From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 382D1258 for ; Sun, 28 Aug 2016 00:02:18 +0000 (UTC) Received: from mail-yw0-f169.google.com (mail-yw0-f169.google.com [209.85.161.169]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 9ADB6AB for ; Sun, 28 Aug 2016 00:02:17 +0000 (UTC) Received: by mail-yw0-f169.google.com with SMTP id z8so68399170ywa.1 for ; Sat, 27 Aug 2016 17:02:17 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: References: <20160826193331.GA29084@jra3> <87inunxf14.fsf@ebb.org> <20160827162655.GB27132@kroah.com> <20160827230210.GA6717@jeremy-acer> From: Matthew Garrett Date: Sat, 27 Aug 2016 20:02:14 -0400 Message-ID: To: Linus Torvalds Content-Type: multipart/alternative; boundary=001a11463926e4873a053b16755a Cc: "Bradley M. Kuhn" , ksummit-discuss@lists.linuxfoundation.org Subject: Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , --001a11463926e4873a053b16755a Content-Type: text/plain; charset=UTF-8 On Aug 27, 2016 6:49 PM, "Linus Torvalds" wrote: > > On Sat, Aug 27, 2016 at 4:30 PM, Matthew Garrett wrote: > > > > Can you clarify whether or not you believe that source availability for > > owners of devices that run Linux (even if the vendor chooses not to > > participate upstream) is something you consider to be good for the project? > > That question makes no sense. > > Without an actual case, and without being able to judge the upsides > *AND* downsides, your question is just silly. OK. A vendor sells 500,000 network-connected devices running a version of Linux that has a vulnerability in the network driver that's discovered a year later. The hardware is custom, they refuse to release source, and they've discontinued the product line, so nobody else is able to fix it. Is it acceptable to engage in litigation in order to ensure that owners of these devices can receive a security update, even if by doing so we alienate the vendor and cause them to choose another kernel in future? (other than sales numbers, which I don't have direct insight into, this is not a hypothetical) --001a11463926e4873a053b16755a Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

On Aug 27, 2016 6:49 PM, "Linus Torvalds" <torvalds@linux-foundation.org<= /a>> wrote:
>
> On Sat, Aug 27, 2016 at 4:30 PM, Matthew Garrett <mjg59@coreos.com> wrote:
> >
> > Can you clarify whether or not you believe that source availabili= ty for
> > owners of devices that run Linux (even if the vendor chooses not = to
> > participate upstream) is something you consider to be good for th= e project?
>
> That question makes no sense.
>
> Without an actual case, and without being able to judge the upsides > *AND* downsides, your question is just silly.

OK. A vendor sells 500,000 network-connected devices running= a version of Linux that has a vulnerability in the network driver that'= ;s discovered a year later. The hardware is custom, they refuse to release = source, and they've discontinued the product line, so nobody else is ab= le to fix it. Is it acceptable to engage in litigation in order to ensure t= hat owners of these devices can receive a security update, even if by doing= so we alienate the vendor and cause them to choose another kernel in futur= e?

(other than sales numbers, which I don't have direct ins= ight into, this is not a hypothetical)

--001a11463926e4873a053b16755a--