Sky D-Link router and GPL violation (was Re: Selling device but retaining ownership of the firmware?)
henrik at henriknordstrom.net
Tue Dec 6 13:13:55 CET 2011
tis 2011-12-06 klockan 10:59 +0000 skrev Neil Brown:
> My view - and that's all it is - is that I would be surprised if a
> court were to read s3 of GNU GPL 2.0 as requiring the disclosure of an
> encryption key used to sign a piece of software for installation, on
> the basis that this is not source code, and interface definition file,
> or a script to control installation.
Agreed. imho it's fairly well accepted that GPLv2 do not require signing
keys to be disclosed. See for example the GPL FAQ published by FSF
There is plenty more to read on the subject if interested. It's a topic
which was debated quite in depth before and during the preparations of
An interesting follow up question is how far the related requirements in
GPLv3 actually stretches. I.e. would it be acceptable if there is an
installation method where the existing signing key is invalidated
including any related DRM keys, enabling use of unsigned binaries or
binaries signed with a custom key on the product, or is that interfering
"solely because modification have been made"? The code as such still
functions if the user installs new keys, but he most likely can no
longer access any content protected by the original DRM keys as the
chain of trust is broken. I do not know.
> > "preferred
> > form of the work for making modifications to it" involves a signed
> > firmware image, then it seems to me that I'll need a valid private key
> > with which to sign it.
> I would read this as simply meaning "source code," arguably in
> non-obfuscated form.
I would even say that the GPL itself is pretty clear on this. Unless you
are arguing that the signed firmware image is the "source code".
firmware encryption might be a slightly different story as that modifies
the exectuable by encrypting it, unlike signing that merely aggregates
the executable with a signature.
More information about the legal