Mikel Artetxe <[email protected]> writes:

> Oh! I see. You wrote that "you could sign the language pairs with your
> public key", but you actually meant your *private* key. That makes
> sense, of course.

doh :-)

> Let me try explaining again: Your app has your own public key
> hardcoded. You sign any language pairs that you upload to your server
> with your private key. Your app uses the hardcoded public key to verify
> on download that the pairs have been signed with the corresponding
> private key. If they are unsigned or signed with some other private
> key, they will fail the test.
>
> Sure. In fact, that's exactly what I was proposing from the beginning.
> Jim's point was that we would be forced to publish our private key
> because of GPL, but it looks like that wouldn't be necessary after
> all.

apt-get is GPL, and it uses a set of public keys to check the downloaded
software. It lets you change its keyring of course, but a user could do
that with Mitzuli as well by downloading the source and swapping out the
public key for their own and signing their own language pairs etc.

I don't know the details of how the GPL works on this, but I thought the
issue arose when you packaged some *private* key, and had to decrypt
something[1]. In Mitzuli's case, however, only public keys are packaged,
and public signatures are downloaded. No private key is required in the
software for any functionality.

[1] The obvious unfree example would be if we wanted people not to make
    copies of the language pair (say they were paid for), and so we
    encrypted the language pairs and shipped a private key in the app.
    That, I'm fairly sure, is GPL-infringing.

--
Kevin Brubeck Unhammer
GPG: 0x766AC60C
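
Added example, not part of the original message and not Mitzuli's code: a Node.js sketch of the scheme discussed in this thread, where the publisher signs a language pair with the private key and the app verifies the download against a hardcoded public key. The function names, the sample payload and the choice of Ed25519 are assumptions; the thread does not name an algorithm.

```javascript
// Added illustration; signPackage/verifyDownload are hypothetical names and
// Ed25519 is an assumed algorithm (the thread does not name one).
const crypto = require("node:crypto");

// Publisher side: runs where the private key lives, never inside the app.
function signPackage(privateKey, packageBytes) {
  return crypto.sign(null, packageBytes, privateKey); // null digest: Ed25519
}

// App side: only the pinned public key (PEM) ships with the app.
function verifyDownload(pinnedPublicKeyPem, packageBytes, signature) {
  // A missing or wrong-length signature is a failure, never a silent skip.
  if (!Buffer.isBuffer(signature) || signature.length !== 64) return false;
  const publicKey = crypto.createPublicKey(pinnedPublicKeyPem);
  return crypto.verify(null, packageBytes, publicKey, signature);
}

function demo() {
  // Constructed keys and payload, generated fresh on each run.
  const publisher = crypto.generateKeyPairSync("ed25519");
  const other = crypto.generateKeyPairSync("ed25519");
  const pem = (k) => k.publicKey.export({ type: "spki", format: "pem" });
  const pkg = Buffer.from("constructed language pair payload");
  const sig = signPackage(publisher.privateKey, pkg);
  const otherSig = signPackage(other.privateKey, pkg);
  const tampered = Buffer.concat([pkg, Buffer.from("!")]);
  return {
    genuine: verifyDownload(pem(publisher), pkg, sig),
    tampered: verifyDownload(pem(publisher), tampered, sig),
    otherKey: verifyDownload(pem(publisher), pkg, otherSig),
    unsigned: verifyDownload(pem(publisher), pkg, null),
    // A rebuilt app pinning a different public key accepts that key's
    // signatures, without ever needing the original private key.
    rebuiltApp: verifyDownload(pem(other), pkg, otherSig),
  };
}

console.log(demo());
```

Only the genuine download passes against the publisher's pinned key; the last case mirrors the keyring-swap point made above, where a rebuilt app trusts whichever public key it was built with.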
