Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: GPL and Security Measures

  1. #1
    Join Date
    Oct 2007
    Location
    Kentucky, USA
    Beans
    731
    Distro
    Ubuntu

    GPL and Security Measures

    If you develop a security measure for a GPLd program you've written which involves a secret variable, do you have to release said variable with the source code of said program when requested to do so?
    Which is more important in obtaining the truth, "what" or "why"? Trick question. They are of equal importance.
    Freely ye have received, freely give.

  2. #2
    Join Date
    Sep 2010
    Beans
    898

    Re: GPL and Security Measures

    What is a "secret variable"? How does it differ from other variables?

    The GPL requires that the complete source code be provided. The intent is that anyone who receives a copy of the program is fully able to use it, study it, modify it and redistribute it.

    http://www.gnu.org/philosophy/free-sw.html

  3. #3
    Join Date
    Apr 2005
    Location
    Hampshire, UK
    Beans
    1,273

    Re: GPL and Security Measures

    Quote Originally Posted by ki4jgt View Post
    If you develop a security measure for a GPLd program you've written which involves a secret variable, do you have to release said variable with the source code of said program when requested to do so?
    If you've written it by yourself and are the sole copyright holder, you can distribute whatever portions of the source you want.

  4. #4
    Join Date
    Jun 2009
    Beans
    355

    Re: GPL and Security Measures

    Why would you have a "secret variable" in your security program? That makes no sense.

  5. #5
    Join Date
    Mar 2007
    Location
    Portsmouth, UK
    Beans
    Hidden!
    Distro
    Ubuntu 11.10 Oneiric Ocelot

    Re: GPL and Security Measures

    Security through obscurity is a fallacy. If you have written the code, then you can obviously set the licence terms; you don't have to apply the GPL to an entire application, do you?

  6. #6
    Join Date
    Sep 2010
    Beans
    898

    Re: GPL and Security Measures

    Quote Originally Posted by Grenage View Post
    Security through obscurity is a fallacy. If you have written the code, then you can obviously set the licence terms; you don't have to apply the GPL to an entire application, do you?
    If an essential component of the application is not licensed as GPL, then could the application be considered GPL? I suppose we can't discuss this properly until we find out what "secret variable" means.

  7. #7
    Join Date
    Oct 2007
    Location
    Kentucky, USA
    Beans
    731
    Distro
    Ubuntu

    Re: GPL and Security Measures

    Quote Originally Posted by Grenage View Post
    Security through obscurity is a fallacy. If you have written the code, then you can obviously set the licence terms; you don't have to apply the GPL to an entire application, do you?
    Which is why we have public and private GPG keys.

    Quote Originally Posted by Dave_L View Post
    If an essential component of the application is not licensed as GPL, then could the application be considered GPL? I suppose we can't discuss this properly until we find out what "secret variable" means.
    I have an application which upon execution reports to a server (in concept b/c I haven't coded it yet). It combines a code word (the variable) and the current time and then hashes them together, to prove that it is the program and not someone trying to hack the system. The question now, is if I don't include the variable in the program, can I still distribute it under the GPL?
    Which is more important in obtaining the truth, "what" or "why"? Trick question. They are of equal importance.
    Freely ye have received, freely give.

  8. #8
    Join Date
    Mar 2007
    Location
    Portsmouth, UK
    Beans
    Hidden!
    Distro
    Ubuntu 11.10 Oneiric Ocelot

    Re: GPL and Security Measures

    Quote Originally Posted by ki4jgt View Post
    Which is why we have public and private GPG keys.
    That's not quite the same thing.

    While that sounds like a system that could be cracked in under five minutes, why not just make the variable.. variable? If it can be assigned by the user, then the code base can be open; I'm sure you have a reason for not doing so.

    The application can't be considered GPL if you've got closed source, but could be if the closed source was a bolt-on. You could of course use another licence, but you already know that. ^^

  9. #9
    Join Date
    Oct 2007
    Location
    Kentucky, USA
    Beans
    731
    Distro
    Ubuntu

    Re: GPL and Security Measures

    Quote Originally Posted by Grenage View Post
    That's not quite the same thing.

    While that sounds like a system that could be cracked in under five minutes, why not just make the variable.. variable? If it can be assigned by the user, then the code base can be open; I'm sure you have a reason for not doing so.

    The application can't be considered GPL if you've got closed source, but could be if the closed source was a bolt-on. You could of course use another licence, but you already know that. ^^
    Well, I need a way to verify that the program is the actual thing sending me the message of completion (and not a bot). I'm trying to prevent automated bots from reporting multiple times that the task has been completed. It has to do with file downloading. Basically the program will allow webmasters to embed files within their sites. Then when a user downloads the file, the program will fetch an ad to display (it's written in JAVA). The site owner will get half of the profit for every ad shown. Have any other suggestions for a way to do this?
    Which is more important in obtaining the truth, "what" or "why"? Trick question. They are of equal importance.
    Freely ye have received, freely give.

  10. #10
    Join Date
    Dec 2004
    Location
    Manchester
    Beans
    2,081
    Distro
    Ubuntu Studio 13.04 Raring Ringtail

    Re: GPL and Security Measures

    Quote Originally Posted by ki4jgt View Post
    Well, I need a way to verify that the program is the actual thing sending me the message of completion (and not a bot). I'm trying to prevent automated bots from reporting multiple times that the task has been completed. It has to do with file downloading. Basically the program will allow webmasters to embed files within their sites. Then when a user downloads the file, the program will fetch an ad to display (it's written in JAVA). The site owner will get half of the profit for every ad shown. Have any other suggestions for a way to do this?
    The most fundamental freedom of free software is that the user can modify the programs behaviour. so for example i might want to modify your program to not display the adverts, because i consider seeing adverts to be a distracting anti-feature.

    You seem to want to make piece of software that the user can't modify, (or at least that you can spot and reject modified versions).

    But, it sounds like you are also interested in offering your source code to the community (as long you can do so without compromising your main goal). That is admirable, and i think possible. There are a few ways you might be able to do this.

    * You could write the software, and release it as an opensource (GPL) project. Then, because you still own the copyright to the code (you wrote it all), you could make a slight modified version, with your secret extra code, and release that only as a binary. You will need to make sure that you have not used anyone else's GPL code in your program, and that all the libraries you make use of allow linking into a closed program (eg LGPL)

    * You could split your program into bits and release some of them as LGPL or BSD/Apache licence. Then you could write a closed source program, that makes use of those libraries.

    Not being able to hide secrets in source code, is not directly related to security. Look at openssh, openssl, gpg, firefox etc. The are all opensource, and they all implement industry leading secure communication and authentication. There are closed source programs that do similar, and they are not in general any more secure.

    So suppose your program has a secret number in it. and it sends a message to your server using that secret number. what is to stop an attacker listening to your network traffic? what stops them decompiling your binary? just keeping the source secret, does not solve much.

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •