Qt LGPL Dynamic Library Check (cybersecurity process)
-
Hi,
I developed software with the Qt free edition (LGPL) which is used to communicate with hardware commercialized by my client (the software is free to download and use for customers who buy the hardware). This software is linked dynamically with the Qt libraries (like the QtCore, QtGui, QtNetwork DLLs).
Now, the security of the software must be enforced to prevent cybersecurity attacks. To that end, we need to be sure that the libraries used are the libraries with which we have passed the testing and validation of our software (we cannot guarantee the software's functionality with newer or older libraries) and the exact libraries (without modification) downloaded from the source: we need to prevent a malicious user from replacing an original DLL with another one.
To do that, I propose to check the checksums of the libraries with which it is running, and if the checksum calculated for one of the libraries used by the program is different from the expected checksum (saved in the exe), then I display a popup signaling that "one or some components used by our software have been modified and we can't guarantee its functionality nor exclude malicious use", then stop the program.
Question: I'm not a lawyer specialized in LGPL rights, so do I have the right to do that according to the licence?
-
@educhene said in Qt LGPL Dynamic Library Check (cybersecurity process):
Question : I'm not a lawyer specialized in LGPL rights,
Neither am I, nor anyone else here.
so do I have the right to do that according to the licence?
My gut feeling says no, as you must allow your users to link against different libraries to comply with the LGPL.
Disclaimer: I'm not a lawyer.
-
@educhene The checksum inside the exe can be manipulated, so the whole concept is far from solid.
-
@educhene said in Qt LGPL Dynamic Library Check (cybersecurity process):
Question: I'm not a lawyer specialized in LGPL rights, so do I have the right to do that according to the licence?
You don't have that right. The LGPL states clearly that the user has the right to use their own version of the library, modified or not.
-
First, thanks for your quick answers.
Second proposition: instead of stopping the software (mandatory) after the popup, I let the user choose to continue executing the software, with a message like "one or some components used by our software have been modified and we can't guarantee its functionality nor exclude malicious use. You can continue the execution of the software, but in that case we decline all responsibility for undefined behavior or malicious use in order to retrieve personal information from the software".
So even if the libraries are not the same, we leave the user the possibility to run the software (at his own risk); are we OK with the LGPL?
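The two policies discussed in this thread (compare each loaded library against digests recorded at build time, then either abort or warn and let the user continue) can be sketched as follows. This is an added example written for this page, not the original poster's code and not a Qt API: the "libraries" are small constructed files written to a temporary directory, their expected SHA-256 digests stand in for the values that would be embedded in the executable, and `verify_libraries` / `decide` are hypothetical names.

```python
import hashlib
import os
import tempfile
from typing import Dict

# Constructed sample data standing in for the real Qt DLLs. The contents are
# made up so the example runs offline; the manifest is computed from them.
SAMPLE_LIBRARIES = {
    "Qt5Core.dll": b"pretend this is the validated Qt5Core build\n",
    "Qt5Network.dll": b"pretend this is the validated Qt5Network build\n",
}


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths: Dict[str, str]) -> Dict[str, str]:
    """Build-time step: record the digest of every validated library (name -> hex digest).
    In the real application this table would be embedded in the executable."""
    return {name: sha256_of_file(p) for name, p in paths.items()}


def verify_libraries(manifest: Dict[str, str], loaded: Dict[str, str]) -> Dict[str, str]:
    """Start-up step: compare every library the program runs with against the manifest.
    Returns name -> 'ok' | 'modified' | 'missing' | 'unexpected'."""
    report = {}
    for name, expected in manifest.items():
        path = loaded.get(name)
        if path is None or not os.path.isfile(path):
            report[name] = "missing"
        elif sha256_of_file(path) == expected:
            report[name] = "ok"
        else:
            report[name] = "modified"
    for name in loaded:
        if name not in manifest:
            report[name] = "unexpected"  # a library we never validated is loaded
    return report


def warning_message(report: Dict[str, str]) -> str:
    """Text for the popup: list exactly which components differ from the validated set."""
    problems = sorted(f"{n} ({s})" for n, s in report.items() if s != "ok")
    if not problems:
        return ""
    return ("One or more components used by this software differ from the validated "
            "set, so its functionality cannot be guaranteed: " + ", ".join(problems))


def decide(report: Dict[str, str], strict: bool, user_accepts_risk: bool = False) -> str:
    """Apply one of the two policies from the thread.
    strict=True  : any deviation aborts the program (first proposal).
    strict=False : deviation shows the warning and the user may continue (second proposal)."""
    if all(status == "ok" for status in report.values()):
        return "run"
    if strict:
        return "abort"
    return "run-at-own-risk" if user_accepts_risk else "abort"


def run_demo() -> dict:
    """Write the sample libraries, build the manifest, swap one library, verify."""
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, content in SAMPLE_LIBRARIES.items():
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(content)
        manifest = build_manifest(paths)

        # Simulate a user (or an attacker) replacing Qt5Network with a different build.
        with open(paths["Qt5Network.dll"], "ab") as f:
            f.write(b"not the build we validated\n")

        report = verify_libraries(manifest, paths)
        return {
            "report": report,
            "message": warning_message(report),
            "strict": decide(report, strict=True),
            "warn_then_continue": decide(report, strict=False, user_accepts_risk=True),
            "warn_then_decline": decide(report, strict=False, user_accepts_risk=False),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note what this does and does not give you: it detects that a library on disk differs from the one you validated, which covers the "we cannot guarantee functionality with other builds" concern, and with `strict=False` it leaves the decision to the user. It does nothing against someone who edits the digest table in the executable itself, the weakness raised later in this thread; that requires the integrity of the executable to be established by something outside it (for example the operating system's code-signing checks), not by a value the executable carries.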
-
@educhene said in Qt LGPL Dynamic Library Check (cybersecurity process):
So even if the libraries are not the same, we leave the user the possibility to run the software (at his own risk); are we OK with the LGPL?
That seems fine to me.
But I'm not a lawyer and all that ;-)
-
Thanks Sierdzio for your answer.
It is what we did.
-
@sierdzio said in Qt LGPL Dynamic Library Check (cybersecurity process):
@educhene said in Qt LGPL Dynamic Library Check (cybersecurity process):
So even if the libraries are not the same, we leave the user the possibility to run the software (at his own risk); are we OK with the LGPL?
That seems fine to me.
But I'm not a lawyer and all that ;-)
I, a non-lawyer, agree with @sierdzio :)