Re: [Suit] Firmware Update Paper

David Brown <> Fri, 29 November 2019 18:36 UTC

On Fri, Nov 29, 2019 at 12:46:42PM +0100, Emmanuel Baccelli wrote:

> The open source implementation stemming from our paper [1] is embedded into the
> RIOT operating system, which is indeed licensed with LGPL.
> The implementation is compliant with draft-ietf-suit-manifest-00 and has
> recently been merged into the main branch of RIOT, see [2].
> Reuse and further contributions to this code base are welcome!
> Relicensing this code is not planned as far as I know (@ code co-authors:
> please correct me if I'm wrong).

This is fine.  The authors of the code are free to license the code
however they wish.  I just want to make sure it is clear that this
code is not useful as a general example, and if the SUIT wishes to
have reference code, it will need to be licensed differently.

> Related: we know of several companies, big and small, which use RIOT in their
> IoT products (and thus use software including -- but not limited to -- LGPL
> code) and they are quite happy with it.

I'm sure there are a few companies that are willing to use LGPL
licensed embedded code, but their existence doesn't negate that there
are large numbers of users who will be unable to use (or even look at)
this code.

One example is that both Zephyr and MCUboot are licensed under the
Apache 2.0 license.  Most parties feel that the Apache 2.0 and the
LGPL 2 license are incompatible, and this code cannot be linked
together into a single product.  Since I'd like to include SUIT
support into MCUboot, this means I'll have to be doing an
implementation from scratch.

It's not my place to argue about the licensing of RIOT, but I would
like to see reference code for SUIT that can be used as widely as
possible, and the licensing of this particular code prevents it from
being used for that.