Free Software Foundation, FSF, recently published a white paper criticizing Ubuntu’s move to drop Grub 2 in order to support Microsoft’s UEFI Secure Boot. FSF also recommend that Ubuntu should reconsider their decision. Ubuntu’s charismatic chief, Mark Shuttleworth, has finally responded stating the reason why they won’t change their stand on dropping Grub 2 from Ubuntu.
In its whitepaper FSF said:
Our main concern with the Ubuntu plan is that because they are afraid of falling out of compliance with GPLv3, they plan to drop GRUB 2 on Secure Boot systems, in favor of another bootloader with a different license that lacks GPLv3’s protections for user freedom. Their stated concern is that someone might ship an Ubuntu Certified machine with Restricted Boot (where the user cannot disable it). In order to comply with GPLv3, Ubuntu thinks it would then have to divulge its private key so that users could sign and install modified software on the restricted system.
This fear is unfounded and based on a misunderstanding of GPLv3. We have not been able to come up with any scenario where Ubuntu would be forced to divulge a private signing key because a third-party computer manufacturer or distributor shipped Ubuntu on a Restricted Boot machine. In such situations, the computer distributor — not Canonical or Ubuntu — would be the one responsible for providing the information necessary for users to run modified versions of the software.
When asked by a user during a chat organised by The Register, Mark said:
The SFLC advice to us was that the FSF could require key disclosure if some OEM screwed up. As nice as it is that someone at the FSF says they would not, we have to plan for a world where leaders change and institutional priorities change. The FSF wrote a licence that would give them the rights to take specific actions, and it’s hard for them to argue they never would!
So, does that mean Microsoft can be trusted with their keys but FSF can’t be trusted with their licence?
Lack Of Unity: Communication Gap?
FSF accuses that “No representative from Canonical contacted the FSF about these issues prior to announcing the policy. This is unfortunate because the FSF, in addition to being the primary interpreter of the license in question, is the copyright holder of GRUB 2, the main piece of GPLv3-covered software at issue.”
It is not clear is if Ubuntu team contacted FSF/SFLC on this matter. Canonical has not released any statement whether they communicated with FSF/SFLC on this matter or not.
Mark’s wordings are vague so we don’t know if they contacted the FSF and failed to reach an agreement or by ‘SFLC advice’ he was referring to the advice given in the whitepaper.
So the question arises should not open source companies contact FSF before taking such decisions as FSF is not only an authority in the matter, but also has legal expertise in the subject?
Ubuntu Has An In-House Security Expert
On the other hand Mark Shuttleworth himself has a lot of experience in security. He founded Thawte Consulting, a certificate authority (CA) for X.509 certificates, which he later sold to VeriSign for $575 million and created Ubuntu.