Stallman rants about FreeBIOS

[Robert Redelmeier]

I think that the first sentence "preferred form for .. making
modifications", and the third (special exception) probably
covers it. IANL etc. I.e., compilers would be included,
because you need them in order to make modifications,

But it just says "source in the preferred form for making mods".
That means ASCII text. It does not include tools.

Then it wouldn't be a sufficient form for making
modifications, would it?

It doesn't say anything about sufficient. It says "preferred
form" Interestingly, I once emailed RMS about some of my
pgms, which have no source, only executable (MS-DEBUG *.com).
He said that's allowed under the GPL.

Besides which, doesn't GPLv2 contain words along the lines of
"or any subsequent version of this license"?

Yes, but Linus dropped this phrase because it included
"at the option of the licencee".

What I don't understand about the whole DRM'd BIOS issue is
how they expect it to achieve anything at all? Would it be
impossible, or illegal in some sense, to get an interpreter
signed? If you've got a signed perl or python executable, then
you can still do whatever you like. If you've got a signed
JVM or Bochs/Dynamo/FX!32 then you can run anything at all.

I'd expect signed interpreters to not allow raw device access
if the media forbade it. So you can play a DVD with a signed
executable, but not copy it/portions to a file.

-- Robert

 

[Sander Vesik]

I don't know whether DRM signing would count as "scripts used to control
compilation and installation of the executable", but it could well do.

Why would one care? after all, as you'll get the source to the bios
that is in your machine you can modify to disable the check and then
publish both the source and binaries...

 

[Scott A Crosby]

The problem is also that this represents a loophole in the GPL. If
you embed DRM in the hardware and require the OS to be signed¹,
you could distribute GPL-compliant source code to your hearts content,
without granting the users the freedom to actually *run* modified
code.

The loophole in the GPL that controlled/trusted computing would
exploit seems to me to be a largely orthogonal issue to FreeBIOS.

Only some of the controlled computing schemes depend on refusing to
boot any unsigned OS. I consider schemes that refuse to boot an
unsigned OS likely to be used in enbedded devices like game machines
or dvd players. In mass-market PC's, I expect that you can run any
software that you want, but if its not 'authorized', the hardware will
refuse to relinquish decryption keys to your data.

There seems to be at least two different implementations of
trusted/controlled computing. One is based around secure boot, where,
before the BIOS is run, it is cryptographically hashed into a secure
register. The chain of firmware, boot loaders, OS, and kernel and such
is hashed into a chain whose root is hashed into a secure
register. This is roughly the TCPA design.

There's also an alternative design works differently where a section
of memory is loaded with some code and is then partitianed off. The
hardware then insures that the 'locked box' cannot be altered
externally, and cryptographically hashes it. This is similar to the
Palladium/NGSCB approach.

In both of these cases, the hardware refuses to relinquish decryption
keys to any altered or non-trusted software. In both cases, GPLed
conded may be included within the code in those locked boxes. The
author, would supply full source code. But if the user were to alter
the software in any way, the hardware then refuses to relinquish
decryption keys that the software would need to access its data. The
user is free to recompile the code or modify it any way they wish, but
it would be effectively useless.

That is the hole in the GPL.

Here's an example of how it could be exploited:

A PVR could use linux as its operating system and be based around
MythTV. However, the stored MPEG database and a non-GPLed driver to
access the tuner card are encrypted so that the hardware will refuse
to relinquish the decryption keys. Furthermore, the TV-guide download
refuses to work without 'remote attestation' that the install is
unmodified. Thus, any attempt to modify the installed MythTV, say, to
replace it with an upgraded version would invalidate the ability to
get at the complete stored database, the non-GPLed driver, *and* the
tv guide.

Scott

 

[Ketil Malde]

I don't know whether DRM signing would count as "scripts used to control
compilation and installation of the executable", but it could well do.

I think it is fairly clear that whether or not DRM-controlled
exectution breaks with the wording of the GPL, it clearly breaks with
the *intent*, which is precisely to empower the user to make any
changes he desires to the software.

I've no idea how much that is worth in a court of law -- the system of
justice we are blessed with seems to be too arbitrary for a lay person
to predict with any degree of accuracy.

-kzm

 

[=?ISO-8859-1?Q?Jan_Vorbr=FCggen?=]

What I don't understand about the whole DRM'd BIOS issue is how they

expect it to achieve anything at all? Would it be impossible, or illegal
in some sense, to get an interpreter signed?

Unlikely illegal, but possibly impossible. It depends on whether the OS's
author - e.g., Microsoft - or the owners of certificates that have been
countersigned by the OS author are prepared to sign your code if that has
been written to circumvent a DRM mechanism supported by that OS. Whether
your code is an executable or interpreted is immaterial - after all, you
can view the processor as an interpreter of instructions.

Jan

 

[Bernd Paysan]

But it just says "source in the preferred form for making mods".
That means ASCII text. It does not include tools.

"However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable."

So you don't need to ship the compiler, since it is part of the OS on which
the executable runs. Or, use an entire different world, you don't need to
ship the synthesis and place&route tool for an FPGA, when you are shipping
free hardware, because that's what the FPGA vendor provides.

But if you need a secret key to make (working) modifications to the program,
you have to include it, or at least have an instance that does sign
whatever modified binary (or hash) you send them.

 

[Alexander Terekhov]

Bernd Paysan wrote:
[...]

But if you need a secret key to make (working) modifications to the program,
you have to include it, or at least have an instance that does sign
whatever modified binary (or hash) you send them.

According to the FSF, the GPL is not a contract.

Under copyright law one just can't restrict distribution of copies
(material objects) lawfully made. Electronic distribution implies
reproduction, but that right is also granted unilaterally to
everybody-and-his-dog by the GPL licensors. So all "copies" (17 USC
101) incorporating publicly available GPL'd works (and their
derivative works lawfully prepared and incorporated in "copies"
thanks the GPL unilateral grant, *not* restricted adaptation right
under 17 USC 117) are "lawfully made" and can be distributed as
their owners see fit notwithstanding purported "must be free"
restrictions stated in the GPL. That's because distribution of
copies lawfully made doesn't require permission of the copyright
proprietors. RedHat's lawyers simply erred in thinking that current
codification of "first sale" doctrine (17 USC 109) needs amendments
(formally codifying "digital first sale"... and as a byproduct, also
clearly stating legality of teleportation*** of books and etc. ;-) )
to break the GPL. The GPL is already totally broken.

< quotes from dmca/sec-104-report-vol-<2|3>.pdf >

Red Hat, Inc.:

Let me just clarify that I don't think anyone today intends to
impact our licensing practices. I haven't seen anything in the
comments, nor have I heard anything today that makes me think
someone does have that intention. What we're concerned about
are unintended consequences of any amendments to Section 109.
The primary difference between digital and nondigital products
with respect to Section 109 is that the former are frequently
licensed. ... product is also available for free downloaded
from the Internet without the printed documentation, without
the box, and without the installation service. Many open source
and free software products also embody the concept of copyleft.
... We are asking that amendments not be recommended that would
jeopardize the ability of open source and free software
licensor to require [blah blah]

Time Warner, Inc.:

We note that the initial downloading of a copy, from an
authorized source to a purchaser's computer, can result in
lawful ownership of a copy stored in a tangible medium.

Library Associations:

First, as conceded by Time Warner, digital transmissions can
result in the fixation of a tangible copy. By intentionally
engaging in digital transmissions with the awareness that a
tangible copy is made on the recipient's computer, copyright
owners are indeed transferring ownership of a copy of the work
to lawful recipients. Second, the position advanced by Time
Warner and the Copyright Industry Organizations is premised
on a formalistic reading of a particular codification of the
first sale doctrine. When technological change renders the
literal meaning of a statutory provision ambiguous, that
provision "must be construed in light of its basic purpose"
and "should not be so narrowly construed as to permit evasion
because of changing habits due to new inventions and
discoveries." Twentieth Century Music Corp. v. Aiken, 422 U.S.
151, 156-158 (1975). The basic purpose of the first sale
doctrine is to facilitate the continued flow of property
throughout society.

See also

http://www.oii.ox.ac.uk/resources/feedback/OIIFB_GPL3_20040903.pdf

regards,
alexander.

***) http://www.research.ibm.com/quantuminfo/teleportation

 

[Bernd Paysan]

Bernd Paysan wrote:
[...]

But if you need a secret key to make (working) modifications to the
program, you have to include it, or at least have an instance that does
sign whatever modified binary (or hash) you send them.

According to the FSF, the GPL is not a contract.

Under copyright law one just can't restrict distribution of copies
(material objects) lawfully made. Electronic distribution implies
reproduction, but that right is also granted unilaterally to
everybody-and-his-dog by the GPL licensors

.... if the terms are accepted. The GPL is not really unilateral. I, as
author, give you an offer. If you accept that offer, you can exercise the
rights from that offer. If you don't, you can't. So if you do distribute a
signed Linux or whatever, that can only work *because it's signed*, it's a
derivative of Linux, and you either have to fully comply to the GPL (and
include the private key), or go straight to jail, do not pass go, and do
not collect $200. It's a simple copyright violation if you don't accept the
GPL, and violate the terms - i.e. it's not a lawful copy.

The question whether this is a contract or not depends on legal nitpicking.
In German law, a contract has an offer and an acceptance. The GPL is the
offer, the user has to accept it to exercise the rights. Therefore, in
German law, the GPL is a contract - and a German court ruled just last year
that the GPL is fully valid.

 

[Paul F. Dietz]

Alexander Terekhov wrote:
[...]

... if the terms are accepted. The GPL is not really unilateral. I, as
author, give you an offer. If you accept that offer, you can exercise the
rights from that offer.

Terekhov is a well-known anti-GPL troll. He should be ignored; arguing
with him is a waste of time.

Paul

 

[Alexander Terekhov]

Bernd Paysan wrote:
[...]

if the terms are accepted.

The GPL is a bare copyright license, not a contract. It merely
misstates the law (go read both 17 USC 109 and 17 USC 117 to begin
with) and just can't legally compel you to relinquish rights that
you enjoy under copyright law (or any other rights; in contrast
to other contractual OSS licenses*** written by real IP lawyers,
not some obsessive and oppressive lunatic with the help of a law
historian fond of spreading anti-copyright-and-patent anarchistic
propaganda).

<quote source=http://tinyurl.com/3c2n2>

Adobe characterizes each transaction throughout the entire stream
of commerce as a license.8 Adobe asserts that its license defines
the relationship between Adobe and any third-party such that a
breach of the license constitutes copyright infringement. This
assertion is not accurate because copyright law in fact provides
certain rights to owners of a particular copy. This grant of rights
is independent from any purported grant of rights from Adobe.

</quote>

s/Abobe/FSF

See also

http://www.nysd.uscourts.gov/courtweb/pdf/D02NYSC/01-07482.PDF
(Specht v. Netscape Communications Corp.)

Furthermore, FSF's expansive claims (just like SCO's -- see Tenth
IBM's defense) are barred by the doctrine of copyright misuse.

<quote source="Open Source Licensing: Virus or Virtue?">

Even if the open source license [GPL] is binding, the copyleft
provision may still not be enforceable as to independent
proprietary code, in light of the intellectual property misuse
doctrine. The doctrine is asserted as an affirmative defense to
an intellectual property infringement claim. Much like an unclean
hands defense, the misuse doctrine precludes enforcement of
intellectual property rights that have been extended beyond the
scope of those rights.

[...]

A successful misuse defense bars the misuser from prevailing
against anyone on an action for infringement of the misused
intellectual property, even against defendants who have not been
harmed or affected by the misuse.[76]

The misuse doctrine was judicially created, first in the patent
context. Only recently has the misuse doctrine been extended to
copyrights, building on the rich misuse history in the patent
law.[77] Importantly, most courts have found misuse without
requiring a finding of antitrust liability.[78] Thus, market
power is unnecessary, as is any analysis of the competitive and
anticompetitive impacts of the provision.[79]

The courts have yet to analyze a copyleft provision for misuse,
but the courts have addressed an analogous provision—the
grantback. A grantback provision requires that a licensee of
intellectual property grant back to the licensor a license or
ownership in creations made by the licensee. The typical
grantback provision requires that the licensee give the licensor
a nonexclusive license to any improvements or derivatives that
the licensee creates based on the original licensed property. The
idea is that the licensee would not have been able to make the
improvement or derivative without permission of the licensor or
at least access to the original; thus, the licensor should not
be blocked by an improvement or derivative he and his
intellectual property helped create. Giving the license back
encourages licensors to license, since it mitigates the risk of
becoming blocked by derivative intellectual property. Like a
grantback, copyleft requires the licensee to license back its
improvements. The copyleft provision is more expansive, though.

[...]

Although grantbacks have not come up in the copyright misuse
arena, they have in the patent context—and as we have seen, the
patent misuse cases form the underpinning for the copyright
misuse doctrine. Courts have found that grantback clauses
extending to improvements are not misuse, because the licensee
in some sense developed the improvement with the help of the
original patent. Where grantback clauses extend to preexisting
or unrelated patents, however, courts have found patent misuse.
Where "the scope of [licensee's] 'improvements' and inventions
required to be assigned to [the patent licensor] extended far
beyond the scope of [the] basic patent [licensed by licensor] the
effect was to extend unlawfully its monopoly and thus result in
patent misuse."[80] Plainly, the Patent Act does not give the
patent owner rights to other unrelated patents, and using a
patent to obtain such rights exceeds the scope of the patent.

Similarly, the Copyright Act's grant of rights does not extend
to unrelated works or preexisting (and therefore necessarily
nonderivative) works, and using the copyright license to extract
such rights exceeds the scope of the copyright grant. This may
constitute copyright misuse. A license to a copyrighted work on
condition that any work with which it is combined or shares data
must be licensed back to the licensor—and the entire world—on
the specific terms the licensor mandates, is beyond the scope of
the copyright in the originally licensed work. Yet this is what
the GPL apparently requires. The copyleft provision purports to
infect independent, separate works that are not derivative of the
open source code, and requires that such independent works be
licensed back to the licensor and the entire world under the GPL.
The Copyright Act does not give the copyright owner rights to
such independent nonderivative works. Attempting to extract such
rights exceeds the scope of the copyright. The fact that the GPL
mandates that the license be free and open is irrelevant; as
explained above, misuse doctrine does not require an analysis of
market share, or a weighing of the competitive and anticompetitive
effects of the provision.

If the copyleft provision constitutes misuse, then the plaintiff's
copyrights in the open source program are unenforceable until the
misuse is purged.[81] As a result, at least with respect to the
code contributed by any plaintiff, the defendant (and anyone else)
could infringe the copyright with impunity, including taking the
code private for his own commercial ends.[82] Thus, licensors
using copyleft licenses need to realize that they may be unable to
enforce the copyleft provision against separate works of the
licensee, and that any such attempt may at least temporarily
invalidate all their copyrights in the entire open source program.
Copyleft licenses are still valuable, however, where they do not
try to infect independent code. They should safely cover any
dependent derivative works based on the original GPL code.
Licensors simply need to understand the potential limitations and
risks of copyleft to employ it effectively.

</quote>

regards,
alexander.

***) e.g the CPL:

http://www.opensource.org/lice­nses/cpl.php

<quote>

No party to this Agreement will bring a legal action under this
Agreement more than one year after the cause of action arose.
Each party waives its rights to a jury trial in any resulting
litigation.

</quote>

 

[Alexander Terekhov]

Bernd Paysan wrote:
[...]

and a German court ruled just last year that the GPL is fully valid.

That's not true. It was about preliminary injunction (presumption,
etc) to begin with. Reread that "feedback" from Hoeren. BTW, go see
his profile:

http://arbiter.wipo.int/domains/panel/profiles/hoeren.pdf.

Note "Court of Appeal of Dusseldorf (Copyright Senate)".
^^^^^^^^^^^^^^^

regards,
alexander.

 

[=?ISO-8859-1?Q?Jan_Vorbr=FCggen?=]

Note "Court of Appeal of Dusseldorf (Copyright Senate)".

^^^^^^^^^^^^^^^

That's because all cases in intellectual property law in Germany are
initially heard at that level - I believe this is a translation of
"Landgericht", which for "normal" cases is indeed the court of appeal.

Jan

 

[Alexander Terekhov]

Bernd Paysan wrote:
[...]

It's a simple copyright violation if you don't accept the
GPL, and violate the terms - i.e. it's not a lawful copy.

C'mon, as far as copyright is concerned, copies just can't become
unlawful just because they change owners under terms (or whatever)
you don't like. If I want to make a copy or two incorporating
protected elements from some publicly available GPL'd work(s), I
certainly have all the rights to copy and all those copies are
lawful.

http://gl.scofacts.org/gl-20031214210634851.html

Moglen: "Because the GPL does not require any promises in return
from licensees, it does not need contract enforcement in order to
work. A GPL licensor doesn't say in the event of trouble "But, judge,
the licensee promised me he wouldn't do what he's doing now." The
licensor plaintiff says 'Judge, the defendant is redistributing my
copyrighted work without permission.'"

And the defendant says "17 USC 109, Judge." Judge: Case closed.

Heck, what is so hard to understand here?

regards,
alexander.

 

[Alexander Terekhov]

That's because all cases in intellectual property law in Germany are
initially heard at that level - I believe this is a translation of
"Landgericht", which for "normal" cases is indeed the court of appeal.

Bzzt. Hoeren (Court of Appeal/*Ober*landesgericht, etc.) wrote

http://www.oii.ox.ac.uk/resources/feedback/OIIFB_GPL3_20040903.pdf

as feedback on "final judgment" by Landgericht Muenchen I (district
court) in response to "appeal" (it is actual nothing but "you know,
we disagree" reply) to *the same court* (AFAIK Sitecom raised some
territorial issues and nothing having anything to do with the GPL,
BTW) in response to the initial "preliminary injunction"

http://www.google.de/[email protected]

that the district court has made under presumption (not hearing
anything from the other side at all) that Welte is right.

regards,
alexander.

 

[Bernd Paysan]

Bernd Paysan wrote:
[...]

if the terms are accepted.

The GPL is a bare copyright license, not a contract. It merely
misstates the law (go read both 17 USC 109 and 17 USC 117 to begin
with) and just can't legally compel you to relinquish rights that
you enjoy under copyright law

Sure it can't. But where is changing, modifying, and thus creating
derivatives of other people's code a right that's given to you under
copyright law? We don't talk about people reselling their CDs. We talk
about people who sign a Linux binary to be run under a DRM regime BIOS.
This is not a mere aggregate of the Linux binary and the signature, as both
form a functional unit. In other words: you can't change the Linux binary
without invalidating the signature, and the signature is necessary to run
the binary. Makes it part of the binary, and therefore the whole thing a
derivative.

If you tell me that I can legally modify Windows, and sell the derivatives
to whoever likes it, I'll do so from tomorrow. Microsoft won't be happy ;-)

 

[Alexander Terekhov]

Bernd Paysan wrote:
[...]

Sure it can't. But where is changing, modifying, and thus creating
derivatives of other people's code a right that's given to you under
copyright law?

EU aside for a moment, "the owner of a copy of a computer program"
can create derivatives called "adaptations". 17 USC 117. BTW, it
gives legal basis to a work around the GPL by patching (apart from
17 USC 109 and unilateral grant of right to prepare derivative works
that has nothing to do with 17 USC 117 adaptations) with patches
distributed under "proprietary" licenses and patching done by
recipients. It works because patches are not derivative works under
copyright law as long as they don't contain any protected elements
from the originals. And references are not protected elements. As
for Windows, IIRC, they really try to obtain strong manifestation
of assent (you press "I accept" or something) to a contract. Well,
but I sorta like this (wink):

http://cr.yp.to/softwarelaw.html

"Software user's rights

In the United States, once you own a copy of a program, you can
back it up, compile it, run it, and even modify it as necessary,
without permission from the copyright holder. See 17 USC 117.

For example, after purchasing a copy of Microsoft Windows NT 4.0
Workstation---which is a poorly tuned version of NT 4.0 Server,
minus a few utilities---you can back it up, apply a small patch
that fixes the tuning, and run the result.

Microsoft hates this. Of course, Microsoft could restrict your
rights by demanding that you sign a contract before you get a
copy of Windows NT, but this would not do wonders for Windows
sales.

So Microsoft puts a ``license'' on all of its software and
pretends that you don't have the right to use the software
unless you agree to the ``license.'' You can't patch Windows
without their permission, according to the license; you can't
use NT Workstation for more than 10 simultaneous connections;
you must give Microsoft your first-born son. (Or something like
that.)

The problem with Microsoft's license is that it's unenforceable.
You can simply ignore it. Microsoft can't win a copyright
infringement lawsuit: you own the software that Microsoft sold
you, and Congress gave you the right to use it.

Ten years ago, the SPA convinced Louisiana to subvert the will
of Congress by passing a law that declared shrinkwrap licenses
enforceable. In Vault v. Quaid, 847 F.2d 255 (5th Cir. 1988),
this law was struck down. Federal copyright law preempts state
law.

The SPA didn't give up. It keeps arguing in court that, gee, if
all these software makers claim that you can't use the software
without a license, then they can't all be wrong, can they?
(Ignore the fact that they're willingly selling their software
to the public.)

The SPA lost again in Step-Saver but then won in ProCD. I
expect the Supreme Court to step in within the next few years
to resolve the dispute in favor of Vault and Step-Saver."

regards,
alexander.

 

[Casper H.S. Dik]

But if you need a secret key to make (working) modifications to the program,
you have to include it, or at least have an instance that does sign
whatever modified binary (or hash) you send them.

Ah, but the program works on any hardware which doesn't enforce
signatures. Is there a requirement that you can run the modified
program on the same hardware? Also, by shipping the signature
you allow people to recreate the binary.

You could also ship the signature as part of the signature
verification system and not as part of the binary.

Casper

 

[Robert Redelmeier]

b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
^^^^^^^^^^
parties under the terms of this License."

So if the signature is part of the *functionality* of the
program, i.e. a program without that signature would not
do the same thing, the signature is part of the program,
and therefore the means to create it, the "source code"
to generate the signature (that's the private key, and in
case of a non-standard signature process, also the signature
program) is part of the overall source code.

You could distribute a signature that is only valid for unchanged
source. The meets the definition of "licenced as a whole".

If there's a loophole, than in sloppy interpretation of
what the source code is. The source code *is* the stuff to
create the program from. It doesn't need to be C code.

Quite true, but the GPL doesn't say this. And any ambiguities
in the GPL will be construed against the draftor [licensor]
because they had the means to eliminate the ambiguity.
Intent is only considered when words are absolutely unclear.

have to give out your private key. As long as the signature
has no effect on the functionality of the program, it is
not part of the source code.

And perhaps as some one else commented, the signature
would have no effect on a system that didn't enforce
signatures. So the problem gets back to BIOS.

-- Robert

 

[Bernd Paysan]

Bzzt. Hoeren (Court of Appeal/*Ober*landesgericht, etc.) wrote

http://www.oii.ox.ac.uk/resources/feedback/OIIFB_GPL3_20040903.pdf

It is no surprise that German and US court decisions are not compatible -
they occur under fundamentally different civil law systems (German civil
law is based on Code Napoleon, while the US civil law is based on the older
pre-revolution British law). As far as I know, the GPL has a number of
loopholes under US law, which it apparently hasn't under (continental*)
European law. I can't see how to close those loopholes under current US
law, but your example with patching Windows to Windows Server shows a way:
Microsoft, being furious about US law, buys itself a new copyright
amendment, which then helps the GPL ;-). The GPL, after all, hacks
copyright law to make its intention legally binding, and the stronger
copyright law is, the more legally binding is the GPL.

Some parts of the text above are pretty funny. E.g. that a German court
ignores the US law environment of the GPL. A German court is only bound to
German law, that's how it works (everywhere). It *has* to ignore US law. If
I go to a US court, I hope that they also are only bound to US law, and
will completely ignore Iran or Saudi-Arabic law. The quality of our
court-decisions is generally not very high, but neither is that of the US
system (e.g. spilled hot coffee ;-).

*) most continental European nations have a civil law based on Code
Napoleon.

 

[Alexander Terekhov]

Bernd Paysan wrote:
[...]

Some parts of the text above are pretty funny. E.g. that a German court
ignores the US law environment of the GPL. A German court is only bound to
German law, that's how it works (everywhere).

Bzzt.

http://www.iuscomp.org/gla/literature/foreignlaw.htm

regards,
alexander.