Suppose I write some GPLv3 code. You incorporate that code into a program called shim-gpl3 and release the result under the GPLv3. You also release a binary. Microsoft signs that binary and releases the signature but does not redistribute the binary. Microsoft says that they don’t think that the signature is a copyrightable work but that, to the extent that it is, it is permissively licensed (CC0, MIT, whatever). A Linux distribution builds an installer that contains shim-gpl3 and Microsoft’s signature. The recipient of the distribution asks the distributor for source to the GPLv3 parts of their distro.
The problem (as I see it) is that the distributor cannot comply. This is as intended! The media, as is, runs on an effectively TiVo-ized machine, and neither the distributor nor the end-user can build it from source such that the result works if modifications are applied.
If I publicly attest to something, and provide cryptographic proof that you can verify the version you are looking at is the one that I attest to, then I do not see how that is meaningfully a derivative work of what we are attesting. It is not substantial enough in size or form for it to be a derivative work. So, from that end, it seems we agree that the signature itself is not a problem.
Now, it seems what you are implying is that they need a new signature that must be created at build time. I'm asking for a much more restrictive bootloader that would have to be buildable with a repeatable process so that someone else can create the same one down to the bit level. Is this as useful as one that is not as restricted? No, but it would be a way past the legal problem?
> I'm asking for a much more restrictive bootloader that would have to be buildable with a repeatable process so that someone else can create the same one down to the bit level.
Reproducible builds are fantastic. But I doubt that, in this instance, it would be a valid way around the GPL.
Maybe if one, as an art project, made a project that, when compiled, had a particularly aesthetically pleasing binary representation, it would be okay. But we’re talking specifically about a signature needed to run the software, which appears to fit the definition of “Installation Information” in section 6 of the GPLv3.
My point is the signature can be combined after the fact. Basically, I can give you a binary that is the signature for another binary that is the boot loader, built to certain specifications. You build that, combine it with this signature, and you are good to go. If the build doesn't build exactly the same, the signature will be invalid and you can't use it.
Note that this is VERY limited in how much it could possibly help. But I don't see why it wouldn't be permissible by all licenses involved. It doesn't require the signing key, but a valid signature. For that device, it is locked down enough that the only installer that can work is the one that matches this signature. If installing somewhere else, you don't need the signature anymore, and can make your own or use an unsigned loader.
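The scheme described in the two posts above (a detached signature published separately, attached to a locally reproduced build, and valid only if the rebuild is bit-identical), as an added illustration that is not part of the thread. It uses Ed25519 as a stand-in for the real Secure Boot Authenticode signature, and the "build" is a constructed deterministic byte string rather than a real compile.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// reproducibleBuild stands in for a deterministic build of the boot loader:
// the same (constructed) source must always yield exactly the same bytes.
func reproducibleBuild(source string) []byte {
	return []byte("LOADER:" + source)
}

// signRelease is the signer's one-off step over the reference binary. Only
// the detached signature is published; the binary itself need not be.
func signRelease(priv ed25519.PrivateKey, binary []byte) []byte {
	return ed25519.Sign(priv, binary)
}

// combineAndCheck is the distributor's or end-user's step: rebuild locally,
// attach the published detached signature, and verify before shipping.
func combineAndCheck(pub ed25519.PublicKey, localBuild, detachedSig []byte) bool {
	return ed25519.Verify(pub, localBuild, detachedSig)
}

// flipBit returns a copy of b with a single bit toggled, to show that the
// rebuild has to match down to the bit level for the signature to hold.
func flipBit(b []byte, bit uint) []byte {
	out := append([]byte(nil), b...)
	out[bit/8] ^= 1 << (bit % 8)
	return out
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // hypothetical signer key
	if err != nil {
		panic(err)
	}
	sig := signRelease(priv, reproducibleBuild("shim source v1"))
	fmt.Println("identical rebuild verifies:",
		combineAndCheck(pub, reproducibleBuild("shim source v1"), sig))
	fmt.Println("rebuild with local patch verifies:",
		combineAndCheck(pub, reproducibleBuild("shim source v1 + patch"), sig))
	fmt.Println("rebuild off by one bit verifies:",
		combineAndCheck(pub, flipBit(reproducibleBuild("shim source v1"), 3), sig))
}
```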