We’re Off and Running!

Today we have reached a significant milestone for us Symbian security people, and for the Symbian Platform in general. The OS Security package source code is now available under the Eclipse Public License (EPL) and it is the very first package to be officially moved from the closed Symbian Foundation License (SFL) to be open sourced under the EPL.

I want to publicly thank everyone who pulled out the stops to make this happen, particularly Santosh Patil and William Roberts who did most of the heavy lifting, but also many others who were involved in the approval process inside and outside Symbian.

Why was this package the first to go through this process? There was a practical reason and a symbolic reason:

The practical reason is the export regulations in the UK, where the Symbian Platform source code is hosted. The rules and regulations weren’t really written with source code in mind, and we found that it wasn’t feasible to get an export license which permitted the SFL crypto library source code to be exported. Fortunately there is an exemption for software “in the public domain”, meaning that open source software isn’t export controlled, so moving it from SFL to EPL was the most straightforward way to make sure that the complete cryptographic functionality would be available to all.

The symbolic reason is to demonstrate that we really are serious about providing a platform that is both open and secure. We’ve always been open about the design of our platform security mechanisms. Now we’ve started being open about their implementation as well. Cryptographers know to distrust cryptographic algorithm implementations that aren’t open to peer review, so here are ours. Our algorithm implementations were actually derived from the public domain Crypto++ library some years ago, and our thanks go to Wei Dai for making that available.

One final note for those who dive in to the source code: you’ll notice that the crypto library source is in a directory called “weakcrypto”, but that’s for arcane historical reasons and it does actually include the full crypto library code. There are two project build files:

  • crypto.mmp builds weak_cryptography.dll which limits symmetric keys to 56 bits and asymmetric keys to 512 bits (I suppose this might still be needed for some devices in some jurisdictions?)
  • strong_crypto.mmp builds strong_cryptography.dll which has no arbitrary limit on key sizes.

Congratulations to all involved, and I’m now looking forward to the next package we can move to open source (the application installer would be my preference, but let’s see :-)).


21 Responses to “We’re Off and Running!”

  1. Security package in EPL…tick…what’s next? « Symbian Blog Says:

    […] and obtain approval for EPLing asap. Easier said than done, as you can read in Craig’s post We’re Off and Running! it was a steep learning curve for all of us involved, despite everyone’s, and I mean this, […]

  2. [CNET] First open-source Symbian software released - Overclock.net - Overclocking.net Says:

    […] moved from the closed Symbian Foundation License (SFL) to…the EPL," Heath wrote in a blog post. Heath said the EPL would allow the security package to bypass export regulations in the U.K., […]

  3. Symbian da su primer paso hacia el open source Says:

    […] Symbian Foundation Security Blog Descarga OS Security Package (código fuente) Tags: codigo-fuente, nokia, open-source, Symbian […]

  4. Jack Says:

    I’d like to see the Wifi stack opened up next, so that we can add PAP authentication support to the EAP-TTLS protocol, for crying outloud!

  5. Craig H Says:

    @Jack, sounds good, are you volunteering? 🙂

    EAP-TTLS is in the Access Security package (alas not open sourced yet,) and it actually looks to me like TTLS-PAP is already in there for Symbian^2. The package owner just left for his summer vacation, but I will definitely discuss this with him when he gets back, thanks!

    • Panu Says:

      Yes, Craig is correct. EAP-TTLS/PAP support is there in Symbian^2. I am also working on getting my Access Security package open sourced soon.

  6. Symbian cambia licenza! Says:

    […] si può leggere nel blog (http://secblog.symbian.org/2009/07/08/were-off-and-running/) l’OS Security Package source code è ora disponibile sotto la licenza Eclipse Public Licence […]

  7. Symbian Foundation releases first open source package -> TamsS60 Says:

    […] opensource code due to legal reasons – this has now changed. The statement below is from the Symbian Foundation blog: Today we have reached a significant milestone for us Symbian security people, and for the Symbian […]

  8. Top Posts « WordPress.com Says:

    […] We’re Off and Running! Today we have reached a significant milestone for us Symbian security people, and for the Symbian Platform in general. […] […]

  9. christooss Says:

    How to install this thingy?

    • Craig H Says:

      @christooss, it depends on what you want to do with it! If you have a phone with Symbian OS v8.0 or newer, it’s already on there. If you want to experiment with changing it, the easiest way is to use the emulator that comes with the SDK and compile new DLLs for the emulator environment.

  10. Symbian Foundation releases open source code | PDA-247 Says:

    […] Symbian Foundation has finally released some open source code after much waiting and this could be the start of something good in the […]

  11. The First Open Source Symbian Software Says:

    […] Wednesday the Symbian made it available the very first packages of EPL or the OS Securiy Package system. According to the Symbian developer, Craig Heath, The OS Package is a great source of new codes now […]

  12. Symbian libera código de pacote de segurança | FórumWEB Says:

    […] anúncio envolvendo o pacote de segurança foi feito ontem no blog da empresa, junto com duas explicações sobre a decisão do grupo: uma prática e outra […]

  13. HowtoForge Linux Tutorials » Symbian-Betriebssystem: Erstes Zubehör als Open-Source lizensiert Says:

    […] einer Eclipse-Lizenz wurden erste Bestandteile des mobilen Betriebssystems der Symbian Foundation veröffentlich. Die Symbian Foundation besteht seit 2008 und arbeitet an der Auslieferung eines quelloffenen […]

  14. Código Aberto na Symbian - Mobile Says:

    […] notícia sobre o pacote de segurança foi realizada ontem no Symbian Foundation Security Blog, junto com duas explicações sobre esta ação: uma prática e outra […]

  15. Confused Says:

    Open Source software isn’t in the public domain, it’s copyrighted and held under an Open Source license by the copyright holder. Public Domain refers to the release of ownership of works into the public in general so that there is no owner and anyone can do with it what they will with no restrictions.

    • Craig H Says:

      @Confused – in the context of copyright law, I agree with you completely. However, in the context of export control law, I’m reliably informed that the phrase means something subtly different (and that’s why I put it in quotes). However, I Am Not A Lawyer, and I can’t give you a definitive reference for that, sorry!

  16. Symbian OS Security Package Goes Open Source | Symbian-Guru.com Says:

    […] at the Symbian Foundation Security Blog they’ve announced that the Symbian OS Security Package have now gone from Symbian Foundation […]

  17. Best of 2009: Chosen by a package owner | Chris Dudding Says:

    […] First package moved to EPL (July) Craig Heath tells the story of the OS Security package moving to EPL. […]

  18. Best of 2009 v1 | Symbian Blog Says:

    […] First package moved to EPL (July) Craig Heath tells the story of the OS Security package moving to EPL. […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: