Re: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing
On 2/8/10, Andrew Flegg wrote:
> On Mon, Feb 8, 2010 at 00:18, Sanjeev (EIPI) wrote:
>>
>> As I said, I am new at this, so I did not see some of these issues before starting development. The points you make are quite valid, and I did not realize that python was distributed as source. That may sound obvious to many, but I am not a s/w person at all.
>>
>> I wonder how independent developers are making use of this API then? It confuses me greatly.
>
> In my opinion, you should go to "best efforts"; and here are some suggestions to try and keep the key (slightly) hidden:
>
> 1) non-free package
> ~~~
> * Create a non-free (i.e. binary) package which contains your API keys encrypted in some way (perhaps just XORing the values) and a small C program which decrypts them.
>
> * Create your Python package as normal, with a `Depends' on the non-free package and call the small C program from within your app.
>
> It's not "real" security, but that should be OK. The biggest problem I can see is that the C program would then be callable by any other developer.
>
> 2) Retrieve keys at install time
>
> * Create your Python package as normal, but ensure it does not contain the keys.
>
> * In your package's postinst you can be fairly sure there's a network connection, so retrieve the keys from a known URL.
>
> * You could even have it so that the URL is a small little PHP script which has a list of MD5s for the main Python file and that this is sent as a query parameter. When a new version is released you get the package from Extras and add the MD5 to the PHP file. You could even XOR things with the MD5 sent so that you get an extra layer of obscurity.
>
>> FWIW - the application I made provides a simple UI so that a user can enter an airline, and flight number. The app then uses the flightstats.com API to search for the flight's current status. The app provides a list of airlines so that the user does not have to know the airline code.
>
> Sounds excellent.
>
> It's worth bearing in mind that almost every app using this API, on every platform will be able to have the keys retrieved unless there is an in-built security mechanism such as that being developed for Maemo 6. However, even then, distribution mechanisms could be the weakest link.
>
> At some point, flightstats.com will have to trust a device (whether N900, desktop, Nexus One or jailbroken iPhone) which could be in a malicious user's hands.
>
> Hope that helps,
>
> Andrew
>
> --
> Andrew Flegg -- mailto:and...@bleb.org | http://www.bleb.org/

Thank you for the ideas, Andrew. I will have to think about the best method by which I can provide obscurity that is within my means at the moment. Retrieving the keys at install time sounds like a good candidate.

I have packaging headaches right now that I need to resolve. Once those are squared away, I'll tackle the key obscurity issue.

Thanks again!

Sanjeev
--
EIPI
Mobile Tablets!
Blog: http://mobiletablets.blogspot.com

___
maemo-developers mailing list
maemo-developers@maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers
Re: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing
On Mon, Feb 8, 2010 at 2:36 PM, Edward Johns wrote:
> Rather than an external c program you could consider making a c extension that you can import into Python.
>
> Take a look at cython (I seem to remember a tutorial on this in the pymaemo pages)

All that stuff can be easily circumvented by just editing the source code and printing the key after it is acquired. Or, hooking into the network communication. Or, whatever.

This kind of security is unimplementable locally without hardware support; the best you can get is a small degree of obscurity.

--
Ville M. Vainio
http://tinyurl.com/vainio
Re: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing
> 1) non-free package
> ~~~
> * Create a non-free (i.e. binary) package which contains your API keys encrypted in some way (perhaps just XORing the values) and a small C program which decrypts them.

Rather than an external c program you could consider making a c extension that you can import into Python.

Take a look at cython (I seem to remember a tutorial on this in the pymaemo pages)

Ed
Re: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing
On Mon, Feb 8, 2010 at 00:18, Sanjeev (EIPI) wrote:
>
> As I said, I am new at this, so I did not see some of these issues before starting development. The points you make are quite valid, and I did not realize that python was distributed as source. That may sound obvious to many, but I am not a s/w person at all.
>
> I wonder how independent developers are making use of this API then? It confuses me greatly.

In my opinion, you should go to "best efforts"; and here are some suggestions to try and keep the key (slightly) hidden:

1) non-free package
~~~
* Create a non-free (i.e. binary) package which contains your API keys encrypted in some way (perhaps just XORing the values) and a small C program which decrypts them.

* Create your Python package as normal, with a `Depends' on the non-free package and call the small C program from within your app.

It's not "real" security, but that should be OK. The biggest problem I can see is that the C program would then be callable by any other developer.

2) Retrieve keys at install time

* Create your Python package as normal, but ensure it does not contain the keys.

* In your package's postinst you can be fairly sure there's a network connection, so retrieve the keys from a known URL.

* You could even have it so that the URL is a small little PHP script which has a list of MD5s for the main Python file and that this is sent as a query parameter. When a new version is released you get the package from Extras and add the MD5 to the PHP file. You could even XOR things with the MD5 sent so that you get an extra layer of obscurity.

> FWIW - the application I made provides a simple UI so that a user can enter an airline, and flight number. The app then uses the flightstats.com API to search for the flight's current status. The app provides a list of airlines so that the user does not have to know the airline code.

Sounds excellent.

It's worth bearing in mind that almost every app using this API, on every platform will be able to have the keys retrieved unless there is an in-built security mechanism such as that being developed for Maemo 6. However, even then, distribution mechanisms could be the weakest link.

At some point, flightstats.com will have to trust a device (whether N900, desktop, Nexus One or jailbroken iPhone) which could be in a malicious user's hands.

Hope that helps,

Andrew

--
Andrew Flegg -- mailto:and...@bleb.org | http://www.bleb.org/
Re: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing
On Sun, Feb 7, 2010 at 7:08 PM, Sanjeev (EIPI) wrote:
>
> On Sun, Feb 7, 2010 at 1:44 PM, David Greaves wrote:
>> Sanjeev (EIPI) wrote:
>>> Thank you for the reply. To clarify this particular situation a bit more... The API key is available only on a paid basis. For some novel or new devices, a limited use (read: non-commercial) key is given to developers that apply for one. So, a casual user is not able to obtain their own API key. I have obtained one of these limited use keys for use in my application.
>>>
>>> This is the reason why I was inquiring about how to protect the API key within the application.
>>
>> (nb try not to top-post)
>>
>> This is not a licensing issue, it's a security issue. (Well, actually, you may contravene the api publisher's license since you probably can't avoid publishing your personal credentials to the world).
>>
>> In general if you distribute a binary containing credentials then the credentials can be extracted. You need a fairly complex security system to avoid this (eg Harmattan's upcoming DRM management which is the problem you're attempting to solve - and look how well that worked out so far).
>>
>> You have several obvious problems:
>> * python is distributed as source - it's hard to obfuscate
>> * the api key will almost certainly be clear in the source
>> * if you encrypt the credentials then the decryption routine will be clear
>> * if you obfuscate it (eg compile) then it has to be capable of being read by the CPU - or by a debugger.
>>
>> One solution is to use a proxy. Provide an 'open' service that your app calls and which then passes the request on to the paid service using credentials kept on the proxy. This is likely a breach of the terms-of-use license.
>>
>> As the problem is outlined I think you're out of luck - sorry.
>>
>> David
>>
>> --
>> "Don't worry, you'll be fine; I saw it work in a cartoon once..."
>

Thank you for the reply, David (and sorry for top-posting).

As I said, I am new at this, so I did not see some of these issues before starting development. The points you make are quite valid, and I did not realize that python was distributed as source. That may sound obvious to many, but I am not a s/w person at all.

I wonder how independent developers are making use of this API then? It confuses me greatly.

FWIW - the application I made provides a simple UI so that a user can enter an airline, and flight number. The app then uses the flightstats.com API to search for the flight's current status. The app provides a list of airlines so that the user does not have to know the airline code. This data is available through their API on a paid basis. For simple widgets, they allow developers to use the API as long as they provide deep links back to their site (for advertising revenue).

I am curious now how other application developers use the API key so that it is secure. Would C be a better choice? It sounds as though it may not, since you say that the API key can still be 'found out'.
Re: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing
On 07/02/2010 20:04, igor.sto...@nokia.com wrote:
> However it's not impossible to do secure operations on the N900, they just must be done on the cellular modem, which is perfectly capable of managing keys in a way that is not worse than any other Nokia phone.

And afaik the omap3 supports Trustzone, so it should even be possible to use it even before Maemo6 comes, though it might be a bit tricky without OS support.

Cheers,
--
Yves-Alexis
RE: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing
From: maemo-developers-boun...@maemo.org [maemo-developers-boun...@maemo.org] On Behalf Of ext David Greaves [da...@dgreaves.com]
Sent: 07 February 2010 20:44
To: Sanjeev (EIPI)
Cc: maemo-developers@maemo.org; Aldon Hynes
Subject: Re: [New Developer]: Questions - Python Packaging / Free or Non-Free/ Software Licensing

> As the problem is outlined I think you're out of luck - sorry.

Well, in general there's no perfect system; he just has to devise something that requires more cracking effort than it's worth for having illegal access to the functionality :-) And possibly make the crack device-specific.

However it's not impossible to do secure operations on the N900, they just must be done on the cellular modem, which is perfectly capable of managing keys in a way that is not worse than any other Nokia phone. Obviously as soon as the control comes back to the linux side, anything is possible. But, as I said, it's just a matter of making it complex enough. After all even sk...@n900 is subject to the same security problems.

But python programming is probably not the most effective way to reach the goal.

igor
Re: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing
Sanjeev (EIPI) wrote:
> Thank you for the reply. To clarify this particular situation a bit more... The API key is available only on a paid basis. For some novel or new devices, a limited use (read: non-commercial) key is given to developers that apply for one. So, a casual user is not able to obtain their own API key. I have obtained one of these limited use keys for use in my application.
>
> This is the reason why I was inquiring about how to protect the API key within the application.

(nb try not to top-post)

This is not a licensing issue, it's a security issue. (Well, actually, you may contravene the api publisher's license since you probably can't avoid publishing your personal credentials to the world).

In general if you distribute a binary containing credentials then the credentials can be extracted. You need a fairly complex security system to avoid this (eg Harmattan's upcoming DRM management which is the problem you're attempting to solve - and look how well that worked out so far).

You have several obvious problems:
* python is distributed as source - it's hard to obfuscate
* the api key will almost certainly be clear in the source
* if you encrypt the credentials then the decryption routine will be clear
* if you obfuscate it (eg compile) then it has to be capable of being read by the CPU - or by a debugger.

One solution is to use a proxy. Provide an 'open' service that your app calls and which then passes the request on to the paid service using credentials kept on the proxy. This is likely a breach of the terms-of-use license.

As the problem is outlined I think you're out of luck - sorry.

David

--
"Don't worry, you'll be fine; I saw it work in a cartoon once..."
Re: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing
Thank you for the reply. To clarify this particular situation a bit more... The API key is available only on a paid basis. For some novel or new devices, a limited use (read: non-commercial) key is given to developers that apply for one. So, a casual user is not able to obtain their own API key. I have obtained one of these limited use keys for use in my application.

This is the reason why I was inquiring about how to protect the API key within the application.

Sanjeev
--
EIPI (Sanjeev)
Sent from my Nokia N900

- Original message -
> What people normally do in other projects I'm involved with is that they make the API key a configuration option and pass a sample API key. That way, anyone who uses the application is required to get an API key for the application from the third party, and the developer does not have to worry about his key getting misused. The instructions for installing the app then include details about how each user goes out and gets their own API key.
>
> By doing it this way, you don't have to keep anything secret and you should be able to upload all the source into free.
>
> Personally, I've avoided the religious wars about different open source software licenses, and I'll leave that and other questions to people with stronger opinions on these topics.
>
> Aldon
> http://www.orient-lodge.com/N900
>
> -Original Message-
> From: maemo-developers-boun...@maemo.org [mailto:maemo-developers-boun...@maemo.org] On Behalf Of Sanjeev (EIPI)
> Sent: Saturday, February 06, 2010 2:29 PM
> To: maemo-developers@maemo.org
> Subject: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing
>
> Hello,
>
> I am developing a python/QT application for Fremantle. This is my first application for Maemo, so I have been on a steep learning curve for the past 2 weeks for things related to the SDK, python, QT, etc. I finally have it (mostly) working within scratchbox, and on the device, but it is not yet packaged.
>
> I am using a proprietary API within the code which requires my personal credentials to be passed. The credentials are in the form of a unique alpha-numeric string. The company that has issued these credentials has asked that they are not to be made public. I am able to use their API so long as I adhere to this and a few other restrictions that they have in place. Some questions I now have:
>
> 1. I am researching how to package my python application for maemo.org Extras-devel. Due to the restrictions placed on the API login credentials, I am unclear whether the app can use the 'free' distribution. I am not at all worried about exposing the source code, but am not sure if that can be done without revealing the API credentials. Is there any way to distribute my application in 'free', or does it have to be under 'non-free'?
>
> 2. If it is 'non-free', am I correct in my understanding that none of the source code gets uploaded to maemo.org?
>
> 3. I have seen both pypackager and py2deb being mentioned in the wiki articles on python packaging. Which one should I use? I understand that pypackager does not have a GUI for Fremantle yet - should I wait for that?
>
> 4. Do I use the Extras Assistant [1] after creating my package? Does it allow for both free and non-free?
>
> 5. Software licensing - I know nothing about this. What are my options for free and for non-free? I understand that Mauku is non-free, and is therefore under copyright by its developer.
>
> Sorry if any of this is very basic. My interest in Maemo is now growing into the area of application development, and that is something that I do not do professionally. In fact, I am very far from this area in my day job.
>
> Many thanks,
>
> Sanjeev
>
> [1] https://garage.maemo.org/extras-assistant/index.php
>
> --
> EIPI
> Mobile Tablets!
> Blog: http://mobiletablets.blogspot.com
RE: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing
What people normally do in other projects I'm involved with is that they make the API key a configuration option and pass a sample API key. That way, anyone who uses the application is required to get an API key for the application from the third party, and the developer does not have to worry about his key getting misused. The instructions for installing the app then include details about how each user goes out and gets their own API key.

By doing it this way, you don't have to keep anything secret and you should be able to upload all the source into free.

Personally, I've avoided the religious wars about different open source software licenses, and I'll leave that and other questions to people with stronger opinions on these topics.

Aldon
http://www.orient-lodge.com/N900

-Original Message-
From: maemo-developers-boun...@maemo.org [mailto:maemo-developers-boun...@maemo.org] On Behalf Of Sanjeev (EIPI)
Sent: Saturday, February 06, 2010 2:29 PM
To: maemo-developers@maemo.org
Subject: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing

Hello,

I am developing a python/QT application for Fremantle. This is my first application for Maemo, so I have been on a steep learning curve for the past 2 weeks for things related to the SDK, python, QT, etc. I finally have it (mostly) working within scratchbox, and on the device, but it is not yet packaged.

I am using a proprietary API within the code which requires my personal credentials to be passed. The credentials are in the form of a unique alpha-numeric string. The company that has issued these credentials has asked that they are not to be made public. I am able to use their API so long as I adhere to this and a few other restrictions that they have in place. Some questions I now have:

1. I am researching how to package my python application for maemo.org Extras-devel. Due to the restrictions placed on the API login credentials, I am unclear whether the app can use the 'free' distribution. I am not at all worried about exposing the source code, but am not sure if that can be done without revealing the API credentials. Is there any way to distribute my application in 'free', or does it have to be under 'non-free'?

2. If it is 'non-free', am I correct in my understanding that none of the source code gets uploaded to maemo.org?

3. I have seen both pypackager and py2deb being mentioned in the wiki articles on python packaging. Which one should I use? I understand that pypackager does not have a GUI for Fremantle yet - should I wait for that?

4. Do I use the Extras Assistant [1] after creating my package? Does it allow for both free and non-free?

5. Software licensing - I know nothing about this. What are my options for free and for non-free? I understand that Mauku is non-free, and is therefore under copyright by its developer.

Sorry if any of this is very basic. My interest in Maemo is now growing into the area of application development, and that is something that I do not do professionally. In fact, I am very far from this area in my day job.

Many thanks,

Sanjeev

[1] https://garage.maemo.org/extras-assistant/index.php

--
EIPI
Mobile Tablets!
Blog: http://mobiletablets.blogspot.com
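Aldon's approach above (ship only a placeholder and make the key a per-user configuration option), written out as an added Python 3 example that is not code from this thread or from any of the posters; the config path, the `[api] key` option name and the `APP_API_KEY` environment variable are assumptions, and the key format check is a constructed sanity check, not the provider's real format.

```python
"""Load a third-party API key from the user's own configuration instead of
shipping it inside the package (added example; not from the thread)."""
import configparser
import os
import re
import stat
from pathlib import Path

# Hypothetical names: config location, section and option are assumptions.
CONFIG_PATH = Path.home() / ".config" / "flightapp" / "config.ini"
SECTION = "api"
OPTION = "key"
# The thread only says the credential is a unique alpha-numeric string;
# this pattern is a constructed sanity check, not the provider's real format.
KEY_PATTERN = re.compile(r"^[A-Za-z0-9]{16,64}$")
SAMPLE_KEY = "PUT-YOUR-OWN-KEY-HERE"  # placeholder that ships with the package


class ApiKeyError(Exception):
    """Raised when no usable key is configured."""


def write_sample_config(path):
    """Create a config file holding only the placeholder, readable by the owner only."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    parser = configparser.ConfigParser()
    parser[SECTION] = {OPTION: SAMPLE_KEY}
    with open(path, "w") as fh:
        parser.write(fh)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # 0600: other local users cannot read it
    return path


def load_api_key(path=CONFIG_PATH, env=None):
    """Return the user's own key: APP_API_KEY (hypothetical name) first, then the config file.

    The shipped placeholder and malformed values are rejected, as is a config file
    that other local users can read, so the key cannot leak through file permissions.
    """
    env = os.environ if env is None else env
    key = env.get("APP_API_KEY", "")
    source = "environment"
    if not key:
        path = Path(path)
        if not path.exists():
            raise ApiKeyError("no API key: set APP_API_KEY or create %s" % path)
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise ApiKeyError("%s is accessible to other users; chmod 600 it" % path)
        parser = configparser.ConfigParser()
        parser.read(path)
        key = parser.get(SECTION, OPTION, fallback="")
        source = str(path)
    key = key.strip()
    if key == SAMPLE_KEY or not KEY_PATTERN.match(key):
        raise ApiKeyError("API key from %s is a placeholder or malformed" % source)
    return key
```

The install instructions then only have to tell the user where to obtain a key and which file to put it in; nothing secret ever enters the package.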