Re: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing

2010-02-08 Thread Sanjeev (EIPI)
On 2/8/10, Andrew Flegg  wrote:
> On Mon, Feb 8, 2010 at 00:18, Sanjeev (EIPI)
>  wrote:
>>
>> As I said, I am new at this, so I did not see some of these issues before
>> starting development.  The points you make are quite valid, and I did not
>> realize that python was distributed as source.  That may sound obvious to
>> many, but I am not a s/w person at all.
>>
>> I wonder how independent developers are making use of this API then?  It
>> confuses me greatly.
>
> In my opinion, you should go to "best efforts"; and here are some
> suggestions to try and keep the key (slightly) hidden:
>
> 1) non-free package
> ~~~
>   * Create a non-free (i.e. binary) package which contains your API
> keys encrypted in some way (perhaps just XORing the values) and
> a small C program which decrypts them.
>
>   * Create your Python package as normal, with a `Depends' on the
> non-free package and call the small C program from within your
> app.
>
> It's not "real" security, but that should be OK. The biggest problem I
> can see is that the C program would then be callable by any other
> developer.
>
> 2) Retrieve keys at install time
> 
>
>   * Create your Python package as normal, but ensure it does not
> contain the keys.
>
>   * In your package's postinst you can be fairly sure there's a
> network connection, so retrieve the keys from a known URL.
>
>   * You could even have it so that the URL is a small little PHP
> script which has a list of MD5s for the main Python file and
> that this is sent as a query parameter. When a new version is
> released you get the package from Extras and add the MD5 to
> the PHP file. You could even XOR things with the MD5 sent so
> that you get an extra layer of obscurity.
>
>> FWIW - the application I made provides a simple UI so that a user
>> can enter an airline, and flight number.  The app then uses the
>> flightstats.com API to search for the flight's current status.
>> The app provides a list of airlines so that the user does not have
>> to know the airline code.
>
> Sounds excellent.
>
> It's worth bearing in mind that almost every app using this API, on
> every platform will be able to have the keys retrieved unless there is
> an in-built security mechanism such as that being developed for Maemo
> 6. However, even then, distribution mechanisms could be the weakest
> link.
>
> At some point, flightstats.com will have to trust a device
> (whether N900, desktop, Nexus One or jailbroken iPhone) which could be
> in a malicious user's hands.
>
> Hope that helps,
>
> Andrew
>
> --
> Andrew Flegg -- mailto:and...@bleb.org  |  http://www.bleb.org/
>

Thank you for the ideas, Andrew.  I will have to think about the best
method that I can provide obscurity that is within my means at the
moment. Retrieving the keys at install time sounds like a good
candidate.

I have packaging headaches right now that I need to resolve.  Once
those are squared away, I'll tackle the key obscurity issue.

Thanks again!

Sanjeev
-- 
EIPI
Mobile Tablets! Blog: http://mobiletablets.blogspot.com
___
maemo-developers mailing list
maemo-developers@maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers


Re: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing

2010-02-08 Thread Ville M. Vainio
On Mon, Feb 8, 2010 at 2:36 PM, Edward Johns  wrote:

> Rather than an external c program you could consider making a c
> extension that you can import into Python.
>
> Take a look at cython (I seem to remember a tutorial on this in the pymaemo 
> pages)

All that stuff can be easily circumvented by just editing the
source code and printing the key after it is acquired. Or, hooking
into the network communication. Or, whatever.

This kind of security is unimplementable locally without hardware
support; the best you can get is a small degree of obscurity.

-- 
Ville M. Vainio
http://tinyurl.com/vainio


Re: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing

2010-02-08 Thread Edward Johns
> 1) non-free package
> ~~~
>  * Create a non-free (i.e. binary) package which contains your API
>    keys encrypted in some way (perhaps just XORing the values) and
>    a small C program which decrypts them.
>
Rather than an external c program you could consider making a c
extension that you can import into Python.

Take a look at cython (I seem to remember a tutorial on this in the pymaemo pages)

Ed


Re: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing

2010-02-07 Thread Andrew Flegg
On Mon, Feb 8, 2010 at 00:18, Sanjeev (EIPI)
 wrote:
>
> As I said, I am new at this, so I did not see some of these issues before
> starting development.  The points you make are quite valid, and I did not
> realize that python was distributed as source.  That may sound obvious to
> many, but I am not a s/w person at all.
>
> I wonder how independent developers are making use of this API then?  It
> confuses me greatly.

In my opinion, you should go to "best efforts"; and here are some
suggestions to try and keep the key (slightly) hidden:

1) non-free package
~~~
  * Create a non-free (i.e. binary) package which contains your API
keys encrypted in some way (perhaps just XORing the values) and
a small C program which decrypts them.

  * Create your Python package as normal, with a `Depends' on the
non-free package and call the small C program from within your
app.

It's not "real" security, but that should be OK. The biggest problem I
can see is that the C program would then be callable by any other
developer.

2) Retrieve keys at install time


  * Create your Python package as normal, but ensure it does not
contain the keys.

  * In your package's postinst you can be fairly sure there's a
network connection, so retrieve the keys from a known URL.

  * You could even have it so that the URL is a small little PHP
script which has a list of MD5s for the main Python file and
that this is sent as a query parameter. When a new version is
released you get the package from Extras and add the MD5 to
the PHP file. You could even XOR things with the MD5 sent so
that you get an extra layer of obscurity.

> FWIW - the application I made provides a simple UI so that a user
> can enter an airline, and flight number.  The app then uses the
> flightstats.com API to search for the flight's current status.
> The app provides a list of airlines so that the user does not have
> to know the airline code.

Sounds excellent.

It's worth bearing in mind that almost every app using this API, on
every platform will be able to have the keys retrieved unless there is
an in-built security mechanism such as that being developed for Maemo
6. However, even then, distribution mechanisms could be the weakest
link.

At some point, flightstats.com will have to trust a device
(whether N900, desktop, Nexus One or jailbroken iPhone) which could be
in a malicious user's hands.

Hope that helps,

Andrew

-- 
Andrew Flegg -- mailto:and...@bleb.org  |  http://www.bleb.org/


Re: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing

2010-02-07 Thread Sanjeev (EIPI)
On Sun, Feb 7, 2010 at 7:08 PM, Sanjeev (EIPI)
wrote:

>
>
> On Sun, Feb 7, 2010 at 1:44 PM, David Greaves  wrote:
>
>> Sanjeev (EIPI) wrote:
>> > Thank you for the reply. To clarify this particular situation a bit
>> > more... The API key is available only on a paid basis. For some novel or
>> > new devices, a limited use (read: non-commercial) key is given to
>> > developers that apply for one. So, a casual user is not able to obtain
>> > their own API key. I have obtained one of these limited use keys for use
>> > in my application.
>> >
>> > This is the reason why I was inquiring about how to protect the API key
>> > within the application.
>>
>> (nb try not to top-post)
>>
>> This is not a licensing issue, it's a security issue.
>> (Well, actually, you may contravene the api publisher's license since you
>> probably can't avoid publishing your personal credentials to the world).
>>
>> In general if you distribute a binary containing credentials then the
>> credentials can be extracted. You need a fairly complex security system to
>> avoid
>> this (eg Harmattan's upcoming DRM management which is the problem you're
>> attempting to solve - and look how well that worked out so far).
>>
>> You have several obvious problems:
>> * python is distributed as source - it's hard to obfuscate
>> * the api key will almost certainly be clear in the source
>> * if you encrypt the credentials then the decryption routine will be clear
>> * if you obfuscate it (eg compile) then it has to be capable of being read
>> by
>> the CPU - or by a debugger.
>>
>> One solution is to use a proxy. Provide an 'open' service that your app
>> calls
>> and which then passes the request on to the paid service using credentials
>> kept
>> on the proxy. This is likely a breach of the terms-of-use license.
>>
>> As the problem is outlined I think you're out of luck - sorry.
>>
>> David
>>
>> --
>> "Don't worry, you'll be fine; I saw it work in a cartoon once..."
>>
>
>
>
Thank you for the reply, David (and sorry for top-posting).

As I said, I am new at this, so I did not see some of these issues before
starting development.  The points you make are quite valid, and I did not
realize that python was distributed as source.  That may sound obvious to
many, but I am not a s/w person at all.

I wonder how independent developers are making use of this API then?  It
confuses me greatly.

FWIW - the application I made provides a simple UI so that a user can enter
an airline, and flight number.  The app then uses the flightstats.com API to
search for the flight's current status.  The app provides a list of airlines
so that the user does not have to know the airline code.

This data is available through their API on a paid basis.  For simple
widgets, they allow developers to use the API as long as they provide deep
links back to their site (for advertising revenue).  I am curious now how
other application developers use the API key so that it is secure.

Would C be a better choice?  It sounds as though it may not, since you say
that the API key can still be 'found out'.


Re: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing

2010-02-07 Thread Yves-Alexis Perez
On 07/02/2010 20:04, igor.sto...@nokia.com wrote:
> However it's not impossible to do secure operations on the N900, they
> just must be done on the cellular modem, which is perfectly capable
> to manage keys in a way that is not worse than any other Nokia
> phone.

And afaik the omap3 supports Trustzone, so it should be possible to
use it even before Maemo6 comes, though it might be a bit tricky without
OS support.

Cheers,
-- 
Yves-Alexis



RE: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing

2010-02-07 Thread Igor.Stoppa

From: maemo-developers-boun...@maemo.org [maemo-developers-boun...@maemo.org] 
On Behalf Of ext David Greaves [da...@dgreaves.com]
Sent: 07 February 2010 20:44
To: Sanjeev (EIPI)
Cc: maemo-developers@maemo.org; Aldon Hynes
Subject: Re: [New Developer]: Questions - Python Packaging / Free or
Non-Free/ Software Licensing


> As the problem is outlined I think you're out of luck - sorry.

Well, in general there's no perfect system, he just has to devise something 
that requires more cracking effort than it's worth for having illegal access to 
the functionality :-) 

And possibly make the crack device-specific.

However it's not impossible to do secure operations on the N900, they just must 
be done on the cellular modem, which is perfectly capable of managing keys in a 
way that is not worse than any other Nokia phone.

Obviously as soon as the control comes back to the linux side, anything is 
possible.

But, as I said, it's just a matter of making it complex enough.

After all even sk...@n900 is subject to the same security problems.

But python programming is probably not the most effective way to reach the goal.

igor


Re: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing

2010-02-07 Thread David Greaves
Sanjeev (EIPI) wrote:
> Thank you for the reply. To clarify this particular situation a bit
> more... The API key is available only on a paid basis. For some novel or
> new devices, a limited use (read: non-commercial) key is given to
> developers that apply for one. So, a casual user is not able to obtain
> their own API key. I have obtained one of these limited use keys for use
> in my application.
> 
> This is the reason why I was inquiring about how to protect the API key
> within the application.

(nb try not to top-post)

This is not a licensing issue, it's a security issue.
(Well, actually, you may contravene the api publisher's license since you
probably can't avoid publishing your personal credentials to the world).

In general if you distribute a binary containing credentials then the
credentials can be extracted. You need a fairly complex security system to avoid
this (eg Harmattan's upcoming DRM management which is the problem you're
attempting to solve - and look how well that worked out so far).

You have several obvious problems:
* python is distributed as source - it's hard to obfuscate
* the api key will almost certainly be clear in the source
* if you encrypt the credentials then the decryption routine will be clear
* if you obfuscate it (eg compile) then it has to be capable of being read by
the CPU - or by a debugger.

One solution is to use a proxy. Provide an 'open' service that your app calls
and which then passes the request on to the paid service using credentials kept
on the proxy. This is likely a breach of the terms-of-use license.

As the problem is outlined I think you're out of luck - sorry.

David

-- 
"Don't worry, you'll be fine; I saw it work in a cartoon once..."
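The proxy David describes, as an added example that is not code from this thread: the validation and credential-attachment half of such a relay, written in Python. The upstream URL, the `appId` parameter name and the `FLIGHT_PROXY_API_KEY` environment variable are assumptions, not flightstats.com's real API; the outbound HTTP fetch and the listening socket are left to the caller.

```python
import os
import re
import time
from collections import defaultdict
from urllib.parse import urlencode

# The paid credential lives only on the proxy host, read from the environment.
# Variable name and upstream URL are constructed for this example.
UPSTREAM_BASE = "https://example.invalid/flightstatus"
API_KEY = os.environ.get("FLIGHT_PROXY_API_KEY", "constructed-demo-key")

# Only the two fields the app needs are accepted, in a strict shape, so the
# proxy cannot be turned into a generic relay for the paid service.
AIRLINE_RE = re.compile(r"^[A-Z0-9]{2,3}$")   # IATA (2) or ICAO (3) code
FLIGHT_RE = re.compile(r"^[0-9]{1,4}$")


class RateLimiter:
    """Sliding-window per-client limiter: an abused proxy should hit this
    before it burns the paid quota behind the credential."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self._hits = defaultdict(list)

    def allow(self, client, now):
        hits = [t for t in self._hits[client] if now - t < self.window_s]
        if len(hits) >= self.limit:
            self._hits[client] = hits
            return False
        hits.append(now)
        self._hits[client] = hits
        return True


limiter = RateLimiter(limit=30, window_s=60)


def handle(client_id, params, now=None):
    """Validate the app's request and build the proxy's own upstream request.

    Returns (status, payload): on 200 the payload is the upstream URL the proxy
    fetches server-side; otherwise it is an error string for the client. The
    credential is appended here and is never part of anything sent back.
    """
    now = time.time() if now is None else now
    airline = params.get("airline", "").strip().upper()
    flight = params.get("flight", "").strip()
    if not AIRLINE_RE.match(airline) or not FLIGHT_RE.match(flight):
        return 400, "bad airline or flight number"
    if not limiter.allow(client_id, now):
        return 429, "rate limit exceeded"
    query = urlencode({"airline": airline, "flight": flight, "appId": API_KEY})
    return 200, f"{UPSTREAM_BASE}?{query}"
```

As David notes, routing the paid service through an open relay may itself breach the API's terms of use, so this is a design to check against the licence before deploying.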


Re: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing

2010-02-07 Thread Sanjeev (EIPI)
Thank you for the reply.  To clarify this particular situation a bit more... 
The API key is available only on a paid basis.  For some novel or new devices, 
a limited use (read: non-commercial) key is given to developers that apply for 
one.  So, a casual user is not able to obtain their own API key.  I have 
obtained one of these limited use keys for use in my application.

This is the reason why I was inquiring about how to protect the API key within 
the application.

Sanjeev
   
--
EIPI (Sanjeev)
Sent from my Nokia N900


- Original message -
> What people normally do in other projects I'm involved with is that they
> make the API key a configuration option and pass a sample API key.  That
> way, anyone who uses the application is required to get an API key for the
> application from the third party, and the developer does not have to worry
> about his key getting misused.  The instructions for installing the app then
> include details about how each user goes out and gets their own API key.
>
> By doing it this way, you don't have to keep anything secret and you should be
> able to upload all the source into free.
>
> Personally, I've avoided the religious wars about different open source
> software licenses, and I'll leave that and other questions to people with
> stronger opinions on these topics.
>
> Aldon
> http://www.orient-lodge.com/N900
>
>    -Original Message-
>    From: maemo-developers-boun...@maemo.org
> [mailto:maemo-developers-boun...@maemo.org] on Behalf Of Sanjeev (EIPI)
>    Sent: Saturday, February 06, 2010 2:29 PM
>    To: maemo-developers@maemo.org
>    Subject: [New Developer]: Questions - Python Packaging / Free or Non-Free
> / Software Licensing
>
>
>    Hello,
>
>    I am developing a python/QT application for Fremantle.  This is my first
> application for Maemo, so I have been on a steep learning curve for the past
> 2 weeks for things related to the SDK, python, QT, etc.  I finally have it
> (mostly) working within scratchbox, and on the device, but it is not yet
> packaged.  I am using a proprietary API within the code which requires my
> personal credentials to be passed.  The credentials are in the form of a
> unique alpha-numeric string.  The company that has issued these credentials
> has asked that they are not to be made public.  I am able to use their API
> so long as I adhere to this and a few other restrictions that they have in
> place.  Some questions I now have:
>
>    1. I am researching how to package my python application for maemo.org
> Extras-devel.  Due to the restrictions placed on the API login credentials,
> I am unclear whether the app can use the 'free' distribution.  I am not at
> all worried about exposing the source code, but am not sure if that can be
> done without revealing the API credentials.  Is there any way to distribute
> my application in 'free', or does it have to be under 'non-free'?
>
>    2. If it is 'non-free', am I correct in my understanding that none of the
> source code gets uploaded to maemo.org?
>
>    3. I have seen both pypackager and py2deb being mentioned in the wiki
> articles on python packaging.  Which one should I use?  I understand that
> pypackager does not have a GUI for Fremantle yet - should I wait for that?
>
>    4. Do I use the Extras Assistant [1] after creating my package?  Does it
> allow for both free and non-free?
>
>    5. Software licensing - I know nothing about this.  What are my options
> for free and for non-free?  I understand that Mauku is non-free, and is
> therefore under copyright by its developer.
>
>    Sorry if any of this is very basic.  My interest in Maemo is now growing
> into the area of application development, and that is something that I do
> not do professionally.  In fact, I am very far from this area in my day job.
>
>    Many thanks,
>
>    Sanjeev
>
>    [1] https://garage.maemo.org/extras-assistant/index.php
>
>
>    --
>    EIPI
>    Mobile Tablets! Blog: http://mobiletablets.blogspot.com
>



RE: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing

2010-02-07 Thread Aldon Hynes
What people normally do in other projects I'm involved with is that they
make the API key a configuration option and pass a sample API key.  That
way, anyone who uses the application is required to get an API key for the
application from the third party, and the developer does not have to worry
about his key getting misused.  The instructions for installing the app then
include details about how each user goes out and gets their own API key.

By doing it this way, you don't have to keep anything secret and you should be
able to upload all the source into free.

Personally, I've avoided the religious wars about different open source
software licenses, and I'll leave that and other questions to people with
stronger opinions on these topics.

Aldon
http://www.orient-lodge.com/N900

  -Original Message-
  From: maemo-developers-boun...@maemo.org
[mailto:maemo-developers-boun...@maemo.org] on Behalf Of Sanjeev (EIPI)
  Sent: Saturday, February 06, 2010 2:29 PM
  To: maemo-developers@maemo.org
  Subject: [New Developer]: Questions - Python Packaging / Free or Non-Free
/ Software Licensing


  Hello,

  I am developing a python/QT application for Fremantle.  This is my first
application for Maemo, so I have been on a steep learning curve for the past
2 weeks for things related to the SDK, python, QT, etc.  I finally have it
(mostly) working within scratchbox, and on the device, but it is not yet
packaged.  I am using a proprietary API within the code which requires my
personal credentials to be passed.  The credentials are in the form of a
unique alpha-numeric string.  The company that has issued these credentials
has asked that they are not to be made public.  I am able to use their API
so long as I adhere to this and a few other restrictions that they have in
place.  Some questions I now have:

  1. I am researching how to package my python application for maemo.org
Extras-devel.  Due to the restrictions placed on the API login credentials,
I am unclear whether the app can use the 'free' distribution.  I am not at
all worried about exposing the source code, but am not sure if that can be
done without revealing the API credentials.  Is there any way to distribute
my application in 'free', or does it have to be under 'non-free'?

  2. If it is 'non-free', am I correct in my understanding that none of the
source code gets uploaded to maemo.org?

  3. I have seen both pypackager and py2deb being mentioned in the wiki
articles on python packaging.  Which one should I use?  I understand that
pypackager does not have a GUI for Fremantle yet - should I wait for that?

  4. Do I use the Extras Assistant [1] after creating my package?  Does it
allow for both free and non-free?

  5. Software licensing - I know nothing about this.  What are my options
for free and for non-free?  I understand that Mauku is non-free, and is
therefore under copyright by its developer.

  Sorry if any of this is very basic.  My interest in Maemo is now growing
into the area of application development, and that is something that I do
not do professionally.  In fact, I am very far from this area in my day job.

  Many thanks,

  Sanjeev

  [1] https://garage.maemo.org/extras-assistant/index.php


  --
  EIPI
  Mobile Tablets! Blog: http://mobiletablets.blogspot.com
