[maemo-developers] [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing
From: Sanjeev (EIPI) mobiletabletsblog at gmail.com
Date: Mon Feb 8 17:36:01 EET 2010
- Previous message: [New Developer]: Questions - Python Packaging / Free or Non-Free / Software Licensing
- Next message: Maemo Official Platform Bug Jar 2010.06
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 2/8/10, Andrew Flegg <andrew at bleb.org> wrote:
> On Mon, Feb 8, 2010 at 00:18, Sanjeev (EIPI)
> <mobiletabletsblog at gmail.com> wrote:
>>
>> As I said, I am new at this, so I did not see some of these issues before
>> starting development. The points you make are quite valid, and I did not
>> realize that python was distributed as source. That may sound obvious to
>> many, but I am not a s/w person at all.
>>
>> I wonder how independent developers are making use of this API then? It
>> confuses me greatly.
>
> In my opinion, you should go to "best efforts"; and here are some
> suggestions to try and keep the key (slightly) hidden:
>
> 1) non-free package
> ~~~~~~~~~~~~~~~~~~~
>   * Create a non-free (i.e. binary) package which contains your API
>     keys encrypted in some way (perhaps just XORing the values) and
>     a small C program which decrypts them.
>
>   * Create your Python package as normal, with a `Depends' on the
>     non-free package and call the small C program from within your
>     app.
>
> It's not "real" security, but that should be OK. The biggest problem I
> can see is that the C program would then be callable by any other
> developer.
>
> 2) Retrieve keys at install time
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>   * Create your Python package as normal, but ensure it does not
>     contain the keys.
>
>   * In your package's postinst you can be fairly sure there's a
>     network connection, so retrieve the keys from a known URL.
>
>   * You could even have it so that the URL is a small little PHP
>     script which has a list of MD5s for the main Python file and
>     that this is sent as a query parameter. When a new version is
>     released you get the package from Extras and add the MD5 to
>     the PHP file. You could even XOR things with the MD5 sent so
>     that you get an extra layer of obscurity.
>
>> FWIW - the application I made provides a simple UI so that a user
>> can enter an airline, and flight number. The app then uses the
>> flightstats.com API to search for the flight's current status.
>> The app provides a list of airlines so that the user does not have
>> to know the airline code.
>
> Sounds excellent.
>
> It's worth bearing in mind that almost every app using this API, on
> every platform will be able to have the keys retrieved unless there is
> an in-built security mechanism such as that being developed for Maemo
> 6. However, even then, distribution mechanisms could be the weakest
> link.
>
> At some point, flightstats.com will have to trust a device
> (whether N900, desktop, Nexus One or jailbroken iPhone) which could be
> in a malicious user's hands.
>
> Hope that helps,
>
> Andrew
>
> --
> Andrew Flegg -- mailto:andrew at bleb.org | http://www.bleb.org/
>

Thank you for the ideas, Andrew. I will have to think about the best
method that I can provide obscurity that is within my means at the
moment. Retrieving the keys at install time sounds like a good
candidate.

I have packaging headaches right now that I need to resolve. Once
those are squared away, I'll tackle the key obscurity issue.

Thanks again!

Sanjeev

--
EIPI
Mobile Tablets! Blog: http://mobiletablets.blogspot.com
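
The install-time retrieval scheme from option 2 of the quoted suggestions, sketched in Python as an added example that is not part of the original message or any poster's code. The key, the file contents and the function names (`serve_key`, `fetch_key`) are constructed for illustration, and the PHP script behind a URL is modelled as a local function.

```python
import hashlib
from itertools import cycle

# Constructed sample data: a placeholder key and a stand-in for the app's main file.
API_KEY = b"EXAMPLE-API-KEY-0000"
MAIN_PY_V1 = b"print('flight status app v1')\n"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def xor_mask(data: bytes, mask: bytes) -> bytes:
    """XOR data with a repeating mask; applying it twice restores the input."""
    return bytes(b ^ m for b, m in zip(data, cycle(mask)))


# Server side: MD5s of released main files, added by hand after each release.
KNOWN_RELEASES = {md5_hex(MAIN_PY_V1)}


def serve_key(md5_param: str):
    """Return the key XORed with the submitted MD5, or None for unknown builds."""
    digest = md5_param.strip().lower()
    if digest not in KNOWN_RELEASES:
        return None
    return xor_mask(API_KEY, bytes.fromhex(digest))


# Client side (postinst): hash the installed file, request the key, unmask it.
def fetch_key(installed_main: bytes, request=serve_key):
    digest = md5_hex(installed_main)
    masked = request(digest)
    if masked is None:
        return None
    return xor_mask(masked, bytes.fromhex(digest))


if __name__ == "__main__":
    print(fetch_key(MAIN_PY_V1))           # released build receives the key
    print(fetch_key(MAIN_PY_V1 + b"# x"))  # unlisted build is refused
```

The server only ever sees the digest the client chooses to send, so the check confirms knowledge of a released MD5 and nothing more, which is why the thread describes the approach as obscurity.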