From: Linus Torvalds
Date: Sat, 27 Aug 2016 17:16:21 -0700
To: Matthew Garrett
Cc: "Bradley M. Kuhn", ksummit-discuss@lists.linuxfoundation.org
Subject: Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues

On Sat, Aug 27, 2016 at 5:02 PM, Matthew Garrett wrote:
>
> OK. A vendor sells 500,000 network-connected devices running a version of
> Linux that has a vulnerability in the network driver that's discovered a
> year later. The hardware is custom, they refuse to release source, and
> they've discontinued the product line, so nobody else is able to fix it. Is
> it acceptable to engage in litigation in order to ensure that owners of
> these devices can receive a security update, even if by doing so we alienate
> the vendor and cause them to choose another kernel in future?

So why don't you name them and shame them very publicly and try everything else first?

If the vendor still exists, and sells other devices, make a big stink about it. It sounds like you've talked to them in private already, but why do you still call them "a vendor" now when you start talking about wanting to sue them?

Because without that, the answer is always going to be absolutely no, simply because of the "absolute last option" thing.

And you talk about how you're helping users, but how many of them would actually upgrade? Very few people end up upgrading firmware even when it's automatic, much less so if it would mean that they'd switch to OpenWRT or DD-WRT or something (since presumably the *existing* firmware ends up having lots of non-GPL'd sources that you wouldn't get even with a lawsuit)?

In other words, you say it is "for the users", but it still smells to me like it's actually "for the lawsuit".

In practical terms, how would that help Linux?

I can understand being annoyed. I'm annoyed by bad companies too. But I'm also saying that lawsuits aren't automatically the solution, and you really have to ask yourself if it's worth it. And you have to do a lot of other things first.

Linus