> conclusion that this is "prerogative" completely escapes me.  Are you
> sure that you are interested in what I say?

i think you are interpreting the word incorrectly.  it is your prerogative -- 
your right -- to run your business however you want.

> >> > but when customers absolutely state their requirements are secure boot
> >> > and the ability to lock their hardware so no one else can run things,
> >> > then i'm not about to argue with them.  their response is simply
> >> > "fine, we'll move on to the next guy who will satisfy our
> >> > requirements".
> >>
> >> It is your decision if you don't want to even understand your customers
> >> needs.
> >
> > wrong, we've actually done the opposite.  we know what they want to do
> > and it is doable with GPLv2.  it is not doable with GPLv3.
>
> From what I read, I do not get this impression.  "Locking people out" is
> not a ulterior motive but the outcome of a perceived threat to a
> business model.  It was this business model that I wanted to get a clear
> picture of.  It seems I cannot get any more informatino here.

locking down a machine is part of due diligence as well when it comes to 
certification.  not taking measures to prevent uncertified code from running 
is a legal liability for companies.  you can chalk these use cases up as 
"perceived threads to a business model" all you like.  many customers arent 
going to change because of your opinion, and while you may not business with 
them, i dont have a problem with doing it.

> > yes, there are cases of ingrained perceptions about how to accomplish
> > something and GPLv3 blocks those methods.  but again, it is *your* choice
> > to attempt to educate people here, it is not the automatic burden of
> > people to champion the GNU cause for you.
>
> What kind of axe do you have to grind here?  We (as a project) were
> asked about our stance to move to GPLv3 which is a perfectly good
> question to pose.  All I want to do is collect facts - your allegation
> that I want other people to carry a "burden" shows me that this way will
> bear no more fruit.

i wasnt directing all of these comments directly at you.  i dont know you nor 
do i care.  if the GNU project wants people to use the GPLv3 and people have a 
perception of it being crap, then it's their problem to address it.

> >> > they arent generally trying to lock out people who just want to toy,
> >> > they're targeting people who want to clone their hardware or
> >> > functionality to create knockoffs or they're trying to guarantee lock
> >> > down so they can get certified (like medical devices).
> >>
> >> How does GPLv3 vs. GPLv2 touch the "we will get cloned" question?  Maybe
> >> I do not see the obvious here, but sourcecode to binaries under either
> >> license must be available, so what's the difference?
> >
> > if you dont have the decryption keys, you cant read the end program. 
> > having access to the u-boot source doesnt matter.
>
> Having access to the physical device will.  How long do you think will
> it take to get broken into?  Unfortunately physics do not follow wishes
> of companies as seen over and over in the past.

and companies understand that.  i never said locking the device is a 100% 
guarantee to prevent cloning -- nothing in life is 100%.  it does however 
significantly make it harder to reverse engineer a black box that is wiggling 
pins than it is to disassemble code and memory.  the companies i work with are 
concerned with delaying clones for most of that product generation's life 
span, not eternity.  if the clone comes in after the company has gotten their 
fair share out of it, then that's fine by them.  clones are an unfortunate 
aspect of commercial life.  without the secure boot aspect, people are able to 
create knockoffs with enough turn around time to do quite a bit of damage to 
the product's life span.

> >> On the other hand I also do believe that for a project which is here
> >> simply because of the benefits of the GPL, we should spend some time
> >> thinking this through and then base the decision of the project on a
> >> sound basis.  Handwaving arguments do not help much here, so thanks for
> >> your input.
> >
> > except that licensing choice is just as much practical considerations
> > (can XYZ be done with the GPLv3) as it is personal choice.  it dictates
> > how we choose to *let* other people utilize the code.
>
> Licensing ceases to be a personal choice when it is a community project.

that is plain wrong.  it is always a personal choice and by advocating it in a 
community setting, you're pushing your personal choices on others.  i want to 
stay with the GPL-2 -- i am pushing my personal preference on others.  you 
want to move to the GPL-3 -- you are pushing your personal preference on 
others.

> > i personally dont have a problem with people locking their hardware.
> > that is their choice and the GPLv2 allows them that freedom.
>
> You have a strange definition of freedom - for you it is limited to the
> provider of the devices not to the users of the devices.  I guess this
> is what this all boils down to.

no, i have a definition of freedom you cant cope with.  what i choose to do 
with my time and code i write is absolutely my choice.  i have no problem 
people taking my code and doing whatever they want with it -- that's why i 
release to public domain.

> > hell, i wouldnt have a problem with a public domain u-boot.  people
> > dont use GPLv3 because it is a "superior" license from a technical
> > perspective, they use it because they want to *restrict* how others
> > use their code.
>
> Are you standing on your head typing this?  You actually want to allow
> a few people to _massively_ restrict all the rest.  I cannot follow
> here.

and it's funny you cant cope with this simple concept.  your code, your time, 
your choice.  my code, my time, my choice.  if people take my work i give away 
freely and "massively restrict the rest", then i dont have a problem with 
that.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090624/dc06c1cc/attachment-0001.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Wednesday 24 June 2009 12:45:38 Detlev Zundel wrote:
> > It is secure because only authenticated code is allowed to be
> > executed, thus another step to avoid piracy, hacking of conditional
> > access systems etc.
>
> Running only authenticated code does *not* ensure security, no matter
> how much this is wished for.
>
> But no matter, I now understand that "security" seems to mean "data can
> only be handled in the way intended by the owners of the data" which is
> a different concept to me.

you ignored my simple straightforward example where both authenticity and 
security is provided.  cpu only loads signed u-boot -- authenticity.  u-boot 
only loads encrypted signed binaries -- security and authenticity.  since the 
binaries stay inside of the CPU, for all practical (and then some) purposes, 
the decrypted binary will never be discovered from this system.

and unless you're lumping data and code together under the term "data", that 
part is also incorrect.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090624/f909a27e/attachment.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Jon Smirl]

On Wed, Jun 24, 2009 at 12:56 PM, Detlev Zundel<dzu@denx.de> wrote:
> Hi Jon,
>
>> There is an enormous practical consideration stopping the licensing
>> change. u-boot has not required copyright assignment. This means that
>> every single person that has contributed code to u-boot needs to give
>> their permission for the change.
>
> This is not correct. ?People who wrote code under "GPLv2 or later"
> licenses would not need to be queried. ?The project could use the
> sources under a later version.

There is a mix of GPLv2 or later and GPLv2 code. You will have to sort
which license applies. Let's hope nobody modified a GPL v2 header in
any file to say "GPL v2 or later". That would open a giant can of
worms.

This is a giant administrative nightmare. The effort for doing this
exceeds the effort require to write a new boot loader.  Require
copyright assignment on the new boot loader and then the license can
be easily changed.

-- 
Jon Smirl
jonsmirl at gmail.com

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    > The NAND subsystem is from Linux and is GPL v2 only, as is the
    > u-boot-specific NAND code in drivers/mtd/nand.  

    Ok, thanks for that info.  Subtracting the drivers this is ~5k LOC,
    right?

Two ways of dealing with ths include (1) contacting the developers and
asking then to relicense, and (2) writing a replacement (it's not that
big).

The FSF can't offer to rewrite it, but we could halp find any 
developers who are now difficult to contact.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    Embedded systems using core soc silicon from a number of manufacturers
    have started to use what is known as 'secure boot'. This is typically the
    case in applications which utilise conditional access system software to
    protect content. The emphasis on using secure boot is largely driven by
    the conditional access industry itself.

The principal purpose of these products is to restrict the public's
freedom.  So it is natural that their means involve restricting our
freedom too.

In DefectiveByDesign.org we organize protests against such devices.
They don't deserve help.

    In this context, I believe both terms are interchangeable and effectively
    mean the same thing. It is secure because only authenticated code is
    allowed to be executed, thus another step to avoid piracy, 

If that is meant to refer to sharing of copies of published works,
please don't call that "piracy".  That is a propaganda term which is
used to spread the assumption that sharing is bad.  See
http://www.gnu.org/philosophy/words-to-avoid.html.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    I can assure you that today If we switch the V2 to the v3 we will lose a lot of
    customers

Are the users of U-Boot usually customers?  That term normally refers
to people that buy a commercial product or service.

    And force to give the private key which use to sign the code is not reallist
    it's a security flaw

I have a computer on which I can install any code I choose.
I don't think that is a security flaw.

On the contrary, if only one company can install a new version, that
is a grave security flaw for me as a user.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    This is due to us many times (re-)using Linux drivers inside U-Boot.

This won't stop you from making sure all of U-Boot (aside from these
drivers) says "GPLv2 or later".  Also, you can talk with the
developers of the drivers that you need, or might need, to ask them to
release their drivers GPLv2+.

    The reasoning seems
    to be that companies using U-Boot inside a commercial product consider
    it to be "a neccessary precondition to only accept blessed firmware
    upgrades" (my wording).

What they mean is they think these companies want to tivoize it.  I
don't know whether that is true.  For discussion, let's suppose it is
true.

It has no impact whatsoever on making U-boot support GPLv2+.

However, it means that moving to GPLv3+ means a decision about values.
Is it good for companies to use your program to deny the users'
freedom?  Or is it better to defend users' freedom by saying no to
those companies?  If a company seeks softwart with which to restrict
users, would you rather tell them "Please do it with my program" or "I
don't want to share the responsibility for what you are doing?"

Is popularity the most important value?

    We should also start to actively inform the regularly appearing people
    on this mailing list complaining that they cannot get the source code to
    U-Boot of "device xyz" that with a GPLv2 U-Boot this may become a
    theoretical question in the future when they cannot install the changed
    binary anymore.

Exactly!

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

      their response is simply "fine, we'll move on to the next=
    =20
    guy who will satisfy our requirements".

When people offer to use my programs if I relax the license
requirements, my respose to them is, "If you don't use my software,
that's your loss."

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Wednesday 24 June 2009 20:59:47 Richard Stallman wrote:
>       their response is simply "fine, we'll move on to the next=
>     =20
>     guy who will satisfy our requirements".
>
> When people offer to use my programs if I relax the license
> requirements, my respose to them is, "If you don't use my software,
> that's your loss."

feel free to go write your own bootloader then.  or improve grub2 such that it 
can actually compete with u-boot.  then you may make these statements all you 
like.
-mike

[U-Boot] U-book and GPLv3? (fwd)

[Thomas Doerfler]

Richard,

Richard Stallman wrote:
>     Embedded systems using core soc silicon from a number of manufacturers
>     have started to use what is known as 'secure boot'. This is typically the
>     case in applications which utilise conditional access system software to
>     protect content. The emphasis on using secure boot is largely driven by
>     the conditional access industry itself.
> 
> The principal purpose of these products is to restrict the public's
> freedom.  So it is natural that their means involve restricting our
> freedom too.

You are right in many cases, but on the other hand especially in the
embedded market there are lots of systems which should definitivly NOT
boot every code provided. Just some examples:

- automotive control units: Think about cars being on the highway with
many fancy features built into their electronics (from their owners),
which unfortunately are a security risk for the owner and others on the
road. If a major accident is caused by modified car control software,
who will be sued in the first run? The owner (already dead?)? Or the car
manufacturer who made the system open to changes from everyone?

- medical equipment: Think what nice features could be implemented into
these many machines located in the emergency room... Accessible to any
person who comes by.

My personal believe is that there are many examples of embedded systems,
that should only execute software that has been carefully tested.

And I don't like the idea to see this area as non-compatible with free
software like U-Boot, Linux and others.

wkr,

Thomas.

> 
> In DefectiveByDesign.org we organize protests against such devices.
> They don't deserve help.
> 
>     In this context, I believe both terms are interchangeable and effectively
>     mean the same thing. It is secure because only authenticated code is
>     allowed to be executed, thus another step to avoid piracy, 
> 
> If that is meant to refer to sharing of copies of published works,
> please don't call that "piracy".  That is a propaganda term which is
> used to spread the assumption that sharing is bad.  See
> http://www.gnu.org/philosophy/words-to-avoid.html.
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> http://lists.denx.de/mailman/listinfo/u-boot


-- 

--------------------------------------------
Embedded Brains GmbH
Thomas Doerfler        Obere Lagerstrasse 30
D-82178 Puchheim       Germany
email: Thomas.Doerfler at embedded-brains.de
Phone: +49-89-18908079-2
Fax:   +49-89-18908079-9

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Scott,

> On Wed, Jun 24, 2009 at 11:09:49AM +0200, Detlev Zundel wrote:
>> > nand_ecc.c is an exception, which not only has the "or later" language
>> > but also has an exception that makes it non-viral.
>> 
>> Why do you refer to one of the most important aspects of the
>> effectiveness of the GPL as being viral?  GPLd software neither attacks
>> nor infects software so the wording is actively misleading.
>
> I was referring to the "if you link me in, the entire project must be under
> my terms" clause.  

For sure I know what you meant, but the term "virus" has a mental
baggage way too big.  I believe a metaphor only to be helpful if the
attached concepts shed new light on the "target domain", but this
is simply not the case here.

Of course I cannot forbid your using the word, but one should point out
that the connotations are misleading.

>> > Regardless of what motivates it, people who sell hardware to such
>> > customers (and who also contribute to u-boot) may not want to risk losing
>> > that business by pushing GPLv3 on them.
>> 
>> Actually I want to understand why people fear to "loose business" with
>> GPLv3.  What is the exact scenario that is so threatening?  Unless this
>> is understood, it is hard to argue in any way.
>
> U-boot contributor A wants to sell hardware to customer B, who wants secure
> boot, or for any other reason does not want to involve themselves in GPL3. 
> I'm not going to provide names, but this is not hypothetical.  If nobody
> wanted to do the things that GPLv3 prevents, there wouldn't be a GPLv3. :-)

Actually I was trying to get more information about what those "things
that GPLv3" prevents and customers want are - and what business model
they are a part of.

It may come as a surprise, but I believe that the percentage of boards
supported by U-Boot which are used in such scenarios is pretty small.
Likely many of the newly added boards will fall into this category, but
from the hundreds already supported not many will even care.

To get a better impression about this ratio should also be an important point
in this discussion.

> U-boot goes GPLv3.  A has a choice to continue developing on mainline
> u-boot, in which case one of these happens:
>
> 1. A develops *another* bootloader in parallel (possibly based on old GPLv2
> u-boot) for customer B,
> 2. B develops (or acquires) their own firmware, or
> 3. B buys hardware from someone else who provides non-GPL3 firmware.
>
> #2 seems unlikely if #3 is a reasonable option -- and if A is going to do
> #1, why wouldn't they develop *only* that non-GPL3 firmware if it is a
> superset of usefulness to A (who doesn't particularly care about the GPL3
> agenda)?  In other words, a fork.

It is good to actually get more concrete here, but I was really after
the original motiviation of people avoiding GPLv3.

Thanks
  Detlev

-- 
The limits of my language stand for the limits of my world.
                                        -- Ludwig Wittgenstein
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Mike,

>> >> > but when customers absolutely state their requirements are secure boot
>> >> > and the ability to lock their hardware so no one else can run things,
>> >> > then i'm not about to argue with them.  their response is simply
>> >> > "fine, we'll move on to the next guy who will satisfy our
>> >> > requirements".
>> >>
>> >> It is your decision if you don't want to even understand your customers
>> >> needs.
>> >
>> > wrong, we've actually done the opposite.  we know what they want to do
>> > and it is doable with GPLv2.  it is not doable with GPLv3.
>>
>> From what I read, I do not get this impression.  "Locking people out" is
>> not a ulterior motive but the outcome of a perceived threat to a
>> business model.  It was this business model that I wanted to get a clear
>> picture of.  It seems I cannot get any more informatino here.
>
> locking down a machine is part of due diligence as well when it comes to 
> certification.  not taking measures to prevent uncertified code from running 
> is a legal liability for companies.

An aircraft is also a certified product - won't you think?  Do you
believe that an airline carrier ships its planes to the manufacturer if
they need to replace a screw?  Obviously there must be ways to ensure
certification even in such cases.  Why should those methods not be
applicable to other fields as well?  

It is this "certification is only possible like we say" attitude which I
seriously question.

> you can chalk these use cases up as "perceived threads to a business
> model" all you like.  many customers arent going to change because of
> your opinion, and while you may not business with them, i dont have a
> problem with doing it.

Sure, you're decision.  Although I cannot read it from what you wrote,
if you do business knowingly entering grey areas of licensing questions
(like writing closed source drivers for the Linux kernel), there is a
pretty good chance that one could go to court for "gross negligence".

This is not a joke.  Here in Germany lawyers actually evaluated if a
manager can get sued for "gross negligence" when deploying Free Software
in a company because of the "everybody can change the software" aspect.

>> > yes, there are cases of ingrained perceptions about how to accomplish
>> > something and GPLv3 blocks those methods.  but again, it is *your* choice
>> > to attempt to educate people here, it is not the automatic burden of
>> > people to champion the GNU cause for you.
>>
>> What kind of axe do you have to grind here?  We (as a project) were
>> asked about our stance to move to GPLv3 which is a perfectly good
>> question to pose.  All I want to do is collect facts - your allegation
>> that I want other people to carry a "burden" shows me that this way will
>> bear no more fruit.
>
> i wasnt directing all of these comments directly at you.  i dont know
> you nor do i care.

Yep, thanks for the confirmation.

>> >> > they arent generally trying to lock out people who just want to toy,
>> >> > they're targeting people who want to clone their hardware or
>> >> > functionality to create knockoffs or they're trying to guarantee lock
>> >> > down so they can get certified (like medical devices).
>> >>
>> >> How does GPLv3 vs. GPLv2 touch the "we will get cloned" question?  Maybe
>> >> I do not see the obvious here, but sourcecode to binaries under either
>> >> license must be available, so what's the difference?
>> >
>> > if you dont have the decryption keys, you cant read the end program. 
>> > having access to the u-boot source doesnt matter.
>>
>> Having access to the physical device will.  How long do you think will
>> it take to get broken into?  Unfortunately physics do not follow wishes
>> of companies as seen over and over in the past.
>
> and companies understand that.  i never said locking the device is a 100% 
> guarantee to prevent cloning -- nothing in life is 100%.  it does however 
> significantly make it harder to reverse engineer a black box that is wiggling 
> pins than it is to disassemble code and memory.  the companies i work with are 
> concerned with delaying clones for most of that product generation's life 
> span, not eternity.  if the clone comes in after the company has gotten their 
> fair share out of it, then that's fine by them.  clones are an unfortunate 
> aspect of commercial life.  without the secure boot aspect, people are able to 
> create knockoffs with enough turn around time to do quite a bit of damage to 
> the product's life span.

It's not the first time I hear this mantra.  Can you give me some facts
to back this up?

>> > i personally dont have a problem with people locking their hardware.
>> > that is their choice and the GPLv2 allows them that freedom.
>>
>> You have a strange definition of freedom - for you it is limited to the
>> provider of the devices not to the users of the devices.  I guess this
>> is what this all boils down to.
>
> no, i have a definition of freedom you cant cope with.

Oh, I can cope with this definition for sure.  It is rather misleading
to attach it to the word "freedom" however.

> what i choose to do with my time and code i write is absolutely my
> choice.  i have no problem people taking my code and doing whatever
> they want with it -- that's why i release to public domain.
>
>> > hell, i wouldnt have a problem with a public domain u-boot.  people
>> > dont use GPLv3 because it is a "superior" license from a technical
>> > perspective, they use it because they want to *restrict* how others
>> > use their code.
>>
>> Are you standing on your head typing this?  You actually want to allow
>> a few people to _massively_ restrict all the rest.  I cannot follow
>> here.
>
> and it's funny you cant cope with this simple concept.  your code,
> your time, your choice.  my code, my time, my choice.  

Again, no problem coping with this concept if put in these words.  Just
don't use "restriction" or "freedom" then.

> if people take my work i give away freely and "massively restrict the
> rest", then i dont have a problem with that.

So we are in accord after all - I don't want my work to be used in this
way.  Simple ;)

Cheers
  Detlev

-- 
If you currently have a 32-bit UNIX system, you are advised to
trade it in for a 64-bit one sometime before the year 2106.
 -- Andrew S. Tanenbaum: Modern Operating Systems, 2nd Edition
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Mike,

> On Wednesday 24 June 2009 12:45:38 Detlev Zundel wrote:
>> > It is secure because only authenticated code is allowed to be
>> > executed, thus another step to avoid piracy, hacking of conditional
>> > access systems etc.
>>
>> Running only authenticated code does *not* ensure security, no matter
>> how much this is wished for.
>>
>> But no matter, I now understand that "security" seems to mean "data can
>> only be handled in the way intended by the owners of the data" which is
>> a different concept to me.
>
> you ignored my simple straightforward example where both authenticity and 
> security is provided.  cpu only loads signed u-boot -- authenticity.  u-boot 
> only loads encrypted signed binaries -- security and authenticity.  since the 
> binaries stay inside of the CPU, for all practical (and then some) purposes, 
> the decrypted binary will never be discovered from this system.

Obviously we differ in what "security" means.  Where I used security as
an attribute of a communications channel which seems to be a popular
interpretation in computer science, you interpret "security" to mean
"not discoverable from outside the device".  The latter interpretation
is used in the DRM systems trying to rub off the good annotations of
"security" onto those systems - but still it is not synonymous to
"security" for me.

So by definition, an authenticated, encrypted (and non-discoverable
binary) can still use non-secure communications channels.  Those things
are orthogonal and actually I do not know why we argue about that anyway
because it is beside the point of this thread.

> and unless you're lumping data and code together under the term "data", that 
> part is also incorrect.

Code is data for sure.  Using higher level languages like e.g. Lisp,
this should be extremely clear.

Cheers
  Detlev

-- 
Ich hoffe, Sie verzeihen mir meine Leidenschaft.  Ich h?tte Ihnen Ihre
auch gerne verziehen.
                                     -- Dieter Hildebrandt
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Jon,

> On Wed, Jun 24, 2009 at 12:56 PM, Detlev Zundel<dzu@denx.de> wrote:
>> Hi Jon,
>>
>>> There is an enormous practical consideration stopping the licensing
>>> change. u-boot has not required copyright assignment. This means that
>>> every single person that has contributed code to u-boot needs to give
>>> their permission for the change.
>>
>> This is not correct. ?People who wrote code under "GPLv2 or later"
>> licenses would not need to be queried. ?The project could use the
>> sources under a later version.
>
> There is a mix of GPLv2 or later and GPLv2 code. You will have to sort
> which license applies. 

Sure.

> Let's hope nobody modified a GPL v2 header in any file to say "GPL v2
> or later". That would open a giant can of worms.

We can trace with through the version control - it is doable.

> This is a giant administrative nightmare. The effort for doing this
> exceeds the effort require to write a new boot loader.  Require
> copyright assignment on the new boot loader and then the license can
> be easily changed.

How do you arrive at this conclusion?  I rather say that if one was to
seriously try this it can be done in a few weeks/months by one or two
persons.  The FSF offered to help track down people even.

Reimplementing the current U-Boot code base is orders of magnitude away
from this.

Cheers
  Detlev

-- 
Q:  What does FAQ stand for?
A:  We are Frequently Asked this Question, and we have no idea.
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    > You have a strange definition of freedom - for you it is limited to the
    > provider of the devices not to the users of the devices.  I guess this
    > is what this all boils down to.

    No, it is "let the device providers and the users who have *chosen* to 
    use those devices sort it out themselves, *I'm* not restricting anyone".

More precisely stated, it's "I'm not restricting anyone, and if
someone else is, I don't care."  The difference here is between
defending freedom and standing aside while it gets lost.

Leaving the powerful few and the weak divided many to "sort it out" is
predictably likely to lead to bad results.  (That is why consumer
protection law exists -- because a market without regulation is
dangerous.  This is also why financial industry regulation exists, and
if the powerful had not sabotaged it, we wouldn't have the current
economic downturn.)

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Thursday 25 June 2009 07:04:07 Detlev Zundel wrote:
> >> >> > but when customers absolutely state their requirements are secure
> >> >> > boot and the ability to lock their hardware so no one else can run
> >> >> > things, then i'm not about to argue with them.  their response is
> >> >> > simply "fine, we'll move on to the next guy who will satisfy our
> >> >> > requirements".
> >> >>
> >> >> It is your decision if you don't want to even understand your
> >> >> customers needs.
> >> >
> >> > wrong, we've actually done the opposite.  we know what they want to do
> >> > and it is doable with GPLv2.  it is not doable with GPLv3.
> >>
> >> From what I read, I do not get this impression.  "Locking people out" is
> >> not a ulterior motive but the outcome of a perceived threat to a
> >> business model.  It was this business model that I wanted to get a clear
> >> picture of.  It seems I cannot get any more informatino here.
> >
> > locking down a machine is part of due diligence as well when it comes to
> > certification.  not taking measures to prevent uncertified code from
> > running is a legal liability for companies.
>
> An aircraft is also a certified product - won't you think?  Do you
> believe that an airline carrier ships its planes to the manufacturer if
> they need to replace a screw?  Obviously there must be ways to ensure
> certification even in such cases.  Why should those methods not be
> applicable to other fields as well?
>
> It is this "certification is only possible like we say" attitude which I
> seriously question.

whether you question this attitude doesnt matter.  you arent a lawyer in 
general, you arent a lawyer for these companies, and you arent indemnifying 
them.  their legal review says that it's a requirement, so it is now a 
requirement for the software.  anything beyond that is irrelevant.

> >> >> > they arent generally trying to lock out people who just want to
> >> >> > toy, they're targeting people who want to clone their hardware or
> >> >> > functionality to create knockoffs or they're trying to guarantee
> >> >> > lock down so they can get certified (like medical devices).
> >> >>
> >> >> How does GPLv3 vs. GPLv2 touch the "we will get cloned" question? 
> >> >> Maybe I do not see the obvious here, but sourcecode to binaries under
> >> >> either license must be available, so what's the difference?
> >> >
> >> > if you dont have the decryption keys, you cant read the end program.
> >> > having access to the u-boot source doesnt matter.
> >>
> >> Having access to the physical device will.  How long do you think will
> >> it take to get broken into?  Unfortunately physics do not follow wishes
> >> of companies as seen over and over in the past.
> >
> > and companies understand that.  i never said locking the device is a 100%
> > guarantee to prevent cloning -- nothing in life is 100%.  it does however
> > significantly make it harder to reverse engineer a black box that is
> > wiggling pins than it is to disassemble code and memory.  the companies i
> > work with are concerned with delaying clones for most of that product
> > generation's life span, not eternity.  if the clone comes in after the
> > company has gotten their fair share out of it, then that's fine by them. 
> > clones are an unfortunate aspect of commercial life.  without the secure
> > boot aspect, people are able to create knockoffs with enough turn around
> > time to do quite a bit of damage to the product's life span.
>
> It's not the first time I hear this mantra.  Can you give me some facts
> to back this up?

i dont know what kind of "facts" you're looking for.  i didnt make this 
scenario up, it was described to me by a customer in the US and their 
experience with Chinese cloners.  i'm not going to give customer information 
or name names if that's what you want.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090625/5288a36d/attachment.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Thursday 25 June 2009 07:22:10 Detlev Zundel wrote:
> > On Wednesday 24 June 2009 12:45:38 Detlev Zundel wrote:
> >> > It is secure because only authenticated code is allowed to be
> >> > executed, thus another step to avoid piracy, hacking of conditional
> >> > access systems etc.
> >>
> >> Running only authenticated code does *not* ensure security, no matter
> >> how much this is wished for.
> >>
> >> But no matter, I now understand that "security" seems to mean "data can
> >> only be handled in the way intended by the owners of the data" which is
> >> a different concept to me.
> >
> > you ignored my simple straightforward example where both authenticity and
> > security is provided.  cpu only loads signed u-boot -- authenticity. 
> > u-boot only loads encrypted signed binaries -- security and authenticity.
> >  since the binaries stay inside of the CPU, for all practical (and then
> > some) purposes, the decrypted binary will never be discovered from this
> > system.
>
> Obviously we differ in what "security" means.  Where I used security as
> an attribute of a communications channel which seems to be a popular
> interpretation in computer science, you interpret "security" to mean
> "not discoverable from outside the device".  The latter interpretation
> is used in the DRM systems trying to rub off the good annotations of
> "security" onto those systems - but still it is not synonymous to
> "security" for me.

you really should use the standard terms of the trade then, otherwise you will 
just keep confusing people.
http://en.wikipedia.org/wiki/Information_security#Basic_principles
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090625/2e815dac/attachment.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Wednesday 24 June 2009 20:59:11 Richard Stallman wrote:
>     Embedded systems using core soc silicon from a number of manufacturers
>     have started to use what is known as 'secure boot'. This is typically
> the case in applications which utilise conditional access system software
> to protect content. The emphasis on using secure boot is largely driven by
> the conditional access industry itself.
>
> The principal purpose of these products is to restrict the public's
> freedom.  So it is natural that their means involve restricting our
> freedom too.

it sure is nice to make generalities as it makes your resulting argument so 
much easier to digest.  the companies ive worked with could give two sh*ts 
about end customers tinkering with their products.  they're interested in 
keeping their product secure from other people in their respective industry 
and from malicious tampering for regulation/safety purposes.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090625/ae03ff68/attachment-0001.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Mike,

> you really should use the standard terms of the trade then, otherwise
> you will just keep confusing people.

I will not bother discussing this anymore with you but rather leave it
up to the reader to decide on who is confusing.

Cheers
  Detlev

-- 
"Win32 sucks so hard it could pull matter out of a Black Hole."
                                          -- Pohl Longsine
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Friday 19 June 2009 04:40:59 Detlev Zundel wrote:
> > I was asked about relicensing U-Boot as GPLv3:
> >
> > From:    Richard Stallman <rms@gnu.org>
> > Subject: U-book and GPLv3?
> > To:      Wolfgang Denk <wd@denx.de>
> > Date:    Thu, 18 Jun 2009 09:17:28 -0400
> >
> >
> > I really enjoy the name U-boot.
> > What are the advantages of U-boot over PMON?
> >
> > Have you considered moving U-boot to "GPLv3-or-later"?
> >
> >
> > ----------
> >
> >
> >
> > I know that we have had similar discussions before (see for example
> > http://thread.gmane.org/gmane.comp.boot-loaders.u-boot/24029), but I
> > would like to take the chance and re-poll what the community's
> > opinion about this is.
>
> For what it's worth, I would appreciate moving to GPLv3.  Sparing
> details, my reasoning is the following.  Basically I think most people
> appreciate the GPL for what it means in pratical terms:
>
>     * the freedom to use the software for any purpose,
>     * the freedom to change the software to suit your needs,
>     * the freedom to share the software with your friends and neighbors,
>     * and
>     * the freedom to share the changes you make.
>
> Obviously the second item here will become void if vendor lockout of
> updates becomes common.  So what will be left of the essential freedoms?
> I can study the code, I can modify it, but I am not allowed to run it.
> Excellent.

and this is why i dislike the GPLv3.  the GPLv2 was all about the source, so 
the conversation between developers and everyone else was "you can take my 
source and modify it all you want, but i want to see the changes".  sounds 
fair.

GPLv3 (ignoring the fix for the loophole with web applications) adds *nothing* 
to this premise.  instead, it's used as an ideological club such that the 
conversation is now "i have all these ideas about how software should and 
shouldnt be utilized, so if you want to use my software, you too now have to 
subscribe to my way of thinking and you have to show me the changes".

so what does moving from GPLv2 to GPLv3 gain us in terms of protections ?  
nothing.  it does however allow us to restrict the people who want to use u-
boot to using it in only ways we've "blessed".  that's plain wrong in my eyes 
and none of our business in the first place.

> I think it is not a coincidence that devices which can be updated with
> arbitrary firmware sells pretty good in the meantime.   Who buys routers
> capable of running OpenWRT because of their original firmware?

then let your wallet/politicians do the talking.  i certainly do -- i avoid 
purchasing any music/games encumbered with DRM, or companies that employ such 
methods.  but i'm above going around and forcing people to think the way i do 
with licenses.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090625/22c99b2b/attachment.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Mike,

>> It is this "certification is only possible like we say" attitude which I
>> seriously question.
>
> whether you question this attitude doesnt matter.  you arent a lawyer in 
> general, you arent a lawyer for these companies, and you arent indemnifying 
> them.  their legal review says that it's a requirement, so it is now a 
> requirement for the software.  anything beyond that is irrelevant.

Now was this so hard?  This is actually an important fact that it is a
legal requirement for a company - thanks.

It was a pain to find out however.

>> It's not the first time I hear this mantra.  Can you give me some facts
>> to back this up?
>
> i dont know what kind of "facts" you're looking for.  i didnt make this 
> scenario up, it was described to me by a customer in the US and their 
> experience with Chinese cloners.  i'm not going to give customer information 
> or name names if that's what you want.

Well, the problem with "facts" is that I like them to be backed up.  I
don't know whether I should believe this mantra until I have seen actual
products and/or figures.  If you don't need this - fine, your choice.

It's like the "patents strengthen innovation" mantra.  Regardless that
there was no study to ever show such effect this was repeated over and
over.  People questioning it got "shut up" replies like you deal out.
Unfortunately recent studies show the opposite of the claim, no matter
how much the mantra is still repeated.

Cheers
  Detlev

-- 
"Oh, didn't you know, the Lord did the original programming of the universe in
COBOL." - "That's why the world is the evil work of Satan. A true divine being
would have used Scheme."  -  "And, if so, Jesus would have been crucified on a
big lambda symbol."  -- K. Chafin, K. Schilling & D. Hanley, on comp.lang.lisp
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Thursday 25 June 2009 10:20:47 Detlev Zundel wrote:
> >> It's not the first time I hear this mantra.  Can you give me some facts
> >> to back this up?
> >
> > i dont know what kind of "facts" you're looking for.  i didnt make this
> > scenario up, it was described to me by a customer in the US and their
> > experience with Chinese cloners.  i'm not going to give customer
> > information or name names if that's what you want.
>
> Well, the problem with "facts" is that I like them to be backed up.  I
> don't know whether I should believe this mantra until I have seen actual
> products and/or figures.  If you don't need this - fine, your choice.

well g'luck with that.  you're going to have to find a customer yourself or 
find someone who *hasnt* signed a NDA.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090625/52e32cad/attachment.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Mike,

>>> It is this "certification is only possible like we say" attitude which I
>>> seriously question.
>>
>> whether you question this attitude doesnt matter.  you arent a lawyer in 
>> general, you arent a lawyer for these companies, and you arent indemnifying 
>> them.  their legal review says that it's a requirement, so it is now a 
>> requirement for the software.  anything beyond that is irrelevant.
>
> Now was this so hard?  This is actually an important fact that it is a
> legal requirement for a company - thanks.

As a quick web research did not help, if this is a legal requirement,
then can you point me to the law which requires such a thing?

Thanks
  Detlev

-- 
["From 2.4 to 2.6 to 2.7" discussing release numbering of the Linux kernel]
Let the bike-shed-painting begin.
                                     -- Linus Torvalds 
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[ksi at koi8.net]

On Thu, 25 Jun 2009, Mike Frysinger wrote:

> On Wednesday 24 June 2009 20:59:11 Richard Stallman wrote:
> >     Embedded systems using core soc silicon from a number of
> manufacturers
> >     have started to use what is known as 'secure boot'. This is
> typically
> > the case in applications which utilise conditional access system
> software
> > to protect content. The emphasis on using secure boot is largely
> driven by
> > the conditional access industry itself.
> >
> > The principal purpose of these products is to restrict the public's
> > freedom.  So it is natural that their means involve restricting our
> > freedom too.
> 
> it sure is nice to make generalities as it makes your resulting argument
> so 
> much easier to digest.  the companies ive worked with could give two
> sh*ts 
> about end customers tinkering with their products.  they're interested
> in 
> keeping their product secure from other people in their respective
> industry 
> and from malicious tampering for regulation/safety purposes.

I would like to add that sometimes regulations EXPLICITELY require secure
boot. No product can be approved without it. And this does not have anything
to do with public's freedom. Just one example is gambling industry which I
happen to work right now. Nobody cares about cloning or public's freedom
here. What they care about is that nobody can cheat on those nice shiny
machines that sometimes let a lucky person to win a multimillion jackpot.

---
******************************************************************
*  KSI at home    KOI8 Net  < >  The impossible we do immediately.  *
*  Las Vegas   NV, USA   < >  Miracles require 24-hour notice.   *
******************************************************************

[U-Boot] U-book and GPLv3? (fwd)

[Jean-Christian de Rivaz]

ksi at koi8.net a ?crit :
> On Thu, 25 Jun 2009, Mike Frysinger wrote:
> 
>> On Wednesday 24 June 2009 20:59:11 Richard Stallman wrote:
>>> The principal purpose of these products is to restrict the public's
>>> freedom.  So it is natural that their means involve restricting our
>>> freedom too.
>> it sure is nice to make generalities as it makes your resulting argument
>> so 
>> much easier to digest.  the companies ive worked with could give two
>> sh*ts 
>> about end customers tinkering with their products.  they're interested
>> in 
>> keeping their product secure from other people in their respective
>> industry 
>> and from malicious tampering for regulation/safety purposes.
> 
> I would like to add that sometimes regulations EXPLICITELY require secure
> boot. No product can be approved without it. And this does not have anything
> to do with public's freedom. Just one example is gambling industry which I
> happen to work right now. Nobody cares about cloning or public's freedom
> here. What they care about is that nobody can cheat on those nice shiny
> machines that sometimes let a lucky person to win a multimillion jackpot.

Please point out precisely the regulations that require secure boot. 
Should be trivial as regulations are by definition public.

I failed to understand how a secure booted machine can be updated by the 
manufacturer to fix a bug for example, but not by a customer.

Regards,

Jean-Christian de Rivaz

[U-Boot] U-book and GPLv3? (fwd)

[ksi at koi8.net]

On Thu, 25 Jun 2009, Jean-Christian de Rivaz wrote:

> ksi at koi8.net a ?crit :
> > On Thu, 25 Jun 2009, Mike Frysinger wrote:
> > 
> > > On Wednesday 24 June 2009 20:59:11 Richard Stallman wrote:
> > > > The principal purpose of these products is to restrict the
> public's
> > > > freedom.  So it is natural that their means involve restricting
> our
> > > > freedom too.
> > > it sure is nice to make generalities as it makes your resulting
> argument
> > > so much easier to digest.  the companies ive worked with could give
> two
> > > sh*ts about end customers tinkering with their products.  they're
> > > interested
> > > in keeping their product secure from other people in their
> respective
> > > industry and from malicious tampering for regulation/safety
> purposes.
> > 
> > I would like to add that sometimes regulations EXPLICITELY require
> secure
> > boot. No product can be approved without it. And this does not have
> anything
> > to do with public's freedom. Just one example is gambling industry
> which I
> > happen to work right now. Nobody cares about cloning or public's
> freedom
> > here. What they care about is that nobody can cheat on those nice
> shiny
> > machines that sometimes let a lucky person to win a multimillion
> jackpot.
> 
> Please point out precisely the regulations that require secure boot.
> Should be
> trivial as regulations are by definition public.

Do you happen to know what "Google" is?

This is our Nevada regulations:

http://gaming.nv.gov/stats_regs.htm

> I failed to understand how a secure booted machine can be updated by the
> manufacturer to fix a bug for example, but not by a customer.

The manufacturer can _NOT_ update his machine at will. _EACH AND EVERY_
change goes through the same approval process.

And one more hint--external hackers is _NOT_ the primary concern here. The
most important task is to make cheating by casino _EMPLOYEES_ as difficult
as it's possible.

---
******************************************************************
*  KSI at home    KOI8 Net  < >  The impossible we do immediately.  *
*  Las Vegas   NV, USA   < >  Miracles require 24-hour notice.   *
******************************************************************

[U-Boot] U-book and GPLv3? (fwd)

[Chris Morgan]

On Wed, Jun 24, 2009 at 11:35 PM, Mike Frysinger<vapier@gentoo.org> wrote:
> On Wednesday 24 June 2009 20:59:47 Richard Stallman wrote:
>> ? ? ? their response is simply "fine, we'll move on to the next=
>> ? ? =20
>> ? ? guy who will satisfy our requirements".
>>
>> When people offer to use my programs if I relax the license
>> requirements, my respose to them is, "If you don't use my software,
>> that's your loss."
>
> feel free to go write your own bootloader then. ?or improve grub2 such that it
> can actually compete with u-boot. ?then you may make these statements all you
> like.
> -mike


These kind of snide comments don't address the point and it really
bugs me, just like the typical political response of "if you don't
like 'x' then move to another country".

Richard is simply explaining how he thinks and feels, his point of
view. Most people are aware that it is within their rights to
implement software as they so choose. Be confident enough in your
opinion and viewpoint to let others opinions stand without this kind
of nonsense.

Chris

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Thursday 25 June 2009 10:41:13 Detlev Zundel wrote:
> >>> It is this "certification is only possible like we say" attitude which
> >>> I seriously question.
> >>
> >> whether you question this attitude doesnt matter.  you arent a lawyer in
> >> general, you arent a lawyer for these companies, and you arent
> >> indemnifying them.  their legal review says that it's a requirement, so
> >> it is now a requirement for the software.  anything beyond that is
> >> irrelevant.
> >
> > Now was this so hard?  This is actually an important fact that it is a
> > legal requirement for a company - thanks.
>
> As a quick web research did not help, if this is a legal requirement,
> then can you point me to the law which requires such a thing?

nothing personal, but ...

(1) you still arent a lawyer
(2) i never said there was a law that stated this
(3) i did say "their legal team came to the conclusion that ..."

the law and your interpretation of it is irrelevant.  customers are viewing 
this as a requirement and thus it's the same thing.  if you think there is an 
image problem, then feel free to assist the GNU project in an "awareness" 
campaign.  i work in the practical realm.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090625/784173d9/attachment-0001.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Thomas Doerfler]

Hi,

since this threads gets more and more interesting, just a question out
of my curiosity:

which operating systems, that get typically booted using U-Boot are
already under GPL3?

I know that the license of the Boot Loader has nothing to do with the
license of the booted software, what is the "political benefit" to put
the boot loader under GPLv3, when the major OS of the software (e.g.
linux) are under GPLv2?

wkr,

Thomas Doerfler.

Wolfgang Denk schrieb:
> Hello,
> 
> I was asked about relicensing U-Boot as GPLv3:
> 
> ------- Forwarded Message
> 
> Date:    Thu, 18 Jun 2009 09:17:28 -0400
> From:    Richard Stallman <rms@gnu.org>
> To:      Wolfgang Denk <wd@denx.de>
> Subject: U-book and GPLv3?
> 
> I really enjoy the name U-boot.
> What are the advantages of U-boot over PMON?
> 
> Have you considered moving U-boot to "GPLv3-or-later"?
> 
> 
> ------- End of Forwarded Message
> 
> 
> I know that we have had similar discussions before (see for example
> http://thread.gmane.org/gmane.comp.boot-loaders.u-boot/24029), but I
> would like to take the chance and re-poll what the community's
> opinion about this is.
> 
> Comments welcome...
> 
> [I intend to summarize and send this summary to RMS and post it here.]
> 
> Best regards,
> 
> Wolfgang Denk
> 


-- 
--------------------------------------------
Embedded Brains GmbH
Thomas Doerfler           Obere Lagerstr. 30
D-82178 Puchheim          Germany
email: Thomas.Doerfler at embedded-brains.de
Phone: +49-89-18908079-2
Fax:   +49-89-18908079-9

[U-Boot] U-book and GPLv3? (fwd)

[ksi at koi8.net]

On Thu, 25 Jun 2009, Thomas Doerfler wrote:

> Hi,
> 
> since this threads gets more and more interesting, just a question out
> of my curiosity:
> 
> which operating systems, that get typically booted using U-Boot are
> already under GPL3?
> 
> I know that the license of the Boot Loader has nothing to do with the
> license of the booted software, what is the "political benefit" to put
> the boot loader under GPLv3, when the major OS of the software (e.g.
> linux) are under GPLv2?

There is none. It is plain and simple case of paranoia that begs for
clinical treatment.

---
******************************************************************
*  KSI at home    KOI8 Net  < >  The impossible we do immediately.  *
*  Las Vegas   NV, USA   < >  Miracles require 24-hour notice.   *
******************************************************************

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Thursday 25 June 2009 14:46:10 Thomas Doerfler wrote:
> which operating systems, that get typically booted using U-Boot are
> already under GPL3?
>
> I know that the license of the Boot Loader has nothing to do with the
> license of the booted software, what is the "political benefit" to put
> the boot loader under GPLv3, when the major OS of the software (e.g.
> linux) are under GPLv2?

typically the operating systems that u-boot would load are in the opposite 
licensing direction, i.e. BSD or commercial variants none of which require 
releasing any real details let alone restrict usage.  i'm not aware of any OS 
that is under the GPL-3.  ironically, it seems even GNU/Hurd is GPL-2.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090625/efef3b6b/attachment.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Jean-Christian de Rivaz]

ksi at koi8.net a ?crit :
>> Please point out precisely the regulations that require secure boot.
>> Should be
>> trivial as regulations are by definition public.
> 
> Do you happen to know what "Google" is?

Yes, thanks :-)

For example this document have the term "secure boot":
http://www.dcg.virginia.gov/supplier/sup-rules/standards.shtm
The wording is this one:
"D. Electronic Bingo
[...]
3.
[...] Security measures that may be employed to comply with these
provisions include, but are not limited to the use of dongles, digital
signature comparison hardware and software; secure boot loaders,
encryption, and key and callback password systems."

The term "secure boot" is listed as a possibility, not as a requirement.

Now I don't have the time to parse every possible document that Google
propose. This is why I politely ask a precise example, as I was under
the impression that some peoples know very well this subject.

> This is our Nevada regulations:
> 
> http://gaming.nv.gov/stats_regs.htm

I don't have the time to parse all the documents listed at this URL, but
I downloaded the one I suspect is the more relevant:
http://gaming.nv.gov/stats_regs/reg14_tech_stnds.pdf
And I cannot found "secure boot" into it.

>> I failed to understand how a secure booted machine can be updated by the
>> manufacturer to fix a bug for example, but not by a customer.
> 
> The manufacturer can _NOT_ update his machine at will. _EACH AND EVERY_
> change goes through the same approval process.

Still, technically the hardware have only two possibility:
1) it can be reprogrammed.
2) it can't be reprogrammed.

If 1), I dont' see how the a boot loader can't be replaced by a less
secure one and let boot anything.

if 2), there is not point as nobody can possibly make any update, so the
firmware don't have to be secured.

Regards,

Jean-Christian de Rivaz

[U-Boot] U-book and GPLv3? (fwd)

[Scott Wood]

On Thu, Jun 25, 2009 at 12:48:12PM -0400, Chris Morgan wrote:
> These kind of snide comments don't address the point and it really
> bugs me, just like the typical political response of "if you don't
> like 'x' then move to another country".

Actually, it's more like repeatedly telling a telemarketer, "Sorry, I'm
not interested."

-Scott

[U-Boot] U-book and GPLv3? (fwd)

[ksi at koi8.net]

On Thu, 25 Jun 2009, Jean-Christian de Rivaz wrote:

> ksi at koi8.net a ?crit :
> > > Please point out precisely the regulations that require secure boot.
> > > Should be
> > > trivial as regulations are by definition public.
> > 
> > Do you happen to know what "Google" is?
> 
> Yes, thanks :-)
> 
> For example this document have the term "secure boot":
> http://www.dcg.virginia.gov/supplier/sup-rules/standards.shtm
> The wording is this one:
> "D. Electronic Bingo
> [...]
> 3.
> [...] Security measures that may be employed to comply with these
> provisions include, but are not limited to the use of dongles, digital
> signature comparison hardware and software; secure boot loaders,
> encryption, and key and callback password systems."
> 
> The term "secure boot" is listed as a possibility, not as a requirement.
> 
> Now I don't have the time to parse every possible document that Google
> propose. This is why I politely ask a precise example, as I was under
> the impression that some peoples know very well this subject.
>
> > This is our Nevada regulations:
> > 
> > http://gaming.nv.gov/stats_regs.htm
> 
> I don't have the time to parse all the documents listed at this URL, but
> I downloaded the one I suspect is the more relevant:
> http://gaming.nv.gov/stats_regs/reg14_tech_stnds.pdf
> And I cannot found "secure boot" into it.

Are you looking for a precise phrase?

> > > I failed to understand how a secure booted machine can be updated by
> the
> > > manufacturer to fix a bug for example, but not by a customer.
> > 
> > The manufacturer can _NOT_ update his machine at will. _EACH AND
> EVERY_
> > change goes through the same approval process.
> 
> Still, technically the hardware have only two possibility:
> 1) it can be reprogrammed.
> 2) it can't be reprogrammed.
> 
> If 1), I dont' see how the a boot loader can't be replaced by a less
> secure one and let boot anything.
> 
> if 2), there is not point as nobody can possibly make any update, so the
> firmware don't have to be secured.

You are trying to make sense out of the regulations. It doesn't work this
way. If regulations say "one must use a screwdriver with a red handle on
this screw" one must use the red screwdriver. No matter if it makes sense or
not. If you feel it's bullshit you should fight for the regulation to change
that is a very long (years, not months) and very difficult process. In the
meantime you _MUST_ use that red screwdriver.

Then you should read not only technical part but also a procedural one on
how approvals are given. You must persuade the Commision to give you an
approval. And they give them at their discretion. And you can NOT sue them.

Finally don't forget that your employees all want to get their salary paid
and that comes from your business revenues. No approval == No business. Good
luck fighting regulations.

---
******************************************************************
*  KSI at home    KOI8 Net  < >  The impossible we do immediately.  *
*  Las Vegas   NV, USA   < >  Miracles require 24-hour notice.   *
******************************************************************

[U-Boot] U-book and GPLv3? (fwd)

[Scott Wood]

On Thu, Jun 25, 2009 at 08:30:29AM -0400, Richard Stallman wrote:
> 
>     > You have a strange definition of freedom - for you it is limited to the
>     > provider of the devices not to the users of the devices.  I guess this
>     > is what this all boils down to.
> 
>     No, it is "let the device providers and the users who have *chosen* to 
>     use those devices sort it out themselves, *I'm* not restricting anyone".
> 
> More precisely stated, it's "I'm not restricting anyone, and if
> someone else is, I don't care."  The difference here is between
> defending freedom and standing aside while it gets lost.

Not "I don't care", but "I have different ideas of what constitutes
unreasonable restriction", or possibly "I don't want to use this
particular means to address it because it has other harmful effects".

> Leaving the powerful few and the weak divided many to "sort it out" is
> predictably likely to lead to bad results.  (That is why consumer
> protection law exists -- because a market without regulation is
> dangerous.  This is also why financial industry regulation exists, and
> if the powerful had not sabotaged it, we wouldn't have the current
> economic downturn.)

Sure.  That doesn't mean that every specific regulation is automatically
good.

-Scott

[U-Boot] U-book and GPLv3? (fwd)

[Jean-Christian de Rivaz]

ksi at koi8.net a ?crit :
> On Thu, 25 Jun 2009, Jean-Christian de Rivaz wrote:
> 
>> ksi at koi8.net a ?crit :
>>>> Please point out precisely the regulations that require secure boot.
>>>> Should be
>>>> trivial as regulations are by definition public.
>>> Do you happen to know what "Google" is?
>> Yes, thanks :-)
>>
>> For example this document have the term "secure boot":
>> http://www.dcg.virginia.gov/supplier/sup-rules/standards.shtm
>> The wording is this one:
>> "D. Electronic Bingo
>> [...]
>> 3.
>> [...] Security measures that may be employed to comply with these
>> provisions include, but are not limited to the use of dongles, digital
>> signature comparison hardware and software; secure boot loaders,
>> encryption, and key and callback password systems."
>>
>> The term "secure boot" is listed as a possibility, not as a requirement.
>>
>> Now I don't have the time to parse every possible document that Google
>> propose. This is why I politely ask a precise example, as I was under
>> the impression that some peoples know very well this subject.
>>
>>> This is our Nevada regulations:
>>>
>>> http://gaming.nv.gov/stats_regs.htm
>> I don't have the time to parse all the documents listed at this URL, but
>> I downloaded the one I suspect is the more relevant:
>> http://gaming.nv.gov/stats_regs/reg14_tech_stnds.pdf
>> And I cannot found "secure boot" into it.
> 
> Are you looking for a precise phrase?

I want to look deeper into the subject. I think that if a regulation
make a technical point as a requirement, then it must more or less
describe the technical point so that it can be implemented is a way it
work as expected. As an engineer, I think that a "secure boot" is only a
buzz word: if the system can be physically modified, it can't be
secured. If it can't be physically modified, then you don't need a
secure boot.

>>>> I failed to understand how a secure booted machine can be updated by
>> the
>>>> manufacturer to fix a bug for example, but not by a customer.
>>> The manufacturer can _NOT_ update his machine at will. _EACH AND
>> EVERY_
>>> change goes through the same approval process.
>> Still, technically the hardware have only two possibility:
>> 1) it can be reprogrammed.
>> 2) it can't be reprogrammed.
>>
>> If 1), I dont' see how the a boot loader can't be replaced by a less
>> secure one and let boot anything.
>>
>> if 2), there is not point as nobody can possibly make any update, so the
>> firmware don't have to be secured.
> 
> You are trying to make sense out of the regulations. It doesn't work this
> way. If regulations say "one must use a screwdriver with a red handle on
> this screw" one must use the red screwdriver. No matter if it makes sense or
> not. If you feel it's bullshit you should fight for the regulation to change
> that is a very long (years, not months) and very difficult process. In the
> meantime you _MUST_ use that red screwdriver.
> 
> Then you should read not only technical part but also a procedural one on
> how approvals are given. You must persuade the Commision to give you an
> approval. And they give them at their discretion. And you can NOT sue them.

In this second part, I don't make reference to regulation. I only talk
about the technical problem of reprogramming a system.

> Finally don't forget that your employees all want to get their salary paid
> and that comes from your business revenues. No approval == No business. Good
> luck fighting regulations.

Why do you think I want to fight regulation ? I actually be more
concerned about understanding how a proprietary hidden piece of code
into u-boot can possibly make a system satisfy a security regulation.

Regards,

Jean-Christian de Rivaz

[U-Boot] U-book and GPLv3? (fwd)

[ksi at koi8.net]

On Thu, 25 Jun 2009, Jean-Christian de Rivaz wrote:

> ksi at koi8.net a ?crit :
> > On Thu, 25 Jun 2009, Jean-Christian de Rivaz wrote:
> > 
> > > ksi at koi8.net a ?crit :
> > > > > Please point out precisely the regulations that require secure
> boot.
> > > > > Should be
> > > > > trivial as regulations are by definition public.
> > > > Do you happen to know what "Google" is?
> > > Yes, thanks :-)
> > > 
> > > For example this document have the term "secure boot":
> > > http://www.dcg.virginia.gov/supplier/sup-rules/standards.shtm
> > > The wording is this one:
> > > "D. Electronic Bingo
> > > [...]
> > > 3.
> > > [...] Security measures that may be employed to comply with these
> > > provisions include, but are not limited to the use of dongles,
> digital
> > > signature comparison hardware and software; secure boot loaders,
> > > encryption, and key and callback password systems."
> > > 
> > > The term "secure boot" is listed as a possibility, not as a
> requirement.
> > > 
> > > Now I don't have the time to parse every possible document that
> Google
> > > propose. This is why I politely ask a precise example, as I was
> under
> > > the impression that some peoples know very well this subject.
> > > 
> > > > This is our Nevada regulations:
> > > > 
> > > > http://gaming.nv.gov/stats_regs.htm
> > > I don't have the time to parse all the documents listed at this URL,
> but
> > > I downloaded the one I suspect is the more relevant:
> > > http://gaming.nv.gov/stats_regs/reg14_tech_stnds.pdf
> > > And I cannot found "secure boot" into it.
> > 
> > Are you looking for a precise phrase?
> 
> I want to look deeper into the subject. I think that if a regulation
> make a technical point as a requirement, then it must more or less
> describe the technical point so that it can be implemented is a way it
> work as expected. As an engineer, I think that a "secure boot" is only a
> buzz word: if the system can be physically modified, it can't be
> secured. If it can't be physically modified, then you don't need a
> secure boot.

It is not just technical measures; it is a complex of them and different
operating procedures.

When you hit a jackpot the machine should be immediately stopped (hang) in
that state and nobody should touch it. Then a controller comes into the
scene. He pulls all the EPROM chips from the machine and checks them with
MD5 or whatever is approved and checks every single piece of programmable
hardware with some procedure approved for this particular model. That would
not prevent a cheating casino employee from replacing some EPROM chip (or
whatever) with his own one but it will NOT allow for stuffing the original
one back once the jackpot is hit so the cheating will be detected.

That's only one example...

> > > > > I failed to understand how a secure booted machine can be
> updated by
> > > the
> > > > > manufacturer to fix a bug for example, but not by a customer.
> > > > The manufacturer can _NOT_ update his machine at will. _EACH AND
> > > EVERY_
> > > > change goes through the same approval process.
> > > Still, technically the hardware have only two possibility:
> > > 1) it can be reprogrammed.
> > > 2) it can't be reprogrammed.
> > > 
> > > If 1), I dont' see how the a boot loader can't be replaced by a less
> > > secure one and let boot anything.
> > > 
> > > if 2), there is not point as nobody can possibly make any update, so
> the
> > > firmware don't have to be secured.
> > 
> > You are trying to make sense out of the regulations. It doesn't work
> this
> > way. If regulations say "one must use a screwdriver with a red handle
> on
> > this screw" one must use the red screwdriver. No matter if it makes
> sense or
> > not. If you feel it's bullshit you should fight for the regulation to
> change
> > that is a very long (years, not months) and very difficult process. In
> the
> > meantime you _MUST_ use that red screwdriver.
> > 
> > Then you should read not only technical part but also a procedural one
> on
> > how approvals are given. You must persuade the Commision to give you
> an
> > approval. And they give them at their discretion. And you can NOT sue
> them.
> 
> In this second part, I don't make reference to regulation. I only talk
> about the technical problem of reprogramming a system.

Ah, that's absolutely orthogonal issue... We do NOT do something stupid from
engineering standpoint because it makes sense (and quite often it doesn't)
but because the regulations and the Commission's understanding of them
requires that.

Yes, many of those are stupid and outdated but they do a good job anyways;
there is not that much cheating in our casinos.

> > Finally don't forget that your employees all want to get their salary
> paid
> > and that comes from your business revenues. No approval == No
> business. Good
> > luck fighting regulations.
> 
> Why do you think I want to fight regulation ? I actually be more
> concerned about understanding how a proprietary hidden piece of code
> into u-boot can possibly make a system satisfy a security regulation.

It is not just hardware/software. The latter is only a part of solution. It
is NOT the machine that pays that jackpot, it is real humans. There is no
way to make the system unbreakable and impossible to cheat on. That's why an
additional layer of security is being able to DETECT that system had been
cheated on.

---
******************************************************************
*  KSI at home    KOI8 Net  < >  The impossible we do immediately.  *
*  Las Vegas   NV, USA   < >  Miracles require 24-hour notice.   *
******************************************************************

[U-Boot] U-book and GPLv3? (fwd)

[Jean-Christophe PLAGNIOL-VILLARD]

On 20:59 Wed 24 Jun     , Richard Stallman wrote:
>     I can assure you that today If we switch the V2 to the v3 we will lose a lot of
>     customers
> 
> Are the users of U-Boot usually customers?  That term normally refers
> to people that buy a commercial product or service.
This where I disagree my customer are firm that will hire me or buy me
something too. In this case the firm can require for their business secure boot.
You only see the one part of the business and the world.
> 
>     And force to give the private key which use to sign the code is not reallist
>     it's a security flaw
> 
> I have a computer on which I can install any code I choose.
> I don't think that is a security flaw.
For your personnal computer fine, but all products will not have the same
requirements or targets.
> 
> On the contrary, if only one company can install a new version, that
> is a grave security flaw for me as a user.
If I use a GPLv3 bootloader in a medical tool, a car, Point of payment terminal,
Military System, etc... it is a grave security flaw.
I'm not sure that you will be very happy if someone can modify the Firmware
freely. As you may loose money to be killed and at the extrem kill millions
of people.

I do not think the v3 is a benefit. I'll never accept the concept to an
opensource licence that will force me to use a software in a specific way that
someone will choose for me as do the v3. It will be freedom kill.

Here you try to restrict people freedom because you do not like what they do.
It will result as the same as live in jail.

Please remember I can create what product I want with opensource component
I'm free to do it If I accept the fact ot reverse code to the community or at
least to your customer.

I think you take the problem in the wrong way. You want to be able to do what
you want with your hardware fine so do not buy non upgradable hardware.
Help people as I to convince firm to develop - when it's possible - full
opensource product as the openmoko, beagle project etc...

In this case it will be a win-win in the otherway it's extremist, business and
freedom kill

In France we have this
"la libert? de chacun s'arrete ou celle d'autrui commence"
you can transalte by something like this
Your freedom will stop where the freedom of someone else will start

So the GPLv3 no

Best Regards,
J.

[U-Boot] U-book and GPLv3? (fwd)

[Jean-Christian de Rivaz]

ksi at koi8.net a ?crit :
>>>> I downloaded the one I suspect is the more relevant:
>>>> http://gaming.nv.gov/stats_regs/reg14_tech_stnds.pdf
>>>> And I cannot found "secure boot" into it.
>>> Are you looking for a precise phrase?
>> I want to look deeper into the subject. I think that if a regulation
>> make a technical point as a requirement, then it must more or less
>> describe the technical point so that it can be implemented is a way it
>> work as expected. As an engineer, I think that a "secure boot" is only a
>> buzz word: if the system can be physically modified, it can't be
>> secured. If it can't be physically modified, then you don't need a
>> secure boot.
> 
> It is not just technical measures; it is a complex of them and different
> operating procedures.

Yes, I known that. But here we specifically talk about u-boot. You still 
failed to show a description of how u-boot can be modified to secure a 
system and why this must be a hidden proprietary code.

>>>>>> I failed to understand how a secure booted machine can be
>> updated by
>>>> the
>>>>>> manufacturer to fix a bug for example, but not by a customer.
>>>>> The manufacturer can _NOT_ update his machine at will. _EACH AND
>>>> EVERY_
>>>>> change goes through the same approval process.
>>>> Still, technically the hardware have only two possibility:
>>>> 1) it can be reprogrammed.
>>>> 2) it can't be reprogrammed.
>>>>
>>>> If 1), I dont' see how the a boot loader can't be replaced by a less
>>>> secure one and let boot anything.
>>>>
>>>> if 2), there is not point as nobody can possibly make any update, so
>> the
>>>> firmware don't have to be secured.
[...]
> Ah, that's absolutely orthogonal issue... We do NOT do something stupid from
> engineering standpoint because it makes sense (and quite often it doesn't)
> but because the regulations and the Commission's understanding of them
> requires that.
> 
> Yes, many of those are stupid and outdated but they do a good job anyways;
> there is not that much cheating in our casinos.

You seem to agree that a "secure boot" is maybe not more that only a 
marketing word...

[...]
>> Why do you think I want to fight regulation ? I actually be more
>> concerned about understanding how a proprietary hidden piece of code
>> into u-boot can possibly make a system satisfy a security regulation.
> 
> It is not just hardware/software. The latter is only a part of solution. It
> is NOT the machine that pays that jackpot, it is real humans. There is no
> way to make the system unbreakable and impossible to cheat on. That's why an
> additional layer of security is being able to DETECT that system had been
> cheated on.

So why using open source at all if you think that hidden code is a way 
to make a system more secure ? It highly not consistent !

Regards,

Jean-Christian de Rivaz

[U-Boot] U-book and GPLv3? (fwd)

[ksi at koi8.net]

On Thu, 25 Jun 2009, Jean-Christian de Rivaz wrote:

> ksi at koi8.net a ?crit :
> > > > > I downloaded the one I suspect is the more relevant:
> > > > > http://gaming.nv.gov/stats_regs/reg14_tech_stnds.pdf
> > > > > And I cannot found "secure boot" into it.
> > > > Are you looking for a precise phrase?
> > > I want to look deeper into the subject. I think that if a regulation
> > > make a technical point as a requirement, then it must more or less
> > > describe the technical point so that it can be implemented is a way
> it
> > > work as expected. As an engineer, I think that a "secure boot" is
> only a
> > > buzz word: if the system can be physically modified, it can't be
> > > secured. If it can't be physically modified, then you don't need a
> > > secure boot.
> > 
> > It is not just technical measures; it is a complex of them and
> different
> > operating procedures.
> 
> Yes, I known that. But here we specifically talk about u-boot. You still
> failed to show a description of how u-boot can be modified to secure a
> system
> and why this must be a hidden proprietary code.
> 
> > > > > > > I failed to understand how a secure booted machine can be
> > > updated by
> > > > > the
> > > > > > > manufacturer to fix a bug for example, but not by a
> customer.
> > > > > > The manufacturer can _NOT_ update his machine at will. _EACH
> AND
> > > > > EVERY_
> > > > > > change goes through the same approval process.
> > > > > Still, technically the hardware have only two possibility:
> > > > > 1) it can be reprogrammed.
> > > > > 2) it can't be reprogrammed.
> > > > > 
> > > > > If 1), I dont' see how the a boot loader can't be replaced by a
> less
> > > > > secure one and let boot anything.
> > > > > 
> > > > > if 2), there is not point as nobody can possibly make any
> update, so
> > > the
> > > > > firmware don't have to be secured.
> [...]
> > Ah, that's absolutely orthogonal issue... We do NOT do something
> stupid from
> > engineering standpoint because it makes sense (and quite often it
> doesn't)
> > but because the regulations and the Commission's understanding of them
> > requires that.
> > 
> > Yes, many of those are stupid and outdated but they do a good job
> anyways;
> > there is not that much cheating in our casinos.
> 
> You seem to agree that a "secure boot" is maybe not more that only a
> marketing
> word...

No, this does not have the same strict meaning as "#6-32x1/2" slotted head
steel zinc plated machine screw." It is a set of different features. Here
is e.g. a Freescale's whitepaper on one of their SoCs:

http://www.freescale.com/files/32bit/doc/white_paper/IMX31SECURITYWP.pdf

> [...]
> > > Why do you think I want to fight regulation ? I actually be more
> > > concerned about understanding how a proprietary hidden piece of code
> > > into u-boot can possibly make a system satisfy a security
> regulation.
> > 
> > It is not just hardware/software. The latter is only a part of
> solution. It
> > is NOT the machine that pays that jackpot, it is real humans. There is
> no
> > way to make the system unbreakable and impossible to cheat on. That's
> why an
> > additional layer of security is being able to DETECT that system had
> been
> > cheated on.
> 
> So why using open source at all if you think that hidden code is a way
> to make
> a system more secure ? It highly not consistent !

Who is talking about hidden code? It can be open source. And quite often it
is. And most of that code, BTW, is written by the people who are paid to do
it. If you want to make us drop U-Boot and write our own firmware no
problems, that's just additional job security for us. But don't expect all
those people to do anything on U-Boot and forget about their contributions.

---
******************************************************************
*  KSI at home    KOI8 Net  < >  The impossible we do immediately.  *
*  Las Vegas   NV, USA   < >  Miracles require 24-hour notice.   *
******************************************************************

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    - automotive control units: Think about cars being on the highway with
    many fancy features built into their electronics (from their owners),
    which unfortunately are a security risk for the owner and others on the
    road.

I don't think cars depend on software for safety as such.  If a
computer breaks down, the engine mail run badly -- but if you run
out of gas, it might stop entirely.  You can still steer the car.

If someday cars do have computers whose proper functioning is
necessary for safety, we could use airplanes as a policy example.  If
you own a small plane, you are free to change it, but you need to get
the change inspectied for airworthiness.

    - medical equipment: Think what nice features could be implemented into
    these many machines located in the emergency room... Accessible to any
    person who comes by.

Being free to change your copy of a program does not mean you must let
anyone and everyone change your copy.  For instance, the code on my
netbook is all free software, but it is not generally accessible to
anyone but me.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

      if the GNU project wants people to use the GPLv3 and people have
    a perception of it being crap, then it's their problem to address
    it.

I don't think there is much danger of that.  Many software packages
use GPLv3 and are appreciated by many users.

But there is a deeper point to make.  The substance of what we do is
our own responsibility, but others' "perception" of it is more
directly their responsibility than ours.  When we face an ethical
issue, we should think about what is right and then do it.  We should
not back down merely because of disparagement from those who disagree.

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Thursday 25 June 2009 19:29:47 Richard Stallman wrote:
>       if the GNU project wants people to use the GPLv3 and people have
>     a perception of it being crap, then it's their problem to address
>     it.
>
> I don't think there is much danger of that.  Many software packages
> use GPLv3 and are appreciated by many users.
>
> But there is a deeper point to make.  The substance of what we do is
> our own responsibility, but others' "perception" of it is more
> directly their responsibility than ours.  When we face an ethical
> issue, we should think about what is right and then do it.  We should
> not back down merely because of disparagement from those who disagree.

then i guess since u-boot is already doing what is right, this thread is a big 
waste of time
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090625/f02f10fd/attachment.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Thursday 25 June 2009 19:29:26 Richard Stallman wrote:
>     - automotive control units: Think about cars being on the highway with
>     many fancy features built into their electronics (from their owners),
>     which unfortunately are a security risk for the owner and others on the
>     road.
>
> I don't think cars depend on software for safety as such.  If a
> computer breaks down, the engine mail run badly -- but if you run
> out of gas, it might stop entirely.  You can still steer the car.
>
> If someday cars do have computers whose proper functioning is
> necessary for safety, we could use airplanes as a policy example.  If
> you own a small plane, you are free to change it, but you need to get
> the change inspectied for airworthiness.

this is pure wishful thinking.  people personally modifying software in their 
car are not going to go get it recertified.

>     - medical equipment: Think what nice features could be implemented into
>     these many machines located in the emergency room... Accessible to any
>     person who comes by.
>
> Being free to change your copy of a program does not mean you must let
> anyone and everyone change your copy.  For instance, the code on my
> netbook is all free software, but it is not generally accessible to
> anyone but me.

none of your scenarios are applicable to the issues Thomas raised.  public 
safety is significantly more important than a handful of hackers here.  i'm 
not going to knowingly subject myself to a medical device that emits radiation 
(e.g. x-ray machine) that allows anyone to modify it.  that sucker had better 
be locked down to prevent any uncertified (e.g. signed) software 
modifications.  companies that have access to the hardware capabilities to 
prevent this (i.e. secure boot) and dont implement it are blatantly negligent.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090625/e9607ee3/attachment.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    I would like to add that sometimes regulations EXPLICITELY require secure
    boot. No product can be approved without it. And this does not have anything
    to do with public's freedom. Just one example is gambling industry which I
    happen to work right now.

Gambling machines for casinos are not consumer products, so GPLv3's
requirement to deliver installation information does not apply to
them.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    If I use a GPLv3 bootloader in a medical tool, a car, Point of payment terminal,
    Military System, etc... it is a grave security flaw.
    I'm not sure that you will be very happy if someone can modify the Firmware
    freely. As you may loose money to be killed and at the extrem kill millions
    of people.

There is no need to exaggerate.  Millions of people modify cars
physically, and it is not a dangerous practice.

If you buy a car, or a medical tool for my own use, you deserve to be able
to change the software in it, just as you can change it physically.

The other systems that you speak of are not consumer products, so this
requirement in GPLv3 does not apply to them.

    I do not think the v3 is a benefit. I'll never accept the concept to an
    opensource licence that will force me to use a software in a specific way that
    someone will choose for me as do the v3. It will be freedom kill.

You seem to be worried about something you haven't described clearly.
I think you're afraid of shadows, but since you have not described
them clearly, I really don't know.

All I can say is that no version of the GPL was meant to be an open
source license.  Thinking of it in terms of "open source" will tend to
be an obstacle to understanding it.

[U-Boot] U-book and GPLv3? (fwd)

[Thomas Doerfler]

Richard,

Richard Stallman wrote:
>     - automotive control units: Think about cars being on the highway with
>     many fancy features built into their electronics (from their owners),
>     which unfortunately are a security risk for the owner and others on the
>     road.
> 
> I don't think cars depend on software for safety as such.  If a
> computer breaks down, the engine mail run badly -- but if you run
> out of gas, it might stop entirely.  You can still steer the car.

You are only concentrating on the motor control. I am not sure about the
technical skill of the American automotive industry (grin, grin), but at
least in Europe SOME cars already have some safety functions based on
computer systems for good reason.

> 
> If someday cars do have computers whose proper functioning is
> necessary for safety, we could use airplanes as a policy example.  If
> you own a small plane, you are free to change it, but you need to get
> the change inspectied for airworthiness.

Right. The car owner must. But what happens if he doesn't? After a major
accident, will the lawyers really sue the car owner? Or the company who
let the car owner tinker around in the ECU?

Keep in mind that for most car owners, it is much easier to understand
the safety aspects of a  mechanical modification of the car than all
safety aspects of a SW modification.
> 
>     - medical equipment: Think what nice features could be implemented into
>     these many machines located in the emergency room... Accessible to any
>     person who comes by.
> 
> Being free to change your copy of a program does not mean you must let
> anyone and everyone change your copy.  For instance, the code on my
> netbook is all free software, but it is not generally accessible to
> anyone but me.

Just out of curiousity: Which percentage of that SW is already GPLv3?

wkr,
Thomas.

> 


-- 

--------------------------------------------
Embedded Brains GmbH
Thomas Doerfler        Obere Lagerstrasse 30
D-82178 Puchheim       Germany
email: Thomas.Doerfler at embedded-brains.de
Phone: +49-89-18908079-2
Fax:   +49-89-18908079-9

[U-Boot] U-book and GPLv3? (fwd)

[Jean-Christophe PLAGNIOL-VILLARD]

On 00:50 Fri 26 Jun     , Richard Stallman wrote:
>     If I use a GPLv3 bootloader in a medical tool, a car, Point of payment terminal,
>     Military System, etc... it is a grave security flaw.
>     I'm not sure that you will be very happy if someone can modify the Firmware
>     freely. As you may loose money to be killed and at the extrem kill millions
>     of people.
> 
> There is no need to exaggerate.  Millions of people modify cars
> physically, and it is not a dangerous practice.
It is.
> 
> If you buy a car, or a medical tool for my own use, you deserve to be able
> to change the software in it, just as you can change it physically.

Certanly not when you use your car your are also on the public domain (road)
so it your car have a system faillure you can kill yourself and kill other
people. Remember that you are not allow to modify your car as your wish there
is law that will forbiden you to do this in a lot' of country.
> 
> The other systems that you speak of are not consumer products, so this
> requirement in GPLv3 does not apply to them.
in a Point of payment terminal it does not apply are sure?
There are distributed to storekeeper and you use your credit card in there
shop. So in your idea they modify it and if they stole your credit card number
and secret code and then stole your money. No Way
> 
>     I do not think the v3 is a benefit. I'll never accept the concept to an
>     opensource licence that will force me to use a software in a specific way that
>     someone will choose for me as do the v3. It will be freedom kill.
> 
> You seem to be worried about something you haven't described clearly.
> I think you're afraid of shadows, but since you have not described
> them clearly, I really don't know.
as example with the v3 you force me to give you my private key that I use
to protect the product this is not acceptable
> 
> All I can say is that no version of the GPL was meant to be an open
> source license.  Thinking of it in terms of "open source" will tend to
> be an obstacle to understanding it.
Sorry you only think about yourself and your interest, I respect the GPLv2 and
the work have been done around. But the GPLv3 is an extremism that I do not
want to go.

Best Regards,
J.

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Mike,

> On Thursday 25 June 2009 10:41:13 Detlev Zundel wrote:
>> >>> It is this "certification is only possible like we say" attitude which
>> >>> I seriously question.
>> >>
>> >> whether you question this attitude doesnt matter.  you arent a lawyer in
>> >> general, you arent a lawyer for these companies, and you arent
>> >> indemnifying them.  their legal review says that it's a requirement, so
>> >> it is now a requirement for the software.  anything beyond that is
>> >> irrelevant.
>> >
>> > Now was this so hard?  This is actually an important fact that it is a
>> > legal requirement for a company - thanks.
>>
>> As a quick web research did not help, if this is a legal requirement,
>> then can you point me to the law which requires such a thing?
>
> nothing personal, but ...
>
> (1) you still arent a lawyer
> (2) i never said there was a law that stated this
> (3) i did say "their legal team came to the conclusion that ..."
>
> the law and your interpretation of it is irrelevant.

Wow, the law is irrelevant.  I give up.  You repeatedly claim stuff
without backing anything up.  There is nothing more I can gain from this
discussion, so I let it rest.

Cheers
  Detlev

-- 
Deutsches Grundgesetz Artikel 14 Absatz 2:
Eigentum verpflichtet. Sein Gebrauch soll zugleich dem Wohle der
Allgemeinheit dienen.
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi,

> On Thursday 25 June 2009 10:20:47 Detlev Zundel wrote:
>> >> It's not the first time I hear this mantra.  Can you give me some facts
>> >> to back this up?
>> >
>> > i dont know what kind of "facts" you're looking for.  i didnt make this
>> > scenario up, it was described to me by a customer in the US and their
>> > experience with Chinese cloners.  i'm not going to give customer
>> > information or name names if that's what you want.
>>
>> Well, the problem with "facts" is that I like them to be backed up.  I
>> don't know whether I should believe this mantra until I have seen actual
>> products and/or figures.  If you don't need this - fine, your choice.
>
> well g'luck with that.  you're going to have to find a customer yourself or 
> find someone who *hasnt* signed a NDA.

...
n  ) Proof by intimidation
n+1) Proof by vigorous handwaving
n+2) Proof by obfuscation
n+3) Proof by wishful citation
n+4) Proof by vehement assertion
n+5) Proof not available without NDA

Now, wait a minute, I think we have an original new entry here to this
list ;)

Cheers
  Detlev

-- 
F?r jemanden, der in eine Religion geboren wurde, in der das Ringen um eine
einzige Seele ein Stafettenlauf ?ber viele Jahrhunderte sein kann [..], hat
das Tempo des Christentums etwas Schwindelerregendes.   Wenn der Hinduismus
friedlich dahinflie?t wie der Ganges,  dann ist das  Christentum Toronto in
der Rushhour.                        -- Yann Martel
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Jean-Christian de Rivaz]

ksi at koi8.net a ?crit :
>>> Ah, that's absolutely orthogonal issue... We do NOT do something
>> stupid from
>>> engineering standpoint because it makes sense (and quite often it
>> doesn't)
>>> but because the regulations and the Commission's understanding of them
>>> requires that.
>>>
>>> Yes, many of those are stupid and outdated but they do a good job
>> anyways;
>>> there is not that much cheating in our casinos.
>> You seem to agree that a "secure boot" is maybe not more that only a
>> marketing
>> word...
> 
> No, this does not have the same strict meaning as "#6-32x1/2" slotted head
> steel zinc plated machine screw." It is a set of different features. Here
> is e.g. a Freescale's whitepaper on one of their SoCs:
> 
> http://www.freescale.com/files/32bit/doc/white_paper/IMX31SECURITYWP.pdf

This paper mainly describes hardware features that are not relevant for 
u-boot. The ROM authenticate a script that authenticate the boot loader 
(u-boot) that authenticate the firmware image (kernel and RO 
filesystem). The ability to update this system is controlled by a chain 
of asymmetric keys.

It seem that the GPLv3 do not require to publish the private key if this 
is not a consumer product. I suspect that if a regulation exists for a 
product that require a security schema, then GPLv3 also do not force to 
publish the private key, but that must be carefully verified.

In a more philosophical aspect, and as a customer, I can understand that 
some code are dangerous to modify and are secured, but there is a real 
issues that the security is also used to abuse the freedom to modify a 
system that don't require a high level of security. What you will do the 
day you can't find a computer that can't boot a Open Source system ? The 
GPLv3 is maybe right by requiring to allow to modify a system as long as 
this is not restricted by a regulation for safety reason.

>> [...]
>>>> Why do you think I want to fight regulation ? I actually be more
>>>> concerned about understanding how a proprietary hidden piece of code
>>>> into u-boot can possibly make a system satisfy a security
>> regulation.
>>> It is not just hardware/software. The latter is only a part of
>> solution. It
>>> is NOT the machine that pays that jackpot, it is real humans. There is
>> no
>>> way to make the system unbreakable and impossible to cheat on. That's
>> why an
>>> additional layer of security is being able to DETECT that system had
>> been
>>> cheated on.
>> So why using open source at all if you think that hidden code is a way
>> to make
>> a system more secure ? It highly not consistent !
> 
> Who is talking about hidden code? It can be open source. And quite often it
> is. And most of that code, BTW, is written by the people who are paid to do
> it. If you want to make us drop U-Boot and write our own firmware no
> problems, that's just additional job security for us. But don't expect all
> those people to do anything on U-Boot and forget about their contributions.

Pretty aggressive position. If I understand you correctly, there is 
already a asymmetric key authentication code to secure a firmware in 
u-boot. Please point out where it is because I can't find it in the last 
GIT tree.

Regards,

Jean-Christian de Rivaz

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Jean-Christophe,

> On 00:50 Fri 26 Jun     , Richard Stallman wrote:
>>     If I use a GPLv3 bootloader in a medical tool, a car, Point of payment terminal,
>>     Military System, etc... it is a grave security flaw.
>>     I'm not sure that you will be very happy if someone can modify the Firmware
>>     freely. As you may loose money to be killed and at the extrem kill millions
>>     of people.
>> 
>> There is no need to exaggerate.  Millions of people modify cars
>> physically, and it is not a dangerous practice.
> It is.
>> 
>> If you buy a car, or a medical tool for my own use, you deserve to be able
>> to change the software in it, just as you can change it physically.
>
> Certanly not when you use your car your are also on the public domain (road)
> so it your car have a system faillure you can kill yourself and kill other
> people. Remember that you are not allow to modify your car as your wish there
> is law that will forbiden you to do this in a lot' of country.

It seems that you have very strong interests on the software side, which
need to be considered separately, but here you are really distorting
actual reality.  As this example is likely best known to everybody, I'll
comment on this one - it seems currently too much work without a
prospect of any gain to comment on everything.

Of course you can modify your own car.  This is *not* forbidden - why do
you claim such a thing?  Heck you can even attach a rocket to it *as
long* as you don't use the car on public streets.  If you do, all you
got to do is to get your modifications approved.  No big deal, go to a
<insert favorite car brand here> meeting and look at the cars there.

I can even build my own car from scratch and get it certified.  

Although I wanted to restrict myself to cars - it's the same with
planes.  It is common practice for example to modify glider planes
(increasing wing span for example to be more competitive today) for
which the manufacturer even *does not exist* any more today.  Admittedly
this is some work to get it certified, but it is doable by a private
person for sure, I personally know some.

Actually I can even build my own *plane* and still get it certified
(this is not uncommon).

Cheers
  Detlev

-- 
Those who would trade safety for freedom deserve neither.
           -- Thomas Jefferson
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Friday 26 June 2009 04:25:42 Detlev Zundel wrote:
> > On Thursday 25 June 2009 10:20:47 Detlev Zundel wrote:
> >> >> It's not the first time I hear this mantra.  Can you give me some
> >> >> facts to back this up?
> >> >
> >> > i dont know what kind of "facts" you're looking for.  i didnt make
> >> > this scenario up, it was described to me by a customer in the US and
> >> > their experience with Chinese cloners.  i'm not going to give customer
> >> > information or name names if that's what you want.
> >>
> >> Well, the problem with "facts" is that I like them to be backed up.  I
> >> don't know whether I should believe this mantra until I have seen actual
> >> products and/or figures.  If you don't need this - fine, your choice.
> >
> > well g'luck with that.  you're going to have to find a customer yourself
> > or find someone who *hasnt* signed a NDA.
>
> ...
> n  ) Proof by intimidation
> n+1) Proof by vigorous handwaving
> n+2) Proof by obfuscation
> n+3) Proof by wishful citation
> n+4) Proof by vehement assertion
> n+5) Proof not available without NDA
>
> Now, wait a minute, I think we have an original new entry here to this
> list ;)

basically you're making the assertion that (1) i just made all of this sh*t 
up, (2) i'm basically a liar, and (3) i must be making these claims because i 
think this discussion is "fun".  rather than providing funny little lists, why 
dont you come straight out and call someone a filthy liar.  frankly, you can 
kiss my ass.

i attempted to provide real world experience with the information i'm allowed, 
and apparently that wasnt "good enough" for you,  how convenient for your 
little crusade to control the usage of others.
-mike

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Friday 26 June 2009 04:21:15 Detlev Zundel wrote:
> > On Thursday 25 June 2009 10:41:13 Detlev Zundel wrote:
> >> >>> It is this "certification is only possible like we say" attitude
> >> >>> which I seriously question.
> >> >>
> >> >> whether you question this attitude doesnt matter.  you arent a lawyer
> >> >> in general, you arent a lawyer for these companies, and you arent
> >> >> indemnifying them.  their legal review says that it's a requirement,
> >> >> so it is now a requirement for the software.  anything beyond that is
> >> >> irrelevant.
> >> >
> >> > Now was this so hard?  This is actually an important fact that it is a
> >> > legal requirement for a company - thanks.
> >>
> >> As a quick web research did not help, if this is a legal requirement,
> >> then can you point me to the law which requires such a thing?
> >
> > nothing personal, but ...
> >
> > (1) you still arent a lawyer
> > (2) i never said there was a law that stated this
> > (3) i did say "their legal team came to the conclusion that ..."
> >
> > the law and your interpretation of it is irrelevant.
>
> Wow, the law is irrelevant.  I give up.  You repeatedly claim stuff
> without backing anything up.  There is nothing more I can gain from this
> discussion, so I let it rest.

why not try keeping up with the thread instead of taking things out of 
context.  the point of this subthread was that the software people doing the 
work are told to do XYZ by their legal team.  thus it is a software 
requirement irregardless of anything else.

plus, the law in these areas is hardly ever clear.  it may state one thing, 
and yet there are precedences that take it a different way.  or the laws have 
no precedence at all (which is fairly typical with open source) in which case 
lawyers are often very conservative.  after all, their screw up here could 
easily cost a company 6 or 7 figures if not worse penalties.

your demand of black and white conformance in a pure gray legal world is 
completely unrealistic.
-mike

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi,

> On Friday 26 June 2009 04:25:42 Detlev Zundel wrote:
>> > On Thursday 25 June 2009 10:20:47 Detlev Zundel wrote:
>> >> >> It's not the first time I hear this mantra.  Can you give me some
>> >> >> facts to back this up?
>> >> >
>> >> > i dont know what kind of "facts" you're looking for.  i didnt make
>> >> > this scenario up, it was described to me by a customer in the US and
>> >> > their experience with Chinese cloners.  i'm not going to give customer
>> >> > information or name names if that's what you want.
>> >>
>> >> Well, the problem with "facts" is that I like them to be backed up.  I
>> >> don't know whether I should believe this mantra until I have seen actual
>> >> products and/or figures.  If you don't need this - fine, your choice.
>> >
>> > well g'luck with that.  you're going to have to find a customer yourself
>> > or find someone who *hasnt* signed a NDA.
>>
>> ...
>> n  ) Proof by intimidation
>> n+1) Proof by vigorous handwaving
>> n+2) Proof by obfuscation
>> n+3) Proof by wishful citation
>> n+4) Proof by vehement assertion
>> n+5) Proof not available without NDA
>>
>> Now, wait a minute, I think we have an original new entry here to this
>> list ;)
>
> basically you're making the assertion that (1) i just made all of this sh*t 
> up, (2) i'm basically a liar, and (3) i must be making these claims because i 
> think this discussion is "fun".  rather than providing funny little lists, why 
> dont you come straight out and call someone a filthy liar.

I am not repsonsible for what you read into my mails.  I never made such
assertions.

Cheers
  Detlev

-- 
Summary [of object-oriented programming in Perl 5]
That's all about there is to it. Now you just need to go off and buy a
book about object-oriented design methodology, and bang  your forehead
with it for the next six months or so.    Larry Wall [Creator of Perl]
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Friday 26 June 2009 09:56:21 Detlev Zundel wrote:
> > On Friday 26 June 2009 04:25:42 Detlev Zundel wrote:
> >> > On Thursday 25 June 2009 10:20:47 Detlev Zundel wrote:
> >> >> >> It's not the first time I hear this mantra.  Can you give me some
> >> >> >> facts to back this up?
> >> >> >
> >> >> > i dont know what kind of "facts" you're looking for.  i didnt make
> >> >> > this scenario up, it was described to me by a customer in the US
> >> >> > and their experience with Chinese cloners.  i'm not going to give
> >> >> > customer information or name names if that's what you want.
> >> >>
> >> >> Well, the problem with "facts" is that I like them to be backed up. 
> >> >> I don't know whether I should believe this mantra until I have seen
> >> >> actual products and/or figures.  If you don't need this - fine, your
> >> >> choice.
> >> >
> >> > well g'luck with that.  you're going to have to find a customer
> >> > yourself or find someone who *hasnt* signed a NDA.
> >>
> >> ...
> >> n  ) Proof by intimidation
> >> n+1) Proof by vigorous handwaving
> >> n+2) Proof by obfuscation
> >> n+3) Proof by wishful citation
> >> n+4) Proof by vehement assertion
> >> n+5) Proof not available without NDA
> >>
> >> Now, wait a minute, I think we have an original new entry here to this
> >> list ;)
> >
> > basically you're making the assertion that (1) i just made all of this
> > sh*t up, (2) i'm basically a liar, and (3) i must be making these claims
> > because i think this discussion is "fun".  rather than providing funny
> > little lists, why dont you come straight out and call someone a filthy
> > liar.
>
> I am not repsonsible for what you read into my mails.  I never made such
> assertions.

Jon Stewart summed up this position fairly well with an example.
I'm not saying your mother is a whore.....I'm just saying, isnt it interesting 
that she has money. And I dont know what she does during the day.
-mike

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Mike Frysinger <vapier@gentoo.org> writes:

> Jon Stewart summed up this position fairly well with an example.
> I'm not saying your mother is a whore.....I'm just saying, isnt it interesting 
> that she has money. And I dont know what she does during the day.

You are disqualifying yourself here.  Go on if you like, I will not join
you on this level anymore.

Cheers
  Detlev

-- 
``The number of UNIX installations has grown to 10,
with more expected.''     Unix Programmers Manual -- 1972
The number of UNIX variants has grown to dozens,
with more expected.                               -- 2001
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Friday 26 June 2009 11:11:06 Detlev Zundel wrote:
> Mike Frysinger <vapier@gentoo.org> writes:
> > Jon Stewart summed up this position fairly well with an example.
> > I'm not saying your mother is a whore.....I'm just saying, isnt it
> > interesting that she has money. And I dont know what she does during the
> > day.
>
> You are disqualifying yourself here.  Go on if you like, I will not join
> you on this level anymore.

i'm pretty sure you missed the point completely.  review the structure, not 
the content.
-mike

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    >     Embedded systems using core soc silicon from a number of manufacturers
    >     have started to use what is known as 'secure boot'. This is typically
    > the case in applications which utilise conditional access system software
    > to protect content. The emphasis on using secure boot is largely driven by
    > the conditional access industry itself.
    >
    > The principal purpose of these products is to restrict the public's
    > freedom.  So it is natural that their means involve restricting our
    > freedom too.

    it sure is nice to make generalities as it makes your resulting argument so 
    much easier to digest.  the companies ive worked with could give two sh*ts 
    about end customers tinkering with their products.  they're interested in 
    keeping their product secure from other people in their respective industry 
    and from malicious tampering for regulation/safety purposes.

The comment I responded to talked about the "conditional access
industry" and my response was about those products too.  I stand by
what I said about them.

Your various messages suggest that you are talking about other kinds
of products, so that your experience does not conflict with what I said.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    > The other systems that you speak of are not consumer products, so this
    > requirement in GPLv3 does not apply to them.
    in a Point of payment terminal it does not apply are sure?

I am sure.  Those are not consumer products.  They are made for
businesses only.

    > You seem to be worried about something you haven't described clearly.
    > I think you're afraid of shadows, but since you have not described
    > them clearly, I really don't know.
    as example with the v3 you force me to give you my private key that I use
    to protect the product this is not acceptable

To deny the key to the user is not acceptable.  It makes the software
non-free, and gives the developer power over the user that nobody
should have.

[U-Boot] U-book and GPLv3? (fwd)

[Thomas Doerfler]

Detlev,

Detlev Zundel schrieb:
> Hi Jean-Christophe,
> 
>> On 00:50 Fri 26 Jun     , Richard Stallman wrote:
...
>>> If you buy a car, or a medical tool for my own use, you deserve to be able
>>> to change the software in it, just as you can change it physically.
>> Certanly not when you use your car your are also on the public domain (road)
>> so it your car have a system faillure you can kill yourself and kill other
>> people. Remember that you are not allow to modify your car as your wish there
>> is law that will forbiden you to do this in a lot' of country.
> 
...
> 
> Of course you can modify your own car.  This is *not* forbidden - why do
> you claim such a thing?  Heck you can even attach a rocket to it *as
> long* as you don't use the car on public streets.  If you do, all you
> got to do is to get your modifications approved.  No big deal, go to a
> <insert favorite car brand here> meeting and look at the cars there.
> 
> I can even build my own car from scratch and get it certified.

Maybe you are right.

But for actually modifying safety critcal software (e.g. for airbag
control, ABS/ESP control, not talking about break-by-wire/steer by wire
systems) properly you will need MUCH more than the source code. You will
need the requirements specifications, the SW design documentation, the
test specifications.

Wouldn't it make sense to add a paragraph to the GPL, stating that a
company using GPL software in their system must also provide all that
documentation to their customers? Only then the SW modification can be
properly done?

Don't forget that a proper test area is also needed, which can simulate
all kind of street conditions. For ABS/Airbag you may also need a crash
test environment including soem sample cars to try thigns out.

Without access to these, you will not be able to prove proper system
behaviour to the certification authorities.

(set the irony tag wherever you find it suitable.

Back to being earnest: I think the GPL is a very important license to
generate open-source software and that the results on the SW quality are
very significant. The switch to GPLv3 may make sense for many SW
systems, mainly in the desktop/gadget area.

Even the traditional industry has learned in the last few years, that
open source software is nothing to be afraid of and that sharing the own
general know how based on SW improvements is a benefit for all.

But similar to the fact, that there is not ONE operating system fitting
all needs and ONE SW package fitting all needs, there also is not ONE OS
license, that fits to all requirements.

So once again I think GPLv3 for U-Boot would avoid using it in many
possible applications, which would be a loss for the project and its users.

wkr,
Thomas.


-- 
--------------------------------------------
Embedded Brains GmbH
Thomas Doerfler           Obere Lagerstr. 30
D-82178 Puchheim          Germany
email: Thomas.Doerfler at embedded-brains.de
Phone: +49-89-18908079-2
Fax:   +49-89-18908079-9

[U-Boot] U-book and GPLv3? (fwd)

[Thomas Doerfler]

Detlev Zundel schrieb:
> Hi Jean-Christophe,
> 
>> On 00:50 Fri 26 Jun     , Richard Stallman wrote:
>>>     If I use a GPLv3 bootloader in a medical tool, a car, Point of payment terminal,
>>>     Military System, etc... it is a grave security flaw.
>>>     I'm not sure that you will be very happy if someone can modify the Firmware
>>>     freely. As you may loose money to be killed and at the extrem kill millions
>>>     of people.
>>>
>>> There is no need to exaggerate.  Millions of people modify cars
>>> physically, and it is not a dangerous practice.
>> It is.
>>> If you buy a car, or a medical tool for my own use, you deserve to be able
>>> to change the software in it, just as you can change it physically.
>> Certanly not when you use your car your are also on the public domain (road)
>> so it your car have a system faillure you can kill yourself and kill other
>> people. Remember that you are not allow to modify your car as your wish there
>> is law that will forbiden you to do this in a lot' of country.
> 
> It seems that you have very strong interests on the software side, which
> need to be considered separately, but here you are really distorting
> actual reality.  As this example is likely best known to everybody, I'll
> comment on this one - it seems currently too much work without a
> prospect of any gain to comment on everything.
> 
> Of course you can modify your own car.  This is *not* forbidden - why do
> you claim such a thing?  Heck you can even attach a rocket to it *as
> long* as you don't use the car on public streets.  If you do, all you
> got to do is to get your modifications approved.  No big deal, go to a
> <insert favorite car brand here> meeting and look at the cars there.
> 
> I can even build my own car from scratch and get it certified.  
> 
> Although I wanted to restrict myself to cars - it's the same with
> planes.  It is common practice for example to modify glider planes
> (increasing wing span for example to be more competitive today) for
> which the manufacturer even *does not exist* any more today.  Admittedly
> this is some work to get it certified, but it is doable by a private
> person for sure, I personally know some.
> 
> Actually I can even build my own *plane* and still get it certified
> (this is not uncommon).
> 
> Cheers
>   Detlev
> 


-- 
--------------------------------------------
Embedded Brains GmbH
Thomas Doerfler           Obere Lagerstr. 30
D-82178 Puchheim          Germany
email: Thomas.Doerfler at embedded-brains.de
Phone: +49-89-18908079-2
Fax:   +49-89-18908079-9

[U-Boot] U-book and GPLv3? (fwd)

[Jean-Christophe PLAGNIOL-VILLARD]

On 17:35 Fri 26 Jun     , Richard Stallman wrote:
>     > The other systems that you speak of are not consumer products, so this
>     > requirement in GPLv3 does not apply to them.
>     in a Point of payment terminal it does not apply are sure?
> 
> I am sure.  Those are not consumer products.  They are made for
> businesses only.
Wrong, as example your cell phone can be a part of the PPT, and your also
have product on the market that allow you to use a PPT at home instead of just
write your credit card number on a website.
So your definition of consumer produts is dangerous and will not fit at all
because you can not known what we can create
>     > You seem to be worried about something you haven't described clearly.
>     > I think you're afraid of shadows, but since you have not described
>     > them clearly, I really don't know.
>     as example with the v3 you force me to give you my private key that I use
>     to protect the product this is not acceptable
> 
> To deny the key to the user is not acceptable.  It makes the software
> non-free, and gives the developer power over the user that nobody
> should have.
Certanly not, it will make the product not hackable certanly not the software
non-free.

Best Regards,
J.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    >     - medical equipment: Think what nice features could be implemented into
    >     these many machines located in the emergency room... Accessible to any
    >     person who comes by.
    >
    > Being free to change your copy of a program does not mean you must let
    > anyone and everyone change your copy.  For instance, the code on my
    > netbook is all free software, but it is not generally accessible to
    > anyone but me.

    none of your scenarios are applicable to the issues Thomas raised. 

My argument shows that his scenario is unrealistic in supposing that
"any person who comes by" can change the software in computers in the
hospital.  If the hospital has the key to install modified software,
"any person who comes by" will not know the key.  Even most of the
staff will not know it.

There probably are ways that people could sabotage the equipment if
they were determined to do so.  Physically, that is.  A person with
experience in servicing these machines could find a way to make them
work wrong but not obviously wrong in a couple of minutes.  Computers
don't change the situation.

It makes no sense to demand a double set of bars over the window while
ignoring the flimsy door with a weak lock.

Therefore, there is no real issue with these medical devices.  But
even if there were, the requirement for installation information in
GPLv3 does not apply to products specifically for hospitals, since
they are not consumer products.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    then i guess since u-boot is already doing what is right, this thread is a =
    big=20
    waste of time

I hope the main developers of U-Boot will conclude that it is right to move
to GPLv3.

[U-Boot] U-book and GPLv3? (fwd)

[Jean-Christophe PLAGNIOL-VILLARD]

> 
> and this is why i dislike the GPLv3.  the GPLv2 was all about the source, so 
> the conversation between developers and everyone else was "you can take my 
> source and modify it all you want, but i want to see the changes".  sounds 
> fair.
> 
> GPLv3 (ignoring the fix for the loophole with web applications) adds *nothing* 
> to this premise.  instead, it's used as an ideological club such that the 
> conversation is now "i have all these ideas about how software should and 
> shouldnt be utilized, so if you want to use my software, you too now have to 
> subscribe to my way of thinking and you have to show me the changes".
> 
> so what does moving from GPLv2 to GPLv3 gain us in terms of protections ?  
> nothing.  it does however allow us to restrict the people who want to use u-
> boot to using it in only ways we've "blessed".  that's plain wrong in my eyes 
> and none of our business in the first place.
> 
> > I think it is not a coincidence that devices which can be updated with
> > arbitrary firmware sells pretty good in the meantime.   Who buys routers
> > capable of running OpenWRT because of their original firmware?
> 
> then let your wallet/politicians do the talking.  i certainly do -- i avoid 
> purchasing any music/games encumbered with DRM, or companies that employ such 
> methods.  but i'm above going around and forcing people to think the way i do 
> with licenses.
agreed with Mike.

Best Regards,
J.

[U-Boot] U-book and GPLv3? (fwd)

[ksi at koi8.net]

On Sat, 27 Jun 2009, Jean-Christophe PLAGNIOL-VILLARD wrote:

> > 
> > and this is why i dislike the GPLv3.  the GPLv2 was all about the
> source, so 
> > the conversation between developers and everyone else was "you can
> take my 
> > source and modify it all you want, but i want to see the changes".
> sounds 
> > fair.
> > 
> > GPLv3 (ignoring the fix for the loophole with web applications) adds
> *nothing* 
> > to this premise.  instead, it's used as an ideological club such that
> the 
> > conversation is now "i have all these ideas about how software should
> and 
> > shouldnt be utilized, so if you want to use my software, you too now
> have to 
> > subscribe to my way of thinking and you have to show me the changes".
> > 
> > so what does moving from GPLv2 to GPLv3 gain us in terms of
> protections ?  
> > nothing.  it does however allow us to restrict the people who want to
> use u-
> > boot to using it in only ways we've "blessed".  that's plain wrong in
> my eyes 
> > and none of our business in the first place.
> > 
> > > I think it is not a coincidence that devices which can be updated
> with
> > > arbitrary firmware sells pretty good in the meantime.   Who buys
> routers
> > > capable of running OpenWRT because of their original firmware?
> > 
> > then let your wallet/politicians do the talking.  i certainly do -- i
> avoid 
> > purchasing any music/games encumbered with DRM, or companies that
> employ such 
> > methods.  but i'm above going around and forcing people to think the
> way i do 
> > with licenses.

> agreed with Mike.

Second that.

---
******************************************************************
*  KSI at home    KOI8 Net  < >  The impossible we do immediately.  *
*  Las Vegas   NV, USA   < >  Miracles require 24-hour notice.   *
******************************************************************

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Saturday 27 June 2009 16:07:36 Richard Stallman wrote:
>     then i guess since u-boot is already doing what is right, this thread
>     is a big waste of time
>
> I hope the main developers of U-Boot will conclude that it is right to move
> to GPLv3.

guess that depends on what you're defining as "main developers".  if you look 
at the statistics of people who are actually doing the majority of the work, 
many have chimed in that they do not wish to move to the GPL-3.  if your 
assumption is that the "noisy" people in this thread arent doing any real work 
wrt u-boot contributions, you're sorely mistaken.
-mike

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    Wouldn't it make sense to add a paragraph to the GPL, stating that a
    company using GPL software in their system must also provide all that
    documentation to their customers? Only then the SW modification can be
    properly done?

It is not possible for a software license to require this in general.
It may be possible to require this in the case where the software is
delivered with a product.  For GPLv4, we could think about whether
this is a good idea.  But we are not yet working on a GPLv4.

    Don't forget that a proper test area is also needed, which can simulate
    all kind of street conditions. For ABS/Airbag you may also need a crash
    test environment including soem sample cars to try thigns out.

    Without access to these, you will not be able to prove proper system
    behaviour to the certification authorities.

I don't know what standards they use.  If certification is hard to
get, that may discourage people from changing this software.  Whether
that is a good or a bad outcome, I am not sure.  If the certification
is indeed necessary, and done reasonably, I suppose the outcome is
good.

Be that as it may, it does not excuse letting manufacturers restrict
the users for their own purposes.

    So once again I think GPLv3 for U-Boot would avoid using it in many
    possible applications, which would be a loss for the project and its users.

It is important for free software users to remember that they are
giving the users something, not vice versa.  If people use U-Boot,
that is their gain; if they don't use it, that is their loss.

During my work on GCC and other programs, companies often asked me to
weaken the license and in exchange we would get "more use" of the
program.  I respond to them, "More use of the program is just a
subgoal; the main goal is to give more users freedom."

Sometimes companies say that they would put a lot of effort into
improving a program if the developers change the license.  But they do
not necessarily contribute much if the developer caves.  In effect
they are asking to buy a license change on credit and won't even sign
an IOU.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    > I am sure.  Those are not consumer products.  They are made for
    > businesses only.
    Wrong, as example your cell phone 

For the record, I do not have a cell phone, because I object to the
surveillance they do.

				      can be a part of the PPT, and your also
    have product on the market that allow you to use a PPT at home instead of just
    write your credit card number on a website.

Here is the definition from the GPL v3:

      A "User Product" is either (1) a "consumer product", which means any
    tangible personal property which is normally used for personal, family,
    or household purposes, or (2) anything designed or sold for incorporation
    into a dwelling.

I am assuming "PPT" refers to point-of-sale terminals, but I can't be
sure of that.

Sale terminals models meant for business use are not consumer products;
whether they contain a kind of cell phone does not affect the question.

If there is a terminal model made for home use, that might be a
consumer product.  If so, GPLv3 would require allowing the user to
install modified software.  It follows that the bank that the user
deals with would check for a valid credit card in its server rather
than in the device.  This is not hard.

    > To deny the key to the user is not acceptable.  It makes the software
    > non-free, and gives the developer power over the user that nobody
    > should have.
    Certanly not, it will make the product not hackable certanly not the software
    non-free.

The reason access to source code and freedom to change it are
important is so that you can use your changed version.  If the product
you bought requires changes to be authorized by someone other than
you, that freedom has been reduced to a theoretical fiction.
So the software is not free.

[U-Boot] U-book and GPLv3? (fwd)

[Thomas Doerfler]

Richard,

Richard Stallman wrote:
>     Wouldn't it make sense to add a paragraph to the GPL, stating that a
>     company using GPL software in their system must also provide all that
>     documentation to their customers? Only then the SW modification can be
>     properly done?
> 
> It is not possible for a software license to require this in general.
> It may be possible to require this in the case where the software is
> delivered with a product.  For GPLv4, we could think about whether
> this is a good idea.  But we are not yet working on a GPLv4.

Obviously I should have set the <ironic> tag explicitly. Please don't do
that. And if you do, please don't point to me as the originator of that
idea. Because I think my "idea" is bad.

wkr,
Thomas.

-- 

--------------------------------------------
Embedded Brains GmbH
Thomas Doerfler        Obere Lagerstrasse 30
D-82178 Puchheim       Germany
email: Thomas.Doerfler at embedded-brains.de
Phone: +49-89-18908079-2
Fax:   +49-89-18908079-9

[U-Boot] U-book and GPLv3? (fwd)

[Arno Fischer]

In article <Pine.LNX.4.64ksi.0906271550150.14063@home-gw.koi8.net>, 
ksi at koi8.net says...
> On Sat, 27 Jun 2009, Jean-Christophe PLAGNIOL-VILLARD wrote:
> 
> > > 
> > > and this is why i dislike the GPLv3.  the GPLv2 was all about the
> > source, so 
> > > the conversation between developers and everyone else was "you can
> > take my 
> > > source and modify it all you want, but i want to see the changes".
> > sounds 
> > > fair.
> > > 
> > > GPLv3 (ignoring the fix for the loophole with web applications) adds
> > *nothing* 
> > > to this premise.  instead, it's used as an ideological club such that
> > the 
> > > conversation is now "i have all these ideas about how software should
> > and 
> > > shouldnt be utilized, so if you want to use my software, you too now
> > have to 
> > > subscribe to my way of thinking and you have to show me the changes".
> > > 
> > > so what does moving from GPLv2 to GPLv3 gain us in terms of
> > protections ?  
> > > nothing.  it does however allow us to restrict the people who want to
> > use u-
> > > boot to using it in only ways we've "blessed".  that's plain wrong in
> > my eyes 
> > > and none of our business in the first place.
> > > 
> > > > I think it is not a coincidence that devices which can be updated
> > with
> > > > arbitrary firmware sells pretty good in the meantime.   Who buys
> > routers
> > > > capable of running OpenWRT because of their original firmware?
> > > 
> > > then let your wallet/politicians do the talking.  i certainly do -- i
> > avoid 
> > > purchasing any music/games encumbered with DRM, or companies that
> > employ such 
> > > methods.  but i'm above going around and forcing people to think the
> > way i do 
> > > with licenses.
> 
> > agreed with Mike.
> 
> Second that.
> 
> ---
> ******************************************************************
> *  KSI at home    KOI8 Net  < >  The impossible we do immediately.  
Third that.

[U-Boot] U-book and GPLv3? (fwd)

[Robin Getz]

On Thu 25 Jun 2009 10:41, Detlev Zundel pondered:
> Hi Mike,
> 
> >>> It is this "certification is only possible like we say" attitude
> >>> which I seriously question.
> >>
> >> whether you question this attitude doesnt matter.  you arent a lawyer
> >> in general, you arent a lawyer for these companies, and you arent
> >> indemnifying them.  their legal review says that it's a requirement, 
> >> so it is now a requirement for the software.  anything beyond that
> >> is irrelevant. 
> >
> > Now was this so hard?  This is actually an important fact that it is a
> > legal requirement for a company - thanks.
> 
> As a quick web research did not help, if this is a legal requirement,
> then can you point me to the law which requires such a thing?

As Mike said - there are many organisations which require this. Some from a 
legal standpoint, some from a certification standpoint. It depends on the end 
product.

Your ability not to find them doesn't change the fact that they do exist.

Search for:

  IEC 61508-3 : Functional safety of E/E/PE safety-related systems
                 Part 3: Software requirements
                http://en.wikipedia.org/wiki/IEC_61508

  IEC 601-1-4 : Safety Requirements for Programmable Electronic
                 Medical Systems

  ANSI/UL 1998 : Standard for Safety Software in Programmable Components


There are other that are industry specific - the gambling industry is a good 
one (that ksi already pointed out)

http://gaming.nv.gov/stats_regs/reg14_tech_stnds.pdf
> 1.080 Control program requirements.
>    (a) Employ a mechanism approved by the chairman which verifies that all
> control program components, including data and graphic information, are
> authentic copies of the approved components. The chairman may require tests
> to verify that components used by Nevada licensees are approved components.
> The verification mechanism must have an error rate of less than 1 in 10 to
> the 38th power and must prevent the execution of any control program
> component if any component is determined to be invalid.

That doesn't use the words secure boot - but if that is what the chairman of 
the Nevada gaming commision decides - then that is what is is...



As Mike has stated - we work on many devices who's products would fall under 
the GPL 3's ?User Products? category - who's manufactures have told us "No 
GPL3". They have this right - the right to use the software - or the right to 
choose something else. They have indicated they will exercise this right - so 
far - I believe them.

If Wolfgang decides to remove all the "GPL-2 only" code, and re-write that, 
and release U-Boot under GPL-3 - that is his right - he needs to do the 
things that let him sleep better at night. 

If he decides to do so - it just means that I will need to exercise my 
rights - and either fork, or go work on MicroMonitor - neither are really 
that appealing for me - but they are the only choice I have with a GPL-3 
U-Boot. Part of any freedom is the freedom to have an amicable disagreement, 
and make an alternative choice.

I will only need to make that choice when I see a commit to:
http://git.denx.de/cgi-bin/gitweb.cgi?p=u-boot.git;a=blob;f=COPYING;hb=HEAD
which updates it to GPL3.

Until then - it is just time wasted, when I should be doing more productive 
things. :)

-Robin



Although this is a bad analogy for the existing topic - I have always told my 
kids - part of freedom is the right to make choices, and allow others to make 
choices you don't agree with. If you choose to believe your water bottle is 
some sort of deity, and want to worship it - that is fine. I'll stand up and 
defend your rights to do so. I will still think you are nuts and will not 
join you in your water bottle worship (no offence meant to any existing, 
future or past water bottle worshippers). 

Freedom does not mean "my freedom" - it is not my right to enforce my belief 
system on you, but my obligation to stand and defend your rights to do 
something I don't like. 

Pushing one's person's belief system on another belongs in 
comp.sys.mac.advocacy and no where else.

[U-Boot] U-book and GPLv3? (fwd)

[Frank Svendsbøe]

On Mon, Jun 29, 2009 at 4:56 PM, Arno Fischer<a.f.dns@novotech.co.at> wrote:
> In article <Pine.LNX.4.64ksi.0906271550150.14063@home-gw.koi8.net>,
> ksi at koi8.net says...
>> On Sat, 27 Jun 2009, Jean-Christophe PLAGNIOL-VILLARD wrote:
>>
>> > >
>> > > and this is why i dislike the GPLv3. ?the GPLv2 was all about the
>> > source, so
>> > > the conversation between developers and everyone else was "you can
>> > take my
>> > > source and modify it all you want, but i want to see the changes".
>> > sounds
>> > > fair.
>> > >
>> > > GPLv3 (ignoring the fix for the loophole with web applications) adds
>> > *nothing*
>> > > to this premise. ?instead, it's used as an ideological club such that
>> > the
>> > > conversation is now "i have all these ideas about how software should
>> > and
>> > > shouldnt be utilized, so if you want to use my software, you too now
>> > have to
>> > > subscribe to my way of thinking and you have to show me the changes".
>> > >
>> > > so what does moving from GPLv2 to GPLv3 gain us in terms of
>> > protections ?
>> > > nothing. ?it does however allow us to restrict the people who want to
>> > use u-
>> > > boot to using it in only ways we've "blessed". ?that's plain wrong in
>> > my eyes
>> > > and none of our business in the first place.
>> > >
>> > > > I think it is not a coincidence that devices which can be updated
>> > with
>> > > > arbitrary firmware sells pretty good in the meantime. ? Who buys
>> > routers
>> > > > capable of running OpenWRT because of their original firmware?
>> > >
>> > > then let your wallet/politicians do the talking. ?i certainly do -- i
>> > avoid
>> > > purchasing any music/games encumbered with DRM, or companies that
>> > employ such
>> > > methods. ?but i'm above going around and forcing people to think the
>> > way i do
>> > > with licenses.
>>
>> > agreed with Mike.
>>
>> Second that.
>>
>> ---
>> ******************************************************************
>> * ?KSI at home ? ?KOI8 Net ?< > ?The impossible we do immediately.
> Third that.
>

Arno: I thought only "main developers" could state their opinion regarding this?
You don't seem to be that according to git-log.

Detlev: If one-line patch contributers are allowed to vote (which may not be
fair), my vote goes for GPLv3. Keep fighting for freedom ;-)

> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> http://lists.denx.de/mailman/listinfo/u-boot
>

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Monday 29 June 2009 11:27:35 Frank Svendsb?e wrote:
> On Mon, Jun 29, 2009 at 4:56 PM, Arno Fischer<a.f.dns@novotech.co.at> wrote:
>> Third that.
>
> Arno: I thought only "main developers" could state their opinion regarding
> this? You don't seem to be that according to git-log.

the question is posed to the community
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090629/8f6b77e4/attachment.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Frank,

> Arno: I thought only "main developers" could state their opinion regarding this?
> You don't seem to be that according to git-log.
>
> Detlev: If one-line patch contributers are allowed to vote (which may not be
> fair), my vote goes for GPLv3. Keep fighting for freedom ;-)

We're not holding a formal vote here - reread the beginning - Wolfgang wrote:

> I know that we have had similar discussions before (see for example
> http://thread.gmane.org/gmane.comp.boot-loaders.u-boot/24029), but I
> would like to take the chance and re-poll what the community's opinion
> about this is.

The fact that you read this mailing list is probably a good proof that
you both are part of the U-Boot community, so actually I appreciate both
inputs.

Thanks
  Detlev

-- 
error compiling committee.c: too many arguments to function
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    As Mike has stated - we work on many devices who's products would fall under 
    the GPL 3's  User Products  category - who's manufactures have told us "No 
    GPL3".

Would you like to describe one such product?  All the product types
discussed so far are outside the category of User Products.  The laws
you cites also seem to apply to things which are not User Products.

     They have this right - the right to use the software - or the right to 
    choose something else. They have indicated they will exercise this right - so 
    far - I believe them.

If a company seeks to restrict users like you and me, I strongly hope
my software does not help them.

[U-Boot] U-book and GPLv3? (fwd)

[Robin Getz]

On Mon 29 Jun 2009 14:48, Richard Stallman pondered:
> 
>     As Mike has stated - we work on many devices who's products would fall
>     under the GPL 3's  User Products  category - who's manufactures have
>     told us "No GPL3".
> 
> Would you like to describe one such product?

Portable hand held medical devices - such as Glucometers. They fall into both 
categories. They are medical devices, who's "bad" software could cause a user 
to give them selves too much insulin (hypoglycemia -> pass out -> seizure -> 
death), or too little insulin (Hyperglycaemia -> stupor -> coma -> death). 
Yeah, death is over the top - as most diabetics understand their body well 
enough not recognise the signs much before the pass out stages - but for the 
person who isn't familiar with things - it is possible.

They are marketted, and purchased by end consumers (Amazon shows 115 results 
in their search), and I would think that would make them fall into the "User 
Products".

> All the product types 
> discussed so far are outside the category of User Products.  The laws
> you cites also seem to apply to things which are not User Products.

I don't think I had any links to laws - only specifications.

Years ago - I helped develop a cloths dryer which needed to pass UL 1998 - 
since the cut off switch (open the door, the dryer stops spinning), was a 
GPIO on a 8-bit microcontroller...

White goods are as consumer/user products as you can get - all need to pass 
some sort of safety spec, when software failures can hurt people.


>      They have this right - the right to use the software - or the right to 
>     choose something else. They have indicated they will exercise this
>     right - so  far - I believe them.
> 
> If a company seeks to restrict users like you and me, I strongly hope
> my software does not help them.

And I think that is great that you feel like that. You have every right to 
limit the use of the software you write and support - just like I have that 
same right not to feel the same way.

I feel that companies should have the right to choose how to use the software 
I develop, as long they give things back, and I can use it on _my_ hardware 
(which the GPL2 allows/encourages) - I don't really care what they do on 
their hardware. That is their business, not mine.

I hope that you can respect my choice - and not try to convince me or others 
that your choices are superior to mine.

-Robin

[U-Boot] U-book and GPLv3? (fwd)

[Jerry Van Baren]

The discussion has mostly been emotional to date.  Here are some 
statistics (not necessarily perfect, but pretty close)...

Total number of files (after removing the .git files):
$ find . -type f | wc -l
6055

Number of files that are identified as being copyrighted:
$ grep -l -i -r 'Copyright' * | wc -l
5173

List of files with copyrights:
$ grep -l -i -r 'Copyright' * | sort > ~/ucopy.txt

List of all files:
$ find . -type f | sed 's/.\///' | sort > ~/ufiles.txt

List of files *WITHOUT* the string "copyright" in them:
$ comm -3 ~/ufiles.txt ~/ucopy.txt > ~/nocopyright.txt

Of the above, 130 of the files have the GPL in the header but not the 
string "copyright" - incomplete headers:
for file in `cat ~/nocopyright.txt` ; do grep -il 'General Public 
License' $file ; done | wc -l
130

---------------------------------------------------------------------

Total number of files that are GPLv2:
$ grep -i -r 'Free Software Foundation' * | grep -i 'version 2' > 
~/ugplv2.txt
$ wc -l ~/ugplv2.txt
4588

Number of files that are GPLv2 *or later*:
$ grep -i -r 'Free Software Foundation' * | grep -i 'either version 2' | 
wc -l
4512

76 files are GPLv2 *ONLY*:
$ grep -i -v 'either version 2' ~/ugplv2.txt | awk '{print $1}' | sed 
's/:$//'
board/stxgp3/ddr.c
board/netstar/eeprom_start.S
board/sbc8560/ddr.c
board/mpc8540eval/ddr.c
board/socrates/ddr.c
board/pm856/ddr.c
board/freescale/p2020ds/ddr.c
board/freescale/mpc8541cds/ddr.c
board/freescale/mpc8641hpcn/ddr.c
board/freescale/mpc8555cds/ddr.c
board/freescale/mpc8536ds/ddr.c
board/freescale/mpc8568mds/ddr.c
board/freescale/mpc8548cds/ddr.c
board/freescale/mpc8610hpcd/ddr.c
board/freescale/mpc8544ds/ddr.c
board/freescale/mpc8560ads/ddr.c
board/freescale/mpc8572ds/ddr.c
board/freescale/mpc8569mds/ddr.c
board/freescale/mpc8540ads/ddr.c
board/atum8548/ddr.c
board/stxssa/ddr.c
board/xes/xpedite5200/ddr.c
board/voiceblue/voiceblue.c
board/voiceblue/eeprom_start.S
board/voiceblue/setup.S
board/pm854/ddr.c
board/sbc8641d/ddr.c
board/sbc8548/ddr.c
common/ddr_spd.c
cpu/mpc86xx/fdt.c
cpu/mpc86xx/ddr-8641.c
cpu/mpc85xx/ddr-gen3.c
cpu/mpc85xx/ddr-gen2.c
cpu/mpc85xx/ddr-gen1.c
cpu/mpc8xxx/ddr/ctrl_regs.c
cpu/mpc8xxx/ddr/Makefile
cpu/mpc8xxx/ddr/ddr.h
cpu/mpc8xxx/ddr/ddr2_dimm_params.c
cpu/mpc8xxx/ddr/common_timing_params.h
cpu/mpc8xxx/ddr/ddr1_dimm_params.c
cpu/mpc8xxx/ddr/options.c
cpu/mpc8xxx/ddr/main.c
cpu/mpc8xxx/ddr/util.c
cpu/mpc8xxx/ddr/ddr3_dimm_params.c
cpu/mpc8xxx/ddr/lc_common_dimm_params.c
drivers/gpio/pca953x.c
drivers/pci/fsl_pci_init.c
drivers/misc/ds4510.c
drivers/mtd/nand/nand.c
drivers/i2c/fsl_i2c.c
drivers/usb/host/ehci-pci.c
drivers/usb/host/r8a66597.h
drivers/usb/host/ehci.h
drivers/usb/host/r8a66597-hcd.c
drivers/usb/host/ehci-core.h
drivers/usb/host/ehci-hcd.c
drivers/mmc/omap3_mmc.c
include/asm-ppc/fsl_ddr_sdram.h
include/asm-ppc/fsl_i2c.h
include/asm-ppc/fsl_dma.h
include/asm-ppc/mpc8xxx_spi.h
include/asm-ppc/fsl_ddr_dimm_params.h
include/pca953x.h
include/ds4510.h
include/configs/MPC8610HPCD.h
include/configs/voiceblue.h
include/spi_flash.h
include/ddr_spd.h
include/asm-m68k/fsl_i2c.h
include/addr_map.h
include/sha1.h
include/nand.h
include/asm-arm/arch-omap3/mmc.h
include/asm-arm/arch-omap3/mmc_host_def.h
lib_generic/sha1.c
lib_generic/addr_map.c


Number of files that are BSD licensed (but the seven (7) libfdt files 
are dual-licensed "GPLv2 or later" / BSD):
$ grep -r 'EXPRESS OR IMPLIED WARRANTIES' * | wc -l
156

Number of doc/* files (most have no copyright statement):
$ find doc/ -type f | wc -l
147

Number of doc/* files that *do* have a copyright statement:
$ grep -il copyright doc/* | wc -l
15


This implies...
    156 -    7 = 149 files use the BSD license (7 dual licensed)
   5173 - 4588 - 149 = 436 files have license header problems
                           or a different license?
   6055 - 5173 = 882 files don't have a copyright statement in them.
    147 -   15 = 132 doc/* files have no copyright
    882 -  132 = 750 files are not doc/* files and don't have copyright

Best regards,
gvb

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    Portable hand held medical devices - such as Glucometers. They fall into both 
    categories. They are medical devices, who's "bad" software could cause a user 
    to give them selves too much insulin (hypoglycemia -> pass out -> seizure -> 
    death), or too little insulin (Hyperglycaemia -> stupor -> coma -> death). 

That would be a good reason for the user not to change the software in
this device.  However, that does not mean he should be stopped.

After all, the user could also change the circuitry in the device, if
he is inclined to do so.  That too could make it give bad readings.
So what?  We do not need a nanny state stopping people from going out
of their way to take risks.  Warning them is enough.

    They are marketted, and purchased by end consumers (Amazon shows 115 results 
    in their search), and I would think that would make them fall into the "User 
    Products".

These are indeed User Products, and the user who buys them should have
control over what they do.

    I hope that you can respect my choice - and not try to convince me or others 
    that your choices are superior to mine.

If your mind is made up, I will not pointlessly annoy you by trying to
convince you.  I will continue trying to convince others.

In 1983, almost everyone thought my ideas were foolish, but I did not
let that stop me, so now we have the GNU/Linux operating system.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

Files without a copyright notice and a license notice are a legal problem.

Legally, every file is copyrighted.  If there's no copyright notice,
that just means it gives no info about who the copyright holder is.

The lack of a license notice is a problem.  If the file is trivial,
just a few lines, maybe it does not matter.  But otherwise, if there
is no license, that means it doesn't give people permission to copy or
change or redistribute the file.  Perhaps even the U-boot developers
don't have this permission.

[U-Boot] U-book and GPLv3? (fwd)

[Jerry Van Baren]

Richard Stallman wrote:
> Files without a copyright notice and a license notice are a legal problem.
> 
> Legally, every file is copyrighted.  If there's no copyright notice,
> that just means it gives no info about who the copyright holder is.
> 
> The lack of a license notice is a problem.  If the file is trivial,
> just a few lines, maybe it does not matter.  But otherwise, if there
> is no license, that means it doesn't give people permission to copy or
> change or redistribute the file.  Perhaps even the U-boot developers
> don't have this permission.

Agreed.  I was just doing a simplistic grep looking for "fingerprints" 
of GPL and BSD licenses and I did not find them in 436 files.  I looked 
at a couple of files to confirm that my greping wasn't over simplistic 
(it wasn't in the cases I checked).  I also did not see any licenses 
other than GPL or BSD, but I did not look at many of the files in 
question so it is possible that there are other licenses out there, but 
probably not.

I did *not* analyze the files for complexity and appropriateness of 
copyright/license information in the file.  That should be done 
regardless of the results of the GPLv3 debate and the files that should 
have copyright/license information in their headers need to be either 
fixed or replaced.

Best regards,
gvb

[U-Boot] U-book and GPLv3? (fwd)

[Detlev Zundel]

Hi Jerry,

thanks a lot for your work of analyzing the current situation - I
appreciate that very much.

> I did *not* analyze the files for complexity and appropriateness of 
> copyright/license information in the file.  That should be done 
> regardless of the results of the GPLv3 debate and the files that should 
> have copyright/license information in their headers need to be either 
> fixed or replaced.

Yes indeed - it has become more than clear that we have to get clean on
this front now, regardless of any licensing changes.

Everyone who wants to help on this front is invited to do so.  Hopefully
git can help us track down people if we need to.  If it turns out to be
of help, I can surely dig up the last CVS repository before the
conversion to git.

Cheers
  Detlev

-- 
Wenn ein Kopf und ein Buch zusammenstossen und es klingt hohl; ist
denn das allemal im Buche?
                               - Lichtenberg
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

[U-Boot] U-book and GPLv3? (fwd)

[Eric Nelson]

Richard Stallman wrote:
> 
> In 1983, almost everyone thought my ideas were foolish, but I did not
> let that stop me, so now we have the GNU/Linux operating system.
> 

BTW, thanks for that, and GCC, and all that follows...

We've all been enriched by your efforts.

[U-Boot] U-book and GPLv3? (fwd)

[Scott Wood]

On Mon, Jun 29, 2009 at 10:03:09PM -0400, Jerry Van Baren wrote:
> Total number of files that are GPLv2:
> $ grep -i -r 'Free Software Foundation' * | grep -i 'version 2' > 
> ~/ugplv2.txt
> $ wc -l ~/ugplv2.txt
> 4588

This assumes "version 2" and "Free Software Foundation" are on the same
line...

> 76 files are GPLv2 *ONLY*:
> $ grep -i -v 'either version 2' ~/ugplv2.txt | awk '{print $1}' | sed 
> 's/:$//'

...causing drivers/mtd/nand/nand_base.c, for example, to be missed here.

-Scott

[U-Boot] U-book and GPLv3? (fwd)

[Robin Getz]

On Tue 30 Jun 2009 10:04, Richard Stallman pondered:
> 
>     Portable hand held medical devices - such as Glucometers. They fall 
>     into both categories. They are medical devices, who's "bad"
>     software could cause a user to give them selves too much insulin
>     (hypoglycemia -> pass out -> seizure -> death), or too little 
>     insulin (Hyperglycaemia -> stupor -> coma -> death).  
> 
> That would be a good reason for the user not to change the software in
> this device.  However, that does not mean he should be stopped.

The FDA disagrees :)

They add requirements to ensure they detect faulty devices. It is a fact of 
physics that flash devices go bad over time - I'm sure even you appreciate 
the ability to know if something in your devices is the image that you 
thought it is, and doesn't have bit errors.

When they FDA certifies a device, they need to make sure that both hardware 
and the software on the unit when it gets to you - is the same as the version 
that they approved. If hardware can go wrong - there are normally power on 
self checks that test for this - and the unit will not power on if it detects 
the hardware is modified.

> After all, the user could also change the circuitry in the device, if
> he is inclined to do so.  That too could make it give bad readings.

It is not likely that the user has a the equipment to do so - it's not 
practical to think so anymore.

All the "circuitry" are integrated circuits. There are very few (none) 
external components to modify. Test strips are connected directly to the 
measurement IC, and the measurement IC is connected directly the the 
processor.

www.analog.com/AD5933

To make any meaningful modifications (which doesn't just remove a power 
supply, and cause the unit to die) starts out with a plazma etch machine - 
not exactly something most people have access to. (Here is one for $10k if 
you want)...

http://www.2spi.com/catalog/instruments/etchers1.shtml

Yeah, you could make your own fuming nitric acid on your stove, but that is 
even more over the top - plus - most fuming acids reacts with exposed bond 
pad metallization and normally result in ball bond discontinuity - hampering 
any further analysis, and making the device stop functioning...

I don't recommend it.

> So what?  We do not need a nanny state stopping people from going out
> of their way to take risks.  Warning them is enough.

Then solve it through the legistation process - don't debate with developers.

The Federal Government (in the US) gave the FDA the requirement to do this in 
Federal Food, Drug, and Cosmetic Act (FD&C Act) of 1938 (amended since) - 
when people were accidently putting poisonous solvents in an "Elixir".
http://en.wikipedia.org/wiki/Elixir_Sulfanilamide

I'm glad they are there. When you go to Trader Joe's in Cambridge (or where 
ever you go for sustenance), Are you OK with the "nanny state" ensuring the 
food is safe to eat?

>     They are marketted, and purchased by end consumers (Amazon shows 
>     115 results in their search), and I would think that would make
>     them fall into the "User Products".
> 
> These are indeed User Products, and the user who buys them should have
> control over what they do.

That "nanny state" government that we live in - says otherwise.

Maybe I'm not fully understanding your position or what the intent of the GPL3 
is - but it appears to me that there is a gap between the certification 
required in some markets/products, (and how people apply these 
certifications), and the rights given to end users under the GPL3 that make 
them not compatible.

If a product is required to be locked down by a certifying authority, (whom 
ever that may be), they can't use GPL3 code. 

Your statements appear to me (to paraphrase) - those not willing to follow 
your rules should not have access to your code. And I'm completely fine with 
that. We contribute to various FSF projects that are under the GPL3 without 
any issue.

What I don't understand is the fact that the GPL3 seems to punish developers 
who are developing products for certain markets when their certifying 
authority (like the FDA) has requirements which are not compatible with the 
GPL3.

This really has nothing to do with tivoization, since in the Tivo case - they 
had no greater certification authority - and were just trying to restrict 
people's use.

>     I hope that you can respect my choice - and not try to convince me
>     or others that your choices are superior to mine.
> 
> If your mind is made up, I will not pointlessly annoy you by trying to
> convince you.  I will continue trying to convince others.

That is great - and I applaud your efforts. I think that the work you are 
doing is valuable, and the contributions you have made have been critically 
important to the free and closed software developments that people to today.

But attempting to convincing other developers your rules are the best, without 
providing the pros (more freedom for end users) and cons (developers of 
certain products/markets which have requirements contrary to the requirements 
of the GPL3 will be excluded from using future versions) seems to be a little 
duplicitous.

There is little a developer can do about changing the requirements of the FDA. 
Maybe you should be working with these types of certification authorities, 
rather than individual developers? You have a much more recognised name than 
most of the people on this list - I'm sure that you could get a meeting with 
Ms Hamburg or Aneesh Chopra before I could - and would have a bigger impact 
too...

http://www.fda.gov/AboutFDA/CommissionersPage/default.htm
http://www.usa.gov/dotgovbuzz/0509.html#dotgovspotlight

> In 1983, almost everyone thought my ideas were foolish, but I did not
> let that stop me, so now we have the GNU/Linux operating system.

I never said your ideas were foolish - I don't think I even implied it.

I wouldn't contribute to free software projects if I though the concepts were 
flawed or foolish.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    > That would be a good reason for the user not to change the software in
    > this device.  However, that does not mean he should be stopped.

    The FDA disagrees :)

Governments often oppose people's freedom.  That is why fighting for
freedom is hard.

    They add requirements to ensure they detect faulty devices. It is a fact of 
    physics that flash devices go bad over time - I'm sure even you appreciate 
    the ability to know if something in your devices is the image that you 
    thought it is, and doesn't have bit errors.

That sounds like a good feature.  But if it is done in a way that
permits the manufacturer to change the software after sale, then it
can be done in a way that permits the owner to change the software
too.

    All the "circuitry" are integrated circuits. There are very few (none) 
    external components to modify. Test strips are connected directly to the 
    measurement IC, and the measurement IC is connected directly the the 
    processor.

I did not know that.  Thank you for the information.

While I probably would not want to change my glucometer, the practice
of designing hardware so that people cannot change it is becoming more
and more of a threat to our freedom in general.

    If a product is required to be locked down by a certifying authority, (whom 
    ever that may be), they can't use GPL3 code. 

If the users' freedom is protected by GPLv3, the certifying authority
that attacks users' freedom blocks the use of this code.

While I recognize that developers who get in the middle of this battle
did not  cause the  battle, I  will not surrender  the fight  just for
their sake.

    This really has nothing to do with tivoization, since in the Tivo case - they 
    had no greater certification authority - and were just trying to restrict 
    people's use.

These companies (if I understand the facts correctly from what people
have said here) are doing the same thing to the user that tivo does,
so it is equally wrong.  The wrong is not in their motive, it is in
what they do.

Suppose there were an official certification authority for video
players.  (Hollywood could probably buy such a law if it wanted to;
Obama would be glad to sign it.)  Would that make the tivo ok?
Obviously not.

Thus, the existence of a certification authority does not alter the
concluisions about the ethical issue of tivoization.

I support effective steps to protect safety for the users of medical
devices.  But, as I've explained above, that does not require
tivoization, so it does not excuse tivoization either.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    That is great - and I applaud your efforts. I think that the work you are 
    doing is valuable, and the contributions you have made have been critically 
    important to the free and closed software developments that people to today.

If you mean that my work has contrubuted to non-free software
developments, I am not proud of that.  It is not a good thing that
people develop or use non-free software.

(I don't refer to proprietary software as "closed source", since what
I advocate is not "open source".)

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    Maybe you should be working with these types of certification authorities, 
    rather than individual developers?

I would be glad to do so.  I have no contacts in the FDA, and I am not
so famous that mere mention of my name would make them pay attention.
But maybe some of these developers could introduce me to someone
useful to talk with.  If you know them, would you like to try?

    I'm sure that you could get a meeting with 
    Ms Hamburg or Aneesh Chopra before I could

Who are they?  Can you tell me how to contact them?

    http://www.fda.gov/AboutFDA/CommissionersPage/default.htm

I will send mail to fetch that page.

If I see any chance of discussing this with them, I will at that point
want to read the relevant certifications so that I can speak with them
fully briefed.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    BTW, thanks for that, and GCC, and all that follows...

I am glad it is useful.  I hope people will recall once in a while
that I did this so that users could control their computing.  I wrote
the GNU GPL (all versions) towards this same end.

[U-Boot] U-book and GPLv3? (fwd)

[Robin Getz]

On Tue 30 Jun 2009 15:12, Richard Stallman pondered:
> 
>     That is great - and I applaud your efforts. I think that the work
>     you are doing is valuable, and the contributions you have made have
>     been critically important to the free and closed software developments
>     that people to today. 
> 
> If you mean that my work has contrubuted to non-free software
> developments, I am not proud of that.  It is not a good thing that
> people develop or use non-free software.

Not to go down a rat hole - but as a normal part of development of non-free 
software, people use emacs, gcc, and gdb all the time - you aren't proud of 
the contributions you made to those projects?


I was trying to say that your efforts have changed the face of computing in 
general, in both that it has created the "free" and "non-free" software 
software categories, and helped inform users of their freedoms they should be 
expecting. 


To use someone else's words - an IDC 2006 study "Open Source in Global 
Software: Market Impact, Disruption, and Business Models" described free 
software and open source as "the most significant all-encompassing and 
long-term trend that the software industry has seen since the early 1980s" 
and found that over 70 percent of all developers are leveraging open-source 
and free software.

In any movement - there needs to be the golden standard - that is unwavering 
in its ethics and standards. Not everyone likes that standard - but it needs 
to be there. 

[U-Boot] U-book and GPLv3? (fwd)

[Robin Getz]

On Tue 30 Jun 2009 15:12, Richard Stallman pondered:
> While I probably would not want to change my glucometer, the practice
> of designing hardware so that people cannot change it is becoming more
> and more of a threat to our freedom in general.

It is simple economics - it is about consumers making choices.

Most people in the general public don't _want_ to change anything, so they buy 
the cheapest unit. The price of that unit drops as the volume goes up. The 
suppliers compete, and integrate more into their ICs. The price drops more, 
and consumers line up to buy more, since the price is now cheaper.

People don't know what they are loosing if they don't know it exists.


>     If a product is required to be locked down by a certifying authority,
>     (whom ever that may be), they can't use GPL3 code. 
> 
> If the users' freedom is protected by GPLv3, the certifying authority
> that attacks users' freedom blocks the use of this code.
>
> While I recognize that developers who get in the middle of this battle
> did not  cause the  battle, I  will not surrender  the fight  just for
> their sake.

So understand where the fight needs to take place. It's not at the developer 
level - its at the regulator level.

>     This really has nothing to do with tivoization, since in the Tivo
>     case - they had no greater certification authority - and were 
>     just trying to restrict people's use.
> 
> These companies (if I understand the facts correctly from what people
> have said here) are doing the same thing to the user that tivo does,
> so it is equally wrong.  The wrong is not in their motive, it is in
> what they do.
> 
> Suppose there were an official certification authority for video
> players.  (Hollywood could probably buy such a law if it wanted to;
> Obama would be glad to sign it.)  Would that make the tivo ok?
> Obviously not.
>
> Thus, the existence of a certification authority does not alter the
> concluisions about the ethical issue of tivoization.

So - why does the the GPL3 have an out for networking? (which is going to be 
abused).

From the GPL3:
> Access to a network may be denied when the modification itself materially
> and adversely affects the operation of the network or violates the rules
> and protocols for communication across the network.  

I can't see how someone can deny access to the network, while still allowing 
anyone's software to be run on the device, without some sort of key system in 
the networking hardware - is that what you had in mind?


> I support effective steps to protect safety for the users of medical
> devices.  But, as I've explained above, that does not require
> tivoization, so it does not excuse tivoization either.

I understand the moral dilemma, and your viewpoint. Unfortunately, no one who 
writes the standards is asking my (or anyone on this list's) opinion of what 
the certification process is.

-Robin

[U-Boot] U-book and GPLv3? (fwd)

[Robin Getz]

On Tue 30 Jun 2009 15:12, Richard Stallman pondered:
> 
>     Maybe you should be working with these types of certification
>     authorities, rather than individual developers?
> 
> I would be glad to do so.  I have no contacts in the FDA, and I am not
> so famous that mere mention of my name would make them pay attention.
>
> But maybe some of these developers could introduce me to someone
> useful to talk with.  If you know them, would you like to try?

Can't promise much - but I can poke around.

>     I'm sure that you could get a meeting with 
>     Ms Hamburg or Aneesh Chopra before I could
> 
> Who are they?  Can you tell me how to contact them?

Aneesh Chopra was Virginia?s Fourth Secretary of Technology, and has recently 
been sworn in as the Federal CTO.

http://radar.oreilly.com/2009/04/aneesh-chopra-great-federal-cto.html


>     http://www.fda.gov/AboutFDA/CommissionersPage/default.htm
> 
> I will send mail to fetch that page.
> 
> If I see any chance of discussing this with them, I will at that point
> want to read the relevant certifications so that I can speak with them
> fully briefed.

[U-Boot] U-book and GPLv3? (fwd)

[Jerry Van Baren]

Jerry Van Baren wrote:
> The discussion has mostly been emotional to date.  Here are some 
> statistics (not necessarily perfect, but pretty close)...
> 
> Total number of files (after removing the .git files):
> $ find . -type f | wc -l
> 6055
> 
> Number of files that are identified as being copyrighted:
> $ grep -l -i -r 'Copyright' * | wc -l
> 5173
> 
> List of files with copyrights:
> $ grep -l -i -r 'Copyright' * | sort > ~/ucopy.txt
> 
> List of all files:
> $ find . -type f | sed 's/.\///' | sort > ~/ufiles.txt
> 
> List of files *WITHOUT* the string "copyright" in them:
> $ comm -3 ~/ufiles.txt ~/ucopy.txt > ~/nocopyright.txt
> 
> Of the above, 130 of the files have the GPL in the header but not the 
> string "copyright" - incomplete headers:
> for file in `cat ~/nocopyright.txt` ; do grep -il 'General Public 
> License' $file ; done | wc -l
> 130
> 
> ---------------------------------------------------------------------

Improving my fingerprinting (thanks, Scott):

Total number of files that are GPLv2.  Sometimes the FSF and GPL strings 
are split across lines.  This assumes that one of the two strings is all 
on one line.  Still simplistic, but less so.

Another important disclaimer: a lot of the GPLv2-ONLY files come from 
the linux kernel (see the list below).  If and when we move to the 
U-Boot v2 driver interface, where we will be able to use linux drivers 
more easily, the number of GPLv2-ONLY driver files will likely increase.

$ grep -i -l -r 'Free Software Foundation' * | sort > ufsf.txt
$ grep -i -l -r 'General Public License' * | sort > ugpl.txt
$ cat ufsf.txt ugpl.txt | sort -u > ugplv2.txt

$ wc -l ugplv2.txt
4798 ugplv2.txt


$ cat ugplv2.txt | xargs grep 'either version 2' | awk '{print $1}' | 
sed 's/:#*//' > ugplv2-or-later.txt

$ wc -l ugplv2-or-later.txt
4539 ugplv2-or-later.txt

$ for file in `cat ugplv2.txt` ; do grep -il 'version 2' $file ; done | 
wc -l
4763


Looking for GPLv2 ONLY files (has some false positives):
$ comm -23 ugplv2.txt ugplv2-or-later.txt > ugplv2-only.txt

After reviewing the files, I come up with 233 GPLv2-only files:
$ wc -l ugplv2-only.txt
233 ugplv2-only.txt

$ cat ugplv2-only.txt
board/amirix/ap1000/ap1000.c
board/amirix/ap1000/ap1000.h
board/amirix/ap1000/init.S
board/atum8548/ddr.c
board/freescale/common/pq-mds-pib.c
board/freescale/common/pq-mds-pib.h
board/freescale/mpc8323erdb/mpc8323erdb.c
board/freescale/mpc8536ds/ddr.c
board/freescale/mpc8540ads/ddr.c
board/freescale/mpc8541cds/ddr.c
board/freescale/mpc8544ds/ddr.c
board/freescale/mpc8548cds/ddr.c
board/freescale/mpc8555cds/ddr.c
board/freescale/mpc8560ads/ddr.c
board/freescale/mpc8568mds/ddr.c
board/freescale/mpc8569mds/ddr.c
board/freescale/mpc8572ds/ddr.c
board/freescale/mpc8610hpcd/ddr.c
board/freescale/mpc8641hpcn/ddr.c
board/freescale/p2020ds/ddr.c
board/linkstation/hwctl.c
board/micronas/vct/smc_eeprom.c
board/ml2/flash.c
board/ml2/init.S
board/ml2/ml2.c
board/mpc8540eval/ddr.c
board/mvblue/mvblue.c
board/netstar/crcek.S
board/netstar/eeprom.c
board/netstar/eeprom_start.S
board/pm854/ddr.c
board/pm856/ddr.c
board/sbc8548/ddr.c
board/sbc8560/ddr.c
board/sbc8641d/ddr.c
board/socrates/ddr.c
board/stxgp3/ddr.c
board/stxssa/ddr.c
board/voiceblue/eeprom.c
board/voiceblue/eeprom_start.S
board/voiceblue/Makefile
board/voiceblue/setup.S
board/voiceblue/voiceblue.c
board/xes/xpedite5200/ddr.c
common/cmd_onenand.c
common/cmd_ubi.c
common/ddr_spd.c
cpu/arm926ejs/omap/cpuinfo.c
cpu/mpc85xx/ddr-gen1.c
cpu/mpc85xx/ddr-gen2.c
cpu/mpc85xx/ddr-gen3.c
cpu/mpc86xx/ddr-8641.c
cpu/mpc86xx/fdt.c
cpu/mpc8xxx/ddr/common_timing_params.h
cpu/mpc8xxx/ddr/ctrl_regs.c
cpu/mpc8xxx/ddr/ddr1_dimm_params.c
cpu/mpc8xxx/ddr/ddr2_dimm_params.c
cpu/mpc8xxx/ddr/ddr3_dimm_params.c
cpu/mpc8xxx/ddr/ddr.h
cpu/mpc8xxx/ddr/lc_common_dimm_params.c
cpu/mpc8xxx/ddr/main.c
cpu/mpc8xxx/ddr/Makefile
cpu/mpc8xxx/ddr/options.c
cpu/mpc8xxx/ddr/util.c
drivers/bios_emulator/atibios.c
drivers/bios_emulator/besys.c
drivers/gpio/pca953x.c
drivers/i2c/fsl_i2c.c
drivers/misc/ds4510.c
drivers/mmc/omap3_mmc.c
drivers/mmc/pxa_mmc.h
drivers/mtd/mtdcore.c
drivers/mtd/nand/nand_base.c
drivers/mtd/nand/nand_bbt.c
drivers/mtd/nand/nand.c
drivers/mtd/nand/nand_ids.c
drivers/mtd/nand/nand_util.c
drivers/mtd/onenand/onenand_base.c
drivers/mtd/onenand/onenand_bbt.c
drivers/mtd/onenand/onenand_uboot.c
drivers/mtd/ubi/crc32.c
drivers/net/5701rls.c
drivers/net/5701rls.h
drivers/net/ax88180.c
drivers/net/ax88180.h
drivers/net/bcm570x_autoneg.c
drivers/net/bcm570x_autoneg.h
drivers/net/bcm570x_bits.h
drivers/net/bcm570x_debug.h
drivers/net/bcm570x_lm.h
drivers/net/bcm570x_mm.h
drivers/net/bcm570x_queue.h
drivers/net/dnet.c
drivers/net/dnet.h
drivers/net/natsemi.c
drivers/net/nicext.h
drivers/net/ns8382x.c
drivers/net/tigon3.c
drivers/net/tigon3.h
drivers/net/vsc7385.c
drivers/pci/fsl_pci_init.c
drivers/rtc/rs5c372.c
drivers/serial/arm_dcc.c
drivers/usb/host/ehci-core.h
drivers/usb/host/ehci.h
drivers/usb/host/ehci-hcd.c
drivers/usb/host/ehci-pci.c
drivers/usb/host/r8a66597.h
drivers/usb/host/r8a66597-hcd.c
drivers/usb/musb/musb_core.h
examples/82559_eeprom.c
examples/eepro100_eeprom.c
fs/cramfs/cramfs.c
fs/cramfs/uncompress.c
fs/jffs2/compr_rtime.c
fs/jffs2/compr_rubin.c
fs/jffs2/compr_zlib.c
fs/jffs2/jffs2_1pass.c
fs/ubifs/budget.c
fs/ubifs/crc16.c
fs/ubifs/crc16.h
fs/ubifs/debug.c
fs/ubifs/debug.h
fs/ubifs/io.c
fs/ubifs/key.h
fs/ubifs/log.c
fs/ubifs/lprops.c
fs/ubifs/lpt.c
fs/ubifs/lpt_commit.c
fs/ubifs/master.c
fs/ubifs/misc.h
fs/ubifs/orphan.c
fs/ubifs/recovery.c
fs/ubifs/replay.c
fs/ubifs/sb.c
fs/ubifs/scan.c
fs/ubifs/super.c
fs/ubifs/tnc.c
fs/ubifs/tnc_misc.c
fs/ubifs/ubifs.c
fs/ubifs/ubifs.h
fs/ubifs/ubifs-media.h
fs/yaffs2/devextras.h
fs/yaffs2/Makefile
fs/yaffs2/yaffscfg.c
fs/yaffs2/yaffscfg.h
fs/yaffs2/yaffs_checkptrw.c
fs/yaffs2/yaffs_checkptrw.h
fs/yaffs2/yaffs_ecc.c
fs/yaffs2/yaffs_ecc.h
fs/yaffs2/yaffs_flashif.h
fs/yaffs2/yaffsfs.c
fs/yaffs2/yaffsfs.h
fs/yaffs2/yaffs_guts.c
fs/yaffs2/yaffs_guts.h
fs/yaffs2/yaffsinterface.h
fs/yaffs2/yaffs_malloc.h
fs/yaffs2/yaffs_mtdif2.c
fs/yaffs2/yaffs_mtdif2.h
fs/yaffs2/yaffs_mtdif.c
fs/yaffs2/yaffs_mtdif.h
fs/yaffs2/yaffs_nand.c
fs/yaffs2/yaffs_nandemul2k.h
fs/yaffs2/yaffs_nand.h
fs/yaffs2/yaffs_packedtags1.c
fs/yaffs2/yaffs_packedtags1.h
fs/yaffs2/yaffs_packedtags2.c
fs/yaffs2/yaffs_packedtags2.h
fs/yaffs2/yaffs_qsort.h
fs/yaffs2/yaffs_ramdisk.h
fs/yaffs2/yaffs_tagscompat.c
fs/yaffs2/yaffs_tagscompat.h
fs/yaffs2/yaffs_tagsvalidity.c
fs/yaffs2/yaffs_tagsvalidity.h
fs/yaffs2/ydirectenv.h
fs/yaffs2/yportenv.h
include/addr_map.h
include/asm-arm/arch-ixp/ixp425.h
include/asm-arm/arch-omap3/mmc.h
include/asm-arm/arch-omap3/mmc_host_def.h
include/asm-arm/arch-pxa/hardware.h
include/asm-arm/arch-pxa/pxa-regs.h
include/asm-arm/atomic.h
include/asm-arm/hardware.h
include/asm-arm/io.h
include/asm-arm/memory.h
include/asm-arm/posix_types.h
include/asm-arm/proc-armv/domain.h
include/asm-arm/proc-armv/processor.h
include/asm-arm/proc-armv/ptrace.h
include/asm-arm/proc-armv/system.h
include/asm-arm/processor.h
include/asm-arm/setup.h
include/asm-m68k/fsl_i2c.h
include/asm-ppc/fsl_ddr_dimm_params.h
include/asm-ppc/fsl_ddr_sdram.h
include/asm-ppc/fsl_dma.h
include/asm-ppc/fsl_i2c.h
include/asm-ppc/mpc8xxx_spi.h
include/asm-sh/io.h
include/bcd.h
include/configs/AP1000.h
include/configs/ML2.h
include/configs/MPC8323ERDB.h
include/configs/MPC8610HPCD.h
include/configs/voiceblue.h
include/ddr_spd.h
include/ds4510.h
include/jffs2/jffs2.h
include/linux/mc146818rtc.h
include/linux/mtd/bbm.h
include/linux/mtd/nand_ecc.h
include/linux/mtd/nand.h
include/linux/mtd/nand_ids.h
include/linux/mtd/nand_legacy.h
include/linux/mtd/ndfc.h
include/linux/mtd/onenand.h
include/linux/mtd/onenand_regs.h
include/nand.h
include/onenand_uboot.h
include/pca953x.h
include/pcmcia/cirrus.h
include/pcmcia/i82365.h
include/pcmcia/ss.h
include/pcmcia/ti113x.h
include/pcmcia/yenta.h
include/sha1.h
include/spi_flash.h
include/ubi_uboot.h
include/usb/omap1510_udc.h
include/vsc7385.h
lib_generic/addr_map.c
lib_generic/sha1.c



Files that have incomplete GPL license statements in their headers 
(typically missing which version of GPL applies).  The Broadcom (bcm*.*) 
files mention GPL and reference the gentle reader to a file "LICENSE" 
for more information, but we don't have a "LICENSE" file, much less 
/their/ "LICENSE" file.

board/linkstation/hwctl.c
board/mvblue/mvblue.c
drivers/net/5701rls.c
drivers/net/5701rls.h
drivers/net/bcm570x_autoneg.c
drivers/net/bcm570x_autoneg.h
drivers/net/bcm570x_bits.h
drivers/net/bcm570x_debug.h
drivers/net/bcm570x_lm.h
drivers/net/bcm570x_mm.h
drivers/net/bcm570x_queue.h
drivers/net/natsemi.c
drivers/net/nicext.h
drivers/net/ns8382x.c
drivers/net/tigon3.c
drivers/net/tigon3.h
examples/82559_eeprom.c
examples/eepro100_eeprom.c
lib_ppc/ppcstring.S

LzmaDecode.[ch] is dual licensed LGPL and Common Public License (CPL), 
but the version of LGPL or CPL is not specified.  Ahh, the directory has 
a file lib_generic/lzma/LGPL.txt that specifies LGPL 2.1 or later.

lib_generic/lzma/LzmaDecode.c
lib_generic/lzma/LzmaDecode.h


Trivia: There are a few dual-licensed with MPL:
include/pcmcia/cirrus.h
include/pcmcia/i82365.h
include/pcmcia/ss.h
include/pcmcia/ti113x.h
include/pcmcia/yenta.h

...and some dual-licensed with the Red Hat eCos Public License:
board/cogent/lcd.c
board/cogent/lcd.h
fs/jffs2/compr_rtime.c
fs/jffs2/compr_rubin.c
fs/jffs2/compr_zlib.c
fs/jffs2/jffs2_1pass.c
include/jffs2/jffs2.h

[snip]

Best regards,
gvb

[U-Boot] U-book and GPLv3? (fwd)

[Thomas Dörfler]

Richard,

Richard Stallman wrote:

> 
> While I probably would not want to change my glucometer, the practice
> of designing hardware so that people cannot change it is becoming more
> and more of a threat to our freedom in general.

Can you be a bit more specific on this? Which devices are you aware of,
that use GPLv2 code and avoid an update? Except the once we were
discussing here where it is questionable wheter the user actual should
refrain from doing so, like medical devices and safety critical devices?

We heard about Tivo, but what other devices are there? Or are we talking
about a possibility which has already outworn itself (like DRM media,
which seem to be getting more and more unpolular)?

wkr,
Thomas.

-- 

--------------------------------------------
Embedded Brains GmbH
Thomas Doerfler        Obere Lagerstrasse 30
D-82178 Puchheim       Germany
email: Thomas.Doerfler at embedded-brains.de
Phone: +49-89-18908079-2
Fax:   +49-89-18908079-9

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    Not to go down a rat hole - but as a normal part of development of non-free 
    software, people use emacs, gcc, and gdb all the time - you aren't proud of 
    the contributions you made to those projects?

Yes, I am, but not because they help proprietary software.

What I set out to change is not the face of computing
but rather its ethical heart.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    Aneesh Chopra was Virginia s Fourth Secretary of Technology, and has recently 
    been sworn in as the Federal CTO.

I doubt I could get an appointment with such a high-ranked "public
servant" without help from a high-ranked public master (businessman).
But we can try.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    I can't see how someone can deny access to the network, while still allowing 
    anyone's software to be run on the device, without some sort of key system in 
    the networking hardware - is that what you had in mind?

This is aimed at cell phone networks: it recognizes they are allowed
to make the network refuse to talk to a phone if the users's changes
cause the phone to screw up the network.

[U-Boot] U-book and GPLv3? (fwd)

[Graeme Russ]

On Wed, Jul 1, 2009 at 9:46 PM, Richard Stallman<rms@gnu.org> wrote:
>    I can't see how someone can deny access to the network, while still allowing
>    anyone's software to be run on the device, without some sort of key system in
>    the networking hardware - is that what you had in mind?
>
> This is aimed at cell phone networks: it recognizes they are allowed
> to make the network refuse to talk to a phone if the users's changes
> cause the phone to screw up the network.

Interesting, you allow the hardware & software designer to apply restrictions
on the end user because their changes could 'screw up a network' but do not
believe that the same restrictions apply when the changes could 'kill the
user'

I admire your efforts with the GPL in version 3 in order to stop a blatant
abuse of free software. However, I agree with many others in this thread,
there are cases where GPL3 went just a little too far. I think GPL3 should
have stopped where legislation requires that the software running on the
device be certified.

I know you fear 'Big Corporations' pushing around governments to pass
legislation like 'All Media Players must only allow software developed by
the manufacturer of the device' and 'Any attempt to reverse engineer audio or
video Codecs for use on non-proprietary systems is punishable by xyz'. But
this is where advocates like yourself really need to stand tall - This
argument goes way beyond Software Freedom - It bleeds into Copyright and
Patents on algorithms, business methods, mathematical formula, DNA,
arbitrary ideas - the list goes on. You seem a little reluctant to take
this battle to this second (and arguably far more important) front.

You have done a marvelous job of changing the attitudes of individuals and
corporations towards software development. There are only a few pockets of
resistance that fail to grok the fact that the more people can play with
your code, the better it becomes at a fraction of the price. These pockets
reacted by 'Tivosation' and 'Patents' - You tried to counter-punch by
saying 'You are not allowed to be part of our community' rather than doing
what you did with the source code - Prove that the system works better
without the restrictions - Make the restrictions an encumbrance on those
that embrace them just like the the non-free developers are now
encumbered by not embracing software freedom

[U-Boot] U-book and GPLv3? (fwd)

[Jerry Van Baren]

Graeme Russ wrote:
> On Wed, Jul 1, 2009 at 9:46 PM, Richard Stallman<rms@gnu.org> wrote:
>>    I can't see how someone can deny access to the network, while still allowing
>>    anyone's software to be run on the device, without some sort of key system in
>>    the networking hardware - is that what you had in mind?
>>
>> This is aimed at cell phone networks: it recognizes they are allowed
>> to make the network refuse to talk to a phone if the users's changes
>> cause the phone to screw up the network.
> 
> Interesting, you allow the hardware & software designer to apply restrictions
> on the end user because their changes could 'screw up a network' but do not
> believe that the same restrictions apply when the changes could 'kill the
> user'

The network restriction makes an explicit distinction at an ownership 
boundary.

The network statement quoted by Robin is:
> From the GPL3:
>> > Access to a network may be denied when the modification itself materially
>> > and adversely affects the operation of the network or violates the rules
>> > and protocols for communication across the network.  

Note that the network is owned by the service provider, *not* the end 
user.  The end user is free to modify his gadget to his heart's content, 
but the service provider is *also* free to disallow that modified gadget 
from interacting with his (the service provider's) network.  In other 
words, the modification permissiveness boundary matches the ownership 
boundary.

Mapping this concept to the gaming world, I would say that gaming 
machine owners should be allowed the freedom to modify a gaming machine, 
but the casino (governmental regulatory agency) would also be free to 
disallow paying out any winnings to that machine.  Public access to the 
modified machine should not be allowed because that crosses the 
ownership boundary.  IOW, if *you* game the machine, *you* can play to 
*your* heart's content, but but the gaming (in both senses) is bounded 
at the machine's boundary and the ownership boundary.

Mapping this to the medical world, you should be free to modify the 
firmware in medical devices 1) that you own and 2) are only used by 
yourself, as owner.  Beyond that, there are already enough disclaimers 
that adding another disclaimer "if you rewrite this firmware, you could 
kill yourself" would be simple to add. Percentage-wise, it would 
probably add 1% to the pages of disclaimers already present.

There are already innumerable ways of harming (many ways fatally) 
oneself with medicines and medical equipment and these are already 
(theoretically) exhaustively listed.  When I pick up a subscription from 
a pharmacy, I am forced to wait for the pharmacist to make sure I 
"understand" the pages of how I could do myself great bodily harm and 
*literally* sign a document that I was instructed in the dangers.  Add a 
firmware modification disclaimer and you are all set... theoretically.

The classic warning sticker example is stepladders:
   <http://www.michigan.gov/documents/cis_wsh_cet0403_103227_7.pdf>
Note that there is no interlock to prevent you from using the stepladder 
as a straight ladder or from using it on uneven slopes.
<tongueincheek>
Stepladder safety interlocks could be created - just think how much the 
world would save in emergency room costs if we eradicated stepladder 
injuries.
</tongueincheek>

A related classic:
<http://1.bp.blogspot.com/_XEQbaTzjzsw/SGDiFJSSyyI/AAAAAAAAB5o/0NbNlsZI_5o/s320/unsafe+ladder+on+truck.jpg>

[snip]

Best regards,
gvb

[U-Boot] U-book and GPLv3? (fwd)

[Robin Getz]

On Wed 1 Jul 2009 07:45, Richard Stallman pondered:
> 
>     Not to go down a rat hole - but as a normal part of development of
>     non-free software, people use emacs, gcc, and gdb all the time - 
>     you aren't proud of the contributions you made to those projects?
> 
> Yes, I am, but not because they help proprietary software.

http://www.fsf.org/licensing/licenses/gpl-faq.html#CanIUseGPLToolsForNF

> As it happens, Bison can also be used to develop non-free programs. This is
> because we decided to explicitly permit the use of the Bison standard
> parser program in Bison output files without restriction. We made the
> decision because there were other tools comparable to Bison which already
> permitted use for non-free programs.

If you aren't happy that they help proprietary software - why not change the 
license to make it so? You recently had the chance to do that with the gcc 
runtime libraries - but you (or the FSF/GCC steering committee) also decided 
not to.

http://www.fsf.org/licensing/licenses/gcc-exception-faq.html
> However, the FSF decided long ago to allow developers to use GCC's
> libraries to compile any program, regardless of its license.
[snip]
> We decided to permit this because forbidding it seemed likely to 
> backfire, and because using small libraries to limit the use of GCC seemed
> like the tail wagging the dog.

I don't understand the how on one hand there is the "uncompromising attitude 
on ethical issues" (at least according to wikipedia) - but the FSF decides 
the practical considerations for other projects - "the tail wagging the dog".

How is the certification authority issue - whether is is a cell carrier (which 
the GPL3 says is an acceptable certification authority) and the FDA (which 
the GPL3 does not say is acceptable) determine when something is the tail or 
the dog?

I just don't understand the difference?

-Robin

[U-Boot] U-book and GPLv3? (fwd)

[Robin Getz]

On Wed 1 Jul 2009 07:46, Richard Stallman pondered:
> 
>     I can't see how someone can deny access to the network, while still
>     allowing anyone's software to be run on the device, without some sort
>     of key system in the networking hardware - is that what you had in mind?
> 
> This is aimed at cell phone networks: it recognizes they are allowed
> to make the network refuse to talk to a phone if the users's changes
> cause the phone to screw up the network.

There is a difference between the network not talking to you, and you not able 
to be on the network.

> Access to a network may be denied when the modification itself materially
> and adversely affects the operation of the network or violates the rules
> and protocols for communication across the network.

The way I read that is that it is the unit you are on will have it's radio 
off, and you will not be able to use it, not the network will not talk to 
you.

You could apply the same thing to VoIP phones...

When XXXX manufacture makes a VoIP phone, they test it against various 
networking tests (all internal, since they are not required to release this 
info) to make sure that it acts "properly" on the network. They sign this 
image to make sure that flash is not failing. If something doesn't match the 
signature - how can the manufacture believe that is doesn't violate the rules 
or protocols of ethernet? So - it denies access to the network - by not 
booting that image. That is the only way that they can deny access to the 
network all SoC variations that I'm familiar with.

This is in no way trying to interperate the GPL3 for others (that is for 
lawyers to do) - but just a question from an interested developer - to me - 
it seems like tivo all over again. All Tivo needs to do is just make the 
network a piece of their application - and they have an out...

-Robin

[U-Boot] U-book and GPLv3? (fwd)

[Pink Boy]

Robin Getz sez,


> This is in no way trying to interperate the GPL3 for others (that is for 
> lawyers to do) - but just a question from an interested developer - to me - 
> it seems like tivo all over again. All Tivo needs to do is just make the 
> network a piece of their application - and they have an out...

I have an example using gambling machines.  Say I have a friend 
Don Drakulich who runs a small peep show empire and has bought
a five hundred slot machines from a defunct Los Vegas Casino. 
Don Drakulich thinks of himself as and honest businessman, meaning
he has free and clear title to these machines having bought them at
an auction.  And why he plans on repurposing them as adult video
peep show consoles.

They're perfect being based on slightly modified open source dev board
running Linux. But however they have 'secure boot' so he can't modify
the software so that they can legally be used in his peep show booths.

But then again because his software developer has contacts with a
board assembly house, he is able to get the secure boot processors
replaced at a mere cost of $20 per unit or $10,000 for the lot.  No big
deal.

So it sounds to me that secure boot has merely annoyed honset guys
like Don.  And not even slowed down the Serbian Mafia because they 
have a couple of their software guys working for a slot machine 
manufacturer.

But you're made it hard for someone who casually comes into 
possession  of a slot machine to re-purpose it as say a video jukebox.

Also if anyone is still reading at this point I'll say this having worked on
industrial controls that can both kill people or cause expensive damage
to machines, equipment and product.  The general trend is that the safety 
monitoring system must be separate from the command and control system.

IE, the PLC can try to turn on the $100,000 vacuum pump when the oil level 
is too low, but the safety interlock won't let the pump turn on.  That's the 
world I come out of and it's why I find all of the GPL-V3 will negative impact
product safety arguements lacking.  And why I can assure you that none 
of the people involved in those industries care about the GPL.

And I'll say this, if you are primarily relying on a piece of software to prevent 
injury or death you really need to rethink what you are doing.  For a good
example of what can happen one can view this US Chemical Safety Board
report on a accident that occurred at at facility involving controls that I 
personally worked on.

http://www.chemsafety.gov/investigations/detail.aspx?SID=30

Matt Harper.
Tehama Wireless.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    > As it happens, Bison can also be used to develop non-free programs. This is
    > because we decided to explicitly permit the use of the Bison standard
    > parser program in Bison output files without restriction. We made the
    > decision because there were other tools comparable to Bison which already
    > permitted use for non-free programs.

    If you aren't happy that they help proprietary software - why not change the 
    license to make it so? You recently had the chance to do that with the gcc 
    runtime libraries - but you (or the FSF/GCC steering committee) also decided 
    not to.

I have a feeling those actions would backfire.  Proprietary software
is always bad, but that doesn't mean every possible attack against
proprietary software is always good.

    http://www.fsf.org/licensing/licenses/gcc-exception-faq.html
    > We decided to permit this because forbidding it seemed likely to 
    > backfire, and because using small libraries to limit the use of GCC seemed
    > like the tail wagging the dog.

    I don't understand the how on one hand there is the "uncompromising attitude 
    on ethical issues" (at least according to wikipedia) - but the FSF decides 
    the practical considerations for other projects - "the tail wagging the dog".

The decision being discussed in that page is a decision for GCC, not a
decision "for other projects".  (We can't decide for other projects.)
The text describes why we did not put a stronger condition in a
certain GCC license.

    How is the certification authority issue - whether is is a cell carrier (which 
    the GPL3 says is an acceptable certification authority) and the FDA (which 
    the GPL3 does not say is acceptable) determine when something is the tail or 
    the dog?

This has wandered rather far away from what the GPL says and from what
I said.  A cell phone carrier is not a certification authority, but
the question is irrelevant to GPLv3 since it gives no special
privilege to certification authorities.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    > Access to a network may be denied when the modification itself materially
    > and adversely affects the operation of the network or violates the rules
    > and protocols for communication across the network.

    The way I read that is that it is the unit you are on will have it's radio 
    off,

I think you have misinterpreted those words.  Denying a user or a
machine access to a network means cutting off communication in the
network, not altering the machine.

This clause is not an exception to the requirement for installation
information.  Cell phones must offer installation information just like
other User Products.

This clause says that, if a phone network operator sells you a phone
with GPLv3-covered code, it does not thereby promise to continue
trying providing service to the phone if your changes cause it not
violate protocols and mess up network service.  The operator is
allowed to cut off service for this phone as it would any other
malfunctioning phone.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    > While I probably would not want to change my glucometer, the practice
    > of designing hardware so that people cannot change it is becoming more
    > and more of a threat to our freedom in general.

    Can you be a bit more specific on this? Which devices are you aware of,
    that use GPLv2 code and avoid an update?

This is a partial miscommunication -- I was talking more generally of
designing hardware so that people cannot change it, so it controls
them.  Sometimes the hardware might contain tivoized software too, but
that is an evil we already understand.  The point that just struck me
is that the hardware can be a system of control even aside from
possible tivoization.

But I don't have a list of examples.

    about a possibility which has already outworn itself (like DRM media,
    which seem to be getting more and more unpolular)?

I wish we could regard DRM as a fading threat.  In music we see a
retreat from DRM, but in e-books the threat is increasing.

I hope that our campaign against DRM is succeeding in building
opposition.  See DefectiveByDesign.org if you want to participate.

[U-Boot] U-book and GPLv3? (fwd)

[Jon Smirl]

On Thu, Jul 2, 2009 at 9:56 AM, Richard Stallman<rms@gnu.org> wrote:
> ? ?about a possibility which has already outworn itself (like DRM media,
> ? ?which seem to be getting more and more unpolular)?
>
> I wish we could regard DRM as a fading threat. ?In music we see a
> retreat from DRM, but in e-books the threat is increasing.
>
> I hope that our campaign against DRM is succeeding in building
> opposition. ?See DefectiveByDesign.org if you want to participate.

You'd make me happy if I was able to access cable TV signals I have
paid for without DRM. I can't stand having to rent cable boxes
everywhere for the sole purpose of decoding DRM that I don't want.

> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> http://lists.denx.de/mailman/listinfo/u-boot
>



-- 
Jon Smirl
jonsmirl at gmail.com

[U-Boot] U-book and GPLv3? (fwd)

[Robin Getz]

On Thu 2 Jul 2009 09:56, Richard Stallman pondered:
> 
>     > Access to a network may be denied when the modification itself
>     > materially and adversely affects the operation of the network
>     > or violates the rules and protocols for communication across
>     > the network. 
> 
>     The way I read that is that it is the unit you are on will have it's
>     radio off,
> 
> I think you have misinterpreted those words.  Denying a user or a
> machine access to a network means cutting off communication in the
> network, not altering the machine.

If the cell phone operator's "rule" says that operating of a modified device 
should not effect non-modified devices in close proximity (jamming - which I 
think meets the "materially and adversely affects the operation of the 
network" statement) - in a TDMA network (like GSM is) - the only way to 
enforce that rule - is on the client side - not on the network side. There is 
nothing on the network side you can do to stop that that I'm aware of.

I'm aware that most devices today separate the datapump and the application 
processor, but this doesn't seem to be the trend - the trend is run both on 
the same CPU (as it decreases the cost).

> This clause is not an exception to the requirement for installation
> information.  Cell phones must offer installation information just like
> other User Products.

Right - but the cell phone provider should have the ability to alter the state 
of the device (not allow the radio to be turned on), so it can't "adversely 
affects the operation of the network" - shouldn't they?

Or is this where one person's freedom (the ability to modify their phone, and 
turn it into a jamming device), is more important than the freedom of 
everyone else to actually use their phones on the same network. (Which 
actually - wouldn't be a completely bad idea - when I have been standing near 
someone talking too loud into their phone in a public place, I often wish for 
a jam the network app on my phone :)

[U-Boot] U-book and GPLv3? (fwd)

[Mike Frysinger]

On Thursday 02 July 2009 10:44:39 Jon Smirl wrote:
> On Thu, Jul 2, 2009 at 9:56 AM, Richard Stallman<rms@gnu.org> wrote:
> >    about a possibility which has already outworn itself (like DRM media,
> >    which seem to be getting more and more unpolular)?
> >
> > I wish we could regard DRM as a fading threat.  In music we see a
> > retreat from DRM, but in e-books the threat is increasing.
> >
> > I hope that our campaign against DRM is succeeding in building
> > opposition.  See DefectiveByDesign.org if you want to participate.
>
> You'd make me happy if I was able to access cable TV signals I have
> paid for without DRM. I can't stand having to rent cable boxes
> everywhere for the sole purpose of decoding DRM that I don't want.

i'm fairly certain you can sue over that.  i recall comcast or charter or some 
other large cable company getting spanked because they forced a lock in to 
their cable boxes thus preventing the consumer from using any other cable box 
provider.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090702/ca11c674/attachment.pgp 

[U-Boot] U-book and GPLv3? (fwd)

[Larry Johnson]

Robin Getz wrote:
> On Thu 2 Jul 2009 09:56, Richard Stallman pondered:
>>     > Access to a network may be denied when the modification itself
>>     > materially and adversely affects the operation of the network
>>     > or violates the rules and protocols for communication across
>>     > the network. 
>>
>>     The way I read that is that it is the unit you are on will have it's
>>     radio off,
>>
>> I think you have misinterpreted those words.  Denying a user or a
>> machine access to a network means cutting off communication in the
>> network, not altering the machine.
> 
> If the cell phone operator's "rule" says that operating of a modified device 
> should not effect non-modified devices in close proximity (jamming - which I 
> think meets the "materially and adversely affects the operation of the 
> network" statement) - in a TDMA network (like GSM is) - the only way to 
> enforce that rule - is on the client side - not on the network side. There is 
> nothing on the network side you can do to stop that that I'm aware of.
> 
> I'm aware that most devices today separate the datapump and the application 
> processor, but this doesn't seem to be the trend - the trend is run both on 
> the same CPU (as it decreases the cost).
> 
>> This clause is not an exception to the requirement for installation
>> information.  Cell phones must offer installation information just like
>> other User Products.
> 
> Right - but the cell phone provider should have the ability to alter the state 
> of the device (not allow the radio to be turned on), so it can't "adversely 
> affects the operation of the network" - shouldn't they?
> 
> Or is this where one person's freedom (the ability to modify their phone, and 
> turn it into a jamming device), is more important than the freedom of 
> everyone else to actually use their phones on the same network. (Which 
> actually - wouldn't be a completely bad idea - when I have been standing near 
> someone talking too loud into their phone in a public place, I often wish for 
> a jam the network app on my phone :)

In the United States, most radio transmitters must be type accepted
(certified) by the Federal Communications Commission.  Modification
voids the type acceptance, so operating a modified mobile phone on its
original frequencies would be illegal regardless of what the phone
company's rules say.  However, no certification is necessary for
transmitters operated according to the rules for the Amateur Radio
Service.  Thus, an licensed amateur could legally use a modified mobile
phone, provided it transmitted on frequencies allocated for amateur
radio and met the other requirements for amateur operation, including
not causing harmful interference to other services.

This has been the situation in the US for many years, and I believe
almost all countries are at least as restrictive.

Best regards,
Larry

[U-Boot] U-book and GPLv3? (fwd)

[Robin Getz]

On Thu 2 Jul 2009 12:11, Larry Johnson pondered:
>
> In the United States, most radio transmitters must be type accepted
> (certified) by the Federal Communications Commission.  Modification
> voids the type acceptance, so operating a modified mobile phone on its
> original frequencies would be illegal regardless of what the phone
> company's rules say.  However, no certification is necessary for
> transmitters operated according to the rules for the Amateur Radio
> Service.  Thus, an licensed amateur could legally use a modified mobile
> phone, provided it transmitted on frequencies allocated for amateur
> radio and met the other requirements for amateur operation, including
> not causing harmful interference to other services.

Assuming that the _licensed_ amateur could modify the phone enough that it 
_could_ operate on frequencies allocated for amateur use.

The only thing that would be potentially close is a European GSM phone:

            Rx           Tx
E-GSM-900   880.0?915.0  925.0?960.0 MHz
R-GSM-900   876.0?915.0  921.0?960.0 MHz
T-GSM-900   870.4?876.0  915.4?921.0 MHz

& the US amateur band at 902 - 928 MHz.

I don't think any of the CDMA phones are close enough to the amateur bands to 
have a hope of working - but I'm not as familiar with CDMA as GSM.

[U-Boot] U-book and GPLv3? (fwd)

[Jean-Christian de Rivaz]

Robin Getz a ?crit :
> On Thu 2 Jul 2009 09:56, Richard Stallman pondered:
>> This clause is not an exception to the requirement for installation
>> information.  Cell phones must offer installation information just like
>> other User Products.
> 
> Right - but the cell phone provider should have the ability to alter the state 
> of the device (not allow the radio to be turned on), so it can't "adversely 
> affects the operation of the network" - shouldn't they?
> 
> Or is this where one person's freedom (the ability to modify their phone, and 
> turn it into a jamming device), is more important than the freedom of 
> everyone else to actually use their phones on the same network. (Which 
> actually - wouldn't be a completely bad idea - when I have been standing near 
> someone talking too loud into their phone in a public place, I often wish for 
> a jam the network app on my phone :)

An operator can only deny the access to his network. It can't *legaly* 
modify the user device without the user agreement. A user is 
*technically* free to modify a device to do what he want. But it can't 
*legaly* emit a signal not in conformance to the relevant regulations. 
There is a lot of them in the case of the a GSM/3G device: 
http://www.3gpp.mobi/specifications

Jean-Christian de Rivaz

[U-Boot] U-book and GPLv3? (fwd)

[Pink Boy]

Robin Getz sez,

> Assuming that the _licensed_ amateur could modify the phone enough 
> that it _could_ operate on frequencies allocated for amateur use.

> The only thing that would be potentially close is a European GSM phone:

>             Rx           Tx
> E-GSM-900   880.0?915.0  925.0?960.0 MHz
> R-GSM-900   876.0?915.0  921.0?960.0 MHz
> T-GSM-900   870.4?876.0  915.4?921.0 MHz

> & the US amateur band at 902 - 928 MHz.

That would be the US ISM band.

> I don't think any of the CDMA phones are close enough to the amateur bands to 
> have a hope of working - but I'm not as familiar with CDMA as GSM.

Since I actually do wireless work I'll make another comment.  

There are research and development exemptions to the licensing requirements.
Ergo I can build, test or modify any radio I want for research purposes no license
required.

What I can't do is deploy or sell them.

Even with licensed devices changes to the hardware or firmware are 
allowed as long an an engineer believes that the changes will not have 
any effect on the radio's meeting the applicable standards.

Also for radios operating on the cellular band there are really two 
licenses.  One is the regulatory license.  The other is the carriers 
certification.

Matt Harper
Tehama Wireless

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    You'd make me happy if I was able to access cable TV signals I have
    paid for without DRM.

I think it is not quite correct to call cable scrambling DRM.  DRM
restricts the use of data you have a copy of.  Cable scrambling
prevents you from getting the data if you do not pay for the
descrambler; however, as far as I know, once you do have the
descrambler, and do get the data, it does not seriously impede your
use of the data.

So this is more akin to buying a copy than to DRM.  When I speak of
abolishing DRM, it doesn't include this.

[U-Boot] U-book and GPLv3? (fwd)

[Richard Stallman]

    If the cell phone operator's "rule" says that operating of a modified device 
    should not effect non-modified devices in close proximity (jamming - which I 
    think meets the "materially and adversely affects the operation of the 
    network" statement)

It makes no difference, because the text in GPLv3 says nothing about
this.  It does not say that the network operator power gets all power
he might "need" to enforce whatever rules he may make.  It only
recognizes that he is allowed to deny access to use his own network.

    Right - but the cell phone provider should have the ability to
    alter the state of the device (not allow the radio to be turned
    on), so it can't "adversely affects the operation of the network"
    - shouldn't they?

No, they should not have such power.  And in fact they do not have
such power, with phones not tied to one provider.

It is impossible to stop people from making radio jammers, so it is
pointless to go to excess just to block one of the many possible
methods.

[U-Boot] U-boot and GPLv3? (fwd)

[Wolfgang Wegner]

On Fri, Jul 03, 2009 at 09:47:20AM -0400, Richard Stallman wrote:
>     You'd make me happy if I was able to access cable TV signals I have
>     paid for without DRM.
> 
> I think it is not quite correct to call cable scrambling DRM.  DRM
> restricts the use of data you have a copy of.  Cable scrambling
> prevents you from getting the data if you do not pay for the
> descrambler; however, as far as I know, once you do have the
> descrambler, and do get the data, it does not seriously impede your
> use of the data.

This is not correct (any more).
With the advent of CI+ for DVB (the european-originated version of
digital TV meanwhile used in several parts of the world), the cable
operators have the possibility to only allow descrambling by CI+
capable receivers/descrambling modules. However, to be CI+ compliant,
all receivers and descrambling modules have to be certified and have
to authenticate against each other to prevent CI+-compliant operation
if this authentication fails. This is necessary because the CI+
specification mandates that any receiver operating a CI+ descrambling
module honors the operator-sent bits specifying what you are allowed
to do with the "descrambled" signal: analog/digital outputs, store
on a disk (the time to stay there can be limited by the operator), and
so on.

Needless to mention that you have to prove secure boot to get CI+
certification (and thus a valid certificate).

There's much more to this, but I hope you get the idea.

Regards,
Wolfgang

[U-Boot] U-boot and GPLv3? (fwd)

[Richard Stallman]

    With the advent of CI+ for DVB (the european-originated version of
    digital TV meanwhile used in several parts of the world), the cable
    operators have the possibility to only allow descrambling by CI+
    capable receivers/descrambling modules. However, to be CI+ compliant,
    all receivers and descrambling modules have to be certified and have
    to authenticate against each other to prevent CI+-compliant operation
    if this authentication fails.

Cable decoders as such are not DRM, but CI+ is DRM.

Products designed to meet this specification are an attack on people's
freedom.  Making these products is inexcusable.  People should protest
them, not buy them.

    Needless to mention that you have to prove secure boot to get CI+
    certification (and thus a valid certificate).

    There's much more to this, but I hope you get the idea.

I get the idea: the plan is simply evil.  It is designed to subjugate
users.  The reason for the installation info requirements in GPLv3 is
so that our software cannot be used for this.

Governments which have passed such laws are the enemies of their citizens.
Fighting back against the companies which make these products
is the first step for the citizens to reconquer their own countries.
DRM systems like this ought to be illegal.

[U-Boot] U-book and GPLv3? (fwd)

[Jon Smirl]

On Fri, Jul 3, 2009 at 9:47 AM, Richard Stallman<rms@gnu.org> wrote:
> ? ?You'd make me happy if I was able to access cable TV signals I have
> ? ?paid for without DRM.
>
> I think it is not quite correct to call cable scrambling DRM. ?DRM
> restricts the use of data you have a copy of. ?Cable scrambling
> prevents you from getting the data if you do not pay for the
> descrambler; however, as far as I know, once you do have the
> descrambler, and do get the data, it does not seriously impede your
> use of the data.
>
> So this is more akin to buying a copy than to DRM. ?When I speak of
> abolishing DRM, it doesn't include this.

The encrypted digital cable signal comes out from the cable box as
HDCP encrypted HDMI. Your TV securely decrypts this.

A complex loop hole exists in the ability to re-digitize the analog
component out signals. This is what a SlingBox does. The cable
industry is on a schedule to remove component out two years from now.
When component out is gone there will be no more analog hole.

Broadcast TV signals are carried in the clear. That's five out of the
600 channels on a normal cable system. The other 595 are encrypted.

Digital TV spells the end for the MythTV project and to some extent
the death of TIVO.  The only DVR you will be able to use is the one
you rent from the cable company.

So I am paying for those 595 channels with no ability  to archive them
under my control unless I rent a secured DVR from the cable company.
I took the disk out of mine, the information on the disk is encrypted.

Recently the head of the MPAA has been quoted as saying that the only
fair use exemption is to use a video camera to photograph your TV.

-- 
Jon Smirl
jonsmirl at gmail.com

[U-Boot] U-book and GPLv3?

[Wolfgang Denk]

Dear Richard,

In message <E1MHHUe-00046l-SR@fencepost.gnu.org> you wrote:
> 
> Have you considered moving U-boot to "GPLv3-or-later"?

I apologize for the late reply, but  I  have  been  on  vacation  and
completely offline for more than two weeks. But as I saw you got well
involved  in  the discussion on the U-Boot mailing list that resulted
from my forwarding your question  to  the  list,  trying  to  get  an
understanding what the U-Boot community is thinking.


Now about your question: yes, I  have  considered  moving  U-boot  to
GPLv3.  I  have to admit that I don't understand all the consequences
of GPLv3 yet; I am not a lawyer, and it took me long enough to get  a
somewhat  thorough  understanding  of  what  GPLv2  means - the basic
ideas, it's application in real live including it's interpretation by
layers in different (US and German) legal systems, and some  of  it's
deficiencies.  It will take me some time to get equally familiar with
GPLv3. Fact is, that I don't like the idea that somebody can take the
code I've been developing as Free Software for the last 9  years  and
use it in a device in such a way that I cannot modify my own code any
more even when the vendor strictly complies with the license (GPLv2).
This  fact  alone is reason enough for me to strive for moving U-Boot
to a license that prevents such usage models - i. e. going GPLv3.


But let's first have a little look at the discussion of this topic on
the U-Boot mailing list - it must be one of the  longest  threads  we
ever had:


Discussion on U-Boot Mailing list
        from:    Thu, 18 Jun 2009 16:51:28 CEST
        through: Sun,  5 Jul 2009 12:14:18 CEST
        = 17 days

References:
        http://thread.gmane.org/gmane.comp.boot-loaders.u-boot/61801
        http://lists.denx.de/pipermail/u-boot/2009-June/054540.html

Total postings:
(including initial posting):    143

Number of different posters
(including initial posting):     21

Current number of subscribers: 1712

Posters, Number of Postings, Percentage, and Total:
------------------------------------------------------
Richard Stallman                :  32 = 22.4% [ 22.4%]
Detlev Zundel                   :  24 = 16.8% [ 39.2%]
Mike Frysinger                  :  23 = 16.1% [ 55.2%]
Robin Getz                      :  10 =  7.0% [ 62.2%]
ksi at koi8.net                    :   7 =  4.9% [ 67.1%]
Thomas Doerfler                 :   7 =  4.9% [ 72.0%]
Scott Wood                      :   6 =  4.2% [ 76.2%]
Jean-Christophe PLAGNIOL-VILLARD:   6 =  4.2% [ 80.4%]
Jean-Christian de Rivaz         :   6 =  4.2% [ 84.6%]
Jon Smirl                       :   5 =  3.5% [ 88.1%]
Jerry Van Baren                 :   5 =  3.5% [ 91.6%]
Pink Boy                        :   2 =  1.4% [ 93.0%]
Grant Likely                    :   2 =  1.4% [ 94.4%]
Wolfgang Denk                   :   1 =  0.7% [ 95.1%]
Matthew Lear                    :   1 =  0.7% [ 95.8%]
Larry Johnson                   :   1 =  0.7% [ 96.5%]
Graeme Russ                     :   1 =  0.7% [ 97.2%]
Frank Svendsb?e                 :   1 =  0.7% [ 97.9%]
Eric Nelson                     :   1 =  0.7% [ 98.6%]
Chris Morgan                    :   1 =  0.7% [ 99.3%]
Arno Fischer                    :   1 =  0.7% [100.0%]

More than 50% of all postings -  3 posters
More than 60% of all postings -  4 posters
More than 70% of all postings -  6 posters
More than 80% of all postings -  8 posters
More than 90% of all postings - 11 posters


Posters, Vote, Role (commits since 2006-01-01), Reasoning:
[Total commits since 2006-01-01: 5845 by 314 Authors]

Richard Stallman                : pro
                                  software freedom activist
                                  defend users' freedom
Detlev Zundel                   : pro
                                  developer (38)
                                  defend users' freedom
Mike Frysinger                  : con
                                  developer, custodian (311)
                                  Some customers don't want to let users run modified code.
Robin Getz                      : con
                                  developer (1)
                                  Many organizations which require this,
                                  some from a legal standpoint,
                                  some from a certification standpoint
ksi at koi8.net                    : con
                                  developer (5)
                                  sometimes regulations require secure boot
Thomas Doerfler                 : no clear statement - con
                                  lurker, never showed up before (0)
                                  fears that GPLv3 would prevent use in
                                  "many possible applications"
Scott Wood                      : no clear statement - con
                                  developer, custodian (48)
                                  fears that GPLv3 would result in a fork
Jean-Christophe PLAGNIOL-VILLARD: con
                                  developer, custodian (320)
                                  "I've the same opinion as Linus Torvalds"
Jean-Christian de Rivaz         : no clear statement - pro
                                  lurker, never showed up before (0)
                                  some arguments pro GPLv3
Jon Smirl                       : no statement
                                  developer (5)
                                  fears the amount of effort needed to go GPLv3
Jerry Van Baren                 : no clear statement - pro
                                  developer (56)
                                  points out the current situation and the effort needed
Pink Boy                        : pro
                                  mostly lurker, 15 postings before this thread (0)
                                  none of the people involved in product safety care about GPL
Grant Likely                    : con
                                  developer (63)
                                  "Personally not interested.
                                  I don't want to license my code under GPLv3"
Wolfgang Denk                   : pro (*)
                                  project maintainer (635)
                                  defend users' freedom
Matthew Lear                    : no clear statement - con?
                                  developer? (0)
                                  fears that publication of security features might result in
                                  "a rather large security flaw"
Larry Johnson                   : no statement
                                  developer (38)
                                  -
Graeme Russ                     : no clear statement - con?
                                  developer (21)
                                  "there are cases where GPL3 went just a little too far"
Frank Svendsb?e                 : pro
                                  developer (1)
                                  Keep fighting for freedom
Eric Nelson                     : no statement
                                  developer? (0)
                                  -
Chris Morgan                    : no statement
                                  developer? (0)
                                  -
Arno Fischer                    : con
                                  developer? (0)
                                  just agrees with another con-posting,
                                  no own reasons

(*) I did not participate in this discussion yet - mostly  because  I
    was  on vacation and strictly abstinent from any Internet access,
    but also because I wanted to get an uninfluenced picture  of  the
    situation.
    
    So here goes my statement: if I own a device that is running  any
    Free  Software, and I decide I want to hack it, I want to able to
    do  this.  I  accept  all  the   arguments   about   safety   and
    certifications  and  such,  but  in  my opinion this has actually
    nothing to do with allowing me to change the code or not. If it's
    based on Free Software, that software must remain free.  I  don't
    want  to  see my own code, which I released under a Free Software
    license, being used in a device such that I cannot  even  fix  my
    own bugs any more.

    I am definitely _pro_ going for GPLv3. I am  also  realizing  the
    efforts and the time this will take.


Observations:
=============

1) If we take into consideration that you are not subscribed  to  the
   list, only 20 out of 1712 subscribers (less than 1.2%) bothered to
   comment at all.

2) Some of these 20 posters did not take a firm  stand  whether  they
   are  pro  or con moving to GPLv3; an unweighted count gives 6 more
   or less clear votes pro GPLv3 versus 10 votes against such a move.

3) It seems reasonable to me to  add  some  weight  to  these  votes,
   taking   into   consideration   how   much  the  posters  actually
   contributed to the U-Boot project.

   Since Jan 01, 2006 we had a total of 5845 commits by 314 authors.

   The "pro"-voters add up to a total of 730 commits  (12.5%),  while
   the "con"-voters have 769 commits (13.2%).

4) There is a repeating pattern in the arguments against GPLv3:  some
   customers/vendors intentionally want to lock down their users, and
   moving  U-Boot  to  GPLv3 might mean that we lose these customers.
   Various reasons are listed, but usually they boil  down  to  legal
   requirements  [which  usually translates into guidelines issued by
   the business management], security and certification requirements.
   In all these cases, little or no seizable facts are provided.


Current Status:
===============

It is a known fact, that we have not always been  careful  enough  to
check  licensing  terms  of  all contributed code. In the result, the
current U-Boot code base contains a number files with  licenses  that
are  incompatible  with  the  GPLv2  (or later) which is the intended
license for current U-Boot versions. This  has  been  addressed  with
commit 78237df5, see "doc/feature-removal-schedule.txt":

---------------------------
 
What:   GPL cleanup
When:   August 2009
Why:    Over time, a couple of files have sneaked in into the U-Boot
        source code that are either missing a valid GPL license
        header or that carry a license that is incompatible with the 
        GPL.
        Such files shall be removed from the U-Boot source tree.
        See
http://www.denx.de/wiki/pub/U-Boot/TaskGplCleanup/u-boot-1.1.2-files
        for an old and probably incomplete list of such files.
 
Who:    Wolfgang Denk <wd@denx.de> and board maintainers
 
---------------------------

Checking the code base using the Open Source License Checker V.3 (see
http://forge.ow2.org/projects/oslcv3/) gives this result:

-> java -jar oslc.jar -x /home/wd/git/u-boot/master/.git -s /home/wd/git/u-boot/master

Source files:       4117
License files:      1
All files:          6178
Distinct licenses:  11
Conflicts (ref):    435
Conflicts (global): 34

License        Count   Incompatible with
all_rights_reserved-f 285     apache-1.1 apache-2.0-s gpl-2.0-l gpl-2.0-only-s gpl-2.0-s lgpl-2.1-s mpl-1.1-s nokos-1.0a-s
apache-1.1     163     all_rights_reserved-f gpl-2.0-l gpl-2.0-only-s gpl-2.0-s lgpl-2.1-s mpl-1.0-s mpl-1.1-s nokos-1.0a-s
apache-2.0-s   1       all_rights_reserved-f gpl-2.0-l gpl-2.0-only-s gpl-2.0-s lgpl-2.1-s mpl-1.0-s mpl-1.1-s nokos-1.0a-s
bsd            170     
gpl-2.0-l      1       all_rights_reserved-f apache-1.1 apache-2.0-s mpl-1.0-s mpl-1.1-s nokos-1.0a-s
gpl-2.0-only-s 196     all_rights_reserved-f apache-1.1 apache-2.0-s mpl-1.0-s mpl-1.1-s nokos-1.0a-s
gpl-2.0-s      3007    all_rights_reserved-f apache-1.1 apache-2.0-s mpl-1.0-s mpl-1.1-s nokos-1.0a-s
lgpl-2.1-s     16      all_rights_reserved-f apache-1.1 apache-2.0-s mpl-1.0-s mpl-1.1-s nokos-1.0a-s
mpl-1.0-s      2       apache-1.1 apache-2.0-s gpl-2.0-l gpl-2.0-only-s gpl-2.0-s lgpl-2.1-s
mpl-1.1-s      5       all_rights_reserved-f apache-1.1 apache-2.0-s gpl-2.0-l gpl-2.0-only-s gpl-2.0-s lgpl-2.1-s
nokos-1.0a-s   5       all_rights_reserved-f apache-1.1 apache-2.0-s gpl-2.0-l gpl-2.0-only-s gpl-2.0-s lgpl-2.1-s
-> 

We have a lot of files with licenses which conflict with  GPLv2  (and
later);  if  the  OSLC  results are correct, there are 461 such files
(7.5% of all files) - these must be cleaned up in any case.

Compared to that, the 196 "GPLv2 only" files (3.2% of all files) seem
to be an easier task, but this may be a delusion - most of  the  con-
flicting  files above are strictly board-specific code, and the worst
thing that can happen is that we just  remove  these  files  (if  the
respective board maintainers cannot or do not want to provide fixes),
which would result in a number of boards breaking, without any signi-
ficant  impact  on  the  majority of the supported boards. The "GPLv2
only" files are mostly global  code  that  is  related  to  important
features  of  U-Boot,  so  just  dropping  these is not an attractive
solution. On the other hand, it should not be that  hard  to  analyze
which  features  are  affected, and eventually isolate these. Then we
might evaluate what we'd lose when going GPLv3 anyway.


So it seems we can set up something like a plan:

Short term goal:

        Clean up the existing license conflicts in U-Boot. This is  a
        task that is completely independent of the GPLv2 versus GPLv3
        discussion - it must be done in any case.

Medium term goal:

        Analyze which parts of U-Boot are implemented  by  GPLv2-only
        code, and evaluate options to convert these into GPLv2+later.

Long term goal:

	Move U-Boot to GPLv3.


All in all I must say that the whole  discussion  reminds  me  pretty
much  to the situation back 10 years ago when I started trying to use
GNU/Linux for  embedded  systems.  By  then,  it  usually  took  long
discussions and lots of convincing both on engineering and especially
on  management  levels  to  get a Linux based solution accepted for a
real-life industrial project. The arguments then were pretty much the
same we hear today: systems would be less secure when  everybody  can
read  the  code, intellectual property would get lost to competitors,
it would be impossible to get the required certifications, and so  on
and on.

And what happened? Today we see GNU/Linux systems everywhere,  inclu-
ding  safety-critical  applications  that require certifications, and
including communication devices (like mobile  phones)  that  need  to
pass approval procedures, homologation testing etc.

I am convinced that time will work for GPLv3 acceptance.


Thanks a lot, Richard, for bringing up this topic.

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty not safety." - Benjamin Franklin, 1759

[U-Boot] U-book and GPLv3?

[Jon Smirl]

On Mon, Jul 6, 2009 at 6:55 AM, Wolfgang Denk<wd@denx.de> wrote:
> Dear Richard,
>
> In message <E1MHHUe-00046l-SR@fencepost.gnu.org> you wrote:
>>
>> Have you considered moving U-boot to "GPLv3-or-later"?

If u-boot goes GPLv3 it will simply cause the people that need secure
boot to switch boot loaders. That will result in a loss of u-boot
developers. It is also a lot of pointless administrative work changing
licenses and rewriting code. Even worse, you'll could cause a u-boot
fork at the point of the license change since the code in front of the
change will still be licensed GPLv2 and it can't be retracted.

Why do you want to take on a bunch of pointless administrative work
that is going to result in losing developers? That time could be spent
productively writing code.

-- 
Jon Smirl
jonsmirl at gmail.com

[U-Boot] U-book and GPLv3?

[Wolfgang Denk]

Dear Jon,

In message <9e4733910907060541i6d59561asaa406522ae6558a2@mail.gmail.com> you wrote:
>
> If u-boot goes GPLv3 it will simply cause the people that need secure
> boot to switch boot loaders. That will result in a loss of u-boot
> developers. It is also a lot of pointless administrative work changing
> licenses and rewriting code. Even worse, you'll could cause a u-boot
> fork at the point of the license change since the code in front of the
> change will still be licensed GPLv2 and it can't be retracted.

There is of course a certain probability that U-Boot might fork.
That's OK - it's Free Software, and it's a community project.

And I don't share your pessimistic point of view. I've  been  through
the  same  thing  before  when it came to using GNU/Linux in embedded
systems ten years ago. Now look where we are today...

And I don't expect that we will have a GPLV3 release of U-Boot in the
next few days or weeks :-)  This is a process...

> Why do you want to take on a bunch of pointless administrative work
> that is going to result in losing developers? That time could be spent
> productively writing code.

I already explained this in my posting. No need to repeat it.

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
A direct quote from the Boss: "We passed over a lot of good people to
get the ones we hired."

[U-Boot] U-book and GPLv3?

[Jerry Van Baren]

Wolfgang Denk wrote:
> Dear Richard,
> 
> In message <E1MHHUe-00046l-SR@fencepost.gnu.org> you wrote:
>> Have you considered moving U-boot to "GPLv3-or-later"?

[snip]

> So it seems we can set up something like a plan:
> 
> Short term goal:
> 
>         Clean up the existing license conflicts in U-Boot. This is  a
>         task that is completely independent of the GPLv2 versus GPLv3
>         discussion - it must be done in any case.
> 
> Medium term goal:
> 
>         Analyze which parts of U-Boot are implemented  by  GPLv2-only
>         code, and evaluate options to convert these into GPLv2+later.

 From what I saw, most of the GPLv2-only code was from the linux drivers 
that we've adopted and adapted.

Observations:
1) U-Boot v2 is taking the approach of plug-in drivers to allow U-Boot 
to use the linux drivers directly.

2) While it is controversial, there is a long established precedent in 
the linux kernel that loadable modules with GPLv2-only incompatible 
licenses are acceptable.

3) U-Boot currently has an explicit license to run "stand alone 
applications" that have a GPL-incompatible license.

Questions:
Would U-Boot be willing to have as much GPLv2++ (GPLv3) as possible, and 
supporting a run time plug-in system to accommodate GPLv2-only modules? 
  If we accommodate GPLv2-only modules, will we allow proprietary 
modules? Depending on what we accept and how, proprietary modules may be 
allowed as a side effect of allowing GPLv2 modules - is that a problem?

Note that drivers are not the only potentially modular item - if we 
redid the command handler #defines and some glue code, I believe we 
could easily change the commands to being plug-in as well.

Richard, Wolfgang, U-Boot List, how do you view a "loadable module 
loophole" fitting in with GPLv3
(a) legally and
(b) philosophically?

[snip]

> Thanks a lot, Richard, for bringing up this topic.
> 
> Best regards,
> 
> Wolfgang Denk

Thanks,
gvb

[U-Boot] U-book and GPLv3?

[ksi at koi8.net]

On Mon, 6 Jul 2009, Jon Smirl wrote:

> On Mon, Jul 6, 2009 at 6:55 AM, Wolfgang Denk<wd@denx.de> wrote:
> > Dear Richard,
> >
> > In message <E1MHHUe-00046l-SR@fencepost.gnu.org> you wrote:
> >>
> >> Have you considered moving U-boot to "GPLv3-or-later"?
> 
> If u-boot goes GPLv3 it will simply cause the people that need secure
> boot to switch boot loaders. That will result in a loss of u-boot
> developers. It is also a lot of pointless administrative work changing
> licenses and rewriting code. Even worse, you'll could cause a u-boot
> fork at the point of the license change since the code in front of the
> change will still be licensed GPLv2 and it can't be retracted.
> 
> Why do you want to take on a bunch of pointless administrative work
> that is going to result in losing developers? That time could be spent
> productively writing code.

I totally agree with all the above. And if this happened I will be among
those who move to the new forked code.

---
******************************************************************
*  KSI at home    KOI8 Net  < >  The impossible we do immediately.  *
*  Las Vegas   NV, USA   < >  Miracles require 24-hour notice.   *
******************************************************************

[U-Boot] U-book and GPLv3? (fwd)

[Scott Wood]

On Fri, Jul 03, 2009 at 09:47:20AM -0400, Richard Stallman wrote:
> 
>     You'd make me happy if I was able to access cable TV signals I have
>     paid for without DRM.
> 
> I think it is not quite correct to call cable scrambling DRM.  DRM
> restricts the use of data you have a copy of.  Cable scrambling
> prevents you from getting the data if you do not pay for the
> descrambler; however, as far as I know, once you do have the
> descrambler, and do get the data, it does not seriously impede your
> use of the data.

It requires that I use a specific tuner, whereas unscrambled channels
allow me to use any tuner (including one built into the TV, VCR, DVR,
etc).  Often this tuner must be rented from the cable company on a per-TV
basis, in addition to the cost of subscribing to the channels -- and
channel changing from a DVR must happen via a sluggish and sometimes
error-prone infrared interface.

It's not as bad as full DRM, sure, but it's more annoying than if they'd
just filtered out the unsubscribed channels.

-Scott

[U-Boot] U-book and GPLv3?

[Wolfgang Denk]

Dear Jerry Van Baren,

In message <4A521BD5.8080806@ge.com> you wrote:
>
> 3) U-Boot currently has an explicit license to run "stand alone 
> applications" that have a GPL-incompatible license.

Thanks for mentioning this. But  this  is  explicitly  restricted  to
"stand  alone  applications",  with  a  pretty tightly limited set of
functions exported to such code. It is not intended  to  be  extended
into  something  like  loadable  modules that can access much more of
U-Boot's internal code.

> Questions:
> Would U-Boot be willing to have as much GPLv2++ (GPLv3) as possible, and 
> supporting a run time plug-in system to accommodate GPLv2-only modules? 

This would quickly render the whole effort of going to GPLv3 useless,
as vendors would put all the "interesting" stuff into such GPLv2-only
modules, and the result would be the same as with an all-GPLv2 system.
Thus the answer can only be: if we go for GPLv3, then we have to do it
right, which forbids such an exception.

>   If we accommodate GPLv2-only modules, will we allow proprietary 
> modules? Depending on what we accept and how, proprietary modules may be 
> allowed as a side effect of allowing GPLv2 modules - is that a problem?

We don't  intend  to  support  proprietary  modules  -  the  existing
exception  for  "stand  alone  applications"  already  allows  to run
priprietary code if somebody really feels he must do that,  but  then
they  please  also  take  the  burdon  of developing _all_ their code
themself. I don't intend to give them all of the existing U-Boot code
for free to be used in their proprietary  modules  -  that  would  be
stupid.  We  could  use  a  BSD  license then as well. This maight be
interesting to some, but it is definitely not acceptable to me.

> Richard, Wolfgang, U-Boot List, how do you view a "loadable module 
> loophole" fitting in with GPLv3
> (a) legally and
> (b) philosophically?

I think there would be no big problems to set this up  legally  (just
give an experienced laywer enough $$$), but it does not fit in philo-
sophically - and not only not with GPLv3, but already now.

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
"There is nothing new under the sun, but there are lots of old things
we don't know yet."                                  - Ambrose Bierce

[U-Boot] U-book and GPLv3?

[Richard Stallman]

In my experience, people who want a more permissive license
typically claim that their participation is absolutely necessary,
and doing without it would be a disaster.  It tends to be somewhat
of an exaggeration.

[U-Boot] U-book and GPLv3?

[Richard Stallman]

    Richard, Wolfgang, U-Boot List, how do you view a "loadable module 
    loophole" fitting in with GPLv3
    (a) legally and
    (b) philosophically?

Legally, the copyright holders of U-boot can give permission for
linking with drivers under other licenses.  The developers of Linux
have in effect done this informally.  It would be better to state this
in an explicit exception.  The exception can be broad or narrow.  The
set of activities permitted can be whatever you choose.  It can apply
to drivers loaded dynamically, or drivers linked statically, or both.
It can specify particular kinds of code, such as "drivers" or "drivers
taken from Linux as found on kernel.org", or whatever.  It can permit
one other license, such as GPLv2, or a range of other licenses.

To use GPLv2-covered drivers in this way would require a second
exception -- on the drivers, to permit combining them with code under
GPLv3.  Perhaps the driver developers would agree to such an
exception, or agree to license the drivers under GPLv2|GPLv3, or under
LGPLv2.1.  Either one would do the job.

Ethically, to permit non-free drivers would be a big step backward,
since this would effectively make U-boot no longer free as used in
practice.  Allowing non-free drivers in Linux has caused a lasting
weakness in our community, as it fails to pressure the manufacturers
to permit free drivers.

To permit GPLv2-only drivers does not raise an ethical issue, since
they are free.  It only raises the legal issue which can be resolved
as described above.

[U-Boot] U-book and GPLv3? (fwd)

[Haavard Skinnemoen]

Mike Frysinger wrote:
> > Obviously the second item here will become void if vendor lockout of
> > updates becomes common.  So what will be left of the essential freedoms?
> > I can study the code, I can modify it, but I am not allowed to run it.
> > Excellent.  
> 
> and this is why i dislike the GPLv3.  the GPLv2 was all about the source, so 
> the conversation between developers and everyone else was "you can take my 
> source and modify it all you want, but i want to see the changes".  sounds 
> fair.
> 
> GPLv3 (ignoring the fix for the loophole with web applications) adds *nothing* 
> to this premise.  instead, it's used as an ideological club such that the 
> conversation is now "i have all these ideas about how software should and 
> shouldnt be utilized, so if you want to use my software, you too now have to 
> subscribe to my way of thinking and you have to show me the changes".
> 
> so what does moving from GPLv2 to GPLv3 gain us in terms of protections ?  
> nothing.  it does however allow us to restrict the people who want to use u-
> boot to using it in only ways we've "blessed".  that's plain wrong in my eyes 
> and none of our business in the first place.

Wow, I was just about to compose a mail summarizing my point of view
when I realized you had done it already :-)

While I think fighting for extensible and "hackable" hardware is good,
I think a software license is the wrong way to go about it. Let's stick
to the proven model of GPLv2: You can use my software if I get to use
your improvements. Trying to impose restrictions on this model in order
to fight a different battle against restricted hardware will only make
the software less attractive and hurt us in the long run.

> > I think it is not a coincidence that devices which can be updated with
> > arbitrary firmware sells pretty good in the meantime.   Who buys routers
> > capable of running OpenWRT because of their original firmware?  
> 
> then let your wallet/politicians do the talking.  i certainly do -- i avoid 
> purchasing any music/games encumbered with DRM, or companies that employ such 
> methods.  but i'm above going around and forcing people to think the way i do 
> with licenses.

Exactly. Hardware manufacturers already seem to recognize that open
hardware designs lead to better sales, and that has _nothing_ to do
with GPLv3 (though it may or may not have something to do with the
Defective By Design campaign.)

These are only my personal opinions; I'm not speaking for Atmel as a
whole.

Haavard

[U-Boot] U-book and GPLv3? (fwd)

[Wolfgang Denk]

Dear Haavard Skinnemoen,

In message <20090707135141.7979827c@hskinnemoen-d830> you wrote:
>
> While I think fighting for extensible and "hackable" hardware is good,
> I think a software license is the wrong way to go about it. Let's stick
> to the proven model of GPLv2: You can use my software if I get to use
> your improvements. Trying to impose restrictions on this model in order

The point is that GPLv2 results in situations where  you  cannot  use
and modify your own software any more because it is "protected" and
any versions you build don't run.

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
Philosophy:  A route of many roads leading from nowhere to nothing.
- Ambrose Bierce

[U-Boot] U-book and GPLv3?

[Robin Getz]

On Mon 6 Jul 2009 06:55, Wolfgang Denk pondered:
> 
>     I am definitely _pro_ going for GPLv3. I am  also  realizing  the
>     efforts and the time this will take.

I'm also glad that you acknowledge that you will loose developers, and 
users...

> So it seems we can set up something like a plan:
> 
> Short term goal:
> 
>         Clean up the existing license conflicts in U-Boot. This is  a
>         task that is completely independent of the GPLv2 versus GPLv3
>         discussion - it must be done in any case.
> 
> Medium term goal:
> 
>         Analyze which parts of U-Boot are implemented  by  GPLv2-only
>         code, and evaluate options to convert these into GPLv2+later.
> 
> Long term goal:
> 
> 	Move U-Boot to GPLv3.

And -- since some of us will require to fork at this time (it is not a threat, 
it is not "I don't like GPLv3", it is just me trying to plainly state the 
facts) - can we _plan_ for this, as part of the Long term goal?

Where someone else takes over the code base - pre switching to GPLv3 (or 
pre-dropping features when switching to GPLv2+later).

That way - contributors who still wish to place their contributions under a 
GPLv2 license, can do so? Contributors who wish to provide features under 
GPLv3 only can do so as well...

[U-Boot] U-book and GPLv3? (fwd)

[Haavard Skinnemoen]

Wolfgang Denk wrote:
> In message <20090707135141.7979827c@hskinnemoen-d830> you wrote:
> >
> > While I think fighting for extensible and "hackable" hardware is good,
> > I think a software license is the wrong way to go about it. Let's stick
> > to the proven model of GPLv2: You can use my software if I get to use
> > your improvements. Trying to impose restrictions on this model in order  
> 
> The point is that GPLv2 results in situations where  you  cannot  use
> and modify your own software any more because it is "protected" and
> any versions you build don't run.

But this is a problem with the _hardware_, not the software. I think
placing restrictions on the hardware design is way outside the scope of
a software license.

Even if the hardware is restricted this way, you can still take the
software, modify it, and run it on a different, better piece of
hardware. If you play your cards right, you might even come out with a
healthy profit as people see that your product based on unrestricted
hardware is simply _better_ (which is a term I think covers "more free"
as well.)

In my experience, the most popular AVR-based boards are the ones that
not only allow the firmware to be replaced freely, but which actively
encourage modification by making lots of signals available through
expansion headers. This kind of "hackability" can never be enforced
through any kind of software license.

Haavard

[U-Boot] U-book and GPLv3? (fwd)

[Wolfgang Denk]

Dear Haavard,

In message <20090707155005.2e4a4d6d@hskinnemoen-d830> you wrote:
>
> > The point is that GPLv2 results in situations where  you  cannot  use
> > and modify your own software any more because it is "protected" and
> > any versions you build don't run.
> 
> But this is a problem with the _hardware_, not the software. I think
> placing restrictions on the hardware design is way outside the scope of
> a software license.

I'm only talking about software (code and data)  here.  If  I  cannot
change  (or  just  rebuild)  the (Free!) software any more because to
actually run it I need some secret data (like a signature) then  this
is  still  a software problem. One that can be prevented by releasing
the software under adequate licensing terms.

> In my experience, the most popular AVR-based boards are the ones that
> not only allow the firmware to be replaced freely, but which actively
> encourage modification by making lots of signals available through
> expansion headers. This kind of "hackability" can never be enforced
> through any kind of software license.

Agreed.  Hardware  should  be  hackable,  too  :-)  (which   includes
documentation  where  you  don't have to sell your soul and sign NDAs
that are plain evil).

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
######## This message was made from 100% recycled electrons. ########

[U-Boot] U-book and GPLv3? (fwd)

[Haavard Skinnemoen]

Wolfgang Denk wrote:
> I'm only talking about software (code and data)  here.  If  I  cannot
> change  (or  just  rebuild)  the (Free!) software any more because to
> actually run it I need some secret data (like a signature) then  this
> is  still  a software problem. One that can be prevented by releasing
> the software under adequate licensing terms.

The mechanism preventing reprogramming of the target device is not part
of the software being licensed. So I just don't think it's reasonable
for us to prevent the software from being used on such devices, even
though I don't particularly like such restrictions either.

This assuming GPLv3 actually does prevent such problems, of course.
There seems to be a few loopholes in there, as others have pointed out
(though I won't claim to fully understand it, which is another reason
I'm not particularly fond of it.)

> Agreed.  Hardware  should  be  hackable,  too  :-)  (which   includes
> documentation  where  you  don't have to sell your soul and sign NDAs
> that are plain evil).

Absolutely.

Haavard

[U-Boot] U-book and GPLv3? (fwd)

[Jon Smirl]

On Tue, Jul 7, 2009 at 10:43 AM, Wolfgang Denk<wd@denx.de> wrote:
> Dear Haavard,
>
> In message <20090707155005.2e4a4d6d@hskinnemoen-d830> you wrote:
>>
>> > The point is that GPLv2 results in situations where ?you ?cannot ?use
>> > and modify your own software any more because it is "protected" and
>> > any versions you build don't run.
>>
>> But this is a problem with the _hardware_, not the software. I think
>> placing restrictions on the hardware design is way outside the scope of
>> a software license.
>
> I'm only talking about software (code and data) ?here. ?If ?I ?cannot
> change ?(or ?just ?rebuild) ?the (Free!) software any more because to
> actually run it I need some secret data (like a signature) then ?this
> is ?still ?a software problem. One that can be prevented by releasing
> the software under adequate licensing terms.
>
>> In my experience, the most popular AVR-based boards are the ones that
>> not only allow the firmware to be replaced freely, but which actively
>> encourage modification by making lots of signals available through
>> expansion headers. This kind of "hackability" can never be enforced
>> through any kind of software license.
>
> Agreed. ?Hardware ?should ?be ?hackable, ?too ?:-) ?(which ? includes
> documentation ?where ?you ?don't have to sell your soul and sign NDAs
> that are plain evil).

I agree -- all ATMs, voting machines, slot machines, electricity
meters, traffic lights, navigation systems, safety interlocks, etc
should be hackable. I'm sure that no idiot teenager is going to change
the firmware and allow an unsuspecting person to use the device.


>
> Best regards,
>
> Wolfgang Denk
>
> --
> DENX Software Engineering GmbH, ? ? MD: Wolfgang Denk & Detlev Zundel
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
> Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
> ######## This message was made from 100% recycled electrons. ########
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> http://lists.denx.de/mailman/listinfo/u-boot
>



-- 
Jon Smirl
jonsmirl at gmail.com

[U-Boot] U-book and GPLv3? (fwd)

[Wolfgang Denk]

Dear Jon Smirl,

In message <9e4733910907070828o7517b17td411ff88c62a8902@mail.gmail.com> you wrote:
>
> I agree -- all ATMs, voting machines, slot machines, electricity
> meters, traffic lights, navigation systems, safety interlocks, etc
> should be hackable. I'm sure that no idiot teenager is going to change
> the firmware and allow an unsuspecting person to use the device.

Aren't they? Just break the seal and use  a  screw  driver  and  some
other tools. And when it comes to some voting machines you don't even
need this.

You don't understand at all  what  we  are  talking  about,  or  what
security  means  and  how  gets  implemented,  or  what certification
procedures are about. There is  no  difference  between  conventional
(even softwre-free electro-mechanical devices) and software. There is
just a lot of clueless people.

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
The problem ... is typical to internet  discussions  where  the  less
complex  the  problem is, the more idiots come in and think they have
something to contribute :-)
             Ben Herrenschmidt in <1243495925.3171.134.camel@pasglop>

[U-Boot] U-book and GPLv3?

[Scott Wood]

On Tue, Jul 07, 2009 at 06:05:35AM -0400, Richard Stallman wrote:
> In my experience, people who want a more permissive license
> typically claim that their participation is absolutely necessary,
> and doing without it would be a disaster.  It tends to be somewhat
> of an exaggeration.

Talk about exaggerations...

I didn't see anyone say that the "no gpl3" crowd was "absolutely
necessary" or that there "would be a disaster" -- just that it's
something to factor in when considering whether the project would be
better off switching.

And it's not as if the anti-permissive crowd ever makes potentially
exaggerated claims about what participation would be lost with a
BSD-style license (both corporate contributions that would stay private,
and individual contributions from GPL fans that would fork (or not be
done in the first place) to prevent the former)...

-Scott

[U-Boot] U-book and GPLv3?

[Remy Bohmer]

Hello Wolfgang,

2009/7/6 Wolfgang Denk <wd@denx.de>:
> Dear Jerry Van Baren,
>
>> 3) U-Boot currently has an explicit license to run "stand alone
>> applications" that have a GPL-incompatible license.
>
> Thanks for mentioning this. But ?this ?is ?explicitly ?restricted ?to
> "stand ?alone ?applications", ?with ?a ?pretty tightly limited set of
> functions exported to such code. It is not intended ?to ?be ?extended
> into ?something ?like ?loadable ?modules that can access much more of
> U-Boot's internal code.

AFAIK this limitation of extension is not stated anywhere in the
documentation that is delivered with U-boot. (If I am wrong, please
point me to the location where this is stated)

So, I guess every user of U-boot is allowed to extend that interface
to even the complete symbol map of U-boot, without doing anything in
conflict with the license. You can now say it is not intended, but it
is not restricted.

Kind Regards,

Remy

[U-Boot] U-book and GPLv3?

[Remy Bohmer]

Hello Wolfgang,

2009/7/6 Wolfgang Denk <wd@denx.de>:
> 1) If we take into consideration that you are not subscribed ?to ?the
> ? list, only 20 out of 1712 subscribers (less than 1.2%) bothered to
> ? comment at all.

FWIW, I did not comment on this so far, because from what I felt what
I had to say was already said. This might be true for others as well.

> 2) Some of these 20 posters did not take a firm ?stand ?whether ?they
> ? are ?pro ?or con moving to GPLv3; an unweighted count gives 6 more
> ? or less clear votes pro GPLv3 versus 10 votes against such a move.
>
> 3) It seems reasonable to me to ?add ?some ?weight ?to ?these ?votes,
> ? taking ? into ? consideration ? how ? much ?the ?posters ?actually
> ? contributed to the U-Boot project.

As far as I understand it, a move to gpl3 will need the approval of
_all_ copyright holders to make such a switch. (not all names are
listed in the headers)
While U-boot contains a lot of imported code from other projects (like
Linux and others) it will need the approval from the original authors
of that code (not in the first place the person who integrated that
code in U-boot). This sounds like an impossible task to me.
Alternative is to remove all gpl2-only derived code.
Only by looking at the USB code it appears to me, it will be needed to
remove the entire USB stack (which has a very close resemblance with
old Linux USB code), or rewrite it from scratch. Similar things will
probably be true for other code as well.

This move to gpl3 will throw up a huge barrier for importing future
Linux code in U-boot, because Linux is still gpl2-only, and as such
Linux code can no longer be used in U-boot...

So, the goal is to prevent misuse by some hardware vendors of U-boot
code. To accomplish this a huge barrier will be thrown up for all
developers what eventually will slow down future developments, and
that again will increase the chance that forks will arise... (And I
believe there is at least 1 fork already...)

I might be missing something huge here, but It seems to me gpl3 is the
wrong hammer to reach the goal.
(So, if you like clear pro/con, count me in the clear 'con' group)

Kind Regards,

Remy

[U-Boot] U-book and GPLv3?

[Wolfgang Denk]

Dear Remy,

In message <3efb10970907071216h57288a2an91701c1c851dea9e@mail.gmail.com> you wrote:
> 
> > Thanks for mentioning this. But  this  is  explicitly  restricted  to
> > "stand  alone  applications",  with  a  pretty tightly limited set of
> > functions exported to such code. It is not intended  to  be  extended
> > into  something  like  loadable  modules that can access much more of
> > U-Boot's internal code.
>
> AFAIK this limitation of extension is not stated anywhere in the
> documentation that is delivered with U-boot. (If I am wrong, please
> point me to the location where this is stated)

True.

> So, I guess every user of U-boot is allowed to extend that interface
> to even the complete symbol map of U-boot, without doing anything in
> conflict with the license. You can now say it is not intended, but it
> is not restricted.

Right. But try it - banging your head against the nearest wall  might
be a pastime with more opportunities for reward.

And don't expect that such an "extension" had any  chance  for  going
into the mainline code.

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
The only way you could make a happy  marriage  is  by  cuttin'  their
heads  off  as  soon  as  they say `I do', yes? You can't make happi-
ness...                           - Terry Pratchett, _Witches Abroad_

[U-Boot] U-book and GPLv3?

[Wolfgang Denk]

Dear Remy Bohmer,

In message <3efb10970907071307u662f7d87g5a4a0c0b0740b973@mail.gmail.com> you wrote:
> 
> As far as I understand it, a move to gpl3 will need the approval of
> _all_ copyright holders to make such a switch. (not all names are
> listed in the headers)

Only for files where such a switch is not trivial by exercising the
"version 2 (or any later version)" clause. And this is just 184 files
so far (3.x % of all files).

> This move to gpl3 will throw up a huge barrier for importing future
> Linux code in U-boot, because Linux is still gpl2-only, and as such
> Linux code can no longer be used in U-boot...

Without actually trying it out nobody can say how big such a barrier
actually might be...

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
I don't see any direct evidence ...  but, then, my crystal ball is in
dire need of an ectoplasmic upgrade. :-)              -- Howard Smith

[U-Boot] U-book and GPLv3?

[Kumar Gala]

On Jul 6, 2009, at 5:55 AM, Wolfgang Denk wrote:

> Medium term goal:
>
>        Analyze which parts of U-Boot are implemented  by  GPLv2-only
>        code, and evaluate options to convert these into GPLv2+later.
>
> Long term goal:
>
> 	Move U-Boot to GPLv3.

Its not clear if you've decided that u-boot will move to GPLv3 or  
not.  If you haven't how will that decision be made?  Will we vote as  
a community with some bias given to how much one has contributed?   
Will you just decide?

I ask because its my understanding from internal Freescale discussions  
(from the PPC group) that its Freescale's preference to stick with  
GPLv2.  What Freescale will decide to do if the decision is to move to  
GPLv3 is not clear at this point.

- k

[U-Boot] U-book and GPLv3?

[Mike Frysinger]

On Thursday 09 July 2009 12:10:48 Kumar Gala wrote:
> I ask because its my understanding from internal Freescale discussions
> (from the PPC group) that its Freescale's preference to stick with
> GPLv2.  What Freescale will decide to do if the decision is to move to
> GPLv3 is not clear at this point.

Freescale isnt alone here, so when/if u-boot goes GPLv3, please dont do your 
own thing in a vacuum.  there will be others who would support a GPLv2 split, 
so we might as well collaborate.  u-boot-v2 looks fairly attractive at this 
point.
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090709/0b255e8d/attachment.pgp 

[U-Boot] U-book and GPLv3?

[Kumar Gala]

On Jul 9, 2009, at 12:54 PM, Mike Frysinger wrote:

> On Thursday 09 July 2009 12:10:48 Kumar Gala wrote:
>> I ask because its my understanding from internal Freescale  
>> discussions
>> (from the PPC group) that its Freescale's preference to stick with
>> GPLv2.  What Freescale will decide to do if the decision is to move  
>> to
>> GPLv3 is not clear at this point.
>
> Freescale isnt alone here, so when/if u-boot goes GPLv3, please dont  
> do your
> own thing in a vacuum.  there will be others who would support a  
> GPLv2 split,
> so we might as well collaborate.  u-boot-v2 looks fairly attractive  
> at this
> point.

My personal opinion (not necessarily Freescale's) is that working on a  
community boot loader is beneficial and doing something in a vacuum is  
a bad idea.

- k

[U-Boot] U-book and GPLv3?

[Remy Bohmer]

Hello Robert and Sascha,

> Freescale isnt alone here, so when/if u-boot goes GPLv3, please dont do your
> own thing in a vacuum. ?there will be others who would support a GPLv2 split,
> so we might as well collaborate. ?u-boot-v2 looks fairly attractive at this
> point.
> -mike

Well, now Mike brought it up, I think it is time to get the picture
complete: What is the standpoint of the u-boot-v2 team on this
subject?

Kind Regards,

Remy

[U-Boot] U-book and GPLv3?

[Wolfgang Denk]

Dear Kumar,

In message <CCBA64F3-2821-475E-8895-4C976032EDBE@kernel.crashing.org> you wrote:
> 
> > Medium term goal:
> >
> >        Analyze which parts of U-Boot are implemented  by  GPLv2-only
> >        code, and evaluate options to convert these into GPLv2+later.
> >
> > Long term goal:
> >
> > 	Move U-Boot to GPLv3.
> 
> Its not clear if you've decided that u-boot will move to GPLv3 or  
> not.  If you haven't how will that decision be made?  Will we vote as  
> a community with some bias given to how much one has contributed?   
> Will you just decide?

As far as I'm concerned, the decision is clear. It is  my  long  term
goal to move U-Boot to GPLv3. Note that this is a goal, a landmark at
the  horizon. I cannot tell what time or whet efforts it will take to
rech this goal, or if it will ever be reached at all. This depends on
a lot of things, last but not least on how many  developers  actively
support (or make a stand against) such activities.

I tend to be a sequential type: to one step after another. Let's  get
the  current,  serious  licensing  issues in U-Boot fixed first. When
this has been done (and I guess it may easily extend into next year),
we can try and to the next step - having a closer look at what  needs
to be done to got forward to GPLv3

> I ask because its my understanding from internal Freescale discussions  
> (from the PPC group) that its Freescale's preference to stick with  
> GPLv2.  What Freescale will decide to do if the decision is to move to  
> GPLv3 is not clear at this point.

I am pretty sure that such positions will shift over time. I've  seen
this  so  many  times  before.  In  any way, if you have any specific
contacts or names of people within Freescale who are concerned  about
goind  GPLv3  please  feel  free to tell them to contact me directly.
I'll be happy to dicuss details with them - maybe I can then at least
understand what their actual problem with GPLv3 is.

May of the concerns raised about GPLv3 are eventually based  on  mis-
understandings  either of the current legal situation (GPLv2), or the
legal consequences of going GPLv3, or most likely both.


Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
The more sins you confess, the more books you will sell.

[U-Boot] U-book and GPLv3?

[Mike Frysinger]

On Thursday 09 July 2009 15:49:31 Remy Bohmer wrote:
> > Freescale isnt alone here, so when/if u-boot goes GPLv3, please dont do
> > your own thing in a vacuum.  there will be others who would support a
> > GPLv2 split, so we might as well collaborate.  u-boot-v2 looks fairly
> > attractive at this point.
>
> Well, now Mike brought it up, I think it is time to get the picture
> complete: What is the standpoint of the u-boot-v2 team on this
> subject?

Kumar posted the question in a dedicated thread
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
Url : http://lists.denx.de/pipermail/u-boot/attachments/20090709/89b69a86/attachment.pgp 

[U-Boot] U-book and GPLv3?

[Robert Schwebel]

Hi Remy,

On Thu, Jul 09, 2009 at 09:49:31PM +0200, Remy Bohmer wrote:
> > Freescale isnt alone here, so when/if u-boot goes GPLv3, please dont do your
> > own thing in a vacuum. ?there will be others who would support a GPLv2 split,
> > so we might as well collaborate. ?u-boot-v2 looks fairly attractive at this
> > point.
> > -mike
>
> Well, now Mike brought it up, I think it is time to get the picture
> complete: What is the standpoint of the u-boot-v2 team on this
> subject?

Seen from our side, we don't plan any license change for u2 over what we
have now. Although I must say that I havn't read the recent u-boot
flamewar about this topic yet :)

rsc
-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |