Microsoft Smartphone Code Signing and the GPL?
spacemonkey asks: "I am a professional developer, but in my spare time I have been developing games for the Microsoft Smartphone platform. Included in this work is a port of gnuboy, a GPL gameboy colour emulator. Where does the GPL stand on the question of code signing applications where required? Basically gnuboy is available, with full source, for smartphone; however, there are a large number of users out there who are unable/unwilling to remove the certification requirements from their smartphone devices, so to allow for these users, I need to sign the code. To enter into the code signing program will cost me approximately £500. I am interested in signing the application to make it available to a wider audience; however, since I am not running a charity, I was wondering whether charging some nominal fee for the code signed version was compatible with the GPL or not. So users would have an option on a signed version for less than £5, or an unsigned version free, which will include the full source code. Am I allowed to charge for GPL software in this way, where the charge is to cover the packaging of the application into a signed form?"
GPL says you can charge whatever you want (Score:5, Informative)
In fact, the signing works nicely in your favor, since nobody can undercut you on price. Or they can, but they too have to pay the L500, in which case they'd have to either 1) charge as much as you or 2) hate you enough to take an intentional loss. Both are a lot of hassle. Seems to me like you just win.
Re:GPL says you can charge whatever you want (Score:2, Insightful)
> pay the L500,
Re:GPL says you can charge whatever you want (Score:3, Informative)
DOH!
LoL
Re:GPL says you can charge whatever you want (Score:2)
As far as I can tell, the major rights/obligations of the GPL are:
Maybe I'm overlooking it, but I don't see that the GPL requires people to let you redistribute their binaries. As far as I can tell, the creator of this software can prohibit you from redistributing his binaries, even if they are de
Re:GPL says you can charge whatever you want (Score:2)
No way. Look at section 3, which begins:
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the followi
Re:GPL says you can charge whatever you want (Score:3, Informative)
Not quite, unless I completely misunderstand the way this instance of code-signing works. Let's say that Bob has a piece of GPL'ed software available on his website. Bob makes three files available for
Joe is not able to release Bob's software... (Score:3, Insightful)
This gets interesting for the GPL, since the key is not required to run the software on Microsoft-based phones (dial the emergency number, get a blue screen?
Re:GPL says you can charge whatever you want (Score:2)
Source Code is the small charge (Score:4, Informative)
Re:Source Code is the small charge (Score:1)
Re:Source Code is the small charge (Score:3, Insightful)
Re:Source Code is the small charge (Score:1)
However, the GPL doesn't prevent those same people from posting the source to an ftp/web site and distributing it freely.
Re:Source Code is the small charge (Score:2)
I think the answer is:
- Provide source under the GPL
- Provide certified binaries for a fee to cover the certification cost, and
He is the copyright holder I presume, so he can do what he wants with the licences.
Re:Source Code is the small charge (Score:2)
It's not really a question whether you have to release the source code. That's a given for GPL code. The functional question is whether or not the source code includes the signing key (if you distribute a signed version). I believe that the answer to that (underlying) question is yes.
First of all we have to distinguish what we think source code is from what the GPL defines it as. In this case: [gnu.org]
Charging is okay, but... (Score:2)
However, I would wonder if the GNU folks would really be so thrilled about it. After all, you're writing code for a platform that supports code-signing technology, which many people fear could greatly hamper the free software movement. So why support the platform? Perhaps y
Re:Charging is okay, but... (Score:3, Interesting)
"You think you can kill off free software by closing your standards? I'll prove you wrong. Free software can thrive even in an unfree environment. Like money, good software drives out bad."
I'd have paid your 500 pounds in full, myself, if it would have run on my wife's Nokia phone. Those games suck.
Take up a collection (Score:5, Interesting)
Besides showing MS your middle finger (which I think you should do) or charging everyone money, why not just ask interested people to donate money until you have enough to pay the fee? You are only interested in not having to pay the fee yourself, so I believe this is a fair plan.
If you want to make money off the deal, the Street Performer Protocol [firstmonday.dk] may work for you. This will be less risky because you don't have to front the £500 yourself. Another guy has one called The Rational Street Performer Protocol [monash.edu.au] if it suits your tastes better.
Maybe not... (Score:1)
"For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."
Would the signing script be considered a script used to control compilation?
Hey, why won't it let me post this anonymously?
Remember: ''source'' is more than just the code (Score:4, Insightful)
Aside from that, if you're looking to recoup your 500 pounds for the signing fee, you might also be in for trouble since once someone buys a single copy, he can legally put up his own web site giving it out for free.
Re:Remember: ''source'' is more than just the code (Score:1)
Re:Remember: ''source'' is more than just the code (Score:2)
> and an unsigned binary, clearly this meets the GPL... Or at least the GPL as I understand it as IANAL.
I think you misunderstood my post. What I'm saying is that if he has a piece of software on his site, "signed gameboy emulator," that is a derivative work of the GPL gameboy emulator whose code it is based on. Therefore he has to provide the tools and source code for modifyin
Re:Remember: ''source'' is more than just the code (Score:1)
The point is that the eventual outcome is the same: without additional proprietary data, it will eventually be unable to recreate a given binary from the given source. However
Re:Remember: ''source'' is more than just the code (Score:2)
> You can distribute source which only compiles on Microsoft's Visual C++ compiler, even though it isn't possible to recreate
> the binary without using proprietary pieces of software.
Well, the GPL makes exceptions for tools that come with major components of the operating system (it even mentions the compiler specifically). Remember that when the GPL was made, there were no free software platforms or compilers! They obviously thought about this situation...
> You can redistribute the source to Q
Re:Remember: ''source'' is more than just the code (Score:1)
Re:Remember: ''source'' is more than just the code (Score:2)
Re:Remember: ''source'' is more than just the code (Score:1)
Re:Remember: ''source'' is more than just the code (Score:1)
Re:Remember: ''source'' is more than just the code (Score:2)
If I may quote the GPL:
"Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted"
So he's allowing copying, distribution, and modification, but not running. Looks good to me.
It's true that the GPL does not restrict how you can run a program.
Nonetheless, you must provide the source (the preferred form for modifying the work) along with the work (the signed binary).
The source mu
interesting... (Score:2)
Then again, if the unsigned version is functionally equivalent to the signed version, then someone savvy enough to compile it would also probably not need the signed version to begin with, they would turn off the signature checking (or whatever... I'm not familiar with the platform).
Probably the easiest thing to do is to conta
Re:interesting... (Score:2)
Ransom License (Score:4, Insightful)
not going to work... (Score:2)
Why not try to get the authors to license it to you by a modified GPL? All you would have to add is an exception for redistributing the private key.
The better option sounds like getting others to front the 500 and get the authors to license it to you under a modified GPL for this case th
You own it, you can license it however you want (Score:1)
unsigned version license: free, straight GPL; anyone can get the source and use it for anything they want, free as in speech and beer.
signed version licence: 5 pound charge, binary only, no redistribution allowed.
This might really fit the "spirit" of the GPL better than releasing a signed binary with GPLed source (but no key) where the user can't reproduce the exact execu
EXCEPT (Score:1)
Bleah, I'm an idiot too.
Re: (Score:2)
Why are you asking Slashdot? (Score:2)
Re:Why are you asking Slashdot? (Score:2)
But... (Score:2)
From the GPL:
Just wondering if the signing tool could fall in the highlighted category.
Re:But... (Score:2)
The kernel source is signed, the signature just isn't in the same file as the source, and it isn't required by tar.
Re:But... (Score:2)
Signed and md5summed tarballs are fine, they don't keep me from getting the kernel sources, modify them, recompile and install.
OTOH, apparently I need some non-free tools and secret data (which I'm assuming that are not part of the normal distribution) in order to install a modified version of
why charge? (Score:2)
Why? (Score:3, Interesting)
Switching to J2ME also solves your code-signing issue; you don't have to sign your programs at all.
/mike
Re:Why? (Score:2)
(I'm not terribly surprised, but that does sound like a lot)
I'm assuming binary use of your hands... I suppose you could easily do ternary since it'd be pretty easy to determine between unbent, fully bent, and halfway bent on figures... which would make the number of phones you'd need to have to be more than you can count 59,050
Re:Why? (Score:2)
Oh, at least. In fact, I wouldn't be surprised if there were several gazillion.
/mike
Re:Why? (Score:1)
interestingly enough, there are several million phones. Perhaps you meant to say:
wow... so there's at least 1024 phone models that'll do j2me?
:-)
Re:Why? (Score:2)
Code signing (Score:2)
In the UK, Orange decided to go with code signing because of the concerns about viruses and the fact they could get some money from each application produced for it.
Microsoft merely provides the ability to enforce it, if the operator so desires.