Jump to content

Tivoization

From Wikipedia, the free encyclopedia
(Redirected from Mandatory code signing)

Tivoization (/ˌtvɪˈzʃən, --/) is the practice of designing hardware that incorporates software under the terms of a copyleft software license like the GNU General Public License (GNU GPL), but uses hardware restrictions or digital rights management (DRM) to prevent users from running modified versions of the software on that hardware. Richard Stallman of the Free Software Foundation (FSF) coined the term in reference to TiVo's use of GNU GPL licensed software on the TiVo brand digital video recorders (DVR), which actively block modified software by design.[1][2] Stallman believes this practice denies users some of the freedom that the GNU GPL was designed to protect.[3] The FSF refers to tivoized hardware as "proprietary tyrants".[4]

The Free Software Foundation explicitly forbade tivoization in version 3 of the GNU General Public License. However, although version 3 has been adopted by many software projects, the authors of the Linux kernel have notably declined to move from version 2 to version 3.

Background

[edit]

TiVo's software incorporates the Linux kernel and GNU software, both of which are licensed under version 2 of the GNU General Public License (GPLv2). GPLv2 requires distributors to make the corresponding source code available to each person who receives the software. One goal of this requirement is to allow users of GPL-covered software to modify the software to better suit their purposes.[5]

Richard Stallman of the Free Software Foundation asserts that TiVo circumvented the GPL's goal by making their products run programs only if the program's digital signature matches those authorized by the manufacturer of the TiVo.[6] While TiVo has complied with the GPL v2 requirement to release the source code for others to modify, any modified software will not run on TiVo's hardware.

Bradley Kuhn of the Software Freedom Conservancy disputes Stallman's narrative. Kuhn asserts that TiVo did not strictly forbid software replacement, but TiVo's proprietary software was intentionally designed to not function if any open-source components were replaced, which consequently required the user to find fully open-source alternatives to the proprietary software. In Kuhn's view, TiVo did not tivoize, the GPLv2 was already sufficient to prevent tivoization, and the intent of the GPLv3 was to add an additional, unnecessary requirement that proprietary software continue to function.[7]

GNU GPLv3

[edit]

In 2006, the Free Software Foundation (FSF) decided to combat TiVo's technical system of blocking users from running modified software. The FSF subsequently developed a third version of the GNU General Public License (GPLv3) which was designed to include language which prohibited this activity.[8] According to Eben Moglen, "the license should prohibit technical means of evasion of its rules, with the same clarity that it prohibits legal evasion of its rules."[9]

The second draft of the GPLv3 attempted to clarify the rules regarding tivoization.[10] However, some Linux kernel developers were still concerned that this draft might still prohibit beneficial uses of digital signatures.[11] Stallman and the Free Software Foundation attempted to respond to some of these concerns by stating that the GPLv3 allows private digital signatures for security purposes while still preventing tivoization.[citation needed]

In the third and fourth discussion drafts of the GPLv3, released March 28, 2007 and May 31, 2007, respectively, the anti-tivoization clause was limited so as not to apply when the software is distributed to a business.[12] Thus, medical devices and voting machines would not be covered. The final, official GPLv3 was published on June 29, 2007, with no major changes in respect to tivoization relative to the fourth draft.

Linus Torvalds said he was "pretty pleased" with the new draft's stance on DRM.[13] However, he still does not support relicensing the Linux kernel under GPLv3, stating that:[14]

Stallman calls it "tivoization", but that's a word he has made up, and a term I find offensive, so I don't choose to use it. It's offensive because Tivo never did anything wrong, and the FSF even acknowledged that. The fact [is] that they do their hardware and have some DRM issues with the content producers and thus want to protect the integrity of that hardware. The kernel license covers the *kernel*. It does not cover boot loaders and hardware, and as far as I'm concerned, people who make their own hardware can design them any which way they want. Whether that means "booting only a specific kernel" or "sharks with lasers", I don't care.

The GPLv3's new license provisions were acknowledged by TiVo in its April 2007 SEC filing: "If the currently proposed version of GPLv3 is widely adopted, we may be unable to incorporate future enhancements to the GNU/Linux operating system into our software, which could adversely affect our business."[15]

Outcome

[edit]

The Linux kernel, which is included in the operating system of TiVo-branded hardware, is still distributed under the terms of the GPLv2. The kernel has not been changed to use GPLv3[16] because the kernel maintainers have generally perceived the GPLv3 to be overly restrictive,[17][18][19] although some kernel developers, such as Alan Cox,[20] have expressed divergent opinions. In any case, offering the Linux kernel under a different license would likely be infeasible because of its very large number of copyright holders. Unlike most GPL software, the kernel is licensed only under GPLv2 without the wording "or, at your option, any later version", therefore the explicit agreement of all copyright holders would be required to license the kernel as a whole under a new version.[21]

Some other projects widely used in tivoized embedded systems, such as BusyBox, have also declined to move to GPLv3.[22]

See also

[edit]

References

[edit]
  1. ^ "Frequently Asked Questions about the GNU Licenses". Archived from the original on December 29, 2016. Retrieved March 17, 2015. GNU.org Frequently Asked Questions about the GNU Licenses
  2. ^ "A Quick Guide to GPLv3". Archived from the original on December 29, 2016. Retrieved March 17, 2015. A Quick Guide to GPLv3
  3. ^ "[Info-gplv3] GPLv3 Update #2". fsf.org. Archived from the original on October 26, 2006. Retrieved October 2, 2015.
  4. ^ "Proprietary Tyrants". Free Software Foundation. Archived from the original on September 24, 2015. Retrieved January 28, 2023.
  5. ^ "The Free Software Definition". Archived from the original on January 27, 2023. Retrieved January 28, 2023. ...The freedom to study how the program works, and adapt it to your needs...
  6. ^ "Using large disks with TiVo". gratisoft.us. Archived from the original on February 6, 2012. Retrieved October 2, 2015.
  7. ^ Kuhn, Bradley (July 23, 2021). ""Tivoization" and Your Right to Install Under Copyleft". Conservancy Blog. Retrieved April 6, 2023.
  8. ^ "Richard Stallman explains the new GPL provisions to block "tivoisation"". Archived from the original on October 6, 2022. Retrieved January 28, 2023.
  9. ^ "Eben Moglen, speaking about GPLv3 in Barcelona". Archived from the original on January 12, 2023. Retrieved January 28, 2023.
  10. ^ "Opinion on Digital Restrictions Management". fsf.org. Archived from the original on August 19, 2006. Retrieved October 2, 2015.
  11. ^ Bottomley, James E.J.; Chehab, Mauro Carvalho; Gleixner, Thomas; Hellwig, Christoph; Jones, Dave; Kroah-Hartman, Greg; Luck, Tony; Morton, Andrew; Myklebust, Trond; Woodhouse, David (September 22, 2006). "GPLv3 Position Statement". google.com. Archived from the original on December 2, 2021. Retrieved October 2, 2015.
  12. ^ brett (June 26, 2007). "GPLv3 FAQ, with explanation of Section 6's limits |". Archived from the original on June 6, 2007. Retrieved January 28, 2023.
  13. ^ "Torvalds 'pretty pleased' about new GPL 3 draft". CNet news.com. Archived from the original on July 13, 2012.
  14. ^ Torvalds, Linus (June 13, 2007). "Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3". Linux Kernel Mailing List. Archived from the original on June 17, 2007. Retrieved January 28, 2023.
  15. ^ "InformationWeek: TiVo Warns Investors New Open Source License Could Hurt Business". June 1, 2007. Archived from the original on July 27, 2022.
  16. ^ Torvalds, Linus. "COPYING". kernel.org. blob ca442d313d86dc67e0a2e5d584b465bd382cbf5c. Archived from the original on January 28, 2023. Retrieved August 13, 2013. Also note that the only valid version of the GPL as far as the kernel is concerned is _this_ particular version of the license (ie v2, not v2.2 or v3.x or whatever), unless explicitly otherwise stated.
  17. ^ Bottomley, James E.J.; Chehab, Mauro Carvalho; Gleixner, Thomas; Hellwig, Christoph; Jones, Dave; Kroah-Hartman, Greg; Luck, Tony; Morton, Andrew; Myklebust, Trond; Woodhouse, David (September 15, 2006). "Kernel developers' position on GPLv3 – The Dangers and Problems with GPLv3". LWN.net. Archived from the original on September 25, 2006. Retrieved March 11, 2015. The current version (Discussion Draft 2) of GPLv3 on first reading fails the necessity test of section 1 on the grounds that there's no substantial and identified problem with GPLv2 that it is trying to solve. However, a deeper reading reveals several other problems with the current FSF draft: 5.1 DRM Clauses [...] 5.2 Additional Restrictions Clause [...] 5.3 Patents Provisions [...]since the FSF is proposing to shift all of its projects to GPLv3 and apply pressure to every other GPL licensed project to move, we foresee the release of GPLv3 portends the Balkanisation of the entire Open Source Universe upon which we rely.
  18. ^ Linus Torvalds says GPL v3 violates everything that GPLv2 stood for. Debconf 2014. Portland. September 4, 2014. Archived from the original on November 19, 2016. Retrieved March 11, 2015.
  19. ^ "fa.linux.kernel: Linus Torvalds: Flame Linus to a crisp!". google.com. April 24, 2003. Archived from the original on December 27, 2020. Retrieved December 27, 2020.
  20. ^ "UK Linux guru backs GPL 3". ZDNet. January 31, 2006. Archived from the original on April 28, 2009. Retrieved October 2, 2015.
  21. ^ Mark P. Lindhout (October 16, 2006). "(About GPLv3) Can the Linux Kernel Relicense? — Ciarán's free software notes". fsfe.org. Archived from the original on February 23, 2009. Retrieved October 2, 2015.
  22. ^ "Busy busy busybox". LWN. Archived from the original on November 5, 2006. Retrieved January 28, 2023.

Further reading

[edit]