Re: Octave for OS X (was: How to install Octave 4.0.1 on OS X Yosemite)

[edmund ronald]

On Wednesday, June 8, 2016, edmund ronald <address@hidden> wrote:

On Wednesday, June 8, 2016, Ben Abbott <address@hidden> wrote:

On Jun 7, 2016, at 9:48 PM, edmund ronald <address@hidden> wrote:

Does anyone here have any GPL-related legal, ideological  or personal objection to my code-signing an OS X binary and distributing it? 

Which is the version of the GPL that applies? 

BTW, as most here realize, Apple's security architecture is going to create a bunch of headaches with any native Mac distribution - it's going to be a Red Queen situation, with the Mac maintainers running to keep in place ie. keep their binary compatible as Apple's rules change.

Edmund

ᐧ

Can you give us a quick explanation of “code-signing”? Any reason why we can’t do that ourselves and distribute via SourceForge?

Octave uses GPLv3.

Ben

Hi Ben,

 I would assume you can do anything you want :)  and so can I within the limits set by the GPL, that is the beauty of free software.

 The code-signing tech is described here: https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html

 I believe Sebastian is familiar with it, we discussed it a bit at Octconf.

 I personally feel a bit uneasy about Sourceforge, maybe because of this event: http://arstechnica.com/information-technology/2015/05/sourceforge-grabs-gimp-for-windows-account-wraps-installer-in-bundle-pushing-adware/

 A lot of people seem to be using GIthub these days, both as source and binary repository.

Edmund

 

I have found the relevant legalistic guidance relating to code-signing on the GNU.ORG site    http://www.gnu.org/licenses/gpl-faq.en.html#GiveUpKeys

It would seem that code-signing in itself raises no GPL issues, at least from the point of view of the people who curate the GPL;  Apple, Google and Oracle and other corporations who rely on open source pay lawyers  to have different opinions about the meaning of the GPL but I don't think that concerns us here.

---

I use public key cryptography to sign my code to assure its authenticity. Is it true that GPLv3 forces me to release my private signing keys?(#GiveUpKeys)

No. The only time you would be required to release signing keys is if you conveyed GPLed software inside a User Product, and its hardware checked the software for a valid cryptographic signature before it would function. In that specific case, you would be required to provide anyone who owned the device, on demand, with the key to sign and install modified software on the device so that it will run. If each instance of the device uses a different key, then you need only give each purchaser a key for that instance.

---