Linux leader attacks "anti-DRM" GPL

Provisions against digital rights management (DRM) in a draft update to the General Public Licence (GPL) could undermine computer security, Linus Torvalds said this week in emails reflecting the Linux leader's pragmatic philosophy.

Torvalds said in a posting on Wednesday to the Linux kernel mailing list: "I think a lot of people may find that the GPLv3 'anti-DRM' measures aren't all that wonderful after all. Digital signatures and cryptography aren't just 'bad DRM'. They very much are 'good security' too."

The Free Software Foundation (FSF) is in the process of revising the GPL, a seminal document that not only governs thousands of open source projects but also functions as the constitution of the free software movement.

Torvalds gave some examples of areas where he believes it's appropriate for secret digital keys to be used to sign software, or for a computer to run only software versions that have this digital signature to assure they're authorised.

A company might want to distribute a Linux version that loads only kernel modules that have been signed, for example. Or they may want one that marks the kernel as "tainted" if it loads unsigned modules, Torvalds said.

He added: "The current GPLv3 draft pretty clearly says that Red Hat would have to distribute their private keys, so that anybody can sign their own versions of the modules they recompile, in order to re-create their own versions of the signed binaries that Red Hat creates. That's insane."

In January, Torvalds said he plans to keep the Linux kernel under the current version 2 of the GPL. That was seen as something of a rebuff to the FSF and its president, Richard Stallman.

The foundation added the anti-DRM provision in part so companies such as TiVo wouldn't be able to continue their current practice of using only authorised versions of Linux. The move restricts software freedoms that the foundation considers essential.

But Torvalds said he believes it's not the software programmer's place to tell hardware designers what to do; if a hardware company's proprietary practices are objectionable, programmers should simply buy another company's hardware, Torvalds said.

In one email he said: "I literally feel that we do not - as software developers - have the moral right to enforce our rules on hardware manufacturers. We are not crusaders, trying to force people to bow to our superior god. We are trying to show others that co-operation and openness works better."

The GPL 3 draft goes beyond Torvalds' prime licensing goal of reciprocity, he said: "GPLv2 is fair. It asks others to give back exactly what I myself offer: the source code to play with. The GPLv3 fundamentally changes that balance, in my opinion. It asks for more than it gives. It no longer asks for just source back, it asks for control over whatever system you used the source in."

When it comes to using DRM to encrypt digital content such as movies, Torvalds suggested in another email that people take a different approach: employ a licence from a group such as the Creative Commons that requires content to remain open.

Torvalds said: "If enough interesting content is licensed that way, DRM eventually becomes marginalised. Yes, it takes decades but that's really no different at all from how the GPL works."

And he said the power of entrenched media companies doesn't just come through encryption. "As long as you expect Disney to feed your brain and just sit there on your couch, Disney and company will always be able to control the content you see," Torvalds said. "DRM is the smallest part of it. The crap we see and hear every day [regardless of any protection] is a much bigger issue."

Stephen Shankland writes for CNET News.com