
Re: Mass bug filing: Cryptographic protection against modification



Herbert Xu wrote:

> Don Armstrong <don@donarmstrong.com> wrote:
>> 
>> On Tue, 04 May 2004, Florian Weimer wrote:
>>> A few packages contain "software" (well, everything's software these
>>> days) which is cryptographically protected against modification.
>>> This seems to violate DFSG §3.
>> 
>> Uh, if you're referring to the PGP keys and certificates enclosed in
>> these works, you really need to reread DFSG §3 very carefully.
>> 
>> Presumably the licenses[1] of these works allow modified works,
>> derived works, and distribution of said works. If it does, there is no
>> DFSG §3 violation.
> 
> I'm not sure that it is as simple as that.
Well, it still isn't an actual problem.  See below.

> Consider the hypothetical case of a piece of firmware for a peripheral
> device that is protected by a cryptographic signature such that the
> device will reject anything that is not signed using a specific key.
> 
> Let's further assume that the said firmware is distributed with
> full source (but without the private key used to make the signature)
> and a license saying that you can do whatever you wish with it.
> 
> Do you consider this piece of firmware to be distributable in Debian main?
Depends: maybe, maybe not.  It would certainly be distributable in contrib.
If the peripheral device could also be altered to accept a different
signature, or an alternate peripheral was available which could accept a
user-programmed signature, then yes, it would be appropriate for main. 
This is fairly straightforward.

> Substitute firmware with software for Digital Rights Management.
And I believe the cases mentioned fall into the software analogue of the
category I just described.

-- 
There are none so blind as those who will not see.


