Bradley M. Kuhn
LCA 2019
Friday 25 January 2019
As a regular attendee, I love when conferences pick themes.
It forces me not to propose the same talk everywhere.
I promise at least 51% of this talk is “new content”.
Hey, for a guy who strives to stay “on message” as much as I can, “slim majority new content” is really the best I can do.
I seek to convince you that the first step toward mitigating many of the dangers of IoT (Internet of Things) starts with a regularly and fairly enforced copyleft license.
The joke of this conference… which I've seen told in at least three other talks:
The S in IoT stands for security.
As good as technical communities are at identifying problems, we too often fail to take measures to solve them.
Linux, historically, was the ultimate counter-example.
My 1992 laptop (from Sager) looked very much like this …
& I had all the source code of installed software, and the ability to recompile my patches and test them. & I did.
The hobbyist culture brought Linux to the laptop.
Specifically, the hobbyist culture brought Linux to the laptop in spite of, not through, the manufacturers.
Did your laptop come with Linux?
Have you tried to buy a laptop with Linux preinstalled lately?
It's only slightly easier than it was in 1992.
So, if laptops rarely have Linux pre-installed, where is Linux most commonly preinstalled?
While some people do install alternative firmwares,
few people do, or, more importantly, even can.
You may copy and distribute the Program (or a work based on it, under § 2) in object code or executable form under the terms of § 1 & 2 above provided that you … [a]ccompany it with the complete corresponding machine-readable source code … The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.
— GPLv2§3
For many years, no other product line of IoT devices had a serious alternative firmware project.
Before IoT was even a term, the goal of BusyBox enforcement was about downstream users with would-be IoT devices!
At least for one model of Samsung's TVs, we yielded a rebuildable release.
You may copy and distribute the Program (or a work based on it, under § 2) in object code or executable form under the terms of § 1 & 2 above provided that you … [a]ccompany it with the complete corresponding machine-readable source code … The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.
— GPLv2§3
Linux upstream is too often focused on the big corporate users.
Multiple key members of the Linux leadership once said to me: “All I want from the GPL is their best .c files; I don't care if it builds or installs.”
[D]o you want 4 more enterprise clustering filesystems, or another complete rewrite of the page allocator for a 3% performance improvement under a specific database workload, or do you want a bunch of teenagers who grow up hacking this stuff because it's what powers every device they own? Because honestly I think it's the latter that's helped get you [Linux developers] where you are now, and they're not going to be there if the thing that matters to you most is making sure that large companies don't feel threatened rather than making sure that the next 19 year old in a dorm room can actually hack the code on their phone and build something better as a result. It's what brought me here in the first place, and I'm hardly the only one.
— Matthew Garrett, Linux Developer, 26 August 2016
Matthew is right: the hobbyist firmware modifier and the would-be developer really do matter most.
Would we even have any new upstream developers if the only place you can reinstall Linux yourself is in a big data center or in a Cloud host?
We may have won the DIY battle on the laptop, but we're losing it on IoT!
There is no doubt in my mind that Linux is the most important GPL'd program in history.
It was successful because users could install it on their own devices.
Linux cannot remain the most important GPL'd program if users can't install their modifications.
Tinkering is what makes software freedom succeed.
Upstream matters, of course, but downstream matters more.
There may be thousands of Linux upstream developers now, but…
Linux upstream is important to us; they're our friends and colleagues.
A silent plurality and a loud minority agree about the importance of software freedom for the individual downstream user.
& the upstream developers have kindly licensed their code in a manner that does assure our software freedom.
We just need to take advantage of the opportunity.
No, we don't need to fight a revolution to liberate IoT devices…
… because the words are there, right in the GPL, that assure us the ability to reinstall and modify the base operating system of all our firmwares.
We just need to take it.
Request Linux sources on every device you own.
Try to build and install them; if you can't, ask a friend or ask Conservancy to help.
If it doesn't build/install, it's a GPL violation; report it to Conservancy (<compliance@sfconservancy.org>).
Step up as a leader of a project for devices that matter to you.
The problem seems insurmountable now, only because we've been led astray.
The right to upgrade IoT devices is guaranteed to you as a Linux licensee, by the license that upstream Linux gave you.
You just have to exercise your rights.
Rebuilding and reinstalling Linux on IoT devices is the first and absolutely necessary step toward privacy and security on those devices.
When the user controls the operating system again, the balance of power will be restored.
Presentation and slides are: Copyright © 2017, 2018, 2019 Bradley M. Kuhn, and are licensed under the Creative Commons Attribution-Share Alike 4.0 International License. Slide Source available
Some images included herein are ©’ed by others. I believe my use of those images is fair use under USA © law. However, I suggest you remove such images if you redistribute these slides under CC-By-SA 4.0.