Is every thread on SF now about cars? 
At least it’s not B****t 
1 Like
Well no Billy that’s one of the poor consumer rights things in France I’ve been talking about. In the UK the motor trade has been blocked from manufacturers refusing supply or insisting only the manufacturer’s own network can do some things for a very long time now.
When I’ve told my local independent garages this and that I’m surprised Peugeot is restricting in France I’ve got “Le Shrug” and one or two times a short hollow laugh.
This and the fact that our local baker is cr*p and most people agree they’re not that good, but no other baker is allowed to open up within a certain distance…
That’s not always the case, and won’t be the case for Humax. The way it works is that the customer (Freesat) pay for the product from the manufacturer at an agreed price. That price has to reflect all costs including development. This can sometimes be renegotiated after the initial agreement if circumstances change. The product will come with a warranty period, which can be more than the statutory minimum (some of our Sky Italia boxes were warranted for 5 years I think). The warranty can be serviced by the manufacturer, the customer (Sky Italia did this) or by a third party under contract from the customer. As far as fixing bugs is concerned, the manufacturer/developer has a contract with the customer to support this for a fixed period. This can be extended if the customer wants, but this is at the customers cost. So, when I said basically “why should they care”, It’s because the maintenance contract will have expired, and not extended by the customer (i.e Freesat). That’s just the reality of the situation.
1 Like
Fair enough where the direct customer of the manufacturer is not the end user (and, in this case Freesat possibly bought all the IP as well) - but it’s a general point I think items which have a microcontroller and updatable firmware should be, de jure, open source - we have to tackle the problem of e-waste and this would overcome a lot of built-in obsolescence for these devices.
This is where the French control of small businesses really ends up doing the customer a disservice. It’s also a case where the end user is not the direct customer of the manufacturer and so somewhat poerless - I’m sure if French independent garagistes got together they could force the issue but as there is no shortage of customers (due to the shortage of garagistes) why bother.
Unfortunately, this will never happen. Software in cars is getting more sophisticated, and now controls many critical systems in the car. Allowing unapproved third parties to change software in critical systems would not only invalidate your insurance, it would probably be illegal in most countries. Also it would be highly dangerous.
I’ve had no issues with getting my local garage to fix my Peugeot, including getting spare parts. The only thing I needed to go to a Peugeot garage for is a replacement key when the old one was damaged (still had the non plipper key fortunately).
1 Like
I agree “indy” software for ECUs would struggle with regulatory issues - but AIUI 3rd party ECU’s do exist in the performance sector and are suitable for a wide variety of engines.
Re-reading your post, there is a difference between Peugeot being the only place you can get a new Peugeot ECU - that would almost certainly be on the right side of EU regs.
Peugeot saying they will only sell them to Peugeot dealers for fitting by Peugeot dealers I am pretty sure is illegal.
And how do they control the 2nd hand market? If they do it is presumably be restrict the software that the dealers use to tweak ECU’s, fit them to cars etc - which is also, AIUI, illegal in the EU.
Yes, I agree with this. It’s a great irony though that most STBs (all the ones I had a hand in for the last 15 years I was working) have lots of open source software. They almost all use the Linux kernel and most have many other open source packages. If you have access to a Sky box then you can list all the open source software packages in one of the menus. It’s a long list. There are however proprietary packages and apps in there as well - there has to be in order to protect proprietary code and techniques, enforce security within the box, protect the conditional access via a chain of trust, or just to stop some yahoo from bricking boxes. Often, it’s all of the above.
More than an irony as most ignore the stipulations of the GPL - something which I can get quite hot under the collar about.
By and large it doesn’t and all too often “secret sauce IP” means “we’re too embarrassed by our shit, barely works product for you to see all the fixes we had to put in the firmware”.
Oh, and if “some yahoo” bricks his own box, tant pis. If “some yahoo” figures ouryour box can be bricked and does it lots of customer’s boxes it wasn’t fit for purpose anyway (and that discovery will probably be made open source or not).
I never did STB’s per se but I did do some embedded work and the quality of the code frequently made me shudder.
Most STB companies these days are very good at GPL compliance. We were, and we had both automatic and manual systems and reviews in place to ensure that we stuck to the GPL. And it is all to easy to inadvertently breach the GPL. Of course, some companies are just arses when it comes to this, but they are getting less and less. The only issue with most companies and GPL compliance is that there is a grey area about dynamic linking. Some Linux developers argue that there should be no difference between dynamic and static linking, but many (including Linus) thinks that dynamically linked modules shouldn’t be subject to the GPL (at least GPL2, GPL3 is a whole other can of worms). This has never been tested legally, and probably never will be. Apps of course can be proprietary, and this is where designers prefer most of thier code to run.
This assumes one has a certain bandwidth which is still not the case in many parts of rural france
A propitiatory executable pulling in a standard library would seem to me to be OK (“mere aggregation” and all that - I don’t think the act of linking a .so creates a derived work in spirit).
Really full compliance means shipping a full build environment/scripts - too many seem to think that saying “contains binutils-2.37.tar.gz” is enough.
Unless I can pull down a tarball and type make (I don’t mind having to set up a cross-compile environment though would prefer that it is FOSS based) and get the firmware blob to update my hardware then as far as I am concerned only lip service is being paid to open source.
Yes, binary only apps embedded in all of this and binary blobs of firmware can be tolerated but I’m never terribly convinced they are essential.
I’m sorry @billybutcher , but this is just nonsense. All the protection mechanisms, both hardware and software, are there to ensure that many different companies proprietary technology is properly protected. Some of that technology, if broken into, could cost that partner many millions if not billions of dollars. If your STB was responsible for a partners technology (I’m thinking Conditional Access systems in particular) being out in the wild, your company would probably not survive.
You’re not really seeing my point which is that in most cases all this secret squirrel stuff is just a waste of time (yes, I take a truly radical position on this).
Obviously this would only work if everybody open sourced everything but that is actually what I’d like to see.
Truly novel IP could be protected by patents (which, don’t forget are in the public domain) - though i would agree that the US patent system would need radical overhaul as well for this to be realistic.
Yes, they could, and are. However, it’s the encryption codes, exactly how they are generated and used that is at issue. If that information gets out, as it has in the past with Canal+ CA systems, then that can cost a broadcaster many millions. As these CA systems tend to be used worldwide by dozens of broadcasters, the CA vendor also needs to protect itself against multiple lawsuits in the best way it can. It isn’t a waste of time to them.
Note that I agree some safety critical systems would have to be protected.
So, for example, you would regulate industrial systems to only have firmware/software supplied by suitably accredited vendors - but this is the case for a lot of situations anyway. Boeing isn’t going to install a fly-by-wire system they downloaded from the 'net because it has kool features.
Car systems are an interesting one though because we’re probably on the cusp of where they need to be regulated and have assured suppliers of software.
At the end of the day an ECU does a simple job in principle (though complex in practice) - it decides how much fuel to put into the cylinder and when to make it go bang (in a petrol engine at least). That gets more complex when you have to meet environmental standards but we police that with a system level test at MOT or CT time.
However I’d agree that most people would be a bit worried if some script kid could get a modified level 5 driving system and install it on their car. If their car drives itself into a wall then, again, tant pis. If it drives into some pedestrians then that’s really not good.
Balls.
All entertainment transmissions and storage formats should be unencrypted, end of.
They are only there to enforce arbitrarily restricted markets - and they fail at that. Typically I can download a Blu-Ray from the net if I wish within hours of its release in the 'states. All that wasted effort in protection systems.
Broadcast TV is dead anyway - the corpse just hasn’t stopped twitching. It will all move online where it is possible to control individual subscriptions without resort to closed source encryption standards. As an aside I’m not against encryption by the way - and it is a good example where the best, and most secure protocols, are the open source ones because they get higher levels of scrutiny.
But I am mostly thinking of the gadgets and gizmos that have proliferated in the last 20 years - not so much genuinely safety critical stuff. The IoT stuff which becomes obsolescent almost as soon as you have bought it and certainly does if the manufacturer loses interest, goes bust or gets bought out by someone else.
PS: I won’t mind if you think I am mad here, many I’ve had the same conversation with think so as well- it is, as I said, a radical position.
This is set to change, albeit in a limited manner, with the coming into force of new legislation in France from Jan 1st, 2022, allowing accredited manufacturers of the spare parts (usually the ones that manufacture to spec for the car manufacturers) to sell directly to the public via usual retail channels.
2 Likes
Ok if we assume it’s not totally unreasonable for a broadcaster to want to restrict access to subscribers (as I said I’m not averse to encryption even though I think a lot of content protection is counterproductive)…
Assume the keys for particular channels or bundles are in a smart card, accessed using a public key tied to the subscriber (and pulled dynamically online when the user logs in - or the STB does so on their behalf using their credentials).
In the above case what sensitive encryption keys need to be stored on the STB
Or, assume you have something akin to a TPM in the STB
Again what encryption keys need to be in the STB firmware?
If you don’t need encryption keys in the STB firmware, what is the argument against open source?
I don’t really think you or your opinions are mad, I just don’t think that you understand the realities from a broadcaster or a STB designers point of view. The chip and STB designer has to follow what the customer wants, and so does the CA system. That’s the reality. I agree that broadcast TV is dying and that most people now consume online, but I think closed CA systems, adapted for the online world are here to stay. Many years ago, the company I worked for bought a company from Northern Ireland that was a pioneer in software only CA systems i.e no smartcard. I have no idea how it all worked, but it was apparently just as secure, just as locked down and worked. That basic idea of a software CA system is now pretty universally used in online subscription based streaming services. Good luck finding out how it works. Also, good luck trying to write an open source driver for it.