You seem to be saying that any creator or distributor of GPL-3 software, if they ever sign the software they release, could be put in a position (by a malicious person downstream) where they are forced to divulge their private signing keys.

Maybe not very well.

Or maybe you don't want to listen.

The problem isn't "signing software."

It's signing software that is sold with a locked-down machine. GPL v3 specifically singles out this action and makes it problematic for the seller of the machine.

A malicious person, only using the public key, could always concoct a machine where a particular piece of GPL-3 software won't load unless it was signed by the private key of the creator/distributor.

And if Canonical has nothing to do with that person, it's not Canonical's problem. On that we apparently agree.

Forcing people upstream to release their private keys this way makes no sense.

But is Canonical "upstream" or merely an agent of the machine vendor?

The absurdity stems from the fact that you think people upstream can be held liable for the actions of people downstream.

Again, I never wrote anything that would suggest that. Please try again.

This is anti-GPL FUD.

No, Canonical is contracting with vendors to help deliver software on machines, which in some jurisdictions might make them a party to the transaction. If they deliver a bootloader update during the machine's warranty period as the agent of the machine vendor, that might even tie them more closely.

Remember what Darl said: "Contracts are what you use against parties you have relationships with."

Was he smart enough to think of that himself, or did somebody teach him?

[ Reply to This | Parent | # ]

• Is the problem with the GPL-3 or some other contract? - Authored by: jbb on Saturday, July 07 2012 @ 04:36 AM EDT
  • How do you think Canonical is trying to make money? - Authored by: pem on Saturday, July 07 2012 @ 10:49 AM EDT