Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues

[Matthew Garrett <mjg59@coreos.com>]

[-- Attachment #1: Type: text/plain, Size: 2665 bytes --]

On Aug 27, 2016 7:16 PM, "Linus Torvalds" <torvalds@linux-foundation.org>
wrote:
>
> On Sat, Aug 27, 2016 at 5:02 PM, Matthew Garrett <mjg59@coreos.com> wrote:
> >
> > OK. A vendor sells 500,000 network-connected devices running a version
of
> > Linux that has a vulnerability in the network driver that's discovered a
> > year later. The hardware is custom, they refuse to release source, and
> > they've discontinued the product line, so nobody else is able to fix
it. Is
> > it acceptable to engage in litigation in order to ensure that owners of
> > these devices can receive a security update, even if by doing so we
alienate
> > the vendor and cause them to choose another kernel in future?
>
> So why don't you name them and shame them very publicly and try
> everything else first?

I'm still at the point of trying to work with the company in a way that
avoids all that, and things get rather more complicated when you're also
trying to practice responsible disclosure over security issues. But yes,
obviously I'm not going to press for anything else unless every other
option has been exhausted first.

> If the vendor still exists, and sells other devices, make a big stink
> about it. It sounds like you've talked to them in private already, but
> why do you still call them "a vendor" now when you start talking about
> wanting to sue them?

I *don't* want to sue them. I just don't have faith that the other options
will be fruitful, and that seems to be a case you're not really focusing
on.

> Because without that, the answer is always going to be absolutely no,
> simply because of the "absolute last option" thing.
>
> And you talk about how you're helping users, but how many of them
> would actually upgrade? Very few people end up upgrading firmware even
> when it's automatic, much less so if it would mean that they'd switch
> to OpenWRT or DD-WRT or something (since presumably the *existing*
> firmware ends up having lots of non-GPL'd sources that you wouldn't
> get even with a lawsuit)?

The number would end up being small, but the alternative is that they *all*
end up running insecure code. Doesn't giving people the option seem worth
it?

> In practical terms, how would that help Linux?

There would probably be no direct benefits at all for Linux as a technical
project. There are potentially benefits in public perception of Linux-based
IoT devices as being less likely to be left behind after vendors move on.
But really, that's the question. If something has no significant benefit to
the Linux project, but does benefit users of the product, are you
fundamentally against lawsuits after every other option has been exhausted?

[-- Attachment #2: Type: text/html, Size: 3261 bytes --]