Linus on DRM 969
Thread on LKML:
Date: Wed, 23 Apr 2003 20:59:45 -0700 (PDT)
From: Linus Torvalds
To: Kernel Mailing List
Subject: Flame Linus to a crisp!
Ok,
there's no way to do this gracefully, so I won't even try. I'm going to
just hunker down for some really impressive extended flaming, and my
asbestos underwear is firmly in place, and extremely uncomfortable.
I want to make it clear that DRM is perfectly ok with Linux!
There, I've said it. I'm out of the closet. So bring it on...
I've had some private discussions with various people about this already,
and I do realize that a lot of people want to use the kernel in some way
to just make DRM go away, at least as far as Linux is concerned. Either by
some policy decision or by extending the GPL to just not allow it.
In some ways the discussion was very similar to some of the software
patent related GPL-NG discussions from a year or so ago: "we don't like
it, and we should change the license to make it not work somehow".
And like the software patent issue, I also don't necessarily like DRM
myself, but I still ended up feeling the same: I'm an "Oppenheimer", and I
refuse to play politics with Linux, and I think you can use Linux for
whatever you want to - which very much includes things I don't necessarily
personally approve of.
The GPL requires you to give out sources to the kernel, but it doesn't
limit what you can _do_ with the kernel. On the whole, this is just
another example of why rms calls me "just an engineer" and thinks I have
no ideals.
[ Personally, I see it as a virtue - trying to make the world a slightly
better place _without_ trying to impose your moral values on other
people. You do whatever the h*ll rings your bell, I'm just an engineer
who wants to make the best OS possible. ]
In short, it's perfectly ok to sign a kernel image - I do it myself
indirectly every day through the kernel.org, as kernel.org will sign the
tar-balls I upload to make sure people can at least verify that they came
that way. Doing the same thing on the binary is no different: signing a
binary is a perfectly fine way to show the world that you're the one
behind it, and that _you_ trust it.
And since I can imaging signing binaries myself, I don't feel that I can
disallow anybody else doing so.
Another part of the DRM discussion is the fact that signing is only the
first step: _acting_ on the fact whether a binary is signed or not (by
refusing to load it, for example, or by refusing to give it a secret key)
is required too.
But since the signature is pointless unless you _use_ it for something,
and since the decision how to use the signature is clearly outside of the
scope of the kernel itself (and thus not a "derived work" or anything like
that), I have to convince myself that not only is it clearly ok to act on
the knowledge of whather the kernel is signed or not, it's also outside of
the scope of what the GPL talks about, and thus irrelevant to the license.
That's the short and sweet of it. I wanted to bring this out in the open,
because I know there are people who think that signed binaries are an act
of "subversion" (or "perversion") of the GPL, and I wanted to make sure
that people don't live under mis-apprehension that it can't be done.
I think there are many quite valid reasons to sign (and verify) your
kernel images, and while some of the uses of signing are odious, I don't
see any sane way to distinguish between "good" signers and "bad" signers.
Comments? I'd love to get some real discussion about this, but in the end
I'm personally convinced that we have to allow it.
Btw, one thing that is clearly _not_ allowed by the GPL is hiding private
keys in the binary. You can sign the binary that is a result of the build
process, but you can _not_ make a binary that is aware of certain keys
without making those keys public - because those keys will obviously have
been part of the kernel build itself.
So don't get these two things confused - one is an external key that is
applied _to_ the kernel (ok, and outside the license), and the other one
is embedding a key _into_ the kernel (still ok, but the GPL requires that
such a key has to be made available as "source" to the kernel).
Linus
I saw this coming (Score:5, Informative)
It's hard to argue with that logic, especially when you step back and take a look at why Linux was so wildly successful over the past three years.
Misquote (Score:4, Informative)
My favorite kind of story: it may not be true, but it should be.
Re:Huh? (Score:2, Informative)
Uh... no. You must have been thinking about the father of the hydrogen bomb, Edward Teller.
What this is about (Score:5, Informative)
No-one commenting so far seems to have a clue what this is all about, so here goes.
Imagine someone builds hardware that will only run binaries signed by the manufacturer (current example: X-box, future examples: who knows)
Now imagine someone makes a version of Linux with functionality limited in some way -- think DRM, and gets that version signed by the hardware manufacturer so that it will run on the controlled hardware.
Now, as a user of that version of Linux, you have all your GPL rights to obtain, modify, and redistribute the source. But, since only the exact original signed binary will actually run on the hardware, those rights are (arguably) worthless.
Linus is saying that this is permissible, or at least that it is not his job to try to prevent it.
Now at least the flames can be on-topic...
Re:Misquote (Score:5, Informative)
The page linked above had another good quote:
---- Avram Grumer, rec.arts.sf.written, May 2000Anti-Virus software checks binaries' integrity.. (Score:4, Informative)
If the checksum doesn't match, the binary changed, and the app won't run. Seems pretty sane.
Also, windows XP comes with "Driver Signing" which is basically an extortion bid to squeeze money from hardware suppliers (and perhaps to divert some of their cash from development of drivers for other OSes). Though fundamentally, it is not a bad idea to have some sort of check that the driver you just downloaded is in fact "blessed" by the manufacturer, if only for warranty purposes.
Checking checksums or signatures even does NOT equal DRM. As Linus said, this is something you can choose to use. Root gets a say in it (though in corporate environments it might still suck if you're not root).
DRM is not meant to be optional, it is meant to enforce license conditions ('rights'). Not security. Not integrity. Not trust. Making the possible impossible based not on security or convenience, but on a shrink-wrap license.
Checksums GOOD.
Signatures GOOD.
Digital Rights Management BAD.
It's NOT the same thing, folks.
Re:source to the key in the kernel? (Score:5, Informative)
Say I have a machine that has uber-top-secret data or whatever on it. I want to make sure that all the code that runs on it comes from "trusted" source. (I do this because I know the code may have mistakes or exploits in it, and this doesn't protect me from that, but it makes it less likely that I run code with trojans in it if I at least have proof of where it comes from.)
So, my machine has a cryptographic check in its firmware: instead of taking a kernel image and just booting it, it takes the kernel image and an accompanying signature tacked to the end of it and checks the signature against Linus' public key. If it matches, it boots. If not, it provides some sort of warning (flashing alerts on screen, sirens, whatever).
Linus, in his message, is saying that it's perfectly okay for me to do all of that. Not in so many words, but that's a valid example of "rights" management by digital signature, which he's saying the GPL can't prevent you from doing.
Remember, DRM is not just "digital copyright protection" as so many people on Slashdot seem to enjoy thinking.
Re:what ? (Score:2, Informative)
In fact, even the TCPA-style security uses hidden private keys and could be considered flawed. The difference is that with the TCPA, the private key is stored in a hardware device and not in the software, so it is much more difficult to retrieve.
Re:Same with X-box? (Score:4, Informative)
What this actually means (Score:3, Informative)
Okay. First of all, DRM is NOT synonymous with "digital copyright protection", okay?
Second. Linus is NOT saying "DRM is good" or "copyright protection is the shiznit". He in fact says in the message that a lot of uses for DRM he doesn't like.
Third. An example of what this article is actually talking about is cryptographically signing a regular, run of the mill built-by-Linus kernel image, somehow providing the signature along with the image at boot, and refusing to load it if the signature doesn't match. Since you don't modify the kernel itself, the GPL has no scope here, so it's obviously not prohibited under the terms of the GPL.
Fourth. This does NOT allow magically modifying the kernel image, nor does it allow magically allow copyright protection in the kernel, nor does it allow hiding private keys in the kernel, etc.
READ THE ARTICLE. Turn off your Slashdot "omg wtf it says drm so it's bad, lol" meme. Linus is not selling your souls to Jack Valenti here.
DirectTivo already does this. (Score:2, Informative)
They do this because you can get DirectTV without paying by tweaking the software. (They currently do not do this in their standalone units.)
Re:Some people seem to miss the point. (Score:3, Informative)
Certainly putting the keys inside the kernel sources would be a waste of time because you have to make that source code available when you distribute your modified kernel product.
There is no reason why a well designed DRM system cannot be open source.
KDE has DRM (Score:2, Informative)
In the 3.2 release the DRM framework will be complete, and will be a tool released so the restrictions can be easily mandated by the administrator.
So if you want freedom, run twm @ 640x480!
Re:It's more complicated than that. (Score:5, Informative)
If you give me an executable, and you do not give me everything I need to not only recompile but to actually install that executable (with the exception, listed a little later, of the stuff that always comes with the system you're installing on), then you have not in fact given me the source code, by the very definition contained within the GPL.
Re:Props to Linus (Score:3, Informative)
Let me quote Bruce Schneier:
"... it is poor civic hygiene to install technologies that could someday facilitate a police state."
-- Secrets & Lies: Digital Security in a Networked World, 2000
Re:terrorist (Score:5, Informative)
They are not on record. And I won't actually name one of my co-workers. But Yes.
There are others who have been far more public however. There was one Jim Allchin a couple years ago. He didn't come right out and say it, but he dances around it and implies it quite well.
From a cnet article [cnet.com] here.
Microsoft Corp.'s Windows operating-system chief, Jim Allchin, says that freely distributed software code such as rival Linux could stifle innovation and that legislators need to understand the threat.
That, as well as programs such as music-sharing software from Napster Inc., means the world's largest software maker has to do a better job of talking to policymakers, he said.
''Open source is an intellectual-property destroyer,'' Allchin said. ''I can't imagine something that could be worse than this for the software business and the intellectual-property business.''
''I'm an American, I believe in the American Way,'' he said. ''I worry if the government encourages open source, and I don't think we've done enough education of policy makers to understand the threat.''
Linux is wrong (Score:3, Informative)
An "external" DRM-signature that allows verification of the origin of a particular piece of code is perfectly fine UNTIL that signature's presence is enforced by the hardware as a condition for exectuion. At that point, the signature becomes functionally part of the instructions to the machine that enable the whole to be executed, and I believe that because the DRM machine is requiring the presense of both in order to execute that they are a combined work in the context of use on that machine.
This signature, when enforced by hardware, also becomes part of an overall technological protection measure within the meaning of the DMCA. The DMCA requires the "authority of the copyright holder" to get access to a work protected by a technological protection measure (TPM). Nothing in the GPL authorizes the removal of a TPM, so if Linus unilaterally places a TPM on his copy of Linux (which the DRM-signature is) then he needs the authority of all the copyright holders to access the protected copy, which would include running it on a machine that enforces DRM. No text in the DMCA supports the position that if unprotected copies exist means that access to a TPM protected version is allowed.
Putting TPMs on other people's work without their approval results in a TPM protected work that no one can use. The GPL does NOT provide DMCA access rights either (it provides copying and modification rights but not TPM-access rights).