Posted inExperience / Information Technology / Politics / Thank You Sir May I Have Another

Anti-Tivoization

seasoned_geek by seasoned_geek
Photo 176847618 © Michael Vi | Dreamstime.com

Anti-Tivoization is once again rearing its ugly head in the OpenSource world. I have never understood the mindset of busting other people’s things then expecting them to fix the things under warranty. I guess you could call this an extension of my post on SOVERSION and tiny x86 minds. People don’t understand just how many projects LGPL V3 and later are killing off.

What really stuns me are the people who still believe one should be able to update OpenSource software inside of a medical device any time they want. No testing what-so-ever, just install whatever shat itself out the back of the last sprint and hope for the best. Oh, I’m not making this up dear reader. You need to skim through and old ZDNet article.

Instead, draft 3 makes a distinction between two categories devices that can use GPL-covered programs: “User Products”, and non-User Products. There’s a complex legal definition but intuitively a user product is something that is normally used for personal, family, or household purposes. This would include Tivos, televisions, cell phones, and any other consumer oriented equipment. Under the provisions of draft 3, source code used in user products must be accompanied by enough “installation information” to allow modified versions to be installed and executed on the device. Functionality must not be impaired, but the manufacturer is free to terminate the user’s warranty.

From the ZDNet article

The Medical Device Campaign

Terminating the warranty isn’t going to do much for the person whose pace maker just terminated their life because someone “upgraded” the software to the latest untested OpenSouce code. Gotta love this quote from that same article.

We considered including medical devices for implantation in the human body in the User Product definition. We decided against this, however, because there may be legitimate health and safety regulations concerning inexpert and reckless modifications of medical devices. In any case, it will probably be necessary to convince medical device regulators to allow user-modifiable implantable medical devices. We plan to begin a campaign to address this issue.

from same ZDNet article

I’ve run into this mentality on the qt-interest list quite often. People who’ve never worked on anything other than the x86-wanna-be-a-real-computer-one-day-when-I-grow-up platform thinking you should be able to modify anything anyway you want any time you want.

How are they going to feel when insert-nationality-here hackers decide it would be fun to turn off their pace maker because the user installed a “networking update” that gave them access?

I haven’t bothered to follow that campaign to allow user modification of medical devices. I can tell you just how far it got though, nowhere. Want to know who was completely against it besides the FDA? Personal injury lawyers. If they can force a bit change on the device to claim the user modified it, that’s it, no more mega-million dollar jury verdicts.

Let me ask you this question. Don’t you want to know the surgical robot that is about to cut your heart open has a fully tested set of software?

Anti-Tivoization on StackExchange

On rare, very rare, ocassions StackExchange will have something actually useful. Sites like that tend to have a lot of up-voted very bad information as well as a lot of down-voted complex questions. It did have this discussion though.

The kernel license covers the kernel. It does not cover boot loaders and hardware, and as far as I’m concerned, people who make their own hardware can design them any which way they want. Whether that means “booting only a specific kernel” or “sharks with lasers”, I don’t care.

Linus Torvalds

One of the few times Linus and I see eye-to-eye. The few people who know both of us know just how rare that is. The rest of you can just wonder.

Linus has stated that he didn’t like the anti-tivoization clause in GPLv3 because it fundamentally changes the GPL. The whole point and purpose of the GPL, in Linus’ mind, is to make users of GPL software pay back to the community by making all of their improvements of GPL software available to the community under the same terms. That’s it. With anti-tivoization, GPLv3 adds a completely new obligation that has absolutely nothing to do with this fundamental purpose. He has also stated that there is nothing wrong with GPLv3 in isolation, but to call it GPL version 3 and claim that it’s like GPL version 2, only better, is decidedly wrong as GPLv3 is very different from GPLv2.

Another quote from that exchange

For a fantastic laugh read this post from the Free Software Foundation.

Where We Are Today

Lots of frothing at the mouth OpenSource developers are slapping LGPL v3 on things. The flip side is starting to happen. More and more OpenSource projects are adopting LGPL v2 or LGPL v2.1.

Why?

Anti-Tivoization is a real bitch. No manufacturer wants to have you “update” software on their device and introduce massive security holes. No manufacturer wants you to “update” software and bust the device expecting their tech support to fix it for free.

You have to realize that it is not just medical devices now. IoT is coming to the same realization that the FDA did decades ago. Security is a real problem. Most people aren’t smart enough to consider security when they install something. Many are gullible enough to believe updates fix security holes without introducing any new ones.

Now what you see are companies banning the use of LGPL v3 or later software. Not just banning, they don’t allow their employees to work on it during company hours. They also refuse to donate or purchases support contracts for LGPL v3 software.

Conversely, they are buying support contracts for LGPL v2.1 software. Donating money and employee time to the projects. Generally feeding that which feeds them.

Featured image photo 176847618 © Michael Vi | Dreamstime.com

Roland Hughes started his IT career in the early 1980s. He quickly became a consultant and president of Logikal Solutions, a software consulting firm specializing in OpenVMS application and C++/Qt touchscreen/embedded Linux development. Early in his career he became involved in what is now called cross platform development. Given the dearth of useful books on the subject he ventured into the world of professional author in 1995 writing the first of the "Zinc It!" book series for John Gordon Burke Publisher, Inc.

A decade later he released a massive (nearly 800 pages) tome "The Minimum You Need to Know to Be an OpenVMS Application Developer" which tried to encapsulate the essential skills gained over what was nearly a 20 year career at that point. From there "The Minimum You Need to Know" book series was born.

Three years later he wrote his first novel "Infinite Exposure" which got much notice from people involved in the banking and financial security worlds. Some of the attacks predicted in that book have since come to pass. While it was not originally intended to be a trilogy, it became the first book of "The Earth That Was" trilogy:
Infinite Exposure
Lesedi - The Greatest Lie Ever Told
John Smith - Last Known Survivor of the Microsoft Wars

When he is not consulting Roland Hughes posts about technology and sometimes politics on his blog. He also has regularly scheduled Sunday posts appearing on the Interesting Authors blog.