Does a source code protection harm any MIT, CC, GPL licenses?


#1

I am working on an app that contains not only several plugins but also some sensitive data, like an API key from openweathermap.org.

My idea now was “to protect” these API keys by using one of the Electron packagers that allows me to protect the app.
My question is: in the moment that I do so, am I not harming any open-source-like licenses?

Either way I am mentioning all the plugins and codes within a “thank you and credits” section.
But my understanding is that I cannot, i.e., use an open source plugin and code-protect my Electron app containing that code or plugin, am I right?

Anyone of you had similar conflicts?
Hugs and greetings from this corner of the planet.


#2

If you want to be certain of your legal compliance, you should contact a legal professional. Only a legal professional can answer these questions accurately for your situation, jurisdiction and chosen use. I generally disallow extended legal discussion because nobody here is a legal professional and I don’t want anyone to be misled into thinking that anyone here is anything but a complete layman. If someone here is a legal professional, they are more than welcome to contact you via some other means than this message board.

With that said, the GPL (and other “copyleft” licenses) has a clause that specifically states the original source code must be made available upon request. You can find out more about various open source licenses on choosealicense.com.


#3

Thanks a lot for your time and response!
Do you know if it is possible to protect only certain files or the whole Electron app?
As I said, within my app is a Weathermap API key, and if it gets public, other people could use it for their own weather app.

Greetings and thanks again!


#4

As someone who is not at all a legal professional, I believe that it would be relatively easy for you to release source code without the API key and then add the key in during the build process (or store the key in a file that you’ve told git to ignore, so it simply doesn’t get uploaded), if that’s your main reason for hesitating.


#6

I also am very much not a lawyer. But I’m pretty certain no OSS license would require you to disclose an API key. You just need to provide code that should work if the recipient supplies their API key.


#7

From a technical standpoint Electron doesn’t provide any source code protection, so your secret API keys should never be distributed with your Electron app.


#8

That is correct, but if I read correctly, there are two plugins available that can “scramble” up your code. The question is if it is possible to scramble only certain files instead of the whole app.


#9

If the API key or any other piece of data really needs to be confidential and you don’t want application users to see it, you would need to encrypt it or something, and it would probably be better not to commit the data into the source code at all… Minimizing or obfuscating JavaScript won’t be enough to keep people from picking apart the code to see what’s in your application.


#10

You are right. The thing is that in my example, where I use the openweathermap API, in the FREE version they offer something like 5.000 API calls per day. If people out there would have my key, they could use it within their apps or websites, with the result that my amount of free API calls would vanish within minutes.


#11

What if every installation of the app had its own API key? Is there an easy way to set up each instance with its own key? I mean easy for the end user.

Otherwise, I can only think you’d have to keep the API key on your own server to proxy the client queries. And then possibly limit how often clients can query your server.


#12

> What if every installation of the app had its own API key?

I think this is the best solution for a free (as in beer) software. I’ve personally used software that asked me for a map key.

> keep the API key on your own server to proxy the client queries

This probably makes a lot of sense from a business standpoint.
You’d be able to control your expenses.

Also note that Electron has a full debugger, and it’s probably possible to get the API key by inspecting network packets.
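The server-side proxy with per-client limiting suggested in posts #11 and #12, as an added example that is not part of the original thread. Assumptions: the OpenWeatherMap current-weather endpoint and its `appid` parameter, the `OWM_API_KEY` environment variable, the limit of 60 calls per hour per client address, port 8080, and Node 18+ for the global `fetch`.

```javascript
// Added example, not code from the thread. Endpoint, limits, port and env var are assumptions.
const UPSTREAM = 'https://api.openweathermap.org/data/2.5/weather';
const ALLOWED_PARAMS = ['q', 'lat', 'lon', 'units', 'lang'];

// Fixed-window limiter: at most `limit` requests per client per window.
function createLimiter(limit, windowMs) {
  const windows = new Map(); // clientId -> { start, count }
  return function allow(clientId, now = Date.now()) {
    const w = windows.get(clientId);
    if (!w || now - w.start >= windowMs) {
      windows.set(clientId, { start: now, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= limit;
  };
}

// Copy only whitelisted parameters, then add the key on the server side.
// Anything the client sends as `appid` is dropped, never forwarded.
function buildUpstreamUrl(clientQuery, apiKey) {
  const incoming = new URLSearchParams(clientQuery);
  const url = new URL(UPSTREAM);
  for (const name of ALLOWED_PARAMS) {
    if (incoming.has(name)) url.searchParams.set(name, incoming.get(name));
  }
  url.searchParams.set('appid', apiKey);
  return url.toString();
}

// The key lives only in this process; clients see the proxy's responses.
async function startProxy(apiKey, port = 8080) {
  const http = await import('node:http');
  const allow = createLimiter(60, 60 * 60 * 1000); // 60 calls/hour per client
  return http.createServer(async (req, res) => {
    const client = req.socket.remoteAddress;
    if (!allow(client)) { res.writeHead(429); return res.end('rate limit exceeded'); }
    try {
      const query = new URL(req.url, 'http://localhost').search;
      const upstream = await fetch(buildUpstreamUrl(query, apiKey));
      res.writeHead(upstream.status, { 'Content-Type': 'application/json' });
      res.end(await upstream.text());
    } catch { res.writeHead(502); res.end('upstream error'); }
  }).listen(port);
}

// Start only when the key is supplied through the environment.
if (process.env.OWM_API_KEY) startProxy(process.env.OWM_API_KEY);
```

The Electron app then requests the proxy's URL with its own query parameters, so neither the packaged code nor the client's network traffic contains the key.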


#13

Some open source software comes with an API key with similar restrictions, but makes clear that it is likely to fail to work consistently because of the key's overuse, and that the user should apply for and substitute their own. So by all means include a key, but just not one that will stop you using your own product :smiley:

That way you get your product out there, but there are steps people will need to take to make it their own.