Today we have reached a significant milestone for us Symbian security people, and for the Symbian Platform in general. The OS Security package source code is now available under the Eclipse Public License (EPL) and it is the very first package to be officially moved from the closed Symbian Foundation License (SFL) to be open sourced under the EPL.
I want to publicly thank everyone who pulled out the stops to make this happen, particularly Santosh Patil and William Roberts who did most of the heavy lifting, but also many others who were involved in the approval process inside and outside Symbian.
Why was this package the first to go through this process? There was a practical reason and a symbolic reason:
The practical reason is the export regulations in the UK, where the Symbian Platform source code is hosted. The rules and regulations weren’t really written with source code in mind, and we found that it wasn’t feasible to get an export license which permitted the SFL crypto library source code to be exported. Fortunately there is an exemption for software “in the public domain”, meaning that open source software isn’t export controlled, so moving it from SFL to EPL was the most straightforward way to make sure that the complete cryptographic functionality would be available to all.
The symbolic reason is to demonstrate that we really are serious about providing a platform that is both open and secure. We’ve always been open about the design of our platform security mechanisms. Now we’ve started being open about their implementation as well. Cryptographers know to distrust cryptographic algorithm implementations that aren’t open to peer review, so here are ours. Our algorithm implementations were actually derived from the public domain Crypto++ library some years ago, and our thanks go to Wei Dai for making that available.
One final note for those who dive into the source code: you’ll notice that the crypto library source is in a directory called “weakcrypto”, but that’s for arcane historical reasons and it does actually include the full crypto library code. There are two project build files:
- crypto.mmp builds weak_cryptography.dll which limits symmetric keys to 56 bits and asymmetric keys to 512 bits (I suppose this might still be needed for some devices in some jurisdictions?)
- strong_crypto.mmp builds strong_cryptography.dll which has no arbitrary limit on key sizes.
Congratulations to all involved, and I’m now looking forward to the next package we can move to open source (the application installer would be my preference, but let’s see).
Wed, 08 Jul 2009 at 8:07 pm |
[...] and obtain approval for EPLing asap. Easier said than done, as you can read in Craig’s post We’re Off and Running! it was a steep learning curve for all of us involved, despite everyone’s, and I mean this, [...]
Thu, 09 Jul 2009 at 5:51 pm |
[...] moved from the closed Symbian Foundation License (SFL) to…the EPL," Heath wrote in a blog post. Heath said the EPL would allow the security package to bypass export regulations in the U.K., [...]
Fri, 10 Jul 2009 at 10:16 am |
[...] Symbian Foundation Security Blog Download OS Security Package (source code) Tags: codigo-fuente, nokia, open-source, Symbian [...]
Fri, 10 Jul 2009 at 2:12 pm |
I’d like to see the Wifi stack opened up next, so that we can add PAP authentication support to the EAP-TTLS protocol, for crying out loud!
Fri, 10 Jul 2009 at 4:09 pm |
@Jack, sounds good, are you volunteering?
EAP-TTLS is in the Access Security package (alas not open sourced yet,) and it actually looks to me like TTLS-PAP is already in there for Symbian^2. The package owner just left for his summer vacation, but I will definitely discuss this with him when he gets back, thanks!
Thu, 06 Aug 2009 at 6:56 am |
Yes, Craig is correct. EAP-TTLS/PAP support is there in Symbian^2. I am also working on getting my Access Security package open sourced soon.
Fri, 10 Jul 2009 at 9:02 pm |
[...] as can be read on the blog (http://secblog.symbian.org/2009/07/08/were-off-and-running/), the OS Security Package source code is now available under the Eclipse Public Licence [...]
Fri, 10 Jul 2009 at 11:36 pm |
[...] opensource code due to legal reasons – this has now changed. The statement below is from the Symbian Foundation blog: Today we have reached a significant milestone for us Symbian security people, and for the Symbian [...]
Sat, 11 Jul 2009 at 12:21 am |
[...] We’re Off and Running! Today we have reached a significant milestone for us Symbian security people, and for the Symbian Platform in general. [...] [...]
Sat, 11 Jul 2009 at 8:11 pm |
How to install this thingy?
Sun, 12 Jul 2009 at 8:26 pm |
@christooss, it depends on what you want to do with it! If you have a phone with Symbian OS v8.0 or newer, it’s already on there. If you want to experiment with changing it, the easiest way is to use the emulator that comes with the SDK and compile new DLLs for the emulator environment.
Mon, 13 Jul 2009 at 2:06 am |
[...] Symbian Foundation has finally released some open source code after much waiting and this could be the start of something good in the [...]
Mon, 13 Jul 2009 at 4:21 am |
[...] Wednesday the Symbian made it available the very first packages of EPL or the OS Security Package system. According to the Symbian developer, Craig Heath, The OS Package is a great source of new codes now [...]
Mon, 13 Jul 2009 at 5:32 am |
[...] announcement involving the security package was made yesterday on the company’s blog, along with two explanations for the group’s decision: one practical and the other [...]
Mon, 13 Jul 2009 at 5:11 pm |
[...] an Eclipse license, the first components of the Symbian Foundation’s mobile operating system have been published. The Symbian Foundation has existed since 2008 and is working on delivering an open-source [...]
Mon, 13 Jul 2009 at 9:21 pm |
[...] news about the security package was announced yesterday on the Symbian Foundation Security Blog, along with two explanations for this action: one practical and the other [...]
Tue, 14 Jul 2009 at 4:14 pm |
Open Source software isn’t in the public domain, it’s copyrighted and held under an Open Source license by the copyright holder. Public Domain refers to the release of ownership of works into the public in general so that there is no owner and anyone can do with it what they will with no restrictions.
Tue, 14 Jul 2009 at 4:54 pm |
@Confused – in the context of copyright law, I agree with you completely. However, in the context of export control law, I’m reliably informed that the phrase means something subtly different (and that’s why I put it in quotes). However, I Am Not A Lawyer, and I can’t give you a definitive reference for that, sorry!
Wed, 15 Jul 2009 at 9:03 pm |
[...] at the Symbian Foundation Security Blog they’ve announced that the Symbian OS Security Package have now gone from Symbian Foundation [...]
Mon, 21 Dec 2009 at 9:44 am |
[...] First package moved to EPL (July) Craig Heath tells the story of the OS Security package moving to EPL. [...]