Comment Re:What is Garrett not saying? (Score 1) 437
Malware doesn't have a key in KEK, so it can't.
Keys can be revoked through OS updates. Check the UEFI spec for discussion of authenticated variables and dbx.
As the author of the linked article, things have somewhat changed since then - the language in the hwcert docs makes it clear that the hardware can be configured into a state where keys can be added. Is it a guarantee? No, but it's as close as is possible to get in the technology world.
"Right and if the modifications have absolutely nothing to do with the kernel or drivers then there is no obligation."
No. You must provide either the source or a written offer to provide the source to any third party on request regardless of whether you've modified the GPLed material or not.
Why do you think it makes any difference whether or not they modified it?
Yes. Your offer says "interested customers", whereas 3(b) says "any third party".
No. If you distribute under 3(b), then as long as I'm not distributing commercially I can distribute under 3(c) and pass on the written offer - which still leaves you responsible for providing the source.
"Must make it available ON REQUEST, to a person who received the binary."
I'd really recommend that you re-read 3(b) of GPLv2, which is what's relevant in this discussion.
Yes, but given that the kernel is under GPLv2 (not v2 or later), what GPLv3 says isn't terribly relevant...
Even then, the written offer must be good for anyone who obtains the object code. I download a firmware image from your site? You're obliged to give me source on request. One of your customers downloads a firmware image and then gives it to me? The same applies. There's no point at which it's limited to your customers.
And by "drivers" here, I also mean "board setup code". I can guarantee you that the MSM code in the Google tree isn't going to know which gpio lines are connected to your tablet's LCD power control, even if the CPU happens to be the same one that was in the G1.
Quoting from the GPL v2 section 3(b):
"Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange"
You don't have to choose that option - you can use 3(a) instead, but that means that the source has to be with the device when you sell it.
By Coby? Telechips released their reference kernel earlier this month, but I've seen no indication that Coby are fulfilling their obligations.
The Google reference kernel code doesn't contain the driver code for any of these tablets, and the vast majority of them are based on SoC platforms that don't exist at all in the Google code. The tablet vendors can't simply point at the Google repositories, they're obliged to either ship the source with the devices or provide a written offer to provide the source to any third party on request.