
Linus on DRM 969

Posted by michael
from the asbestos-underwear dept.
Linus Torvalds weighed in on the DRM debate on the linux-kernel mailing list last night. No, don't click through, his email is reproduced below. Worth reading and thinking about.

Thread on LKML:

Date: Wed, 23 Apr 2003 20:59:45 -0700 (PDT)
From: Linus Torvalds
To: Kernel Mailing List
Subject: Flame Linus to a crisp!

Ok,
there's no way to do this gracefully, so I won't even try. I'm going to
just hunker down for some really impressive extended flaming, and my
asbestos underwear is firmly in place, and extremely uncomfortable.

I want to make it clear that DRM is perfectly ok with Linux!

There, I've said it. I'm out of the closet. So bring it on...

I've had some private discussions with various people about this already,
and I do realize that a lot of people want to use the kernel in some way
to just make DRM go away, at least as far as Linux is concerned. Either by
some policy decision or by extending the GPL to just not allow it.

In some ways the discussion was very similar to some of the software
patent related GPL-NG discussions from a year or so ago: "we don't like
it, and we should change the license to make it not work somehow".

And like the software patent issue, I also don't necessarily like DRM
myself, but I still ended up feeling the same: I'm an "Oppenheimer", and I
refuse to play politics with Linux, and I think you can use Linux for
whatever you want to - which very much includes things I don't necessarily
personally approve of.

The GPL requires you to give out sources to the kernel, but it doesn't
limit what you can _do_ with the kernel. On the whole, this is just
another example of why rms calls me "just an engineer" and thinks I have
no ideals.

[ Personally, I see it as a virtue - trying to make the world a slightly
better place _without_ trying to impose your moral values on other
people. You do whatever the h*ll rings your bell, I'm just an engineer
who wants to make the best OS possible. ]

In short, it's perfectly ok to sign a kernel image - I do it myself
indirectly every day through the kernel.org, as kernel.org will sign the
tar-balls I upload to make sure people can at least verify that they came
that way. Doing the same thing on the binary is no different: signing a
binary is a perfectly fine way to show the world that you're the one
behind it, and that _you_ trust it.

And since I can imagine signing binaries myself, I don't feel that I can
disallow anybody else doing so.

Another part of the DRM discussion is the fact that signing is only the
first step: _acting_ on the fact whether a binary is signed or not (by
refusing to load it, for example, or by refusing to give it a secret key)
is required too.

But since the signature is pointless unless you _use_ it for something,
and since the decision how to use the signature is clearly outside of the
scope of the kernel itself (and thus not a "derived work" or anything like
that), I have to convince myself that not only is it clearly ok to act on
the knowledge of whether the kernel is signed or not, it's also outside of
the scope of what the GPL talks about, and thus irrelevant to the license.

That's the short and sweet of it. I wanted to bring this out in the open,
because I know there are people who think that signed binaries are an act
of "subversion" (or "perversion") of the GPL, and I wanted to make sure
that people don't live under mis-apprehension that it can't be done.

I think there are many quite valid reasons to sign (and verify) your
kernel images, and while some of the uses of signing are odious, I don't
see any sane way to distinguish between "good" signers and "bad" signers.

Comments? I'd love to get some real discussion about this, but in the end
I'm personally convinced that we have to allow it.

Btw, one thing that is clearly _not_ allowed by the GPL is hiding private
keys in the binary. You can sign the binary that is a result of the build
process, but you can _not_ make a binary that is aware of certain keys
without making those keys public - because those keys will obviously have
been part of the kernel build itself.

So don't get these two things confused - one is an external key that is
applied _to_ the kernel (ok, and outside the license), and the other one
is embedding a key _into_ the kernel (still ok, but the GPL requires that
such a key has to be made available as "source" to the kernel).

Linus

  • I saw this coming (Score:5, Informative)

    by mao che minh (611166) on Thursday April 24, 2003 @11:15AM (#5799399) Journal
    What our Finnish friend is saying: Linux should be able to utilize all computing options, including DRM. It shouldn't be forced on you, nor should it be denied to you. Linux shouldn't be guided by the ethics or philosophy of either the majority or the minority (he got rms there).

    It's hard to argue with that logic, especially when you step back and take a look at why Linux was so wildly successful over the past three years.

  • Misquote (Score:4, Informative)

    by overshoot (39700) on Thursday April 24, 2003 @11:15AM (#5799407)
    Actually, he never said that but the woman who did insisted that it was the kind of thing he would have said.

    My favorite kind of story: it may not be true, but it should be.

  • Re:Huh? (Score:2, Informative)

    by October_30th (531777) on Thursday April 24, 2003 @11:20AM (#5799456) Homepage Journal
    von Neumann

    Uh... no. You must have been thinking about the father of the hydrogen bomb, Edward Teller.

  • What this is about (Score:5, Informative)

    by amcguinn (549297) on Thursday April 24, 2003 @11:20AM (#5799457) Homepage Journal

    No-one commenting so far seems to have a clue what this is all about, so here goes.

    Imagine someone builds hardware that will only run binaries signed by the manufacturer (current example: X-box, future examples: who knows)

    Now imagine someone makes a version of Linux with functionality limited in some way -- think DRM, and gets that version signed by the hardware manufacturer so that it will run on the controlled hardware.

    Now, as a user of that version of Linux, you have all your GPL rights to obtain, modify, and redistribute the source. But, since only the exact original signed binary will actually run on the hardware, those rights are (arguably) worthless.

    Linus is saying that this is permissible, or at least that it is not his job to try to prevent it.

    Now at least the flames can be on-topic...

  • Re:Misquote (Score:5, Informative)

    by egoff (636181) on Thursday April 24, 2003 @11:29AM (#5799575)
    Hmm, you learn something [york.ac.uk] every day. Beatrice Hall actually said it in her book The Friends of Voltaire that she wrote under the pseudonym S.G. Tallentyre.

    The page linked above had another good quote:

    I may disagree with what you say, but I will defend to the death your right to mis-attribute this quote to Voltaire.
    ---- Avram Grumer, rec.arts.sf.written, May 2000
  • by wfberg (24378) on Thursday April 24, 2003 @11:34AM (#5799630)
    Norton anti-virus on the win32 platform will 'inoculate' binaries (ThunderByte antivirus did this best I believe, alas, they're a goner). Cf. tripwire.


    If the checksum doesn't match, the binary changed, and the app won't run. Seems pretty sane.


    Also, Windows XP comes with "Driver Signing" which is basically an extortion bid to squeeze money from hardware suppliers (and perhaps to divert some of their cash from development of drivers for other OSes). Though fundamentally, it is not a bad idea to have some sort of check that the driver you just downloaded is in fact "blessed" by the manufacturer, if only for warranty purposes.


    Checking checksums or signatures even does NOT equal DRM. As Linus said, this is something you can choose to use. Root gets a say in it (though in corporate environments it might still suck if you're not root).


    DRM is not meant to be optional, it is meant to enforce license conditions ('rights'). Not security. Not integrity. Not trust. Making the possible impossible based not on security or convenience, but on a shrink-wrap license.


    Checksums GOOD.

    Signatures GOOD.

    Digital Rights Management BAD.


    It's NOT the same thing, folks.

  • by Kourino (206616) on Thursday April 24, 2003 @11:43AM (#5799740) Homepage
    What you're missing is the point.

    Say I have a machine that has uber-top-secret data or whatever on it. I want to make sure that all the code that runs on it comes from "trusted" source. (I do this because I know the code may have mistakes or exploits in it, and this doesn't protect me from that, but it makes it less likely that I run code with trojans in it if I at least have proof of where it comes from.)

    So, my machine has a cryptographic check in its firmware: instead of taking a kernel image and just booting it, it takes the kernel image and an accompanying signature tacked to the end of it and checks the signature against Linus' public key. If it matches, it boots. If not, it provides some sort of warning (flashing alerts on screen, sirens, whatever).

    Linus, in his message, is saying that it's perfectly okay for me to do all of that. Not in so many words, but that's a valid example of "rights" management by digital signature, which he's saying the GPL can't prevent you from doing.

    Remember, DRM is not just "digital copyright protection" as so many people on Slashdot seem to enjoy thinking.
  • Re:what ? (Score:2, Informative)

    by Nicolai Haehnle (609575) on Thursday April 24, 2003 @11:49AM (#5799808)
    Some inherently flawed "security" mechanisms, such as DVD encryption, use private keys that are hidden in binaries. This security through obscurity thing obviously didn't work as we all know.

    In fact, even the TCPA-style security uses hidden private keys and could be considered flawed. The difference is that with the TCPA, the private key is stored in a hardware device and not in the software, so it is much more difficult to retrieve.
  • Re:Same with X-box? (Score:4, Informative)

    by Abcd1234 (188840) on Thursday April 24, 2003 @11:49AM (#5799815) Homepage
    No, this isn't the same thing at all (as has been said over, and over, and over, and over...). The X-Box contains a public key which it uses to verify the signature on code before it loads. This signature is generated using Microsoft's private key, which it keeps locked up safe somewhere. Here's how it works:
    1. Microsoft takes code, generates a secure hash, and encrypts that hash using its private key, generating a digital signature.
    2. The digital signature is embedded in the work.
    3. When the work is loaded by the X-Box, it decrypts the digital signature using MS's public key. Then, it generates its own hash and compares it to the one it got by decrypting the signature. If they are the same, the code is legit, otherwise, abort!
    So, you see, there is no private information embedded in the X-Box. It's all public keys.
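
Added example, not part of the comment above or of any vendor's code: the three steps Abcd1234 lists, using the signature-appended-to-the-image layout Kourino describes earlier, in Python 3.8+. The key is constructed from two publicly known Mersenne primes and is for illustration only; `sign_image` and `verify_image` are hypothetical names.

```python
import hashlib

# Constructed demo key: two Mersenne primes give a 1128-bit modulus.
# Both primes are public knowledge, so never use this key for real signing.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key: all the loader stores
D = pow(E, -1, (P - 1) * (Q - 1))      # private key: stays with the signer
SIG_LEN = (N.bit_length() + 7) // 8    # signature size in bytes

# ASN.1 DigestInfo prefix for SHA-256, as used by PKCS#1 v1.5 signatures
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_digest(image: bytes) -> int:
    """Build 00 01 FF..FF 00 || DigestInfo || SHA-256(image) as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    em = b"\x00\x01" + b"\xff" * (SIG_LEN - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def sign_image(image: bytes) -> bytes:
    """Signer (steps 1-2): hash, apply the private key, append the signature."""
    sig = pow(encode_digest(image), D, N)
    return image + sig.to_bytes(SIG_LEN, "big")


def verify_image(blob: bytes) -> bool:
    """Loader (step 3): uses only N and E, no secret is needed on the device."""
    if len(blob) <= SIG_LEN:           # no room for an image plus signature
        return False
    image, sig = blob[:-SIG_LEN], int.from_bytes(blob[-SIG_LEN:], "big")
    if sig >= N:                       # not a valid value modulo N
        return False
    # Compare against the full re-encoded block instead of parsing the
    # recovered padding, so malformed padding can never be accepted.
    return pow(sig, E, N) == encode_digest(image)


if __name__ == "__main__":
    blob = sign_image(b"constructed kernel image bytes")
    print("original accepted:", verify_image(blob))
    patched = bytearray(blob)
    patched[0] ^= 0x01                 # a single flipped bit in the image
    print("patched accepted: ", verify_image(bytes(patched)))
```
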
  • by Kourino (206616) on Thursday April 24, 2003 @12:01PM (#5799950) Homepage
    Since I've already replied to three messages this way, and a lot of people seem to be missing the point ...

    Okay. First of all, DRM is NOT synonymous with "digital copyright protection", okay?

    Second. Linus is NOT saying "DRM is good" or "copyright protection is the shiznit". He in fact says in the message that a lot of uses for DRM he doesn't like.

    Third. An example of what this article is actually talking about is cryptographically signing a regular, run of the mill built-by-Linus kernel image, somehow providing the signature along with the image at boot, and refusing to load it if the signature doesn't match. Since you don't modify the kernel itself, the GPL has no scope here, so it's obviously not prohibited under the terms of the GPL.

    Fourth. This does NOT allow magically modifying the kernel image, nor does it magically allow copyright protection in the kernel, nor does it allow hiding private keys in the kernel, etc.

    READ THE ARTICLE. Turn off your Slashdot "omg wtf it says drm so it's bad, lol" meme. Linus is not selling your souls to Jack Valenti here.
  • by dunham (35989) on Thursday April 24, 2003 @12:03PM (#5799974) Homepage
    The kernel and initrd on the DirectTivo are signed, and the boot ROM will only load a signed kernel. (The initrd checks the root partition for modifications.)

    They do this because you can get DirectTV without paying by tweaking the software. (They currently do not do this in their standalone units.)
  • by Eponymous Coward (6097) on Thursday April 24, 2003 @12:06PM (#5800012)
    You're not advocating security through obscurity, are you?

    Certainly putting the keys inside the kernel sources would be a waste of time because you have to make that source code available when you distribute your modified kernel product.

    There is no reason why a well designed DRM system cannot be open source.
  • KDE has DRM (Score:2, Informative)

    by Anonymous Coward on Thursday April 24, 2003 @12:10PM (#5800061)
    You may not know this, but in kde 3.1 the kde developers added a beta DRM system to stop you from doing certain things like launching unauthorized programs, reading certain programs or changing certain settings.

    In the 3.2 release the DRM framework will be complete, and will be a tool released so the restrictions can be easily mandated by the administrator.

    So if you want freedom, run twm @ 640x480!
  • by DdJ (10790) on Thursday April 24, 2003 @12:39PM (#5800386) Homepage Journal
    To elaborate on my own point, since a few people have missed the implications of the GPL, here is how the GPL explicitly defines source code:
    The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.
    Think that through.

    If you give me an executable, and you do not give me everything I need to not only recompile but to actually install that executable (with the exception, listed a little later, of the stuff that always comes with the system you're installing on), then you have not in fact given me the source code, by the very definition contained within the GPL.
  • Re:Props to Linus (Score:3, Informative)

    by frost22 (115958) on Thursday April 24, 2003 @01:12PM (#5800718) Homepage
    Linus is discussing the kernel not the OS. Linux is the kernel not the OS.
    No. Linux discusses Politics here. Something his understanding of is obviously lacking.

    Let me quote Bruce Schneier:

    "... it is poor civic hygiene to install technologies that could someday facilitate a police state."
    -- Secrets & Lies: Digital Security in a Networked World, 2000

  • Re:terrorist (Score:5, Informative)

    by ReelOddeeo (115880) on Thursday April 24, 2003 @02:13PM (#5801340)
    Can you name one person who is actually on record arguing that open source software should not be permitted to exist?

    They are not on record. And I won't actually name one of my co-workers. But Yes.

    There are others who have been far more public however. There was one Jim Allchin a couple years ago. He didn't come right out and say it, but he dances around it and implies it quite well.

    From a cnet article [cnet.com] here.

    Microsoft Corp.'s Windows operating-system chief, Jim Allchin, says that freely distributed software code such as rival Linux could stifle innovation and that legislators need to understand the threat.

    ....

    That, as well as programs such as music-sharing software from Napster Inc., means the world's largest software maker has to do a better job of talking to policymakers, he said.

    ....

    ''Open source is an intellectual-property destroyer,'' Allchin said. ''I can't imagine something that could be worse than this for the software business and the intellectual-property business.''

    ....

    ''I'm an American, I believe in the American Way,'' he said. ''I worry if the government encourages open source, and I don't think we've done enough education of policy makers to understand the threat.''
  • Linux is wrong (Score:3, Informative)

    by bwt (68845) on Thursday April 24, 2003 @02:13PM (#5801341) Homepage
    I disagree with Linus. Although my belief doesn't really matter because I am not a kernel hacker, I do expect that many Linux contributors may disagree as well. Unless all the contributors agree with his position, the potential is there for one of them to make the legal claim that distributing a DRM-signed GPL'd work for use in a DRM machine without providing the private key as part of the source code is a violation of their copyrights (traditional and/or DMCA). In this case, unless Linus is willing to play politics and fight his way through a lawsuit to prove his position, then regardless of his beliefs or the legal correctness of those beliefs, there will be no DRM-signed Linux. I also predict that he would lose, if he chose to fight in court.

    An "external" DRM-signature that allows verification of the origin of a particular piece of code is perfectly fine UNTIL that signature's presence is enforced by the hardware as a condition for execution. At that point, the signature becomes functionally part of the instructions to the machine that enable the whole to be executed, and I believe that because the DRM machine is requiring the presence of both in order to execute that they are a combined work in the context of use on that machine.

    This signature, when enforced by hardware, also becomes part of an overall technological protection measure within the meaning of the DMCA. The DMCA requires the "authority of the copyright holder" to get access to a work protected by a technological protection measure (TPM). Nothing in the GPL authorizes the removal of a TPM, so if Linus unilaterally places a TPM on his copy of Linux (which the DRM-signature is) then he needs the authority of all the copyright holders to access the protected copy, which would include running it on a machine that enforces DRM. No text in the DMCA supports the position that the existence of unprotected copies means that access to a TPM protected version is allowed.

    Putting TPMs on other people's work without their approval results in a TPM protected work that no one can use. The GPL does NOT provide DMCA access rights either (it provides copying and modification rights but not TPM-access rights).
