Re: Mass bug filing: Cryptographic protection against modification
Herbert Xu wrote:
> Don Armstrong <email@example.com> wrote:
>> On Tue, 04 May 2004, Florian Weimer wrote:
>>> A few packages contain "software" (well, everything's software these
>>> days) which is cryptographically protected against modification.
>>> This seems to violate DFSG ?3.
>> Uh, if you're refering to the PGP keys and certificates inclosed in
>> these works, you really need to reread DFSG ?3 very carefully.
>> Presumably the licenses of these works allows modified works,
>> derived works, and distribution of said works. If it does, there is no
>> DFSG ?3 violation.
> I'm not sure that it is as simple as that.
Well, it still isn't an actual problem. See below.
> Consider the hypothetical case of a piece of firmware for a peripheral
> device that is protected by a cryptographic signature such that the
> device will reject anything that is not signed using a specific key.
> Let's further assume that that the said firmware is distributed with
> full source (but without the private key used to make the signature)
> and a license saying that you can do whatever you wish with it.
> Do you consider this piece of firmware to be distributable in Debian main?
Depends: maybe, maybe not. It would certainly be distributable in contrib.
If the peripheral device could also be altered to accept a different
signature, or an alternate peripheral was available which could accept a
user-programmed signature, then yes, it would be appropriate for main.
This is fairly straightforward.
> Substitute firmware with software for Digital Rights Management.
And I believe the cases mentioned fall into the software analogue of the
category I just described.
There are none so blind as those who will not see.