GPLv3 considered insecure

At the Open Embedded forum conference 2023, one of the speakers pointed out that GPLv3 cannot be used for IoT devices with signed software. The problem is that GPLv3 not only requires You to give the end customer the source code. The end customer should also be able to compile and install the code on his device.

This is a very serious limitation. If You use GPLv3 together with proprietary code, it may not be enough to separate the GPLv3 in a library or even another application.

However the big problem is that, if Your device uses secure boot and only will boot on signed software, then You will violate the license. Unless You give the end customer the keys to sign the software. And then the whole idea of secure boot kind of disappears.

There are no easy ways around this. One is to give each device a unique key, but if You send millions of devices out to end consumers, that is a no go.

Now does that mean GPLv3 is a no go for DEIF? An email to Free Software Foundation, gave this clarifying answer:

GPLv3 seeks to prevent technical measures such as signature checks in hardware to prevent modification of GPL’d software on a device. To address this issue, GPLv3 §6 requires that parties distributing object code provide recipients with the source code through certain means. When those distributors pass on the source code, they are also required to pass on any information or data necessary to install modified software on the particular device that included it. But this GPL requirement applies to user products only. User products are understood as devices that are sold for personal, family, or household use. Distributors are only required to provide installation information when they convey object code in a user product. From your description it does not look that you are distributing user products within the meaning of GPLv3.

Generally, GPLv3 requirements related to release of source code are triggered only when recipient of GPLv3 program distributes it further down the line. GPLv3 does not require to release user's modified version, or any part of it until it is used privately. This applies to organizations (including companies), too; an organization can make a modified version and use it internally without ever releasing it outside the organization. It has full discretion to modify GPLv3 code as it wishes. But if it releases the modified version to the public in some way, the GPL requires it to make the modified source code available to the program's users down the line, under the GPL.

GPLv3 §6(a–b) apply specifically to distribution of object code in a physical product. Physical products include embedded systems. The distribution of object code may either be accompanied by the machine-readable source code, or it may be accompanied by a valid written offer to provide the machine-readable source code.

The key point is this: “User products are understood as devices that are sold for personal, family, or household use.”

Thus DEIF goes free, as our customers are purely business customers in the energy sector, which is a critical sector regarding the consequences of hacker attacks.

So fortunately Your power system goes free, but GPLv3 may prevent Your home router from being secure!

I appreciate the effort of Richard Stallman and FSF. The idea of being able to root a device is also appealing to me as a computer nerd. But we are living in an age, where Cyber Security is a must. And especially with an explosion of IoT devices, it becomes necessary to be able to protect ordinary users.

Thus FSF should adjust GPLv3 to allow secure boot, where it is possible to lock down devices. Or Open Source developers should keep away from GPLv3.