10 July 2009

Symbian Foundation Has Released
Its First Fully Open Source Software Package

The evaluative process in the migration to open source platform and releasing the first version of Symbian Foundation OS has proven longer than anticipated but over the past few months, work has been accelerating at an incredible pace resulting in company’s first open source software package and the promised beta release of Symbian^2 platform over the summer.

The OS Security package source code is now available under the Eclipse Public License (EPL) and it is the very first package to be officially moved from the closed Symbian Foundation License (SFL) to be open sourced under the EPL.

The move is seen as a significant milestone for Symbian Platform in general and represents the first step towards open sourcing the entire Symbian mobile operating system. Symbian developer Craig Heath wrote on the official Foundation’s blog that "There are a practical and a symbolic reasons behind this move"

The practical reason is the export regulations in the UK, where the Symbian Platform source code is hosted. The rules and regulations weren’t really written with source code in mind, and we found that it wasn’t feasible to get an export license which permitted the SFL crypto library source code to be exported.

Fortunately there is an exemption for software “in the public domain”, meaning that open source software isn’t export controlled, so moving it from SFL to EPL was the most straightforward way to make sure that the complete cryptographic functionality would be available to all.

The symbolic reason is to demonstrate that we really are serious about providing a platform that is both open and secure. We’ve always been open about the design of our platform security mechanisms. Now we’ve started being open about their implementation as well.

Cryptographers know to distrust cryptographic algorithm implementations that aren’t open to peer review, so here are ours. Our algorithm implementations were actually derived from the public domain Crypto++ library some years ago, and our thanks go to Wei Dai for making that available.

One final note for those who dive in to the source code: you’ll notice that the crypto library source is in a directory called “weakcrypto”, but that’s for arcane historical reasons and it does actually include the full crypto library code. There are two project build files:

• crypto.mmp builds weak_cryptography.dll which limits symmetric keys to 56 bits and asymmetric keys to 512 bits (I suppose this might still be needed for some devices in some jurisdictions?)
• strong_crypto.mmp builds strong_cryptography.dll which has no arbitrary limit on key sizes.

The next release is the Symbian kernel. "While Security is a very relevant package, we need to target something that will trigger discussions, represent Symbian at the heart, fuel development, overload the forums, engage the non-believer and most of all start putting us on equal fighting terms with other available open source platform," said Symbian chief architect Daniel Rubio.