[maemo-developers] [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing
From: Andrew Flegg andrew at bleb.org
Date: Mon Feb 8 09:27:53 EET 2010
On Mon, Feb 8, 2010 at 00:18, Sanjeev (EIPI) <mobiletabletsblog at gmail.com> wrote:
>
> As I said, I am new at this, so I did not see some of these issues before
> starting development. The points you make are quite valid, and I did not
> realize that python was distributed as source. That may sound obvious to
> many, but I am not a s/w person at all.
>
> I wonder how independent developers are making use of this API then? It
> confuses me greatly.

In my opinion, you should go to "best efforts"; and here are some
suggestions to try and keep the key (slightly) hidden:

1) non-free package
~~~~~~~~~~~~~~~~~~~
  * Create a non-free (i.e. binary) package which contains your API
    keys encrypted in some way (perhaps just XORing the values) and a
    small C program which decrypts them.

  * Create your Python package as normal, with a `Depends' on the
    non-free package and call the small C program from within your app.

It's not "real" security, but that should be OK. The biggest problem I
can see is that the C program would then be callable by any other
developer.

2) Retrieve keys at install time
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  * Create your Python package as normal, but ensure it does not
    contain the keys.

  * In your package's postinst you can be fairly sure there's a network
    connection, so retrieve the keys from a known URL.

  * You could even have it so that the URL is a small little PHP script
    which has a list of MD5s for the main Python file and that this is
    sent as a query parameter. When a new version is released you get
    the package from Extras and add the MD5 to the PHP file. You could
    even XOR things with the MD5 sent so that you get an extra layer of
    obscurity.

> FWIW - the application I made provides a simple UI so that a user
> can enter an airline, and flight number. The app then uses the
> flightstats.com API to search for the flight's current status.
> The app provides a list of airlines so that the user does not have
> to know the airline code.

Sounds excellent.

It's worth bearing in mind that almost every app using this API, on
every platform will be able to have the keys retrieved unless there is
an in-built security mechanism such as that being developed for Maemo 6.
However, even then, distribution mechanisms could be the weakest link.
At some point, flightstats.com will have to trust a device (whether
N900, desktop, Nexus One or jailbroken iPhone) which could be in a
malicious user's hands.

Hope that helps,

Andrew

-- 
Andrew Flegg -- mailto:andrew at bleb.org | http://www.bleb.org/
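The exchange described in suggestion 2 above, as an added example that is not part of the original message: an offline Python simulation of both sides, with the PHP script and the postinst step replaced by plain functions. All names, the placeholder key and the sample file contents are constructed for illustration.

```python
import hashlib

# Constructed sample data: a placeholder key and two stand-in "main file" bodies.
API_KEY = b"EXAMPLE-KEY-0000"  # placeholder, not a real key
RELEASED_MAIN = b"print('flight status app v1.0')\n"
MODIFIED_MAIN = b"print('flight status app v1.0, locally edited')\n"


def md5_digest(data: bytes) -> bytes:
    """MD5 of the main Python file, as the message proposes."""
    return hashlib.md5(data).digest()


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """XOR data with pad, repeating pad as needed. Obscurity, not encryption."""
    return bytes(b ^ pad[i % len(pad)] for i, b in enumerate(data))


# Server side: the list of MD5s, one added per version released to Extras.
KNOWN_RELEASES = {md5_digest(RELEASED_MAIN).hex()}


def serve_key(md5_hex: str):
    """Stand-in for the PHP script: masked key for a listed MD5, else None."""
    if md5_hex not in KNOWN_RELEASES:
        return None
    # The MD5 arrives as a query parameter; the server only sees this
    # reported value, never the file behind it.
    return xor_bytes(API_KEY, bytes.fromhex(md5_hex))


def postinst_fetch(main_file: bytes):
    """Stand-in for postinst: report the file's MD5, then unmask the reply."""
    digest = md5_digest(main_file)
    masked = serve_key(digest.hex())
    if masked is None:
        return None
    return xor_bytes(masked, digest)


if __name__ == "__main__":
    print(postinst_fetch(RELEASED_MAIN))   # key recovered for a listed release
    print(postinst_fetch(MODIFIED_MAIN))   # unlisted hash: no key returned
```

The mask is derived from the same MD5 the client sends, so this stays within the "best efforts" level the message describes rather than providing confidentiality.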