I'm developing an application that uses an API key, and I am considering making it open source (probably under the GPLv3).
I've seen How to open-source an application that uses API keys, and am considering designing so that if the API key is provided during compilation (using an included C++ header file), it will be used by the application. Otherwise it will have a first-run wizard and settings panel to set the API key at runtime.
I am planning on distributing my application in the Ubuntu Software Center. Is it possible to distribute binaries of the application with my own API key compiled into it, or would this break the GPL?
I wrote to the FSF, and here is their response:
Given the API key and the source code, people who receive the source
code of your software should be able to compile the same binary they got
from you and use it in the same way. From your description this seems to
be the case.
They should also be free not to use your API key or web service, but to
modify the software and connect it to a web service of their own choice
or design with their own API keys. I'm unfamiliar with the web service/s
in question and therefore I don't know if this is relevant to your
specific situation.
I hope this answer is of help. Please feel free to write back if you
have any further questions.
--
I am not a lawyer, the above is not legal advice
Regards, Yoni Rabkin
Related
My app was rejected due to this ,Please help me to resolve this .This issue is new to me .
Guideline 2.5.1 - Performance - Software Requirements
Your app uses or references the following non-public APIs:
"_IOObjectRelease, IOServiceGetMatchingService, IOServiceMatching
The use of non-public APIs is not permitted on the App Store because it can lead to a poor user experience should these APIs change. Continuing to use or conceal non-public APIs in future submissions of this app may result in the termination of your Apple Developer account, as well as removal of all associated apps from the App Store.
Next Steps
If you are using third-party libraries, please update to the most recent version of those libraries. If you do not have access to the libraries' source, you may be able to search the compiled binary using the "strings" or "otool" command line tools. The "strings" tool can output a list of the methods that the library calls and "otool -ov" will output the Objective-C class structures and their defined methods. These tools can help you narrow down where the problematic code resides. You could also use the "nm" tool to verify if any third-party libraries are calling these APIs.
Resources
For information on the "nm" tool, please review the "nm tool" Xcode manual page. If there are no alternatives for providing the functionality your app requires, you can file an enhancement request.
Thanks in Advance !!!
So I have this bit of a project planned for Windows Store and Android. Basically, a networking multi-tool coupled with a scripting engine to implement protocols and behavior. Ideal uses being things like "my embedded device uses this simplistic network protocol. I'd like to quickly prototype a way to control it from my tablet".
It's my understanding that the Android market should have no problem with this. However, the Windows Store policy includes a vague clause concerning remote code execution
3.9 All app logic must originate from, and reside in, your app package Your app must not attempt to change or extend the packaged content
through any form of dynamic inclusion of code or data that changes how
the application interacts with the Windows Runtime, or behaves with
regard to Store policy. It is not permissible, for example, to
download a remote script and subsequently execute that script in the
local context of your app package.
Of course, the scripting engine will be sandboxed and such and should be "safe"(completely intepreted, no reflection), but does it violate this policy?
If you build in your scripting engine, and only run local scripts, you will be good. However, if you were thinking to have a repository of scripts that could be downloaded and subsequently run, that would be in violation of the policy as we understand it.
Unfortunately I don't think anyone but someone on that team can answer that (or someone with direct experience in that) because of the closeness to the legal language. Have you tried the Windows Store Appl Publishing forum at: http://social.msdn.microsoft.com/Forums/en-US/windowsstore/threads
In the context of scripting engine example given, unless the app modifies the scripting engine after deployment on user's system such that the representation of protocol/behavior (the script artifact's format) is made to change then it'll be policy violation. Its as if you submit Python interpreter, and at some point in time it abruptly moves onto interpreting ecmascript.
Im developing a win 8 game in js.
When i deploy my app, can any user can see my code files?
My files has some database passwords, i need to ofuscate it?
There's not really any good way to prevent people from mucking with your REST service if it's public. Sure, you can obfuscate things, digitally sign code, pass around certificates, etc. But in the end it's always possible for someone to reverse engineer your code, emulate a trusted client, or diagnose the network traffic directly.
A better solution here is to focus on mitigating unwanted attacks. Validate the input coming into each web service call, trust nothing, and do a threat analysis on your API. For example, if you were writing a Battleship game, have the server keep track of where each ship is and never expose that information to the clients, allowing them to write a fake client that could cheat. Do the scoring server side, so people can't just post fake scores and get on the high score list.
With that said, unless you're writing the next World of Warcraft, it's unlikely anyone cares enough about your game to jump through any hoops.
Everyone has access to every source file of your app. You just have to go to C:\Program Files\WindowsApps\ to see all your installed apps. If you have a HTML5 app installed, you'll notice that all the .html and .js files are freely accessible by anyone.
You may want to make a simple C# library that won't be so easy to reverse engineer, and put in it the "security critical" parts of your app. You can see how to integrate C# in HTML/JS apps in this MSDN page: http://msdn.microsoft.com/en-us/library/windows/apps/hh779077%28v=vs.110%29.aspx
I'm looking for the equivalent of a URL shortening service such as http://bit.ly/ for an internal deployment in our organisation. Anyone know of any open source projects (especially Java ones) or commercial products which I can install internally rather than using an external service?
Thanks!
Shorty : http://get-shorty.com/
But there's several other url shortener .... most of them are in PHP/Mysql.
Don't know if a Java one exist.
http://monkeytooth.net/2010/12/htaccess-php-how-to-wordpress-slugs/
tells you the core basics of how to achieve the concept with PHP and Htaccess building up from there I can say would solely be on your own. However not all to hard a concept in general to build off of if you know php/mysql. That said your not likely to find anything directly built in JavaScript however using this with JavaScript again wouldn't be all that hard a concept. I say your not likely to find one JS based as you need some type of server-side script to communicate with a DB somewhere, where you have all your short URL identifiers, and JavaScript to my knowledge doesn't support directly at least database connectivity. You can go through any means of AJAX to communicate with a server-side script to then do what you want with the JavaScript though.
There was a challenging situation happened when i was working with install to provide product key validation. I had to use C++ unmanaged code to validate the key. Actually we had the main validation logic written in C# and I had to create a mixed project. Problem was not stopped only with these, it continued. Since I used VC++ code, it expected atleast the VC++ runtime redistributable to be installed in the client machine. I thought of dropping the plan to migrate our install to Wix because of these kind of problems.
But I came to know that there is a nice and very cool feature that DTF is available in Wix to integrate any kind of actions in C#. I used it and could integrate the key validation in couple of hours and till now it is working fine in all client machine I implemented before 6 month.
Do you have any interesting moment or nice experience with DTF?
Search my blog at http://blog.deploymentengineering.com for DTF and you'll find a lot of useful content. I love DTF but I still believe that the best solution is to avoid a CA whenever possible in the first place. C#, like VBScript before it, is so luring that it tends to suck imperative thinking developers into writing CAs when not needed. I believe this is the reason DTF wasn't released for so long.
At my day job my approval is required for anyone who believes they need a CA. I instruct the developers on basic MSI philosphy, how to use DTF, how to attach a debugger and I make it clear that they are on the hook if it ever has any issues. The result is very few but well written CAs in our product line.
I have written several .NET CAs to support our WiX based installs:
Managed Wrapper around HTTPAPI.DLL - supports creating IP/Port SSL bindings and HTTP Url ACLs for use in deploying WCF services. I plan to turn this one into a Wix Extension. It was very interesting learning how to properly handle rollbacks, etc.
SSL Picker dialog that displays all the SSL certificates on the system and allows you to pick one.
SQL Server browser dialog - lets you browse your network for SQL Servers and then browse SQL Servers for Databases. Optionally uses impersonation. This is for crafting a connection string.
I am in the process of writing a set of CAs that will use the Microsoft.Web.Administration assembly to do native installs of web applications on IIS 7 (without requiring the IIS 6 Metabase Compatibilty feature be installed).
First off, the C#/DTF custom actions are still custom actions (no magic here :-)), so you should follow all the various CA guidelines working with this kind as well. It simplifies most of MSI tasks by abstracting low-level API behind the high level well-designed classes. Also, keep in mind that you can use managed code CA only in case the target machine has .NET installed (or install it as a prerequisite). Finally, the dtf.chm documentation which is distributed along with WiX toolset has some simple, but self-explanatory examples.
Hope this helps.