[riot-users] LGPL Requirements
kaspar at schleiser.de
Mon Mar 23 12:37:08 CET 2015
Whatever I write, I am not a lawyer and we will have to consult e.g.,
the Free Software Foundation, to clarify these points.

On 03/22/15 23:42, Craig Younkins wrote:
> 1. Am I legally obligated to provide a software upgrade mechanism on the
> device? Do I need to publish the documentation on how to upgrade it?

§6 of LGPL permits combinations of the licensed work or works based on
it "to produce a work containing portions of the Library, and [to]
distribute that work under terms of your choice, provided that the terms
permit modification of the work for the customer’s own use and reverse
engineering for debugging such modifications."
So, the *license* of the distributed combined work cannot restrict
upgrading / modification of the license part.
As I read that, if there are *technical* reasons prohibiting upgrades
(e.g., only signed or no upgrades possible), LGPL poses no restrictions

> 2. Am I permitted to only allow signed software upgrades?
See above. You cannot forbid unsigned upgrades in the license terms of
your product, but LGPL doesn't mention technical means.

> 3. Many micros have lock bits that prevent further programming without
> erasure. Are there any restrictions on setting those?
> 4. Can I store secrets like private or symmetric keys in flash memory
> alongside but that is not part of the flashed binary? This would be
> similar to storing those secrets in external EEPROM, which is almost
> certainly permitted. This has interesting effects in combination with 3,
> including potentially bricking a device if firmware upgrade was
> attempted due to erasure of keys.

IMHO the flashed binary can be seen as a file system layout. Part of it
might be RIOT, part of it might be your application, and part of it
might be some data your application is using.
This data can be put alongside your application, but is not part of its
It should not make a difference if your application is just opening a
file you distribute along with your application, or if it is put
somewhere in its own section by the linker script and your application
accesses it using the flash address.
Do you mind if we add your questions to our license FAQ?