10 Replies Latest reply: Mar 21, 2011 3:20 PM by Peter Johnson

illegal to obfuscate open source jars?

Dave Chen Master

Hello, is it legal to obfuscate open source libraries such as Hibernate, httpClient, Apache common, richfaces, etc. in order to make it more difficult to reverse engineer Java code for IP protection? Also, jar names are renamed to meaningless names such as a.jar, b.jar.

 

In the distribution readme, open source libraries are mentioned.

 

Thanks.

Dave

  • 1. illegal to obfuscate open source jars?
    jaikiran pai Master

    Moved to "Legal" forum where questions like this are discussed.

  • 2. illegal to obfuscate open source jars?
    Wolf-Dieter Fink Master

    I'm not sure,

    renaming might not be an issue because the jar can be identified by META-INF.

    But obfuscating IMHO is against the open source license; on one hand you might provide the source code, on the other hand it is a strong intervention.

    I think it depends on the licence of each library you try to obfuscate, and a lawyer might interpret it differently.

     

    But why do you try this? It is open source and everybody might have the source code.

  • 3. illegal to obfuscate open source jars?
    Dave Chen Master

    After obfuscating a web application and the libraries it uses, it will make it harder to find the calling points.

  • 4. illegal to obfuscate open source jars?
    Dave Chen Master

    If it is legal, it is best to obfuscate all libraries including JDK/JVM libraries using proguard. I am not sure if it is possible.

  • 5. illegal to obfuscate open source jars?
    Peter Johnson Master

    Most of the open source licenses require that you ship the source code for the open source JARs that you ship with your product (or at least make them available on demand). The licenses also require that you prominently identify (usually in documentation) the open source JARs that. So if you have to provide the source and mention which ones you use, why obfuscate them? And as Wolf-Dieter mentioned, it might not be strictly against the license, but it does sort of go against the spirit.

     

    I suspect you are asking this because your build process automatically obfuscates all JARs. I recommend that you exclude the open source JARs from that part of the process.

     

    Oh, one thought - many of the licenses (e.g. LGPL) require that if you modify the code, that you provide the modified sources. Thus if the obfuscator changes anything within the JARs (e.g., changes method names, juggles the algorithms, etc.), then you must provide source code that matches the obfuscated code. The Apache license doesn't require this, all it requires is attribution.

  • 6. illegal to obfuscate open source jars?
    Dave Chen Master

    Thanks for comments.  The purpose of obfuscating code is to protect our own code, not open source code. If we obfuscate all jars used together with our code, it would make it more difficult to figure out where and how our code uses the open-source api. For example, for some security code using java crypto API, if we can obfuscate such API, it would be much harder for others to break the code and figure out crypto algorithms, etc.

     

    We can ship the open-source code or make it available on website for download on demand. But to my knowledge, it is not required to document how our code uses the open-source API. So in my opinion, it makes no difference to obfuscate it or not because it is not meant to let people read the bytecode and reverse engineer the code. Just my opinion.

  • 7. illegal to obfuscate open source jars?
    Wolf-Dieter Fink Master

    'just my opinion' -> I thought in a similar way before ....

    Some lawyer checked the 'open source' license stuff for the product and there are a lot of issues that might sin against the licenses.

     

    So it depends on your product and on your company what is acceptable; the decision in that case was to be unappeasable.

  • 8. Re: illegal to obfuscate open source jars?
    Peter Johnson Master

    "So in my opinion, it makes no difference to obfuscate it"

    Please define the second "it" in the above quote. I think that you meant "your proprietary code" but based on the sentence structure the term "it" seems to be referring to the open source JARs.

     

    And I agree that there is nothing to prevent you from obfuscating your code, even if your code uses open source libraries. (Though you do have to be really careful with using GPLed code...)

     

    But licenses are sort of strange because they don't mean anything unless the license holder is willing to enforce the license. And I think that the open source community is very lax on enforcement of their licenses. There might be occasional rumblings in forums or blog posts, though usually from consumers of products that are not following the licensing requirements of the open source software they contain. Unless a license holder is willing to throw lawyers at a license violator, the license is in effect not worth the paper on which it is printed.

     

    Of course, throwing lawyers at an open source license infringer does not always guarantee a clear outcome. Here is some worthwhile reading:

    http://en.wikipedia.org/wiki/Jacobsen_v._Katzer

  • 9. illegal to obfuscate open source jars?
    Dave Chen Master

    Thanks for info.

    LGPL/GPLed software allows companies to modify them and redistribute them. Obfuscation is one kind of modification. So it should be legal. Of course, companies can provide obfuscated open-source jars for download on request. Is there anyone interested in reading obfuscated code? It is already in the distribution.

     

    I heard that it is not acceptable to provide open-source download  on company website according to the license. But it is not good to force customers to download a big zip like 2G. Users prefer to download smaller running code like 200M. So open-source code download should be separated from running code, and should be based on user demands. In this sense, LGPL/GPL should be modified in a new version.

     

    Anyway, who is the owner of LGPL/GPL software? All people in the world contribute their efforts to the open-source, including dev, suggestion, testing, etc.  It belongs to the world. It is the real meaning of the open-source.  Again in my opinion, if an open-source code is not licensed under a friendly condition, it should not be opened and shared in the first place, and let people in the world waste their time to contribute their efforts. 

  • 10. illegal to obfuscate open source jars?
    Peter Johnson Master

    "Obfuscation is one kind of modification. So it should be legal."

    I never said it wasn't. I just pointed out that there are licensing issues to be considered, especially if the obfuscation modifies things such as class and method names.

     

     

    "Anyway, who is the owner of LGPL/GPL software? All people in the world contribute their efforts to the open-source, including dev, suggestion, testing, etc. It belongs to the world."

    Not true at all. Look at the copyright statement for the code. That copyright owner owns the code and grants to anyone the right to redistribute and use the code in accordance with the licensing provisions, without having to pay the copyright owner for the privilege. And the copyright owner retains ownership of the code that originated with the copyright owner.

     

    "Again in my opinion, if an open-source code is not licensed under a friendly condition,"

    That is why there are a number of different open source licenses. If you want to retain strict control over your code, use the GPL/LGPL or similar license. If you want to be more liberal with what others can do with your code, use the Apache License. If you really want to just give it away, use the MIT/Berkeley license. Or the Beer License. So if you originate some code, you are free to decide how to license it and to what extent you want to retain control. Just be aware that if you use a very lenient license, anyone can embed your code within their app and can sell their app and you will have no recourse.