When selling a machine with proprietary software that links against an LGPLv3 library, do I need to give the customer root access?

Question

I want to sell some hardware, on which a Linux distribution is installed, and on top of that my proprietary software. I find it difficult to figure out the terms I need to comply to in this scenario particularly because the LGPL seems to assume that I sell my software standalone and the customer has access to the system where it is installed on.

LGPLv3 says that I need to link against an LGPL'd library dynamically so that the user can exchange the version of the LGPL'd library I deliver with another one. That seems straightforward for software the customer installs on their system, but in my case the customer shouldn't have root access to the Linux system.

Without root access, the customer can't exchange the LGPL'd library with a different one. Does this violate LGPLv3?

Answer 1

LGPLv3 is a set of additional permissions to GPLv3. LGPLv3 s4d requires that you ship your software in such a way that an updated version of the LGPL library could be inserted by the end-user, and s4d1 notes that dynamic linking suffices to meet this obligation, as you say.

GPLv3 s6 requires that you provide the end-user with "any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.". GPLv3 refers to this collection of methods, keys, etc. as Installation Information. This requirement is sometimes known as the anti-tivoisation provision.

LGPLv3 doesn't exempt you from GPLv3 s6, but s4e notes that you are so obliged "only if you would otherwise be required to provide such information under section 6 of the GNU GPL, and only to the extent that such information is necessary to install and execute a modified version of the Combined Work produced by recombining or relinking the Application with a modified version of the Linked Version. (If you use option 4d0, the Installation Information must accompany the Minimal Corresponding Source and Corresponding Application Code. If you use option 4d1, you must provide the Installation Information in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.)".

Since you are using option 4d1, as I read it, you must provide the end-user with access credentials sufficient to allow them to update the library version on the device. That doesn't necessarily mean root access, but the onus is on you to find a way to enable the end-user to do this without needing root access, and preferably without rendering the device entirely insecure.