Hi Neal,
On 14.01.21 20:38, Neal Gompa wrote:
On Thu, Dec 10, 2020 at 7:18 AM Stefano Babic <sba...@denx.de> wrote:
Hi David,
On 10.12.20 12:27, David Sterba wrote:
On Tue, Dec 08, 2020 at 01:00:01PM -0800, Omar Sandoval wrote:
On Tue, Dec 08, 2020 at 10:49:10AM +0100, Stefano Babic wrote:
Hi,
I hope I am not OT. I ask about license for btrfs-progs and related
libraries. I would like to use libbtrfsutils in a FOSS project, but this
is licensed under GPLv3 (even not LGPL) and it forbids to use it in
projects where secure boot is used.
libbtrfsutil is LGPLv3, where did you get the idea that it is GPLv3?
Checking code in btrfs-progs, btrfs is licensed under GPv2 (fine !) and
also libbtrfs. But I read also that libbtrfs is thought to be dropped
from the project. And checking btrfs, this is linked against
libbtrfsutils, making the whole project GPLv3 (and again, not suitable
for many industrial applications in embedded systems).
Does anybody explain me the conflict in license and if there is a path
for a GPLv2 compliant library ?
No objections from me to make it LGPLv2 instead, I suppose. Dave,
thoughts?
I've replied in https://github.com/kdave/btrfs-progs/issues/323, the
initial question regarding GPL v3 does not seem to be relevatnt as
there's no such code.
I read this, thanks.
I was quite confused about the license for libbtrfsutil due to both
"COPYING" and "COPYING.LESSER" in the library path. COPYING reports
GPLv3. But headers in file set LGPLv3, sure, and btrfs.h is GPLv2.
I'd like to understand what's the problem with LGPLv3 before we'd
consider switching to LGPLv2, which I'd rather not do.
Please forgive me ig I am not correct because I am just a developer and
not a lawyer.
The question rised already when QT switched from LGPv2 to LGPLv3, and
after the switch what companies should do to be license compliant. Based
on information given by qt.io and from lawyers (I find again at least
this link https://www.youtube.com/watch?v=lSYDWnsfWUk), it is possible
to link even close source SW to libraries, but to avoid the known
"tivoization", the manufacturer or user of a library must provide
instruction to replace the running code. This is an issue for embedded
devices, specially in case the device is closed with keys by the
manufacturer to avoid attacks or replacement with malware - for example,
medical devices. This means that such a keys to be licence compliant
(anyone please correct me if I am wrong) must be provided, making the
keys itself without sense. The issue does not happen with LGPv2.1, and
this is the reason why many manufacturers are strictly checking to not
have (L)GPLv3 code on their device.
While I'm not a lawyer, what I've been told by others is that it just
means that you need a way to reset the keys for loading custom
software. That doesn't mean giving your official keys, just a way to
reset the trust for custom keys. This is analogous to how Secure Boot
works on PCs with support for adding the user's own keys and removing
preloaded keys.
This is correct, but this is unsatisfactory for embedded devices. Full
agree in case of PCs, where you can load your keys.
But think about a medical device (a lung ventilator, for example, as we
are all rather conditioned from news), or a device that was certified by
some authority. It is simply not allowed to replace the running
firmware, and manufacturers want to be sure that only their software is
allowed to run. Or device on aircraft, or whatever.
It is more over the initial reason for GPLv3, that is the "tivoization"
on set-top boxes. For such kind of restrictive applications, replacing
the software is a noway. Manufacturers take care of this issue, run
fossology and they avoid (L)GPLv3 software at all, even if it is easier
and technically better to use them.
You can design systems to only interoperate on matching keys, so if a
custom firmware is loaded, it's distrusted by standard firmware, and
so on.
Agree, but this cannot be applied for any device.
This approach actually makes sense for the longevity of secure devices
in the field, because they often outlast the companies that made them.
Having a way to have another party "take over" and maintain the
firmware is a good thing for the long-term stability of leveraging
technology in sensitive industries.
This is not what I see in the embedded systems, and specially in case of
certified devices.
Best regards,
Stefano
--
=====================================================================
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sba...@denx.de
=====================================================================
