
LGPL legality question

Started by September 10, 2003 11:21 AM
18 comments, last by FearedPixel 21 years, 4 months ago
quote:
Original post by FearedPixel
No, I have nothing against the philosophy of open source, I am all for it.
I actually didn't mean to imply that you were. My rant was rather about software engineering philosophy, and the role Open Source plays in this process; modularity and interface design.

As Sneftel pointed out, if you are developing a multi-player client: DON'T TRUST THE CLIENT! DON'T TRUST THE ALGORITHM! Assume that the communication protocol between the server and client is open (i.e. known to the public), just as you would assume the encryption algorithm to be open in an encryption scheme and put all the trust in the key, or as an HTTP server never trusts the client. Security by obscurity is evil, and Open Source [philosophy] provides a mechanism against it.

It is quite possible to develop a multi-player system, where both the client and server are Open Source, without increased risk of compromise, and such projects exist AFAIK. What you rely on with "closed source" is security by obscurity; which is bad karma.
quote:
Original post by CWizard
quote:
Original post by FearedPixel
No, I have nothing against the philosophy of open source, I am all for it.
I actually didn't mean to imply that you were. My rant was rather about software engineering philosophy, and the role Open Source plays in this process; modularity and interface design.

As Sneftel pointed out, if you are developing a multi-player client: DON'T TRUST THE CLIENT! DON'T TRUST THE ALGORITHM! Assume that the communication protocol between the server and client is open (i.e. known to the public), just as you would assume the encryption algorithm to be open in an encryption scheme and put all the trust in the key, or as an HTTP server never trusts the client. Security by obscurity is evil, and Open Source [philosophy] provides a mechanism against it.

It is quite possible to develop a multi-player system, where both the client and server are Open Source, without increased risk of compromise, and such projects exist AFAIK. What you rely on with "closed source" is security by obscurity; which is bad karma.
I see.
But still, the short reply is quite simply, no. It will not work in my case. I have always been aware of that design philosophy; it applies not only to open source, but closed source too. In my case that will still not help. The cheating is not of the nature where they do something that shouldn't be allowed. I do appreciate the feedback though, and more is welcome.
quote:
I can keep my software closed if I dynamically link to the library. What I want to avoid is people replacing the DLL of the library, so would it be legal to put a check in my program that ensures it is using the dll that it was distributed with?

I am not a lawyer, but I think this is perfectly acceptable. I also wouldn't say this goes against the spirit of the license, since people still get access to any changes you have made to the library and can use them in their own projects.

quote:
The problem is, that my project will fail if people can use customized versions of an open source library.

As others have pointed out, don't trust the client if this is a security issue. If it's just a compatibility issue where your project requires a certain version of the library, I would not worry about others modifying the library if you install it in a private place for your application (rather than as a shared DLL).
quote:
Original post by FearedPixel
But still, the short reply is quite simply, no. It will not work in my case. I have always been aware of that design philosophy; it applies not only to open source, but closed source too. In my case that will still not help. The cheating is not of the nature where they do something that shouldn't be allowed. I do appreciate the feedback though, and more is welcome.
Ok. There are methods of making it difficult for the user to change the library (e.g. checksum), but I doubt you can do it without violating the LGPL. As has been said, it is required by the license that the source code be distributed and the program able to be run with a recompiled library. If you use a checksum (or similar technique), you need very good luck in order to have it working with a recompiled library.

So, if you want to use the library and be faithful to the license, you need to come up with some scheme to authenticate its input and output, and/or perhaps its side effects. As we do not know what library it is, how you are using it, and what sort of (ab)use you need to prevent, it is hard to suggest techniques, although I suspect that it should be possible.
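The "authenticate its input and output" scheme suggested above, as an added example that is not from any poster in this thread: the server never trusts the client's copy of the library, but re-runs its own trusted copy over server-authoritative inputs and compares the client's claimed output. The library function, the game state and the report format are all constructed stand-ins for the unnamed library.

```python
# Constructed example: server-side verification of a result that a client
# computed with a (possibly modified) shared library.
from typing import Dict, Tuple

# Stand-in for the LGPL library's pure function. The server links its own,
# trusted copy; whatever the client's DLL does is irrelevant to the outcome.
def lib_score_hit(attacker_power: int, target_armor: int) -> int:
    return max(0, attacker_power * 2 - target_armor)

# Server-authoritative state (constructed). Inputs to the library come from
# here, never from the client's report, so a tampered client cannot inflate them.
SERVER_STATE: Dict[str, Dict[str, int]] = {
    "player1": {"power": 10},
    "npc7": {"armor": 5},
}

def verify_client_report(report: dict) -> Tuple[bool, str]:
    """Return (accepted, reason) for a client's claimed hit result.

    Only the identities and the claimed output are taken from the client;
    the numeric inputs are looked up in SERVER_STATE and the trusted library
    is re-run to see whether the claim is consistent with it.
    """
    for key in ("attacker", "target", "claimed_damage"):
        if key not in report:
            return False, f"malformed report: missing {key}"
    if not isinstance(report["claimed_damage"], int):
        return False, "claimed_damage must be an integer"
    attacker = SERVER_STATE.get(report["attacker"])
    target = SERVER_STATE.get(report["target"])
    if attacker is None or "power" not in attacker:
        return False, "unknown attacker"
    if target is None or "armor" not in target:
        return False, "unknown target"
    expected = lib_score_hit(attacker["power"], target["armor"])
    if expected != report["claimed_damage"]:
        # The client's library (modified or not) disagrees with ours: reject
        # and log; the server's value is the only one that is applied.
        return False, f"claimed {report['claimed_damage']}, server computed {expected}"
    return True, "accepted"

if __name__ == "__main__":
    print(verify_client_report({"attacker": "player1", "target": "npc7", "claimed_damage": 15}))
    print(verify_client_report({"attacker": "player1", "target": "npc7", "claimed_damage": 999}))
```

The checksum-free approach keeps the client free to relink against a recompiled library, as the license quoted later in the thread requires, while still denying a modified library any influence over the authoritative result.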
quote:
As has been said, it is required by the license that the source code be distributed and the program able to be run with a recompiled library.

Please show this clause. There's really no way that you can guarantee that a program will run if someone modifies and re-compiles one of its binaries.

AFAIK, the LGPL just states that you have to provide the source for the library with your application that uses the library. People can modify the source and recompile it for their own uses, but your closed-source app does not need to work with such modifications.
quote:
Original post by HenryApe
quote:
As has been said, it is required by the license that the source code be distributed and the program able to be run with a recompiled library.
Please show this clause. There's really no way that you can guarantee that a program will run if someone modifies and re-compiles one of its binaries.
Here...
quote:
From GNU Lesser General Public License
Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.

And further in section 6:
quote:
6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.

You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:

  • a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
  • b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.
  • c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
  • d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
  • e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.
[edited by - CWizard on September 15, 2003 6:55:20 PM]
quote:
Original post by FearedPixel
Out of curiosity, if I have a function pointer pointing to a dll function, is it possible to get to the actual binary definition of the function? In order to perform size and checksum tests on the actual code of the function?
Yes, a function pointer (in C/C++) will point to the function's entry point, so what follows that address is the compiled machine code of the function (there is no telling where the function image ends, however, besides searching for the instruction). Different compilers on different platforms with different configuration will produce different machine code. And, the LGPL requires that this is possible. It is your choice if you want to be faithful to the license or not; I doubt you will be thrown in jail if you're not.
quote:
so that the user can modify the Library and then relink to produce a modified executable containing the modified Library.
As far as I can tell, this text just says you need to be able to produce a modified executable, not that the executable must be able to run.

The other clause "will operate properly with a modified version of the library" says that the application needs to be able to run, but I think doing a version/checksum check and exiting can be considered proper operation from this legal perspective (again, I'm not a lawyer). Aren't there plenty of apps out there that respond "bzzt, you need version x.y.z of library foo to continue" if you have the wrong version of a LGPLed library?

The license does not say that the program must work the same way with different versions of the library. After all, the whole point of the license is to allow people to modify the code to get rid of unwanted behavior, mostly bugs, and that would be impossible if the license demanded software to work the same way with a modified version of the library.

I must admit that I'm starting to see why bigger companies use other, clearer, licenses instead.

[edited by - HenryAPe on September 16, 2003 3:52:20 AM]
quote:
Original post by HenryApe
I think doing a version/checksum check and exiting can be considered proper operation from this legal perspective (again, I'm not a lawyer). Aren't there plenty of apps out there that respond "bzzt, you need version x.y.z of library foo to continue" if you have the wrong version of a LGPLed library?
Yes, but that is not what is happening here; source version and binary version are two different things.
quote:
After all, the whole point of the license is to allow people to modify the code to get rid of unwanted behavior
Exactly, and that isn't possible if he would require his own compiled binary.
quote:
and that would be impossible if the license demanded software to work the same way with modified version of the library.
Operate properly.

The purpose of the GNU [Lesser] Public License is to grant freedom for the user; if you have a piece of software, you shall be allowed to do whatever you want with it. If there is a checksum on the library, it denies the user the freedom of modifying the LGPL'ed library and using it with the program - which clearly is a violation of the license.

FearedPixel, I suggest you contact the author of the library, explain your situation, and ask whether you are granted permission to use the library the way you feel necessary. If the author is not happy with that, respect it; it is his software. If you are really desperate, send an e-mail to RMS himself and ask for advice.
I don't think you can ever eliminate the kind of cheating you're talking about with a single solution. Many closed-source games already do authenticate their DLLs but it hasn't stopped the hackers, only made it a bit more inconvenient for them... Anti-cheat solutions are now much like antivirus programs; they're updated regularly with new cheat signatures that are compared to what's running in your RAM.

This topic is closed to new replies.
