
There are two scenarios where carrying out their threat plausibly helps the open source community:

1) A source drop demonstrates that Nvidia incorporated GPLed code into their drivers. This is, honestly, unlikely - Nvidia has sufficiently competent lawyers to ensure that everyone they employ is extremely aware of what the consequences of that would be.

2) The source drop includes the private keys used to sign Nvidia GPU firmware blobs. Nouveau is currently entirely hamstrung on the last few generations of Nvidia cards because they run extremely slowly unless appropriate signed firmware is loaded, and Nvidia refuse permission to distribute that firmware. I'm not aware of any case law around whether private keys are copyrightable (I'd assume not, given that they're supposed to be randomly generated), and whether it's a DMCA violation to make use of leaked keys if you don't violate any other technical protection mechanisms. This would potentially (given a lot of work) allow Nouveau to implement equivalent firmware and sign it, but this would presumably still just result in Nvidia switching to different keys for the next architecture.

Obviously the calculation differs if Nvidia choose under duress to release the drivers under an open source license, but that doesn't seem likely - this still very much reads as an attempt to extort Nvidia into removing restrictions on crypto mining rather than an earnest attempt to improve open source support for their hardware.




From the Nouveau devs themselves: https://nitter.eu/_Lyude/status/1498811646697000961

They claim that leaking anything would actually make their work significantly harder.


Using leaked source code in Nouveau is illegal regardless, and the mere existence of the leak means that the devs have to audit incoming contributions more thoroughly. A similar thing happened to ReactOS in 2006; they had to audit all of the existing source code for more than a year.


I doubt the hackers are actually trying to help open source; it probably just occurred to them that open sourcing would be a way to somewhat future-proof against Nvidia putting those restrictions back in for the next generation of cards.

I'm not sure if they actually have the expectation that Nvidia will meet their demands at all; I certainly wouldn't. Why would Nvidia trust that their word that they won't leak anything is meaningful?


> I'm not aware of any case law around whether private keys are copyrightable

That's often up to debate, apparently. I think most recently, Widevine private keys regularly get DMCA'd.


Distributing the keys is illegal, but what about using the keys and distributing the resulting signed firmware?


IANAL but I could imagine that this leads to different problems in some jurisdictions.

Depending on how you look at it, using another entity's cryptographic key to sign something that then "pretends" to have been produced by that entity might be classified as forgery.

Though these are just my personal thoughts; I'm not sure if that would hold up in practice. Technically you own the hardware, so "forging" the signature yourself for your own hardware probably wouldn't be an issue, but distributing it might be.


> Depending on how you look at it, using another entity's cryptographic key to sign something that then "pretends" to have been produced by that entity might be classified as forgery.

Perhaps, if you were attempting to make that claim to an actual person in a commercial context, deceiving them for personal gain. But in the context of "pretending" only to the hardware? Unlikely, as hardware has no standing in court. Even for-profit distribution shouldn't be an issue so long as it's clear to the human recipients that the signature is only present to fulfill technical requirements and the item wasn't actually produced by the other entity.


Good point, but also good luck explaining that to a judge.


The judicial system has started to recognize the finer details of software. For example, in Google v Oracle, verbatim copying of source code was still found to be a violation of copyright, but using APIs was not (it was deemed fair use).

https://en.wikipedia.org/wiki/Google_LLC_v._Oracle_America,_...


If NVIDIA's firmware signing private keys are in a standard file instead of in an HSM (Hardware Security Module), as all serious companies use, then NVIDIA can only blame themselves.

I seriously doubt that the firmware signing private keys are in the hackers' hands.


This made me think. When I was lead developer for a very big online music provider our private keys were stored in plaintext in the registry of the Windows servers. Never thought about that before. That would have been an ugly leak.


> and whether it's a DMCA violation to make use of leaked keys if you don't violate any other technical protection mechanisms.

It might depend on jurisdiction. The devs could limit liability by not running without the user providing the secrets at build or runtime.
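The two comments above are reasoning about the same mechanism from different angles: the hardware only checks that a signature verifies under the public key it was built with (it cannot tell who held the private key), and a driver project can keep secrets out of its own tree by making its tooling refuse to run unless the user supplies the key at build or runtime. The following is an added example, not code from the thread, from Nouveau or from Nvidia: a toy signer and a verifier standing in for the device's boot check, using Ed25519 from Go's standard library. The image layout (payload followed by a 64-byte signature), the `FIRMWARE_SIGNING_KEY` variable name and every key and payload are constructed for the example and are not any vendor's real format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// Image layout assumed for this example (not any real vendor's format):
// raw firmware payload followed by a 64-byte Ed25519 signature over the payload.
const sigLen = ed25519.SignatureSize

// ErrNoKey is returned when the tool is run without the user supplying a key.
// The tool ships no secret of its own; whoever runs it must bring the key.
var ErrNoKey = errors.New("no signing key supplied: set FIRMWARE_SIGNING_KEY to a hex Ed25519 seed")

// signingKeyFromHex turns a 32-byte hex-encoded seed into an Ed25519 private key,
// rejecting malformed or wrongly sized input instead of signing with garbage.
func signingKeyFromHex(seedHex string) (ed25519.PrivateKey, error) {
	seed, err := hex.DecodeString(seedHex)
	if err != nil {
		return nil, fmt.Errorf("signing key is not valid hex: %w", err)
	}
	if len(seed) != ed25519.SeedSize {
		return nil, fmt.Errorf("signing key seed must be %d bytes, got %d", ed25519.SeedSize, len(seed))
	}
	return ed25519.NewKeyFromSeed(seed), nil
}

// signingKeyFromEnv reads the key the user provides at runtime (hypothetical
// variable name) and refuses to proceed if none is provided.
func signingKeyFromEnv() (ed25519.PrivateKey, error) {
	seedHex := os.Getenv("FIRMWARE_SIGNING_KEY")
	if seedHex == "" {
		return nil, ErrNoKey
	}
	return signingKeyFromHex(seedHex)
}

// signFirmware produces payload || signature without aliasing the caller's slice.
func signFirmware(priv ed25519.PrivateKey, payload []byte) []byte {
	image := append([]byte{}, payload...)
	return append(image, ed25519.Sign(priv, payload)...)
}

// verifyFirmware models the device's boot check: it holds only the vendor's
// public key and accepts any image whose signature verifies under it. It has
// no way to tell who held the private key when the signature was made.
func verifyFirmware(pub ed25519.PublicKey, image []byte) ([]byte, bool) {
	if len(image) < sigLen {
		return nil, false
	}
	payload, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, false
	}
	return payload, true
}

func main() {
	// Vendor side: generate the key pair and "burn" the public half into the device.
	devicePub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	official := signFirmware(vendorPriv, []byte("vendor firmware v1 (constructed sample)"))

	// Third-party side: the same seed, supplied by the user at runtime rather than
	// shipped with the tool. It is set here only to keep the demo self-contained.
	os.Setenv("FIRMWARE_SIGNING_KEY", hex.EncodeToString(vendorPriv.Seed()))
	userPriv, err := signingKeyFromEnv()
	if err != nil {
		panic(err)
	}
	replacement := signFirmware(userPriv, []byte("reimplemented firmware (constructed sample)"))

	// Both images verify: the device sees two valid signatures and nothing else.
	for name, img := range map[string][]byte{"official": official, "replacement": replacement} {
		payload, ok := verifyFirmware(devicePub, img)
		fmt.Printf("%-12s accepted=%v payload=%q\n", name, ok, payload)
	}

	// A key the device does not know, or a single flipped byte, is rejected.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, ok := verifyFirmware(devicePub, signFirmware(otherPriv, []byte("signed with a foreign key")))
	fmt.Println("foreign key  accepted=", ok)
	tampered := append([]byte{}, official...)
	tampered[0] ^= 0x01
	_, ok = verifyFirmware(devicePub, tampered)
	fmt.Println("tampered     accepted=", ok)
}
```

Two things the example makes concrete: the verifier's decision depends only on the public key and the bytes, so a replacement image signed with the same seed is indistinguishable from the vendor's own; and nothing in the tool itself is a secret, so the repository stays clean and the liability question attaches to whoever supplies the key. In production the vendor's seed would live in an HSM that performs the signing and never exposes the seed as hex, which is exactly the point made above about keys in a standard file.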


W.r.t. 2, this has been a thing with Blu-ray and PS3 encryption key leaks [1]. I don't know if courts ever ruled on it.

[1] https://en.wikipedia.org/wiki/PlayStation_3_homebrew


A fun exercise would be to put something copyrighted in a key. Sort of like they did with a prime number that one time.



