Preventing the IoT Dystopia with Copyleft

Captions
So I work for this small organization, an NGO, the Software Freedom Conservancy, and we do a lot of different things, one of which is we spend a lot of time worrying about the future of software freedom and what happens to the four freedoms, the right to copy, share, modify, use and redistribute software, as things change in the world. I noticed that this conference had this theme of the Internet of Things, and they asked for talks specifically about IoT, and I'm always wanting to be able to take a 15-hour flight whenever I can, especially when the organizers are kind enough to pay for it, so I made sure I tuned this talk to be as close to the theme of the conference as possible. I actually like it when conferences pick themes, because it keeps me from cheating too much when I create talks. Those of us that do a lot of the conference circuit speaking, my colleague Karen Sandler, who is back in the back of the room, and I tend to call us the usual suspects who show up at every conference and give a talk, or at least try to get talks accepted. The fact of the matter is we reuse material. The age of recording, hello, Internet, means that we get to do a lot less of this reusing of material, but I still cheat a little bit. I do promise, however, especially given that Jake Edge is in the room and he wrote an article about a previous talk of mine that does have some degree of overlap with this one, which you can read on LWN, so if you want to leave now and go read that LWN article, it will be 49% overlap with this, but for Jake and the rest of you who have seen me speak before, I am promising at least 51%. So the slim majority of this talk will be new content, but there will be 49% of things you've probably heard from me before. I do a lot of work to stay on message, and that's a thing you have to do when you're trying to fight on radical issues, because people who disagree with you will twist your words and all the other things that happen in our world of post-fact politics. So I try to be on message, which means I tend to repeat myself when I give these sorts of talks. I long for the days of the whistle-stop tour, when you could go to every town and give exactly the same speech and it sounded new to everyone because there was no internet. But it probably is generally a good thing that we have the internet. Whether it's a good thing that we have the Internet of Things is an open question in my view.

My goal in this talk is to convince you that we're in deep trouble with regard to IoT, and that copyleft, if regularly and fairly enforced, is a mechanism to get us out of the problems that we're in now. It is not a solution to every problem in the world; no idea, no matter how great of an idea it is, solves every problem all the time. But copyleft solves some of the problems, or at least the beginnings of the problems, most of the time when used effectively, and that's what I hope to convince you of.

I've been to three talks that have told this joke and I'm going to tell it again because I think it matters: the S in IoT stands for security. One of the things that has made free software popular, exciting and interesting, when you go back to the days that Rusty was talking about this morning in the keynote that he gave (find that in the other videos if you're online), he talked a lot about how hobbyists got excited, and one of the reasons they got excited and got involved in this stuff was because they were like, wow, I can actually write software that's actually secure, I can actually check if it's secure, because I can read the source code and rebuild it. The Internet of Things is not really about security. There was a huge set of news in the United States just last month, in December, that started with this one family who began hearing voices of a nasty person speaking out of their baby monitor, and it was not nice. And a Washington Post journalist did a little research and found that over the entire year of 2018 there were a lot of these incidents where people's Internet of Things devices began talking to them, telling them that inside the little box was a "security researcher" who was just there to warn them that their IoT device was not secure. I think it's good that security researcher is in quotes there, because I don't think security researchers spend their time breaking into people's doorbells, but it is a scary thing that these devices are not secure. It is a scary thing that these devices phone home. Here in New Zealand, I actually like to try it, well, besides the length of the flight, once I'm here it's actually very nice, because it's only three hours difference from the west coast of the US, actually, even though it's yesterday, but three hours, which is great, so I can, you know, check in on the webcam that we have for our dogs. Now these webcams we have in my house, they're Internet of Things devices, and they have this great way of getting around firewalls so that you can access them from the internet: all they do is just phone home back to the manufacturer in China and send all the data there so that you can download it back. So I suppose there are Chinese hackers watching my dogs all day. I hope they know they'll call me if they need water or something, because I haven't had tons of time to go check the cameras every, every, because I've been around here at the conference.

So I think one of the things we've done very well in our community is we're very good at identifying the problems. That's why, you know, there's the S in IoT is for security, it's been told so many times at this conference. We as technologists, we as people who really understand how software works, know that we're in really big trouble with these devices, and we've identified the problem really well. I think the hard part is taking measures to solve it. I think it's because the problem seems very overwhelming. However, Linux has historically been this great counterexample of how people who are smart and capable and willing to do things in a hobbyist way, willing to do things because they're the right code to write at the right time, not necessarily because it's the code that their employer assigned them to write at a given time, has made an incredibly successful community, and Rusty talked a great deal about that. I am really a big fan of his way of looking at this community as a community of hobbyists first and foremost, because that's how I came to this community.

So this is my laptop from 1992, or very close to it anyway; I couldn't find an exact image of the Sager. This is a Toshiba model that was probably made in the same factory, because it looks so similar to the one that I had. I got this in 1992 and it had Windows 3.1 on it, and I had recently learned that there was a thing called SLS, Soft Landing System, which was a series of floppies that I could put into this thing and install Linux. And it didn't work, not surprisingly. There were a number of things I had to do to fix it, and I fixed them, but really mostly commented code out in the kernel, which is really all I ever, my big contribution is I come in and comment out code I didn't want. But I was able to recompile and reinstall Linux on this. The thing didn't come with Linux. You couldn't find a laptop in 1992 that had Linux pre-installed. You couldn't find any devices in 1992 that had Linux pre-installed. If you wanted to run Linux, you downloaded it onto floppies and installed it yourself. That was essential to our community: the ability to reinstall, the ability to get commercial off-the-shelf hardware and install it, is what made this community great. How many people in the room are running Linux on their laptops? Right, so this is LCA, so basically everybody raised their hand, almost everybody raised their hand. Well, the hobbyist culture made that possible. The fact that you all in this room, that lots of people watching this video, run Linux on their laptops is because people have spent a tremendous amount of time making it work. The fact of the matter is the manufacturers of laptops to this day do not really sell Linux-based laptops. You can buy them, they exist, but I bet, how many people in this room bought a laptop that has Linux already installed on it? Okay, so four percent of the room. It's not that it's impossible to do this, it's not that it's impossible to find a pre-installed laptop, but if you look at the entire laptop market, which is now much larger than it was in 1992, percentage-wise it's only slightly easier, because it's only nudged up slightly from 0%, the number of manufacturers, the number of laptops sold, that will offer you a Linux pre-install. And it changes here and there; every once in a while, once upon a time, I bought a pre-installed Linux laptop in 2006-ish; that company no longer does pre-installed Linux anymore. So this is the thing that we need to do to be able to use and run free software: we have to be able to buy hardware on the open market and install a Linux distribution on it. If I came into this room and told you I do not think it matters that much if you can install Linux on a laptop, would you find that a reasonable position? Of course not, not at LCA anyway. But that's exactly what we're being told with IoT.

The funny part is that Linux is commonly pre-installed on devices; specifically, IoT devices generally have Linux pre-installed. So while you still can't buy a laptop with Linux pre-installed, more or less, you know, two to four percent of the market you can, the rest of it you can't, every time you buy an IoT device, 90-plus percent of the time it has Linux pre-installed. And if I were to stop right there, you know, as a message, if we go back to 1992 and say, do you know that 90% of the small device market that has computing in it will have Linux pre-installed, in 1992 we all would have been thrilled to hear that. Like, wow, we got there, we made it. The problem is, well, similar to the people who can buy pre-installed laptops with Linux, a very small percentage of people who buy an IoT device with Linux pre-installed can actually reinstall Linux themselves. Very, very few people do this. The fact of the matter is very, very few people can actually reinstall Linux on their IoT device; most IoT devices don't make it possible to reinstall Linux on the device. So I see that as even worse than the laptop problem. The reason it's worse is because, while I'm a huge fan and was so excited when I saw mainstream news coverage in the mid-90s of the march on Microsoft that was done by the Silicon Valley Linux group, that they were demanding their Windows licensing fees back, it was a very, very great thing, that protest that was done, the fact of the matter was it doesn't matter if we get our Windows licensing fees back from the laptops we buy, because we can really just delete it and install Linux. It's annoying that Microsoft gets the money, okay, we all agree about that, but it doesn't stop us from pushing forward to the future of free software, because we can install Linux and move on, and Microsoft gets a little bit of cash and we'll live with it.

The fact of the matter is the GPL is one of the most forward-looking documents ever written, at least in software, because while the world of 1992 did not contemplate IoT, did not really contemplate embedded devices, it had the words in it we needed to solve this problem. It was already there in the GPL from the very beginning: the scripts used to control compilation and installation of the executable. The GPL just doesn't require the source code by itself; it requires that things around the source code be disclosed to the person who received the device, so that they can effectively make use of their software freedom. Stallman, when he drafted the GPL, thought about this question and understood fully that it didn't matter so much if you had software freedom if all you had was the freedom to study, which is only one of the four freedoms. The freedom to study is not enough. It is essential but not complete. You need the freedom to modify and the freedom to install all modified versions, and the GPL guarantees that, and we're fortunate that Linux is under the GPL version 2, which has that text.

So IoT is really just a buzzword. I think this is probably one of the first IoT devices that ever existed. It was the thing that you put into your house to connect you to the Internet and connect your machines over the air to the Internet, which was a revolutionary thing. Those of us that are old enough to remember, Rusty mentioned how at the early conferences you didn't have network access. Like Rusty, when I started going to conferences, wireless 802.11 technology had probably not been invented, but had not been deployed yet. You went to a conference and you were off the grid. It was a weird thing. I was not surprised when I heard they printed out Slashdot and put it on the board in those days. This device was the beginning of IoT, and this one we handled right, because we realized early what was going on and did something about it. This was the first major product that a large coalition of individuals and organizations enforced the GPL for, and not only did a release come from Linksys and Cisco of software for that device, but also that package of source code became, well, SVN r0 is not yet, SVN r1 of the OpenWrt project. Unfortunately, I've been looking, if anybody has that, I would love to have the SVN tree from the original OpenWrt so I can look at that r1 and have a screenshot of that. Fortunately I have this history page up that you can look at that tells the story of the first thing they started with, and I remember looking at that years ago. I remember being very excited about it, because I had worked personally on the OpenWrt enforcement. That r1's comment was "sources as received from Linksys from GPL enforcement". That's how that project started. That project now is the industry standard. It has handled problem after problem that the industry has pushed in our face. The bufferbloat problem was addressed by the OpenWrt community in collaboration with many others. But the fact that we could deploy firmwares, that people could replace the poor firmwares they were given, that were insecure, that were using the network poorly, with software that we as hobbyists created ourselves, that was what Linux was about. That's what software freedom is about.

My worry is, will we get another OpenWrt? There are very few products that have an alternative firmware project, and none of them are the size, breadth, scope and resiliency of the OpenWrt project. This is, in my view, the biggest problem we face in free software, because so many devices now are digital and so many devices now run Linux, so many devices now threaten our privacy, security, our very existence, and we need the source code for them to be able to solve all those problems. And we don't just need the source code, we need the ability to effectively use the source code, to recompile it and install it. Even before IoT existed, we were doing enforcement through the BusyBox project on would-be IoT devices, or early IoT devices. We were successful at getting an excellent source release for a Samsung TV model because of the lawsuits. Samsung did not willingly give that source release; they gave it after a year and a half of litigation in courts, and finally said, we realize we're doing the wrong thing and we have to release this. It was good enough that a project launched. This project is floundering now, but this project was able to launch because that source release was a good standard of what the GPL requires, and they were able to form a community, a small one, that at least for some models of Samsung TVs could do an alternative firmware. I do not understand, truly, why the hardware manufacturers don't love this. I don't understand why they don't want to sell us more hardware. It baffles me, just like it's baffled all of us for years with the laptops: why do they not want to support Linux? After all, we, everyone, we might be a small community, but we are consumers, right? We are buying stuff. We probably buy more electronics than most of the consumers by far, and therefore they should want us to buy it, and if they gave us the hardware that allowed us to put our modified firmware on it, we would promote them, we would build more stuff for them, we would sell more devices. That wireless router, the WRT54G, it is the wireless router that is the longest time in production in history, of all wireless routers certainly, and possibly all digital devices ever. You can still buy a WRT54G, not on eBay as a used item, but new, because Linksys still pumps it out, because people hear about it and say, oh, that's the thing that runs OpenWrt, I will go buy it, even though it's now effectively a 20-year-old piece of technology. They've occasionally updated some of the chips in it, but generally speaking it's pretty much at least the same form factor and mostly the same boards that were in the original one. GPL enforcement can make this stuff happen. It already has. We've proven that it is successful at assuring we get the right to copy, share, modify, redistribute and reinstall our software. We just need to do more of it.

The problem we face today is that there's a disconnect between two very important parts of our community. I don't make friends in the Linux Foundation when I say this, but I think it's accurate. I think that Linux upstream too often focuses on the needs of their large corporate users and ignores, from time to time, quite often these days, the needs of the individual downstream hobbyist user. In fact, in discussions as Conservancy began its efforts to enforce the GPL for Linux, I was told by not just one but many a version of this statement from the Linux upstream. I was talking about this issue of, well, scripts used to control compilation and installation of the executable, and as upstream Linux developers are occasionally wont to do, at least their leadership, they like to take, I would say take the GPL cafeteria-style. They kind of pick and choose which parts of the GPL matter most to them. Even though the license of Linux is GPL, there are some clauses they care more about than others, and they were very clear, at least a few of the leadership, that they just didn't care about the scripts used to control compilation and installation of the executable. They said, really we just want C files, that's all that's useful to us as upstream. We want what they changed in the C files; if they didn't change anything in the C files, we don't really care what they did with it. Matthew said this best. I'm going to pause for a moment and let everybody read that slide, because Matthew put this much better than I did, when there was an argument about GPL enforcement on a Linux mailing list. Oh, sorry, it's not in real time, I was asked if I can make it bigger, and not in real time, so I'll give the gist of it for those in the back. The point Matthew makes here is that the type of technological endeavor that's being done Linux upstream is the type of intellectual and software endeavor that is most needed for large companies doing large things with big data and various other technologies that the average daily consumer does not have the hardware to possibly do. Matthew also points out that the people, the very people that are now the leaders in Linux, they all got their start, just as Rusty did, as he explained in the keynote this morning, as an individual sitting on their own computer hacking on Linux. A bunch of students, as Rusty pointed out, ported Linux to SPARC on computers that just happened to be in front of them at the time. We will find the next generation of developers from those hobbyists, not from the walls, the giant walls, of IBM and other big corporations. The hobbyists are the ones who become the developers in the next generation, and it is an egalitarian effect, because if all you need to become a Linux hacker is a laptop and an IoT device, it means lots and lots of people of lots of different incomes and diverse backgrounds have an opportunity. And it's yet another vector where we don't get domination by wealthy, privileged people who have access to the technology. My excitement about GPL and free software, and Matthew's excitement that he's explaining here, was you didn't need anything but a computer and an internet connection to become an upstream developer in those days, and that's becoming less and less true. And if we solve this problem on IoT, we'll get back to the way it was, which I think was better, in the sense that it allowed people, and that allows us to move on other fronts we want to move on, like diversity, because we have the opportunity to hand young children devices that they can actually become real developers on.

Ultimately there's this disconnect, and there always has been, between developers and users. The interesting thing about free software is it generally blurred that line. It said you start out as a user, but you don't have to stay that way. You know, you don't have to be just a user; you can be a developer when you're ready, and there's always the moment in front of you that you can become that, because the source code is always sitting right there next to you, and when you feel ready, when you feel confident enough to give it a try, you can give it a try. I worry about what we get for upstream developers if we're only focusing on the big problems, as it were, the big data problems, building in the cloud. If the only thing you can install Linux on in a few years is a rack-mounted server, maybe a laptop, and a VPS cloud host, and everything else that's running Linux only the manufacturer can install it, that's a dystopia. That's why I chose that word for the talk. I think we've won the do-it-yourself battle on the laptop. I think we have the upper hand; we can be sure for the foreseeable future that we're okay on the laptop. But in IoT devices we've lost this battle completely at the moment, and we have to regain ground.

I've been often misquoted about my views with regard to Linux and how it interacts with the GPL and what's important. I will mince no words, so that I don't get misquoted. Linux is the most important GPL program in the history of software. It may be the most important program ever written in history, period. But the reason that it was successful, and I worry about history being rewritten on this point, it was successful because of, not in spite of, the GPL. It was successful because there was a license that assured everyone got the same and equal rights to copy, share, modify, redistribute and rebuild the software, and because users could install it on their own devices. Because as a second-year undergraduate in 1992 I could download it on a bunch of floppies in the lab and have a running Unix-like workstation that was better than the DEC Unix systems that were available in the lab. That changed the course of my career, certainly, and there are plenty of people, not just me and Rusty, but lots of people whose careers changed because they got direct access to real professional source code very early in their careers. I believe that Linux can't keep its place on the top. The Linux upstream cares deeply about the future of Linux, reasonably so; they want their project to survive. I think they are erring in that they don't worry about what happens with all these IoT devices. I think they err when they say, well, does it really matter if you can upgrade your light bulb? I say yes, it matters. If it's running Linux, it matters. I think tinkering is what makes free software great, and if people cannot tinker, we don't have free software anymore. I don't want this talk to be quoted as saying I think upstream doesn't matter. Upstream does matter. Upstreaming code is important; learning how to upstream code is an important professional activity that you should study and get good at. But ultimately downstream matters more than upstream. I'm sorry to say, if you're a developer of an upstream project, your users are more important than you. It's not about you. Yes, thousands of people are upstream, like, I suppose that's amazing. The idea, I would never have imagined in 1992 that thousands of people would be in the git log, and git didn't exist, but that thousands of people would end up in the version control logs of Linux. But I really didn't imagine that two billion people would have Linux on their devices either. That is much more surprising than that there's thousands of Linux developers: that there's two billion people who are potential Linux developers but being thwarted because they can't possibly reinstall Linux on their phone, because it's locked down, because it's too hard, because the various different mod firmwares haven't gotten to that reverse engineering job yet, which it usually is to get it running.

I do see Linux upstream as our friends and colleagues. I think we could have reasonable disagreements about this sort of stuff and continue to work together. I had a long, you might have all seen me out there having a long conversation with a key Linux developer who gave me a lot of his time yesterday to talk about a lot of these issues. In fact, I said to somebody later, I think he was just being polite, and they said, well, that person, how long did you talk to him? I said an hour and fifteen minutes, and they said, even he's not that polite; if he didn't want to talk to you, he would have walked away earlier. I said, well, that's good to hear, you know, they're willing to give us their time and talk about this. But I really believe there is a silent plurality and a loud minority who really, really care about these issues, who really want to see these IoT devices reinstallable, hackable, changeable and studyable, so that you can figure out the security and the privacy implications of what's going on with these devices. It's not like having the source code for just the kernel is going to be enough to get us there, but it is a necessary, even if not sufficient, condition. We have to be able to look at the kernel first, because if you want to put something nasty, that's the best place to put it. You only put it in user space when you really have to. You'd rather have the kernel spying on you, if you could, if you're somebody who wants to spy on people.

The fact of the matter is the license of Linux is set. It was picked. It's very hard to change, as is often talked about; it's GPLv2 only, and GPLv2 is a really great license, because it assures software freedom for people downstream, whether those clauses are the most interesting to upstream or not. I think we just have to work together to take advantage of that opportunity. I used to, you know, I dabbled in anarchism as a youth, and I used to think, you know, revolution. I remember going to a protest march once, and one of the chants was "revolution, not reform". I was so excited about that at 17 years old, revolution not reform. The fact of the matter is we don't actually need revolution. This is the great thing about things like copyleft, because there were people thinking ahead to say, well, gee, we need to put something in place that will allow us to not need a revolution. Software freedom has not been a revolution; it's been incremental progress by using tools that make sure we don't get exploited by the other side. The GPL has what we need already; we just have to enforce it. We just have to make sure it's used properly. We just need to take back our software freedom that's already sitting there for us in the rights outlined already. It's not like we are living in oppressive societies, I mean, some of us are in the world, but New Zealand, Australia, the United States are reasonably free societies, right? It's not like we need a revolution to have software freedom. We have reasonably good democracies, and we have freedom outlined for us in the founding constitution of our community, the GPL.

So there are active things you can be doing that you're not doing right now that I'm going to ask you to do. While I think we have the tools we need, it doesn't mean, classically, freedom is free, and you know, mixing the two meanings of freedom, there's work to be done. Listen to where it means "free": there's work to be done. When you get a device and it looks like it has Linux in it, the GPL says there has to be an offer for source code. The companies are counting on you not asking for the source code. We know from years of GPL enforcement that they figured this out early on. So early on, when we did GPL enforcement, what we did was we just checked if there was an offer for source, and if there was no offer for source we knew they were violating, because there was, you know, free software in it, so if they didn't give the source code, they didn't give an offer, quick, we found a violation. So companies discovered this is the extent of what we were doing, so they came up with the fake offer for source. They made an offer for source with no intention of ever honoring it, figuring, well, if they look in our manual, they'll see an offer for source, they'll move on to the next product when they look at it. So we had to start requesting the source code. That is still where we are today. That source code offer needs to be tested every time, and the other problem is that it's tested so rarely these companies assume that no one actually cares about this. Even if you don't have time or inclination or desire to do anything with the source, every time you buy a Linux-based device, make sure you have the source code or something that looks like it, and if you don't, request it. If you can't get it, if you can't review it, if you're able to or have time, actually try to build this stuff. Try to get it reinstalled if you can. I know it will sometimes brick your device, but that's not supposed to happen, which means they're probably violating the GPL. So try to build it, and if you don't know how to build it, ask a friend to work with you, post on the internet that you're trying to build it. Create a culture where people say, I actually test the source offer and try to make it work, because it will increase the knowledge in the community that these source releases are often incomplete. Because people say, oh, I heard about a GPL violation, oh, I heard they released the sources, but we live in the world of fake news, we live in the world of post-fact politics, so very few people actually ever check to see, is it really the source, is it really complete, does it really build? You can make a big difference by creating a culture where we actually check, and we actually talk publicly: hey, I was checking, it didn't work, why didn't it work, did anybody else buy this product, did you get it working? And if it doesn't work, they violated the GPL. It's that simple. You were promised a bill of rights in the GPL and you didn't get those rights. You can report the violation. Unfortunately, the only organization enforcing on behalf of the community right now is the organization I work for, the Software Freedom Conservancy, and we're small. We may or may not be able to get to your particular violation and resolve it, because we have thousands of reports sitting there waiting for us. But having the catalog of reports is very valuable; having a single place where we've collected how bad the problem is is useful for us when we give talks like this. It's useful for the community to know that somebody's out there as a watchdog. For better or worse, we are the watchdog organization of the GPL now, and we need your help to continue that work.

The big ask is that I'm hoping there's at least one person in the audience who is willing to spend the time as a hobbyist, because no one's going to fund this in the industry; for-profit companies don't want to do this. But just like OpenWrt, hobbyists made an alternative firmware for wireless routers. Pick your favorite IoT device, get the source release, get it building, and let's start making alternative firmware for these. Every single device, or every single type of device at least, needs an alternative firmware project. Every one needs one, now, today, and so few people are working on it. If you're excited about what an IoT device does, you can be the leader of that project. Like Rusty talked about, it's showing up, is basically it, to make this thing happen. Revolutions are run by people who show up. I know this seems insurmountable. It feels insurmountable to me most days, but I think we've been led astray by this idea that it doesn't matter, that whether you can rebuild Linux or not for your device doesn't matter. It does matter. We know it matters because of the laptop problem that we're still fighting. Every Linux licensee has the GPL-given right to be able to reinstall Linux on your IoT device. It's there for the taking; we just have to fight for it, just exercise your rights that you already have. I haven't talked a lot about the privacy and security problems; I used that as my setup. I'm not saying that if we all just install a version of Linux we build from sources ourselves, all the things will protect our privacy and our security. I know that won't happen overnight, but it's the first step forward, because that's exactly what happened with OpenWrt. We saw it: like, first they got Linux building, and now there are tons of plugin modules in OpenWrt that help you automatically use third-party VPN services to protect your privacy, all that sort of stuff. Those kinds of technologies were made easy for people because they had the base firmware to start from. So every one of these devices needs that base firmware to start from, so people can write privacy-protecting, security-protecting, your-own-cloud, personal-cloud kind of ideas where you control all the devices in your home rather than someone else. The stuff that Kathy's working on at Mozilla, that can happen better when they have a base firmware to build on top of, this free software, am I right? Yeah, I'm getting Kathy saying right. So I think the balance of power can be restored, because we did it already on the desktop, our laptops, our servers, by being able to install our own copies of Linux. I've got 10 minutes left. I'd be happy to take questions.

[Applause]

Hello, I enjoyed your talk, it was wonderful. I just had a quick
question about if you have any recommendations for a proper way to ask for the source code is email good enough or have you any recommendations on ways that you will actually be taken seriously by the company that you're asking so it's an obligation they have and it's not your obligation to do it in the perfect form that they want if I haven't told you how to ask for it you should use whatever means are at your disposal if you have an email address for them email and they may ignore you they probably will ignore you I I have a different tact in this because we're often trying to set up a clear record that they didn't answer because by the time it gets to me someone has already tried all the like mundane means and we do things like send you certified return receipt overnight letters to prove that we tried to contact them and so forth but they should be responsive in fact they should be telling you in the manual how to request the source the requirements of GPL require the offers source actually work and so the author source should say to get the source code email this address or visit this website or whatever it is and if the sources are not there they're already in GPL violation land be polite be friendly but be persistent cool thanks very much one fear the one problem that I see with a lot of Internet of Things devices and generally I try to keep them out of my home is yes I could possibly compile it on my own machine but there is no instruction on how to actually get it into the hardware and if we're ending up with devices which are welded shut or where the pins to write a firmware on to it are you know snipped off or something like that then building it and in a is one thing is where does the where is the GPL on that sort of hardware side so so the the word install is an interesting one and the word script is an interesting one so when developers hear scripts they think what that means bash scripts well you know a judge is not going to look at that and know what 
a bash script is they're probably gonna think first of a script for a play which tells you all the lines you have to say so that you're actually performing that work well I think that's what the GPL means there and I think if there are a set of steps you have to go through which might include standing in your head or you know wiring two pins together or whatever to make the installation work you should be told that and if you look during the busy box cases that those instructions we got from Samsung included a JTAG pin out as part of the instructions that they gave us so they're well that's well settled court cases which that is does not set precedent in the formal legal sense it is an industry precedent even if not a legal one it says that kind of source release that tells you how to actually install the firmware on the TV is what the GPL requires and I will continue to maintain that from my point of view that's conservancies job if you get to the point where you say wait a second this is GPL this has Linux on it and I can't install it you email us and we'll talk about what we can do about it because I think that's something that we should push on it is not popular in the industry because the industry doesn't want to allow people to reinstall and if they can get away with not allowing people to reinstall and the ways that you're talking about they will do so our job is to challenge that as hobbyists and enthusiasts and people who care about software freedom so the best thing you can do is hit that wall I know that sounds weird but it's better if you find out what devices are not doing the right thing so we can do something about it because we all know probably there are devices out there that do that but I don't know a list off the top of my head because that you all out there aren't bringing that list to us saying hey I've got five IOT devices I tried to sell Linux on everyone and none of it worked and here's the way it didn't work so then we can go to the 
company and say that's a violation the GPL so what happens when it is possible to get and do the firmware but then the process of writing the firmware the hard way required to write the firmware into the device is possible but involves thousands of dollars worth of hardware just to write your firmware in for example many IOT makers will create their firmware blob they will send it off to the chip many of the rom manufacturer and there will be pre-programmed once and never programmable again how do we deal with that going even further so I agree with you that such devices exist in the world I think they are rarer on the open market than they used to be because I have I have not for a long time seen an IOT device that doesn't allow over-the-air upgrades people have written large articles about how insecure this is that they just you have a good SSL certificate I'll just take this you know I'll take this firmware for you and install it all myself but if it can do that the GPL from my point of you says you should be able to put your own firmware over-the-air installer in between it and be able to install yourself certainly if it's if you burn Linux into ROM there is a lot of discussion about what that what that install instructions mean I think we had talked to you offer about afterwards about kind of what what comes out of that but I don't think it's the regular case anymore because I don't think manufacturers want to make devices that turn into bricks the moment there's a there's a bug in Linux that bothers them not those security bugs bother than that much but there's probably some bugs that bother them but they want to do the upgrade as well so field upgrade ability is pretty much the industry standard now from what I've seen do you or does someone have a directory or clearinghouse of which devices are known to be in compliance or known to be out of compliance like I mean I can go through much trouble to figure out how to contact a manufacturer but like you might 
already have the source code just like sitting on your computer so we made sure that any source code that we've gotten released under enforcement is being complied with properly ie if you go back to them to ask for that source code they should be giving you the release that we've added so in those cases you're going to get the source code back you may not even know the conservancy had done the enforcement matter there it'll just happen to have source code that works which is a good thing because we'd rather you just be able to do the normal process as far as a clearinghouse of violations that has been often proposed when we wrote the principles of community oriented GPL enforcement we thought a lot about this question of confidentiality about violators our general feeling is still what the principles say which is we don't want GPL violations to be front line news the first day it's found the opened up righty situation took about a year longer than it should have because people got impatient and put it on slash dot to the very to this day Sherman Chu who was at that time that had the head of legal at Cisco now he works elsewhere he still this day believes that I did that in a way to put pressure on him or something that in the middle of the process which in fact it was just the third party that did that and it really made the negotiations more difficult so we're more of a fan of trying to at least contact the company first we want to believe well I have my suspicions it's not true we want to believe every company intended to comply from the start it was just a mistake less and less is that true anymore but I think we should still go in with that friendly assumption of oh you made a mistake let's help you which means making it public and admonishing them publicly as a first step is not a good idea let's suppose very much following on that content that theme let's suppose I find IT device request software and they magically give it to me and then I make modifications 
or don't and I published that code does that as an individual does that expose me to extra risk in this worlds that something that's happening well first of all I'm not a lawyer and I can't give you legal advice but hypothetically speaking the the you are GPL licensee you've received software in the GPL you've now made of modifications which means you also are a GPL copyright holder because you've modified Linux and redistributed it so you have rights of your own as a copyright holder as well as the rights that you got from the other copyright holders who gave it to you you also have upstream developers involved who were copyright holders so the company in the middle that gave it to you while they may hold copyright there's thousands of other people who also copyright so I would I if it were me I would not be worried at all and I would be very glad to fight the case where somebody tried to do that so if you ever get told that definitely call us and we'll try to figure out what to do we're not a law firm so we can't like be your lawyers but we can certainly provide logistical for people in that situation we're a lotta time folks thank you for your questions please take a picture of the screen on your way out please if you can afford to send money to the software Conservancy please download and read and read the copyleft guide and take action based on that this stuff is as important or more important than reading writing code thanks for your day [Applause]
Info
Channel: linux.conf.au
Views: 18,426
Rating: 4.8664045 out of 5
Keywords: lca, lca2019, #linux.conf.au#linux#foss#opensource, BradleyM.Kuhn
Id: m1o42faNg8k
Length: 46min 33sec (2793 seconds)
Published: Thu Jan 24 2019