Zero Install

the antidote to app-stores

Legal issues

I am not a lawyer. This is not legal advice, just a collection of thoughts and issues.

Sharing

The main thing to understand is that Zero Install is all about sharing. It shares libraries between programs, and it shares programs between users and between computers. When one user of a computer installs a program, other users can access it too. In the future, it may share programs using peer-to-peer too. Like a web-cache, Zero Install assumes content is shareable. Therefore:

  • If your program doesn't (at a minimum) allow unlimited redistribution of unmodified binaries, then DO NOT distribute it using Zero Install!

TODO: this is overly restrictive. There should be a way to indicate that a package cannot be redistributed.

If you want to impose some restrictions (e.g. "you must pay before using this program"), you can, for example, require a license key to be entered before the program becomes fully functional. The license key doesn't go in the shared cache and so will not be shared automatically.

It is a good idea to include a file inside your package giving full details of the license and stating who the copyright holder is.

As well as sharing packages, Zero Install also assumes that the XML feed files can be stored and copied freely in unmodified form. Like the packages themselves, feed files may be archived or stored on mirror sites to improve performance and reliability.

Translations

Unless you state otherwise, it is assumed that your XML feed file can be freely translated into other languages and published on indexing sites.

Digital signatures

All Zero Install feeds have a digital signature. The signature shows that the feed hasn't been tampered with since it was signed. By default, this is the only meaning of the signature: an attacker has not intercepted and modified the feed. A signature is not a warranty or guarantee. It is not intended to suggest that the package meets any particular quality standards, unless that is stated explicitly.

In general, the signer of a feed should not have greater legal liability because they signed it. You should treat a signed feed exactly as you would an unsigned feed which you felt confident had not been modified by a third party.

Licenses for Zero Install software

Each piece of software is licensed separately. Please consult the documentation page for the program you are interested in for details.

Using Zero Install to distribute commercial / closed source software

The core software (0install) is released under the terms of the GNU Lesser General Public License. The tools are mostly LGPL or GPL. In general, this shouldn't cause any problems for you:

  • Normally with 0install, you distribute your software by writing an XML file describing it and publishing that on your web-site. Users can use any client they like to fetch your software using this XML description. If they happen to choose our LGPL software to do this, it has no effect on you.

  • Merely using GPL tools (e.g. 0publish-gui) to produce the XML file does not mean we have any rights over your software (but see the note under Sharing above; we will assume that we can mirror your XML feed unless you make it clear that you don't want that).

  • If you are distributing our software with yours, then you do need to follow the license. The main thing is to keep the two bits somewhat separate: the bundle you are distributing contains our software, under our license, and your software, under your license:

    • Users must be able to see that there are two separate bits. They must be able to modify the 0install part (e.g. to fix bugs), and use the modified version with your software.

    • Any changes you make to our software must be made available under the same license, so that we can (if we choose) include it in future versions of 0install.

    In particular, if you simply use 0export to create an installer containing 0install and your code then there is no problem. 0export unpacks the different components to different directories.

  • If you are actually trying to write an installer (i.e. a competitor to 0install), and you want to use our code to do that, then the license is likely to be an issue for you. In that case, you can only use our code as part of your program if your program is released under the same license terms.

    On the other hand, if you're just using 0install as a library (e.g. you're writing a GUI which uses 0install internally, but as a separate component) then you can use your own license for your code (but see the previous point).

Privacy

When you run a program using "0launch URI" for the first time, an HTTP request is sent to the given URL asking for the feed. This request will, of course, reveal your IP address and can be logged. Future invocations will normally generate no network accesses, unless it's time to check for updates (which can be disabled). If the original site is slow or fails, 0launch will also contact the mirror server to get a copy from there. The mirror server therefore also knows your IP address and the URI of the program you are running. The default mirror service will not share this information with anyone. TODO: it should be possible to change the mirror service's address, or disable it.

When encountering a new GPG key, 0launch will contact a key information server to get advice about the key. It will send the fingerprint of the key to be checked. The key server therefore also knows your IP address and the author of the program you are trying to run. The default key information server will not share this information with anyone. TODO: it should be possible to change the key information service's address, or disable it.

The privacy issues are therefore similar to those of browsing the web, where your address and the URL of what you're accessing can be recorded by the site you visit and by any web cache you go through, and the URL may be sent to anti-phishing sites for checking.

Although the package files may be shared between users, the feeds are not. Therefore, it is possible to see which programs a user has ever run by looking in their home directory (~/.cache/0install.net/ or ~/.config/0install.net/). Zero Install creates both of these directories with the permissions "rwx------" (owner access only), but of course the superuser of the machine you're using still has access.