From: Matthew Garrett <mjg59@coreos.com>
Date: Mon, 29 Aug 2016 12:57:56 -0400
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Bradley M. Kuhn", ksummit-discuss@lists.linuxfoundation.org
Subject: Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues

On Aug 27, 2016 7:16 PM, "Linus Torvalds" wrote:
>
> On Sat, Aug 27, 2016 at 5:02 PM, Matthew Garrett wrote:
> >
> > OK. A vendor sells 500,000 network-connected devices running a version of
> > Linux that has a vulnerability in the network driver that's discovered a
> > year later. The hardware is custom, they refuse to release source, and
> > they've discontinued the product line, so nobody else is able to fix it. Is
> > it acceptable to engage in litigation in order to ensure that owners of
> > these devices can receive a security update, even if by doing so we alienate
> > the vendor and cause them to choose another kernel in future?
>
> So why don't you name them and shame them very publicly and try
> everything else first?

I'm still at the point of trying to work with the company in a way that avoids all that, and things get rather more complicated when you're also trying to practice responsible disclosure over security issues. But yes, obviously I'm not going to press for anything else unless every other option has been exhausted first.

> If the vendor still exists, and sells other devices, make a big stink
> about it. It sounds like you've talked to them in private already, but
> why do you still call them "a vendor" now when you start talking about
> wanting to sue them?

I *don't* want to sue them. I just don't have faith that the other options will be fruitful, and that seems to be a case you're not really focusing on.

> Because without that, the answer is always going to be absolutely no,
> simply because of the "absolute last option" thing.
>
> And you talk about how you're helping users, but how many of them
> would actually upgrade? Very few people end up upgrading firmware even
> when it's automatic, much less so if it would mean that they'd switch
> to OpenWRT or DD-WRT or something (since presumably the *existing*
> firmware ends up having lots of non-GPL'd sources that you wouldn't
> get even with a lawsuit)?

The number would end up being small, but the alternative is that they *all* end up running insecure code. Doesn't giving people the option seem worth it?

> In practical terms, how would that help Linux?

There would probably be no direct benefits at all for Linux as a technical project. There are potentially benefits in public perception of Linux-based IoT devices as being less likely to be left behind after vendors move on. But really, that's the question. If something has no significant benefit to the Linux project, but does benefit users of the product, are you fundamentally against lawsuits after every other option has been exhausted?