We are in a bind here. If you ship GPLv2 software on a locked down device then nobody downstream has the professional opportunity to contribute, because they simply can't get any of their changes onto the device. The reason to rectify this is not "to ship GPLv3 software" the reason is because otherwise customers don't have control over their own devices.
The developers who relicensed to GPLv3 don't care that some companies won't contribute. From their perspective, any of those contributions would be unusable to them. I feel a similar way with my open source projects -- why would I as an outsider maintain code that nobody outside of your company will ever have any possible way to test in a real production scenario? It's a waste of my time. Yes I might be missing out on minor bug-fixes but I don't really care about that. Like you said, feature development is more important.
As far as firmware-updating goes, to be in compliance the user just needs to have some way to get access to the keys. You don't need to make separate keys, it can be the same method that you use.
> We are in a bind here. If you ship GPLv2 software on a locked down device then nobody downstream has the professional opportunity to contribute, because they simply can't get any of their changes onto the device.
I should clarify - what I meant is that if we're shipping GPLv2 software like Busybox, then I'm able to spend billable time improving Busybox and upstreaming my patches. That's labor that could be going to GNU coreutils instead, if it was the userspace on my product. But since I'm not shipping it, that means I don't find bugs or need features very often. Which means I have way less of an opportunity to pitch in.
That's great for you. In that situation, if my company buys your product, we have zero opportunity to pitch in to Busybox and are not able to spend any of our billable time upstreaming our patches, because the device is locked down. Who wins here? It's not the project who wins, because they lost contributions. It's not my company or any of your other customers who win, because we can't contribute. It's not you who wins, because if you get a different job then you lose access to the device and can't contribute, and you also lose the billable consulting hours that you could have charged to my company. It's not your company who wins, because they lose the shared contributions from my company.
I'm not making this up either. Even in my personal life I own lots of random devices that I know for a fact are running Linux and Busybox. But I have to go out of my way to find a device that I actually have a chance to get a toolchain running on and can actually start working on patches. It's usually limited to old devices that had no security or had their security broken. So any contributions I make are limited to things that only work on insecure old legacy hardware, stuff that is not going to be of interest to your company working on the next new hotness. There is a real problem here that's in-part solved by the GPLv3, but you have to actually acknowledge that it's a problem.
Just a note - I appreciate this discussion, and your point of view! Thanks for having it.
Ease of contribution is a problem for sure, and it's one that GPLv3 was intended to address. My main point is that the changes from GPLv2 actually had the opposite effect for a whole group of developers.
Instead of encouraging -more- development, I feel like maybe it's just driven developers away and onto GPLv2, MIT, or BSD equivalents. Maybe this is intended behavior, and not an accidental side-effect. I don't know. But it's hard to dispute that it reduces the pool of potential contributors to GPLv3 packages.
GPLv3 components just aren't an option for a lot of products, regardless of whether GPLv3 is better for users (I agree that it is). I think it's really harmed the FSF a lot. With fewer installations of FSF packages, the FSF sees less participation and loses some of its clout. And that makes me sad :(
People and groups that wanted to contribute but couldn't because of locked-down devices were already driven away and discouraged from development. And it was worse for them, if you own a locked-down device you can't go and decide to run FreeBSD on it to fix that. You just can't work on it at all. The GPLv3 was drafted in response to complaints about this -- specifically, companies that were shipping Linux and Busybox and were either straight-up GPL violating, or were telling users to get lost when they asked how it would be possible to get patched software on the device in any practical sense. From my perspective, there already was a wall in between those companies locking down their devices and the rest of the community. The GPLv3 only highlighted it.
The developers who relicensed to GPLv3 don't care that some companies won't contribute. From their perspective, any of those contributions would be unusable to them. I feel a similar way with my open source projects -- why would I as an outsider maintain code that nobody outside of your company will ever have any possible way to test in a real production scenario? It's a waste of my time. Yes I might be missing out on minor bug-fixes but I don't really care about that. Like you said, feature development is more important.
As far as firmware-updating goes, to be in compliance the user just needs to have some way to get access to the keys. You don't need to make separate keys, it can be the same method that you use.