Re: Mass bug filing: Cryptographic protection against modification

To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: debian-devel@lists.debian.org
Subject: Re: Mass bug filing: Cryptographic protection against modification
From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
Date: Tue, 04 May 2004 18:34:35 +0200
Message-id: <[🔎] 87pt9kf8x0.fsf@mrvn.homelinux.org>
In-reply-to: <[🔎] E1BKwtD-0003OX-00@gondolin.me.apana.org.au> (Herbert Xu's message of "Tue, 04 May 2004 20:11:03 +1000")
References: <[🔎] E1BKwtD-0003OX-00@gondolin.me.apana.org.au>

Herbert Xu <herbert@gondor.apana.org.au> writes:

> Don Armstrong <don@donarmstrong.com> wrote:
>> 
>> On Tue, 04 May 2004, Florian Weimer wrote:
>>> A few packages contain "software" (well, everything's software these
>>> days) which is cryptographically protected against modification.
>>> This seems to violate DFSG ?3.
>> 
>> Uh, if you're refering to the PGP keys and certificates inclosed in
>> these works, you really need to reread DFSG ?3 very carefully.
>> 
>> Presumably the licenses[1] of these works allows modified works,
>> derived works, and distribution of said works. If it does, there is no
>> DFSG ?3 violation.
>
> I'm not sure that it is as simple as that.
>
> Consider the hypothetical case of a piece of firmware for a peripheral
> device that is protected by a cryptographic signature such that the
> device will reject anything that is not signed using a specific key.
>
> Let's further assume that that the said firmware is distributed with
> full source (but without the private key used to make the signature)
> and a license saying that you can do whatever you wish with it.
>
> Do you consider this piece of firmware to be distributable in Debian main?
>
> Substitute firmware with software for Digital Rights Management.

Since you can't take the original source and rebuild the firmware
image, even with all the compilers and tools originally used, I would
say no.

That would be like not shipping the Makefile.

I would point to:
| For an executable work, complete source code means all the source
| code for all modules it contains, plus any associated interface
| definition files, plus the scripts used to control compilation and
| installation of the executable.

For a Makefile the situation is clear, its 'the scripts used to
control compilation'. But what does a private key fall under?

To take it one step further and back to the beginning of the thread:
Does the key, being derived from source (some prime numbers generated
from random bits) fall under the GPL too? Its not an executable
work.

Do I have to ship the stream of random bits used to generate the key
(+patches to the key generator to read the bits from a file) or do I
just have to provide a script that generate a key if none is present
or just ship the binary key or none at all?  LAW SUCKS.

MfG
        Goswin

Reply to:

Follow-Ups:
- Re: Mass bug filing: Cryptographic protection against modification
  - From: John Hasler <john@dhh.gt.org>
- Please stop breaking things (was: Mass bug filing: Cryptographic protection against modification)
  - From: Andreas Barth <aba@not.so.argh.org>

References:
- Re: Mass bug filing: Cryptographic protection against modification
  - From: Herbert Xu <herbert@gondor.apana.org.au>

Prev by Date: Re: Social Contract GR's Affect on sarge
Next by Date: YOUR MESSAGE HAS BEEN BLOCKED
Previous by thread: Re: Mass bug filing: Cryptographic protection against modification
Next by thread: Re: Mass bug filing: Cryptographic protection against modification
Index(es):
- Date
- Thread