Anti-Tivoization is once again rearing its ugly head in the OpenSource world. I have never understood the mindset of busting other people’s things then expecting them to fix the things under warranty. I guess you could call this an extension of my post on SOVERSION and tiny x86 minds. People don’t understand just how many projects LGPL V3 and later are killing off.
What really stuns me are the people who still believe one should be able to update OpenSource software inside of a medical device any time they want. No testing what-so-ever, just install whatever shat itself out the back of the last sprint and hope for the best. Oh, I’m not making this up dear reader. You need to skim through and old ZDNet article.
Instead, draft 3 makes a distinction between two categories devices that can use GPL-covered programs: “User Products”, and non-User Products. There’s a complex legal definition but intuitively a user product is something that is normally used for personal, family, or household purposes. This would include Tivos, televisions, cell phones, and any other consumer oriented equipment. Under the provisions of draft 3, source code used in user products must be accompanied by enough “installation information” to allow modified versions to be installed and executed on the device. Functionality must not be impaired, but the manufacturer is free to terminate the user’s warranty.From the ZDNet article
The Medical Device Campaign
Terminating the warranty isn’t going to do much for the person whose pace maker just terminated their life because someone “upgraded” the software to the latest untested OpenSouce code. Gotta love this quote from that same article.
We considered including medical devices for implantation in the human body in the User Product definition. We decided against this, however, because there may be legitimate health and safety regulations concerning inexpert and reckless modifications of medical devices. In any case, it will probably be necessary to convince medical device regulators to allow user-modifiable implantable medical devices. We plan to begin a campaign to address this issue.from same ZDNet article
I’ve run into this mentality on the qt-interest list quite often. People who’ve never worked on anything other than the x86-wanna-be-a-real-computer-one-day-when-I-grow-up platform thinking you should be able to modify anything anyway you want any time you want.
How are they going to feel when insert-nationality-here hackers decide it would be fun to turn off their pace maker because the user installed a “networking update” that gave them access?
I haven’t bothered to follow that campaign to allow user modification of medical devices. I can tell you just how far it got though, nowhere. Want to know who was completely against it besides the FDA? Personal injury lawyers. If they can force a bit change on the device to claim the user modified it, that’s it, no more mega-million dollar jury verdicts.
Let me ask you this question. Don’t you want to know the surgical robot that is about to cut your heart open has a fully tested set of software?
Anti-Tivoization on StackExchange
On rare, very rare, ocassions StackExchange will have something actually useful. Sites like that tend to have a lot of up-voted very bad information as well as a lot of down-voted complex questions. It did have this discussion though.
The kernel license covers the kernel. It does not cover boot loaders and hardware, and as far as I’m concerned, people who make their own hardware can design them any which way they want. Whether that means “booting only a specific kernel” or “sharks with lasers”, I don’t care.Linus Torvalds
One of the few times Linus and I see eye-to-eye. The few people who know both of us know just how rare that is. The rest of you can just wonder.
Linus has stated that he didn’t like the anti-tivoization clause in GPLv3 because it fundamentally changes the GPL. The whole point and purpose of the GPL, in Linus’ mind, is to make users of GPL software pay back to the community by making all of their improvements of GPL software available to the community under the same terms. That’s it. With anti-tivoization, GPLv3 adds a completely new obligation that has absolutely nothing to do with this fundamental purpose. He has also stated that there is nothing wrong with GPLv3 in isolation, but to call it GPL version 3 and claim that it’s like GPL version 2, only better, is decidedly wrong as GPLv3 is very different from GPLv2.Another quote from that exchange
For a fantastic laugh read this post from the Free Software Foundation.
Where We Are Today
Lots of frothing at the mouth OpenSource developers are slapping LGPL v3 on things. The flip side is starting to happen. More and more OpenSource projects are adopting LGPL v2 or LGPL v2.1.
Anti-Tivoization is a real bitch. No manufacturer wants to have you “update” software on their device and introduce massive security holes. No manufacturer wants you to “update” software and bust the device expecting their tech support to fix it for free.
You have to realize that it is not just medical devices now. IoT is coming to the same realization that the FDA did decades ago. Security is a real problem. Most people aren’t smart enough to consider security when they install something. Many are gullible enough to believe updates fix security holes without introducing any new ones.
Now what you see are companies banning the use of LGPL v3 or later software. Not just banning, they don’t allow their employees to work on it during company hours. They also refuse to donate or purchases support contracts for LGPL v3 software.
Conversely, they are buying support contracts for LGPL v2.1 software. Donating money and employee time to the projects. Generally feeding that which feeds them.