Digitally Signed License Certificate


Subscribers receive digitally signed and dated license certificates. Each certificate names the recipient and lists the SHS1 checksum of each source file and license file, with a pointer to the known license terms and the original source for each, if known.

The text and format of the certificate are:
CERTIFIED STATEMENT OF LICENSE AND LIMITED WARRANTY
Message-Id: <1033497288$11c12fef$16d54eae$MIBSOFT1@mibsoftware.com>
Date: 10/01/2002

This document certifies that
__,
("You") subject to applicable licenses and disclaimers of warranty, are
permitted to create, use, and/or redistribute copies and derivative works
of the files obtained from Forrest J. Cavalier III doing business as
Mib Software ("Provider") having the listed SHS1 checksums.

A valid, unaltered copy of this document will have an authentic digital
signature.  The SHS1 checksum of this document may be kept on file by
Provider and used as an alternate method of verification.

For methods of using this file to check file integrity, positively
identify licenses, and detect licensing conflicts see
http://www.mibsoftware.com/librock/signed.html

LIMITED WARRANTY
Provider warrants that below each file, the source which Provider used to
obtain the original file is indicated if known, followed by the LIDESC
stamps of the licenses and disclaimers that Provider is aware apply to You
as of this date. 

For software exclusively authored by Provider, Provider warrants that the
listed licenses apply to You.

Provider disclaims all other express and implied warranties to the maximum
extent permitted by law.  Provider's liability to You for all claims related
to this document on any theory of liability is limited to the full amount
paid to Provider by You to obtain this document.

c432e4800c2ccd1c7fd5ee9803c6cb9d8a9b4b7b  ./acquired/zlib/uncompr.c
    >ACQUIRED 2001-10-23 ftp://ftp.uu.net/graphics/png/src/zlib-1.1.3.tar.gz http://www.gzip.org/zlib/
    >License text in <librock/license/zlib.txt> librock_LIDESC_HC=d49ece91d0f3402f1ca405bc4ae7b2a989a56ab2
    >License text in <librock/license/librock.txt> librock_LIDESC_HC=12440211096131f5976d36be0cddca4cd9152e45^C


Q. How can I check for an invalid certificate?

A. A valid, unaltered copy will have an authentic digital signature. You can use an OpenPGP-compliant program like GnuPG or PGP to check that the signature was created using the proper key.
Link to public key.

Alternatively, the SHS1 checksum of the certificate is also kept on file and may be made available to subscribers as an alternate method of verification.

Q. How do I use a certificate to detect source file tampering (unauthorized changes)?

A. When you name the certificate file on the LIDESC command line, LIDESC will report when the SHS1 checksums listed in the certificate do not match the SHS1 checksums of the files present on disk.

For the truly careful who want to know more about the trust and verification chain:
Detecting changes requires trusting the certificate and the checking program, which reads the certificate and each file, then computes and compares each checksum. A valid certificate has a valid digital signature, which can be checked using an OpenPGP-compliant program and the proper public key, or by verifying the SHS1 sum of the entire certificate file. Instead of using the LIDESC program, you can use a 'shs1sum' or 'sha1sum' program to do the per-file verification. (Such a program must accept a file syntax similar to that of GNU md5sum, but with SHS1 checksums.)

Each certificate is generated from the files in the master repository, so simply replacing files on the file distribution server would result in detection. (If you discover that has happened, please report it immediately.)

Q. How do I use a certificate to report licensing for a file?

A. When you name the certificate file on the LIDESC command line, LIDESC will look up entries in the certificate (instead of scanning each file for LIDESC stamps).
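
The per-file tamper check and the license lookup described in the two answers above can be illustrated with a short Python parser for the certificate's file entries. This is an added example, not LIDESC's code and not part of the original page. It assumes SHS1 is the same digest as SHA-1 (as the page's mention of 'sha1sum' implies) and that entries follow the layout of the sample certificate; the function names and the demo files are hypothetical.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Entry: 40 hex digits, two spaces, path (md5sum-style); '>' lines annotate it.
ENTRY = re.compile(r"^([0-9a-f]{40})  (\S.*)$")
STAMP = re.compile(r"librock_LIDESC_HC=([0-9a-f]{40})")
ZLIB_HC = "d49ece91d0f3402f1ca405bc4ae7b2a989a56ab2"  # stamp quoted on the page

def parse_certificate(text):
    """Return {path: {'sha1': hex, 'notes': [...], 'stamps': [...]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            current = {"sha1": m.group(1), "notes": [], "stamps": []}
            entries[m.group(2)] = current
        elif current is not None and line.lstrip().startswith(">"):
            current["notes"].append(line.lstrip()[1:])
            current["stamps"] += STAMP.findall(line)
        elif line.strip():
            current = None  # other text (preamble, signature) ends the entry
    return entries

def verify(entries, root):
    """Map each listed path to 'OK', 'MISMATCH' or 'MISSING'."""
    report = {}
    for path, entry in entries.items():
        full = Path(root, path)
        if not full.is_file():
            report[path] = "MISSING"
            continue
        digest = hashlib.sha1(full.read_bytes()).hexdigest()
        report[path] = "OK" if digest == entry["sha1"] else "MISMATCH"
    return report

def demo():
    """Constructed sample: good.c intact, bad.c altered, gone.c absent."""
    note = "    >License text in <librock/license/zlib.txt> librock_LIDESC_HC="
    with tempfile.TemporaryDirectory() as root:
        cert = "This document certifies that ...\n\n" + "0" * 40 + "  ./gone.c\n"
        for name, body in (("good.c", b"int a;\n"), ("bad.c", b"int b;\n")):
            Path(root, name).write_bytes(body)
            digest = hashlib.sha1(body).hexdigest()
            cert += digest + "  ./" + name + "\n" + note + ZLIB_HC + "\n"
        Path(root, "bad.c").write_bytes(b"int b; /* changed */\n")
        entries = parse_certificate(cert)
        return entries, verify(entries, root)
```

Calling `demo()` returns the parsed entries and the per-file report for the constructed files. The result is only as trustworthy as the certificate itself, so check its OpenPGP signature before relying on the listed checksums.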

Q. Do license certificates expire?

A. Since librock does not include software under time-limited licenses, or licenses which allow authors to change terms retroactively, a certificate becomes "obsolete" only when files are added or changed, or if someone presents evidence that additional or other licensing terms apply to a file. Updated license certificates are created for subscribers whenever needed.


(This page is under development)