
SoylentNews is people

posted by Fnord666 on Monday June 10 2019, @01:25PM
from the fine-print dept.

Submitted via IRC for SoyCow4463

Why does macOS Catalina use Zsh instead of Bash? Licensing

Yesterday, at its WWDC developer conference, Apple unveiled the latest version of the MacOS operating system. Codenamed Catalina, it's a fairly significant update for the platform, not least because of the changes that have taken place under the hood. Take, for example, the default shell, which has been migrated from Bash to Zsh.

Bash has been the primary macOS shell since OS X 10.2 Jaguar. For almost sixteen years, MacOS developers have used it to write scripts and issue commands to the underlying operating system. It's deeply ingrained in how developers work. So, why the sudden change?

In a word: licensing.

[...] Newer versions of Bash are licensed under the GNU General Public License version 3 – or GPLv3 for short. This comes with several restrictions which could potentially have caused a few headaches for Apple further down the line.

Firstly, the GPLv3 includes language that prohibits vendors from using GPL-licensed code on systems that prevent third parties from installing their own software. This controversial practice has a name: Tivoization, after the popular TiVo DVR boxes which are based on the Linux kernel, but only run software with an approved digital signature.

Secondly, the GPLv3 includes an explicit patent license. This can be hard to wrap your head around, but in a nutshell, it means that anyone who licenses code under the GPLv3 also explicitly grants a license to any of the associated patents. This isn't a comprehensive licensing deal; it only applies to the extent required to actually use the code.

[...] These two clauses are likely the reason why Apple's increasingly vary[sic] of GPL-licensed software, and is desperately trying to remove it from macOS. Between MacOS 10.5 Leopard and MacOS 10.12 Sierra, the number of GPL-licensed packages that came pre-installed decreased by an insane 66 percent – from 47 to just 16.


  • (Score: 5, Informative) by choose another one on Monday June 10 2019, @02:58PM (10 children)

    by choose another one (515) Subscriber Badge on Monday June 10 2019, @02:58PM (#853699)

    Apple's aversion to GPLv3 is well known, and very possibly well founded*, they've been refusing to put new GPLv3 stuff in for years so phasing out of older dated GPLv2 stuff is natural and expected - in fact I'm surprised it took that long (it's years since I've spent enough time on MacOS to actually use the shell).

    *Personally I gave up** on GPLv3, I cannot understand (without engaging a lawyer) the full consequences _on_ _me_ of the patent clause, and I cannot understand why the Tivoisation clause is subject to a field-of-use restriction (to "consumer products") when the FSF have been so against such restrictions in the past. If the 3/4 Freedoms are to be protected and Tivoisation violates them, then prohibit it, otherwise don't, I don't see how it can be prohibited in some fields-of-use and not in others - smacks of "All animals are equal, but some animals are more equal than others" (and the "more equal" are big businesses). Plus GPLv3 is just too damned long and complex, v2 was on the verge of being too-long but the effort to read and parse was justified by its effect in encouraging doing right by the community. In contrast v3 (the actual terms) is over twice as long and not discernibly better at anything other than stirring up controversy exacerbating licence-compatibility problems and turning people i in licensing terms it's tl;du; - too-long didn't-use.

    **And yes I did participate and give feedback in the consultation process before giving up

  • (Score: 4, Interesting) by Immerman on Monday June 10 2019, @03:13PM (2 children)

    by Immerman (3985) on Monday June 10 2019, @03:13PM (#853711)

    On restricting the Tivoisation clause to consumer products, I recall a major argument being things like medical hardware such as CAT-scan machines, IV medicine dispensers, etc., that can easily kill you and require extensive testing before certification. Requiring signed binaries is a great way to severely restrict the malware attack vectors on such devices, as well as preventing doctors from installing improperly tested profit-enhancing software on their machine, which may then kill someone and have the original software restored to hide the true cause and shift massive liability to the manufacturer.

    • (Score: 1) by shrewdsheep on Monday June 10 2019, @03:21PM (1 child)

      by shrewdsheep (5215) on Monday June 10 2019, @03:21PM (#853718)

      That could be easily solved by a chained signing procedure (like what is the reality of Linux secure boot): binaries must be signed, but you can install additional keys by a more involved/physical procedure. For example, the medical devices could come with a sealed box containing a USB-key that can be booted to install additional keys. Make the provision of such a USB-key on demand and you have all the freedoms plus all the security.

      • (Score: 2) by Immerman on Tuesday June 11 2019, @03:28AM

        by Immerman (3985) on Tuesday June 11 2019, @03:28AM (#854052)

        Yep. And doctors can still dodge liability for recklessness or cost-cutting. You've got a situation where the device is only legal to operate when running the *exact* software that it was tested and certified with, so where's the benefit of allowing the software to be changed, that outweighs the associated risks?

        It's one thing to get a "super key" for your home PC or other consumer device - but in a hospital? How many people will inevitably have access to that key at some point? Do you have a separate key for every CAT-scanner, or will an attacker that gets their hands on one gain access to every machine of that model? How much damage could someone do, without ever leaving a trail that would point to them? And what other attack vectors do you open by making it possible to boot from USB?

  • (Score: 2, Interesting) by fustakrakich on Monday June 10 2019, @04:01PM (1 child)

    by fustakrakich (6150) on Monday June 10 2019, @04:01PM (#853734) Journal

    In contrast v3 (the actual terms) is over twice as long and not discernibly better at anything other than stirring up controversy exacerbating licence-compatibility problems and turning people i in licensing terms it's tl;du; - too-long didn't-use.

    Are you saying that v3 is the systemd of GPL?

    --
    Politics and criminals are the same thing.
  • (Score: 2) by DannyB on Monday June 10 2019, @06:19PM

    by DannyB (5839) Subscriber Badge on Monday June 10 2019, @06:19PM (#853782) Journal

    I could read and understand GPLv2.

    GPLv3 is difficult to impossible to understand.

    And even worse is LGPLv3. It $INCLUDEs the entire GPLv3 into it before adding even more text.

    There are other, even moderately long, open source licenses that I can read and comprehend.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 2) by nishi.b on Monday June 10 2019, @06:52PM (3 children)

    by nishi.b (4243) on Monday June 10 2019, @06:52PM (#853806)

    The explanation I read years ago was that the GPL 2 was being abused in the following way: a company uses a GPL software and modifies it. As long as it is not distributed, they do not have to distribute their modifications to the source code. Some companies then argued that they created appliances or services on servers but they did not commercialize the software (i.e. on a computer) but an appliance, so the software was still "internal" to the company and they did not have to share the changes. Basically they were denying that selling an appliance using GPL code was equivalent to distributing the software, thus freeing them from GPL obligation to share the code (i.e. equivalent to a BSD license). GPL 3 was supposed to close this loophole.

    • (Score: 1, Informative) by Anonymous Coward on Monday June 10 2019, @07:03PM

      by Anonymous Coward on Monday June 10 2019, @07:03PM (#853813)

      It sounds like you are describing the AGPL, not just GPLv3.

    • (Score: 2) by Immerman on Tuesday June 11 2019, @03:35AM (1 child)

      by Immerman (3985) on Tuesday June 11 2019, @03:35AM (#854055)

      I think it was more just that so long as the software never left their servers, they were in compliance with GPLv2, even when they provided remote access to that software. So long as they only distributed access and not the software itself, they didn't trigger the distribution clause.

      There was also Tivoization - where they distributed the software and source in full compliance with GPLv2, but locked the hardware so that it couldn't run your modified software. Maybe not such a big deal for minor appliances (though still a slap in the face of the spirit of the license), but a dangerous trend in a world being overtaken by smartphones, tablets, chromebooks, and other locked-down appliances. And yes, I know, many such devices can be unlocked - the GPLv3 just says that if it *can't* be unlocked, then you can't include the licensed software on it

      • (Score: 0) by Anonymous Coward on Tuesday June 11 2019, @09:27AM

        by Anonymous Coward on Tuesday June 11 2019, @09:27AM (#854135)

        I think it was more just that so long as the software never left their servers, they were in compliance with GPLv2, even when they provided remote access to that software. So long as they only distributed access and not the software itself, they didn't trigger the distribution clause.

        From my understanding, this is still the case with GPLv3; it's only the Affero GPL that requires code on the server to be disclosed.

        But then, IANAL, nor am I an FSF member, so I might be wrong on that (since up to now I never set up a public server, I never needed to care about this).