2022-02-02 16:24:00 EST Axel Heider: Does "real time" imply "porting" - or is there an (economic) wish for "real time" in a VM?
2022-02-02 16:25:26 EST Ihor Kuz: When I asked (in the ASK tutorial) whether (kernel) changes would be made public, I was told that there could be discussion about this in the panel. So as a general question/topic: can we discuss the gap/conflict between open source/GPL and secret government work/export control - are they compatible?
2022-02-02 16:30:25 EST Gernot Heiser: Sorry for my failed talk, I was giving an update on the time-protection work there. Proofs are done on an abstract level and are being connected to the seL4 proofs, and in parallel we're working with ETH on specifying the HW mechanisms needed
2022-02-02 16:35:02 EST Gernot Heiser: How can modifications to a GPL code base be kept secret? I'm not a lawyer, but that looks like IP theft to me
2022-02-02 16:38:49 EST June Andronick: A different angle to the closed/open question is about the proofs (as opposed to the code): how can you trust there is some modelling/verification of some properties without seeing the evidence?
2022-02-02 16:39:58 EST Danielle Stewart: Zero-knowledge proofs?
2022-02-02 16:40:32 EST David Hardin: Answer to Todd's question: No, but you don't want standards committee people writing hard real-time specs. 🇨🇨
2022-02-02 16:43:19 EST David Hardin: (Said as a veteran of RT-POSIX, etc. committees.)
2022-02-02 16:43:44 EST Aleksey Nogin: [All IMHO, I am definitely not an IP lawyer] Gernot, AFAIU GPL only requires that the sources are provided to those that are provided with the binaries. If Nick does not give you binaries, then there is no GPL violation in him not giving you sources. So if Nick only provides the binaries to the Government and also provides Government with the sources, he is probably not violating the GPL
2022-02-02 16:43:47 EST Aleksey Nogin: GPL requires that those sources that are given should be given without redistribution restrictions, but I am not sure whether it's a GPL problem if the restrictions come from the Government export control, not from Nick.
2022-02-02 16:44:18 EST Axel Heider: GPL seems to say, when you distribute (!) the modified program to someone else, you have to give them (and only them it seems?) ownership of the modified source code under this license. So that leaves a loophole what "distribute" and "someone else" is.
2022-02-02 16:47:25 EST Stuart Card: "You ain't seen nothin' yet!" The ML at the edge so far is mostly just executing pre-trained models; when we start _training_ at the edge, it will get really heavy computationally.
2022-02-02 16:47:51 EST Ihor Kuz: However, if the government gives the code (binary or source) to anyone else, they cannot place extra restrictions on further (re)distribution (i.e. they can't say "you can only give this code to other government entities"). This makes me wonder what the status of GPL code in the TCCoE repository would be.
2022-02-02 16:51:00 EST Stuart Card: I suspect a bit of "sea lawyering" may suffice: everyone, in order to gain access to the repo, must agree to the rules of engagement of _the repo_; then when something is released to the repo, no additional restriction is placed on that bit of code, but the pre-existing rules of play in the repo would govern the _behavior of the participants_. OTOH I'm not a lawyer either and don't want to be. 😉
2022-02-02 16:52:13 EST Danielle Stewart: What have you seen in your respective companies that hinders the use & application of trusted systems? What do you think a solution could be to resolve this?
2022-02-02 16:54:21 EST Aleksey Nogin: @Danielle: "we have a lot of trouble making sure our suppliers would even get the basics right, it's hopeless to try to get them to use [seL4/formal methods based technologies/etc]"
2022-02-02 16:54:25 EST Stuart Card: +1 Todd!!!
2022-02-02 16:56:25 EST Renato Levy: @Todd, you should know that snakes are tricky to track 😂
2022-02-02 17:03:10 EST Danielle Stewart: Thank you! Great answers and discussion.
2022-02-02 17:08:56 EST Stuart Card: Probably don't even need strong / general AI for that risk to become real: just a step forward in self-modifying code (I'll again mention Genetic Programming).
2022-02-02 17:11:09 EST Renato Levy: better sword, better shield
2022-02-02 17:11:23 EST David Hardin: There are a number of classified programs doing this.
2022-02-02 17:11:41 EST Axel Heider: Stop using C? 😉
2022-02-02 17:12:30 EST David Hardin: Amen to that. We need to stop paying people to generate new vulnerabilities all day, every day.
2022-02-02 17:13:32 EST Nathan Studer: @Ihor Not a lawyer
2022-02-02 17:14:07 EST Jason Li: Great panel!
2022-02-02 17:14:09 EST Nathan Studer: but I think the answer is something like the GPL licenses you to distribute the code, but not to break US export law.
2022-02-02 17:14:40 EST Danielle Stewart: Great panel! Thanks everyone.
2022-02-02 17:16:12 EST Jason Li: I was at least correct on one thing --- Todd is a much better moderator for panels. So he should carry both next time!
2022-02-02 17:20:35 EST Todd Humiston: Thank you Paul!! See you all back here tomorrow!