[cryptography] Complying with GPL V3 (Tivoization)
thierry.moreau at connotech.com
Mon Jan 9 14:52:54 EST 2012
Jeffrey Walton wrote:
> Hi All,
> I was reading on CyanogenMod (a custom ROM project for Android) and
> "The story behind the mysterious CyanogenMod update"
> Interestingly, it seems some privaye keys were circulated to comply
> with GPL V3 with some nasty side effects (could anything else be
> expected?). Some interesting points were brought up, including how to
> comply with GPL V3.
> Is anyone aware of papers on integrity/signature schemes or protocols
> tailored for GPL V3? Or does this reduce to (1) allow the
> hardware/firmware to load additional [trusted] public keys; or (2)
> provide the private key for the hardware?
> cryptography mailing list
> cryptography at randombit.net
The high-level picture would be as follows:
[A] The GPL V3 philosophy excludes software intended to run on
[B] The custom ROM software version distributed under GPL V3 has to
distribute a private key such that it is not tied to proprietary
hardware. Consequently, accepting the software license terms includes
the implicit limitation of an explicitly-breached signature key.
[C] However, the GPL philosophy allows closed or proprietary
modifications *within*an*organization*, so the IT department could use
its own private key applicable to the internally distributed hardware.
It may well be unworkable in practice because all software components
might need the IT department blessing/signature, but who demonstrated
that code signing was workable at all at the institutional level?
[D] The GPL V3 compliance would forbid any transfer of such
gplv3-turned-proprietary ROM-based equipment outside of the organization
(one would put back the original ROM version as part of IT equipment
sanitization before disposal).
I guess multiple keys or other schemes can only be attempts to obfuscate
the fact that one breaches either the software integrity mechanism or
the relevant GPL rule: you may not re-distribute without allowing
Overall, [C] is perhaps the essential vision of trusted computing where
some hardware comes bound to a central authority responsible for
software integrity. I never understood why the central authority had to
be the hardware vendor who also sells to influential governments.
- Thierry Moreau
More information about the cryptography