GPL / Open Source Application

Heinz K

Hi all,

I want to publish my application under GPL so it is open source and
everyone could modify it. How could I prevent my users from installing
"unauthorized" versions by fault? Someone might add malicious code and
my application is then blamed for it :-( I use already strong names to
sign my application, but this is not transparent for the users as they
could not easily check the signature.

What is the best way to 'sign' an application so that the user
immediately knows it's an 'official' version? Many thanks!!
 
Cowboy (Gregory A. Beamer)

Adding a CRC check to any files you distribute is a normal step, but anyone
creating malware can change this. You can also give source to trust only
assemblies signed with your key, but if you have included the key with the
source, anyone who generates the project can use it as well (which is why
it is not a good idea, no matter how common, to release your own keys with
open source ware).

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

*************************************************
Think outside of the box!
*************************************************
 
Carl Daniel [VC++ MVP]

Heinz said:
Hi all,

I want to publish my application under GPL so it is open source and
everyone could modify it.

<soapbox>

That's nice of you. As a consumer of open source (and closed source)
products, I have just one suggestion: don't use the GPL. Use the CPL, or
X-windows, or Apache, or any of a hundred other non-viral open-source
licenses. The terms of the GPL are so severe that you're seriously limiting
the ability of many people to make use of your code if you release it under
the GPL. Finally, the GPL was written by lawyers, for lawyers. It's long,
complex, and difficult for most people to understand.

See http://www.opensource.org/licenses/ for a list of dozens of OSF-approved
open-source licenses. Personally, I like the Boost license
(http://www.boost.org/LICENSE_1_0.txt). It's short, easy to understand, and
sufficient for individual contributions. If you're contributing on behalf
of a company, there are provisions in some of the other licenses that may be
important to you. Oh, and IANAL, but I've read a lot of open source
licenses.

</soapbox>

-cd
 
Heinz K

Hi Greg,

I'm not sure about the CRC check. Is this done with an additional
application the user has to install? I'll check this, thanks.

But what do you mean with "give source to trust only assemblies"? Of
course I will not share my private key, so if it's signed with my private
key then it's definitely MY application compiled by myself. But end users
don't need to trust my key even if they are not admin, so they would
not see the key while installing and running the application, or am I
wrong there?
 
Heinz K

Hi Carl,

thanks for the info, I'll check the CPL. I've also seen the Creative
Commons but GPL is spread widely so many users know the content of the
license roughly. Additionally my application is a little bit complex so
I guess no one would just copy parts of it (which was your main point if
I understand correctly) but only add some new features and then I would
prefer to have it open source again.
 
Mike Lowery

Heinz K said:
Hi all,

I want to publish my application under GPL so it is open source and everyone
could modify it. How could I prevent my users from installing "unauthorized"
versions by fault? Someone might add malicious code and my application is then
blamed for it :-( I use already strong names to sign my application, but this
is not transparent for the users as they could not easily check the signature.

One of the main goals of open source is to allow end users to modify your code.
You have no say in that. If they choose to modify it and make it worse than it
already was, then release it to the public, that's their prerogative.

What is the best way to 'sign' an application so that the user immediately
knows it's an 'official' version? Many thanks!!

One of the best ways is to post your project to a well known open source site
like SourceForge.
 
Mehdi

I want to publish my application under GPL so it is open source and
everyone could modify it. How could I prevent my users from installing
"unauthorized" versions by fault? Someone might add malicious code and
my application is then blamed for it :-( I use already strong names to
sign my application, but this is not transparent for the users as they
could not easily check the signature.

What is the best way to 'sign' an application so that the user
immediately knows it's an 'official' version? Many thanks!!

By definition, if your application is released under an open source
license, then anybody can download the source code, modify it and release
the modified version. You can add as much signing as you want, it won't
change anything since anybody will have access to the whole source code and
will therefore be able to do anything they want and make it appear to the
user as if it were the original version.
 
Jon Skeet [C# MVP]

Mehdi said:
By definition, if your application is released under an open source
license, then anybody can download the source code, modify it and release
the modified version. You can add as much signing as you want, it won't
change anything since anybody will have access to the whole source code and
will therefore be able to do anything they want and make it appear to the
user as if it were the original version.

No, that's not true. If the OP signs it with a private key and
publishes the public key somewhere, then anyone who wants to can tell
that a modified and recompiled version (which can't be signed with the
private key, because the OP has kept it safe) isn't from the OP.

Alternatively, the OP could just publish the MD5 sum of the original
binary, so people could tell if it's been altered (modulo hacks which
give the same sum - I know there have been attacks, but it's unlikely
to be feasible in this case, I believe; use a different hash algorithm
if necessary).
 
Heinz K

Mike said:
One of the main goals of open source is to allow end users to modify your code.
You have no say in that. If they choose to modify it and make it worse than it
already was, then release it to the public, that's their prerogative.

But the users will then blame 'my' application for containing malicious
code. So of course everyone might change the code, but the end user
should be easily able to check whether this is an 'official' (=released
by myself) version or whether it's a modification by a third person.

But Sourceforge is a good option, I'll think about that, thanks!
 
Heinz K

Jon said:
No, that's not true. If the OP signs it with a private key and
publishes the public key somewhere, then anyone who wants to can tell
that a modified and recompiled version (which can't be signed with the
private key, because the OP has kept it safe) isn't from the OP.

Hi Jon,

yes, that is exactly my goal. But how could an end user check the keys
easily? Of course I could not add a check to my application because
everyone might remove or fake the test ;-)

Alternatively, the OP could just publish the MD5 sum of the original
binary, so people could tell if it's been altered (modulo hacks which
give the same sum - I know there have been attacks, but it's unlikely
to be feasible in this case, I believe; use a different hash algorithm
if necessary).

Yes, this is really not a high-security application, so we need not prevent
any checksum hacks. Did you ever work with checksums and do you have any
suggestions how to implement this? Wikipedia said that Windows does not
have any checksum checker onboard :-(
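The "publish a hash of the official binary" scheme Jon describes above, and the "how to implement this" question here, worked through as an added example that is not part of the thread: the maintainer publishes a checksum file in md5sum/sha256sum format, and a user (or a download script) recomputes the digest of what they downloaded and compares it. The two "binaries" are constructed byte strings, not real files, and the checksum text must itself come from a source the user trusts (the author's own page over HTTPS), otherwise a tamperer can republish matching sums.

```python
import hashlib
import hmac

# Constructed stand-ins for a release binary and a copy with one byte changed.
OFFICIAL_BINARY = b"MZ\x90\x00" + b"official build v1.0;" * 8
TAMPERED_BINARY = OFFICIAL_BINARY[:-1] + b"X"


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data, as md5sum / sha256sum would print it."""
    return hashlib.new(algorithm, data).hexdigest()


def publish_checksums(files: dict, algorithm: str = "sha256") -> str:
    """Text the maintainer puts beside the download: '<hex>  <filename>' per line."""
    return "".join(f"{digest(data, algorithm)}  {name}\n" for name, data in files.items())


def parse_checksums(text: str) -> dict:
    """Parse '<hex>  <filename>' lines (md5sum format); blanks and '#' comments are skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, _, name = line.partition("  ")
        expected[name.lstrip("*")] = hexdigest.lower()  # '*' marks binary mode in md5sum output
    return expected


def verify(name: str, data: bytes, published: str, algorithm: str = "sha256") -> bool:
    """True only if the published list names this file and its digest matches the download."""
    expected = parse_checksums(published)
    if name not in expected:
        return False  # a file the author never listed is not an official release
    return hmac.compare_digest(digest(data, algorithm), expected[name])


if __name__ == "__main__":
    sums = publish_checksums({"myapp-1.0.exe": OFFICIAL_BINARY})
    print(sums, end="")
    print("official :", verify("myapp-1.0.exe", OFFICIAL_BINARY, sums))   # True
    print("tampered :", verify("myapp-1.0.exe", TAMPERED_BINARY, sums))   # False
```

The same code works with `algorithm="md5"` for an md5sum-style list, but the comparison is only as strong as the hash, which is why a stronger algorithm is the cheaper choice once collisions are a concern.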
 
Heinz K

Hi Jon,

searching the net I found a little tool from Microsoft which computes
MD5 and SHA values. Looks quite good, and additionally it's from
Microsoft which most users trust (for whatever reason... ;-) ).

http://support.microsoft.com/kb/841290/EN-US/

I think I'll use this one and publish the codes then on my webpage (or
Sourceforge). Or are there any better ideas?

Many thanks to all for your replies!!
 
Mike Lowery

Heinz K said:
But the users will then blame 'my' application for containing malicious code.
So of course everyone might change the code, but the enduser should be easily
able to check whether this is an 'official' (=released by myself) version or
whether it's a modification by a third person.

How is it "your" application if someone else releases it under a different name?
If you're that concerned about it, don't license it as open source! You
essentially lose all control doing that. You could still include the source
code, but don't let end users modify and/or redistribute it by stating that in
the licensing. If you find that they do, you can then go after them legally
(good luck.)
 
Jon Skeet [C# MVP]

Heinz K said:
searching the net I found a little tool from Microsoft which computes
MD5 and SHA values. Looks quite good, and additionally it's from
Microsoft which most users trust (for whatever reason... ;-) ).

http://support.microsoft.com/kb/841290/EN-US/

I think I'll use this one and publish the codes then on my webpage (or
Sourceforge). Or are there any better ideas?

Many thanks to all for your replies!!

Nope - publishing the md5sum on SourceForge or your website is exactly
the way to go, I'd say.
 
Cowboy (Gregory A. Beamer)

CRC can be done quite easily, as it is just a checksum. It is most
applicable to apps pushed out via a .cab file, as it is easy enough to get a
checksum on a compressed library.

As for not "giving the keys", you would be surprised how many people in the
open source community HAVE issued source with their own private keys. If
someone is going to compile the source separately (not the binary download
or install, but the actual source download), they will have to generate
their own key. At that point, they will not compile a library trusted as
yours. I know this is quite obvious, but I see so many libraries shipped
with the full key set from sn.exe. If I can recompile with their key, there
is very little way to ensure the library is not corrupted.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

*************************************************
Think outside of the box!
*************************************************