[KLUG Advocacy] XP SP1

Adam Williams advocacy@kalamazoolinux.org
01 Oct 2002 16:49:38 -0400


>>If you thought the XP EULA was bad....
>Nah, it's not "bad", in some cases (like whole industries and sets of
>applications) this is just an absolute show-stopper.

It certainly makes me unhappy.  But lawyers at the SBA are probably
giggling themselves sick.

>>Product Activation post SP1 transmits your product key to Redmond, 
>>where they can "validate" it and accept or decline permission to use
>>updates, etc...
>This has been well-known for some time.

Yes and No.  WinY2k SP3 grants Microsoft the "right" to enter and
inspect the software installed on a machine, and perform updates.  But
there is no concrete mechanism to do so.  XP SP1 is the first to push
information up to Redmond and provide a back channel (assuming of course
Internet connectivity and cooperating firewalls).

>>It installs "technological measures that are designed to prevent 
>>unlicensed use."
>Well, it's a bit more extensive than that. In essense you are granting
>MS the right to enter your system and disable any software installed 
>thereon, and [I beleive] the are held harmless from any consequences.

It is the trespass that bothers me.  I'm fine with the "hold harmless"
applied to software developers, or I can only imagine the mayhem that
would ensue.

>This is simply unacceptable in any application where the configuration of
>the host is certified to consist of known componets (or sets of components)
>and tested to qualify its behavior and performance.

It can currently be disabled, the automatic update part anyway,  the
push of verification information appears to be integral.

>BTW, this is not confined to MS, or XP, but nearly any production platform
>that has some form of self-updating mechanism.
>Consider for a moment some application where the system in question is 
>doing something like measuring chemical or pharmacuetical potency, pro-
>viding some environmental control. These systems are qualified and/or
>certified in accordance with testing and certification protocols that 
>(among other things) require a documented and static configuration as 
>of the certification date. Change often requires a change control pro-
>cedure, which is specified as part of the certification process and often 
>includes testing.
>All of this "auto-update" stuff short-cicuits this kind of rigorous 
>system maintenance, and places the administrator in the position of not
>really knowing what the configuration is if [when] something adverse 
>haapens. This can be **very** serious [human lives have been lost over
>this kind of error].

One would hope common sense exceptions apply like are granted on other
software packages when used in aviation, nuclear, and other industries.

>Signing this into a licence is... I can't think of the words... perhaps 
>criminal negligence covers it, but I'm not certain.

I can see no benevolent reason to place such a technology in a service
pack, or terms in a EULA.  I really can't think of any non-nefarious and
conspiritorial reason to take these steps.  The whole piracy thing is a
red herring, justification to take unpleasant measures for other
purposes.