Microsoft Smartphone Code Signing and the GPL?

Posted by Cliff
from the tough-licensing-issues dept.
spacemonkey asks: "I am a professional developer, but in my spare time I have been developing games for the Microsoft Smartphone platform. Included in this work is a port of gnuboy a GPL gameboy colour emulator. Where does the GPL stand on the question of codesigning applications where required? Basically gnuboy is available, with full source for smartphone, however there are a large number of users out there who are unable/unwilling to remove the certification requirements from their smartphone devices, so to allow for these users, I need to sign the code. To enter into the code signing program will cost me approximately £500. I am interested in signing the application to make it available to a wider audience, however since I am not running a charity I was wondering whether charging some nominal fee for the code signed version was compatible with the GPL or not. So users would have an option on a signed version for less than £5, or an unsigned version free, which will include the full source code. Am I allowed to charge for GPL software in this way, where the charge is to cover the packaging of the application into a signed form?"
  • by ArmorFiend (151674) on Saturday May 03, 2003 @01:13PM (#5869344) Homepage Journal
    You can charge money for GPL software. You just have to make the source easily available. I think that would be covered by a URL in the about-box.

    In fact, the signing works nicely in your favor, since nobody can undercut you on price. Or they can, but they too have to pay the L500, in which case they'd have to either 1) charge as much as you or 2) hate you enough to take an intentional loss. Both are a lot of hassle. Seems to me like you just win.
    • > In fact, the signing works nicely in your favor, since nobody can undercut you on price. Or they can, but they too have to
      > pay the L500, ... or purchase a copy from him and then resell it!


      • In fact, the signing works nicely in your favor, since nobody can undercut you on price. Or they can, but they too have to pay the L500, ... or purchase a copy from him and then resell it!


        DOH!
        LoL
        • or purchase a copy from him and then resell it!

          As far as I can tell, the major rights/obligations of the GPL are:

          • You are permitted to redistribute the software in source form.
          • If you distribute the software in binary form, you must make source available to the recipient.

          Maybe I'm overlooking it, but I don't see that the GPL requires people to let you redistribute their binaries. As far as I can tell, the creator of this software can prohibit you from redistributing his binaries, even if they are de

          • Maybe I'm overlooking it, but I don't see that the GPL requires people to let you redistribute their binaries. As far as I can tell, the creator of this software can prohibit you from redistributing his binaries, even if they are derived from GPL'ed source code.

            No way. Look at section 3, which begins:

            3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the followi
    • In fact, the signing works nicely in your favor, since nobody can undercut you on price. Or they can, but they too have to pay the L500, in which case they'd have to either 1) charge as much as you or 2) hate you enough to take an intentional loss. Both are a lot of hassle. Seems to me like you just win.

      Not quite, unless I completely misunderstand the way this instance of code-signing works. Let's say that Bob has a piece of GPL'ed software available on his website. Bob makes three files available for
      • ...at least not legally. Go read the EULA on the keys. Distributing the binary under the GPL requires shipping source, fine, but "mere aggregation" of the key does not force it under the GPL or grant Joe the right to redistribute the key.

        This gets interesting for the GPL, since the key is not required to run the software on Microsoft-based phones (dial the emergency number, get a blue screen? ...or get a request for your serial number, can you remember all 20 digits?), there is no GPL requirement that Bob
      • but release the signed binary under some other licence.
        That's the key to the problem - but you have to have sole copyright to the code. If anyone else has contributed code to the project and holds joint copyright, then you have to get them to agree to the dual-licence release. On large projects this becomes increasingly difficult if it isn't done right early on.
  • by Anonymous Coward on Saturday May 03, 2003 @01:17PM (#5869364)
    It's the Source Code you are only allowed to charge the reasonable 'media charge' for. The application itself you can charge anything you want. The idea of this is to prevent you from charging $5 for the Application, and $50,000 for the source... you know, open source and all.
    • Okay, but you have the right to only distribute the source for people who pay for the app first, right?
      • What difference would it make? The source is useless unless they pay the L500 to get it signed.
      • You (as in the original author) have the obligation under the GPL to provide the source code to people you've distributed the binary to (whether for financial consideration or not).

        However, the GPL doesn't prevent those same people from posting the source to an ftp/web site and distributing it freely.
        • As the author he is under /no/ obligation to provide source, he merely chooses to do so.

          I think the answer is:

          - Provide source under the GPL

          - Provide certified binaries for a fee to cover the certification cost, and /not/ under GPL. Eg, some licence that allows use for free, and making of copies for one's /own/ use, but redistribution forbidden.

          He is the copyright holder I presume, so he can do what he wants with the licences.
    • It's the Source Code you are only allowed to charge the reasonable 'media charge' for.

      It's not really a question whether you have to release the source code. That's a given for GPL code. The functional question is whether or not the source code includes the signing key (if you distribute a signed version). I believe that the answer to that (underlying) question is yes.

      First of all we have to distinguish what we think source code is from what the GPL defines it as. In this case: [gnu.org]

      If identifiable sectio

  • I suppose as long as you make the source available, charging for the signed version wouldn't be a problem. After all, people buy packaged distributions of Linux all the time, and I hear there's quite a bit of GPL'd code in there. :)

    However, I would wonder if the GNU folks would really be so thrilled about it. After all, you're writing code for a platform that supports code-signing technology, which many people fear could greatly hamper the free software movement. So why support the platform? Perhaps y

    • Yes, you're buying into an unfree platform. But you're doing it with free software. I think that feels more like shafting the bastards than ignoring the platform completely would.

      "You think you can kill off free software by closing your standards? I'll prove you wrong. Free software can thrive even in an unfree environment. Like money, good software drives out bad."

      I'd have paid your 500 pounds in full, myself, if it would have run on my wife's Nokia phone. Those games suck.
  • Take up a collection (Score:5, Interesting)

    by moncyb (456490) on Saturday May 03, 2003 @01:51PM (#5869542) Journal

    Besides showing MS your middle finger (which I think you should do) or charging everyone money, why not just ask interested people to donate money until you have enough to pay the fee? You are only interested in not having to pay the fee yourself; I believe this is a fair plan.

    If you want to make money off the deal, the Street Performer Protocol [firstmonday.dk] may work for you. This will be less risky because you don't have to front the £500 yourself. Another guy has one called The Rational Street Performer Protocol [monash.edu.au] if it suits your tastes better.

  • "For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."

    Would the signing script be considered a script used to control compilation?

    Hey, why won't it let me post this anonymously?

  • by Tom7 (102298) on Saturday May 03, 2003 @02:11PM (#5869625) Homepage Journal
    The GPL defines the source as "the preferred form of the work for making modifications to it." If the work includes the signature and you don't plan on distributing the private key (or can't, because the signing authority won't give it to you) then you are probably in violation. This makes sense--if the platform *only* accepted signed binaries, then users would be unable to make modifications to the program, which is an important freedom that the GPL is intended to protect. You might be okay if the signature can somehow be separated from the GPL'd work, but that's probably not likely for these phone apps.

    Aside from that, if you're looking to recoup your 500 pounds for the signing fee, you might also be in for trouble since once someone buys a single copy, he can legally put up his own web site giving it out for free.
    • ??? Since when is the preferred form for modification the binary version? He said that he was freely distributing the source and an unsigned binary, clearly this meets the GPL... Or at least the GPL as I understand it as IANAL.
      • > ??? Since when is the preferred form for modification the binary version? He said that he was freely distributing the source
        > and an unsigned binary, clearly this meets the GPL... Or at least the GPL as I understand it as IANAL.

        I think you misunderstood my post. What I'm saying is that if he has a piece of software on his site, "signed gameboy emulator," that is a derivative work of the GPL gameboy emulator whose code it is based on. Therefore he has to provide the tools and source code for modifyin
        • You can distribute source which only compiles on Microsoft's Visual C++ compiler, even though it isn't possible to recreate the binary without using proprietary pieces of software. You can redistribute the source to Quake, even though you can't actually get Quake out of it unless you already have the proprietary map and texture files.

          The point is that the eventual outcome is the same: without additional proprietary data, it will eventually be unable to recreate a given binary from the given source. However

          • > You can distribute source which only compiles on Microsoft's Visual C++ compiler, even though it isn't possible to recreate
            > the binary without using proprietary pieces of software.

            Well, the GPL makes exceptions for tools that come with major components of the operating system (it even mentions the compiler specifically). Remember that when the GPL was made, there were no free software platforms or compilers! They obviously thought about this situation...

            > You can redistribute the source to Q
        • I understood your post, however he is providing the materials necessary to modify the program. Just because I'm providing a pre-compiled binary, which is not easily edited, I'm not breaking the GPL. Similarly, if I provide a signed binary, which is *VERY* not easily edited, as long as I'm providing the source, and from what I understand of the GPL, that doesn't break the GPL.
          • You have to provide the source for *the work* offered, which in this case is the signed binary. The source is the preferred form for making modifications to the work. If you can't even reproduce the work without the key, then I can't see how that could possibly be considered the preferred form!
            • But you can reproduce the work! I can't make a signed RPM of a work even if I have the source RPM can I? But that release is still covered by the GPL isn't it? You can still make modifications to the program, and still run the program once it's modified, you just can't run it in an environment that requires it to be signed.
              • No, because the work is the program with the signature of the CA that allows it to be run in the signed environment. You can't just conveniently forget a certain part of the work--the GPL requires that you give the source for *all* of it. That doesn't just mean the program code, but anything else that it needs to run. If somehow you can argue that the signature is a separate work (not likely for these phone devices) that's not a derivative of the original GPL work, then you'd be in the clear.
  • My "gut feeling" is that the signed version cannot be distributed under the terms of the GPL unless the recipient can generate it herself from the source code, including a signature.

    Then again, if the unsigned version is functionally equivalent to the signed version, then someone savvy enough to compile it would also probably not need the signed version to begin with, they would turn off the signature checking (or whatever... I'm not familiar with the platform).

    Probably the easiest thing to do is to conta
    • If this is true then why doesn't every copy of an application written in C come with a platform-specific compiler and the source to the compiler?
  • Ransom License (Score:4, Insightful)

    by gehrehmee (16338) on Saturday May 03, 2003 @02:34PM (#5869727) Homepage
    Sounds like a perfect job for the Ransom license: http://www.theoretic.com/Ransom [theoretic.com]
  • Because you'd have to give the key out as well. (It's part of the source code, after all... You need it to compile the binary you give out.) Not only this, but anyone who receives it could go in turn redistribute his copy.

    Why not try to get the authors to license it to you by a modified GPL? All you would have to add is an exception for redistributing the private key.

    The better option sounds like getting others to front the 500 and get the authors to license it to you under a modified gpl for this case th
  • It doesn't matter if you can release it under the GPL signed. Release it under two sets of licensing terms, like MySQL. The licences:

    unsigned version license: free, straight GPL; anyone can get the source and use it for anything they want, free as in speech and beer.

    signed version licence: 5 pound charge, binary only, no redistribution allowed.

    This might really fit the "spirit" of the GPL better than releasing a signed binary with GPLed source (but no key) where the user can't reproduce the exact execu
    • It's a port, he doesn't own it.

      Bleah, I'm an idiot too.
    • "signed version licence: 5 pound charge, binary only, no redistribution allowed."

      "This might really fit the "spirit" of the GPL better than releasing a signed binary with GPLed source (but no key) where the user can't reproduce the exact executable from the source."

      Hmmm...Why do that? Considering it's open source software, let people do what they want with it. If folks are willing to turn off the security on their phone, let them use the unsigned. Let them pay for the signed ones...how can ya do this and
  • Ask the Free Software Foundation [fsf.org], or ask a lawyer.
    • He can certainly ask the FSF their opinion out of a desire to be a "good citizen", but remember, the only legally relevant interpreters of the GPL are the courts. With no GPL trial record available, a lawyer is unlikely to provide much insight either.
  • by ianezz (31449)

    From the GPL:

    ...For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation
    and installation of the executable...

    Just wondering if the signing tool could fall in the highlighted category.

    • You know when you download the kernel and you see those files that have the md5sums and they are signed.... ever notice when you unpack the kernel you don't get Linus's private key, and you don't get GPG, nor md5.

      The kernel source is signed, the signature just isn't in the same file as the source, and it isn't required by tar.
      • You know when you download the kernel and you see those files that have the md5sums and they are signed.... ever notice when you unpack the kernel you don't get Linus's private key, and you don't get GPG, nor md5.

        Signed and md5summed tarballs are fine, they don't keep me from getting the kernel sources, modify them, recompile and install.

        OTOH, apparently I need some non-free tools and secret data (which I'm assuming that are not part of the normal distribution) in order to install a modified version of
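
  The exchange above turns on the difference between a detached signature (the kernel tarball's .sign file, which tar never needs) and a signature that becomes part of the shipped executable (the Smartphone case, where the device refuses the unsigned bytes). The following is an added example, not from any commenter and not the Smartphone signing tool: it uses a toy hash-based (Lamport) one-time signature built only from hashlib and secrets so it runs offline, and the TOYSIG trailer layout is an assumption for the demo, not a real code-signing format. It shows that the recipient can always strip the signature back to the unsigned binary, and can rebuild that binary from source, but without the private key cannot produce a signed blob that passes the check.

```python
"""Detached vs. embedded code signatures (added example, toy Lamport OTS).

Assumptions: the TOYSIG1 trailer and the artifact bytes are constructed
for the demo; no real signing tool or certificate format is modelled.
"""
import hashlib
import secrets

SIG_LEN = 256 * 32          # a Lamport signature reveals 256 32-byte preimages
MAGIC = b"TOYSIG1\x00"      # constructed trailer marker, not a real format


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport OTS: secret key is 256 pairs of random values, public key is
    their hashes. A key pair must sign exactly one message or it leaks."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def sign(sk, message: bytes) -> bytes:
    # For each digest bit, reveal the preimage matching that bit.
    digest = sha256(message)
    return b"".join(sk[i][_bit(digest, i)] for i in range(256))


def verify(pk, message: bytes, sig: bytes) -> bool:
    if len(sig) != SIG_LEN:
        return False
    digest = sha256(message)
    return all(sha256(sig[32 * i:32 * i + 32]) == pk[i][_bit(digest, i)]
               for i in range(256))


# Detached: the artifact is untouched and the signature lives in a side file.
def sign_detached(sk, artifact: bytes) -> bytes:
    return sign(sk, artifact)


# Embedded: the signature is appended and becomes part of the shipped blob.
def embed_signature(sk, binary: bytes) -> bytes:
    return binary + sign(sk, binary) + MAGIC


def strip_signature(blob: bytes) -> bytes:
    """Recover the unsigned binary; a device enforcing signing would refuse it."""
    if blob.endswith(MAGIC) and len(blob) >= SIG_LEN + len(MAGIC):
        return blob[:-(SIG_LEN + len(MAGIC))]
    return blob


def verify_embedded(pk, blob: bytes) -> bool:
    if not blob.endswith(MAGIC) or len(blob) < SIG_LEN + len(MAGIC):
        return False
    body = strip_signature(blob)
    sig = blob[len(body):len(body) + SIG_LEN]
    return verify(pk, body, sig)


def demo() -> dict:
    source_tarball = b"gnuboy-smartphone-src.tar.gz: constructed bytes\n"
    unsigned_binary = b"gnuboy.exe: constructed build output\n"

    sk_src, pk_src = keygen()
    detached = sign_detached(sk_src, source_tarball)

    sk_bin, pk_bin = keygen()          # one-time key, so a fresh pair for the binary
    signed_blob = embed_signature(sk_bin, unsigned_binary)

    # A recipient who modifies the program can rebuild an unsigned binary but,
    # lacking sk_bin, cannot produce a blob that the signature check accepts.
    modified = bytearray(signed_blob)
    modified[0] ^= 0x01

    return {
        "detached_ok": verify(pk_src, source_tarball, detached),
        "signed_differs_from_unsigned": signed_blob != unsigned_binary,
        "strip_recovers_unsigned": strip_signature(signed_blob) == unsigned_binary,
        "embedded_ok": verify_embedded(pk_bin, signed_blob),
        "modified_rejected": not verify_embedded(pk_bin, bytes(modified)),
        "unsigned_rejected": not verify_embedded(pk_bin, unsigned_binary),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

  The detached case leaves the source bytes identical whether or not the signature file is present, which is why the kernel tarball argument holds. In the embedded case the shipped blob is not reproducible from source alone, and a modified build fails the check, which is exactly the gap the thread is arguing about.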

  • Instead put up a site, manage to get slashdotted twice. Put up your non-signed version of the program and a donation link with your paypal email, allow donations of any amount and suggest $20. You keep a log of what accounts donated what (this is your payment history in paypal, not work). If the donations add up to $500 (or close enough you're happy) then not only is your problem solved but you also know there is enough interest for the port. Keep the donation link of course, nobody expects you to turn
  • Why? (Score:3, Interesting)

    by mike_sucks (55259) on Sunday May 04, 2003 @06:22AM (#5873597) Homepage
    Look, I know this is -2 (Offtopic, Troll) but why in god's name are you developing applications for Windows phones? You should be building apps for J2ME. *All* of the major phone manufacturers (Nokia, Sony-Ericsson, Motorola, Siemens, etc) are already supporting J2ME - I can't count the number of models of phones that support J2ME on both hands, but I can count the number of Windows phones with no hands.

    Switching to J2ME also solves your code-signing issue; you don't have to sign your programs at all.

    /mike
    • by toast0 (63707)
      wow... so there's at least 1024 phones that'll do j2me?

      (i'm not terribly surprised, but that does sound like a lot)

      I'm assuming binary use of your hands... i suppose you could easily do ternary since it'd be pretty easy to distinguish between unbent, fully bent, and halfway bent fingers... which would make the number of phones you'd need to have to be more than you can count 59,050

      • wow... so there's at least 1024 phones that'll do j2me?



        Oh, at least. In fact, I wouldn't be surprised if there were several gazillion.

        /mike
      • interestingly enough, there are several million phones. Perhaps you meant to say:

        wow... so there's at least 1024 phone models that'll do j2me?

        :-)
  • It's worth pointing out here, before the baying masses start shouting, that code signing on the smartphone device is at the discretion of the network operator and not Microsoft.

    In the UK, Orange decided to go with code signing because of the concerns about viruses and the fact they could get some money from each application produced for it.

    Microsoft merely provides the ability to enforce it, if the operator so desires.
