GPL / Open Source Application

Heinz K wrote (news:44feb929$0$18480$9b4e6d93@newsspool3.arcor-online.net):

Hi all,

I want to publish my application under GPL so it is open source and everyone could modify it. How could I prevent my users from installing "unauthorized" versions by fault? Someone might add malicious code and my application is then blamed for it :-( I already use strong names to sign my application, but this is not transparent for the users as they could not easily check the signature.

What is the best way to 'sign' an application so that the user immediately knows it's an 'official' version? Many thanks!!

Gregory A. Beamer replied:

Adding a CRC check to any files you distribute is a normal step, but anyone creating malware can change this. You can also give source to trust only assemblies signed with your key, but if you have included the key with the source, anyone who generates the project can use it as well (which is why it is not a good idea, no matter how common, to release your own keys with open source ware).

-- 
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
Think outside of the box!

Heinz K replied (news:44fedb53$0$26951$9b4e6d93@newsspool4.arcor-online.net):

Hi Greg,

I'm not sure about the CRC check. Is this done with an additional application the user has to install? I'll check this, thanks.

But what do you mean with "give source to trust only assemblies"? Of course I will not share my private key, so if it's signed with my private key then it's definitely MY application compiled by myself. But end users don't need to trust my key even if they are not admin, so they would not see the key while installing and running the application, or am I wrong there?

Gregory A. Beamer replied:

CRC can be done quite easily, as it is just a checksum. It is most applicable to apps pushed out via a .cab file, as it is easy enough to get a checksum on a compressed library.

As for not "giving the keys", you would be surprised how many people in the open source community HAVE issued source with their own private keys. If someone is going to compile the source separately (not the binary download or install, but the actual source download), they will have to generate their own key. At that point, they will not compile a library trusted as yours. I know this is quite obvious, but I see so many libraries shipped with the full key set from sn.exe. If I can recompile with their key, there is very little way to ensure the library is not corrupted.

-- 
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

Carl (-cd) replied:

Heinz K wrote:
> I want to publish my application under GPL so it is open source and
> everyone could modify it.

<soapbox>
That's nice of you. As a consumer of open source (and closed source) products, I have just one suggestion: don't use the GPL. Use the CPL, or X-windows, or Apache, or any of a hundred other non-viral open-source licenses. The terms of the GPL are so severe that you're seriously limiting the ability of many people to make use of your code if you release it under the GPL. Finally, the GPL was written by lawyers, for lawyers. It's long, complex, and difficult for most people to understand.

See http://www.opensource.org/licenses/ for a list of dozens of OSF-approved open-source licenses. Personally, I like the Boost license (http://www.boost.org/LICENSE_1_0.txt). It's short, easy to understand, and sufficient for individual contributions. If you're contributing on behalf of a company, there are provisions in some of the other licenses that may be important to you.

Oh, and IANAL, but I've read a lot of open source licenses.
</soapbox>

-cd

Heinz K replied:

Hi Carl,

thanks for the info, I'll check the CPL. I've also seen the Creative Commons, but GPL is spread widely so many users know the content of the license roughly. Additionally my application is a little bit complex, so I guess no one would just copy parts of it (which was your main point if I understand correctly) but only add some new features, and then I would prefer to have it open source again.

Mike Lowery replied:

"Heinz K" <Heinz-NoSpam@NoSpamPlease.com> wrote in message news:44feb929$0$18480$9b4e6d93@newsspool3.arcor-online.net...
> I want to publish my application under GPL so it is open source and everyone
> could modify it.

One of the main goals of open source is to allow end users to modify your code.

> How could I prevent my users from installing "unauthorized" versions by fault?
> Someone might add malicious code and my application is then blamed for it :-(

You have no say in that. If they choose to modify it and make it worse than it already was, then release it to the public, that's their prerogative.

> What is the best way to 'sign' an application so that the user immediately
> knows it's an 'official' version? Many thanks!!

One of the best ways is to post your project to a well known open source site like SourceForge.

Heinz K replied (news:44ffbe2b$0$26963$9b4e6d93@newsspool4.arcor-online.net):

Mike Lowery schrieb:
> One of the main goals of open source is to allow end users to modify your code.
> You have no say in that. If they choose to modify it and make it worse than it
> already was, then release it to the public, that's their prerogative.

But the users will then blame 'my' application for containing malicious code. So of course everyone might change the code, but the end user should be easily able to check whether this is an 'official' (=released by myself) version or whether it's a modification by a third person. But SourceForge is a good option, I'll think about that, thanks!

Mike Lowery replied:

> But the users will then blame 'my' application for containing malicious code.

How is it "your" application if someone else releases it under a different name?

> So of course everyone might change the code, but the end user should be easily
> able to check whether this is an 'official' (=released by myself) version or
> whether it's a modification by a third person.

If you're that concerned about it, don't license it as open source! You essentially lose all control doing that. You could still include the source code, but don't let end users modify and/or redistribute it by stating that in the licensing. If you find that they do, you can then go after them legally (good luck.)

Mehdi replied:

On Wed, 06 Sep 2006 14:03:48 +0200, Heinz K wrote:
> I want to publish my application under GPL so it is open source and
> everyone could modify it. How could I prevent my users from installing
> "unauthorized" versions by fault?
> What is the best way to 'sign' an application so that the user
> immediately knows it's an 'official' version?

By definition, if your application is released under an open source license, then anybody can download the source code, modify it and release the modified version. You can add as much signing as you want, it won't change anything since anybody will have access to the whole source code and will therefore be able to do anything they want and make it appear to the user as if it was the original version.

Jon Skeet replied:

Mehdi <vio***@REMOVEME.gmail.com> wrote:
> By definition, if your application is released under an open source
> license, then anybody can download the source code, modify it and release
> the modified version. You can add as much signing as you want, it won't
> change anything since anybody will have access to the whole source code.

No, that's not true. If the OP signs it with a private key and publishes the public key somewhere, then anyone who wants to can tell that a modified and recompiled version (which can't be signed with the private key, because the OP has kept it safe) isn't from the OP.

Alternatively, the OP could just publish the MD5 sum of the original binary, so people could tell if it's been altered (modulo hacks which give the same sum - I know there have been attacks, but it's unlikely to be feasible in this case, I believe; use a different hash algorithm if necessary).

-- 
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too

Heinz K replied:

Jon Skeet [C# MVP] schrieb:
> No, that's not true. If the OP signs it with a private key and
> publishes the public key somewhere, then anyone who wants to can tell
> that a modified and recompiled version (which can't be signed with the
> private key, because the OP has kept it safe) isn't from the OP.

Hi Jon,

yes, that is exactly my goal. But how could an end user check the keys easily? Of course I could not add a check to my application because everyone might remove or fake the test ;-)

> Alternatively, the OP could just publish the MD5 sum of the original
> binary, so people could tell if it's been altered (modulo hacks which
> give the same sum - I know there have been attacks, but it's unlikely
> to be feasible in this case, I believe; use a different hash algorithm
> if necessary).

Yes, this is really no high security application, so we need not prevent any checksum hacks. Did you ever work with checksums and do you have any suggestions how to implement this? Wikipedia said that Windows does not have any checksum checker onboard :-(

Heinz K wrote:

Hi Jon,

searching the net I found a little tool from Microsoft which computes MD5 and SHA values. Looks quite good, and additionally it's from Microsoft which most users trust (for whatever reason... ;-) ).

http://support.microsoft.com/kb/841290/EN-US/

I think I'll use this one and publish the codes then on my webpage (or SourceForge). Or are there any better ideas?

Many thanks to all for your replies!!

Jon Skeet replied:

Heinz K <Heinz-NoSpam@NoSpamPlease.com> wrote:
> I think I'll use this one and publish the codes then on my webpage (or
> SourceForge). Or are there any better ideas?

Nope - publishing the md5sum on SourceForge or your website is exactly the way to go, I'd say.

-- 
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too
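The two schemes Jon Skeet describes (publish a digest of the official binary, or sign the binary with a private key and publish only the public key) are shown below as an added example in Go; it is not code from anyone in this thread. The "release binary" is a constructed byte string, Ed25519 stands in for the .NET strong-name signature the thread talks about, and SHA-256 stands in for MD5 because MD5 is no longer collision resistant. The function names (PublishedDigest, VerifyDigest, SignRelease, VerifyRelease, Modify) are this example's own. It also covers Greg's point about shipped private keys: a fork re-signed with someone else's key still fails against the developer's published key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// OfficialBuild is a constructed stand-in for the release binary; any byte
// slice (e.g. the contents of an .exe read from disk) works the same way.
var OfficialBuild = []byte("official build of the application v1.0")

// --- Scheme 1: publish a digest of the official binary -------------------
// The developer posts PublishedDigest(OfficialBuild) on the project page;
// the end user recomputes it over the downloaded file and compares.

// PublishedDigest returns the hex SHA-256 digest the developer would publish.
func PublishedDigest(binary []byte) string {
	sum := sha256.Sum256(binary)
	return hex.EncodeToString(sum[:])
}

// VerifyDigest is the end user's check: does the downloaded file match the
// digest published on the website or SourceForge page?
func VerifyDigest(downloaded []byte, published string) bool {
	return PublishedDigest(downloaded) == published
}

// --- Scheme 2: sign the binary, publish only the public key ---------------

// Release bundles a binary with a detached signature over its bytes.
type Release struct {
	Binary    []byte
	Signature []byte
}

// GenerateDeveloperKeys creates the key pair. The private half stays with
// the developer and is never shipped with the source.
func GenerateDeveloperKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignRelease is run by the developer on the official build only.
func SignRelease(priv ed25519.PrivateKey, binary []byte) Release {
	return Release{Binary: binary, Signature: ed25519.Sign(priv, binary)}
}

// VerifyRelease is the end user's check against the published public key.
// The length checks come first because ed25519.Verify panics on a
// malformed key, and a verifier must fail closed rather than crash.
func VerifyRelease(pub ed25519.PublicKey, r Release) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("published public key has the wrong length")
	}
	if len(r.Signature) != ed25519.SignatureSize {
		return errors.New("signature has the wrong length")
	}
	if !ed25519.Verify(pub, r.Binary, r.Signature) {
		return errors.New("signature does not verify: not the official build")
	}
	return nil
}

// Modify stands in for a recompiled fork with extra code (constructed for
// the demo; any change to the bytes has the same effect on both checks).
func Modify(binary []byte) []byte {
	out := append([]byte(nil), binary...)
	return append(out, []byte(" with extra code")...)
}

func main() {
	pub, priv, err := GenerateDeveloperKeys()
	if err != nil {
		panic(err)
	}
	digest := PublishedDigest(OfficialBuild)
	official := SignRelease(priv, OfficialBuild)
	// A modified binary shipped with the original signature file.
	fork := Release{Binary: Modify(OfficialBuild), Signature: official.Signature}

	fmt.Println("official digest matches:", VerifyDigest(official.Binary, digest))
	fmt.Println("fork digest matches:    ", VerifyDigest(fork.Binary, digest))
	fmt.Println("official signature ok:  ", VerifyRelease(pub, official) == nil)
	fmt.Println("fork signature ok:      ", VerifyRelease(pub, fork) == nil)

	// A fork signed with the forker's own key verifies against that key but
	// not against the developer's published one.
	forkPub, forkPriv, _ := GenerateDeveloperKeys()
	resigned := SignRelease(forkPriv, fork.Binary)
	fmt.Println("resigned fork vs developer key:", VerifyRelease(pub, resigned) == nil)
	fmt.Println("resigned fork vs its own key:  ", VerifyRelease(forkPub, resigned) == nil)
}
```

The digest scheme needs nothing but a trusted place to publish the hex string; the signature scheme additionally lets the developer sign future releases without updating every user's copy of the digest, as long as the public key was obtained from a trusted source in the first place.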