Skip to content

[orange-vmprotect-sdk] new port#50013

Merged
BillyONeal merged 13 commits into
microsoft:masterfrom
orange-cpp:vmprotect-sdk-port
Feb 19, 2026
Merged

[orange-vmprotect-sdk] new port#50013
BillyONeal merged 13 commits into
microsoft:masterfrom
orange-cpp:vmprotect-sdk-port

Conversation

@orange-cpp

@orange-cpp orange-cpp commented Feb 14, 2026

Copy link
Copy Markdown
Contributor
  • Changes comply with the maintainer guide.
  • The name of the port matches an existing name for this component on https://repology.org/ if possible, and/or is strongly associated with that component on search engines.
  • Optional dependencies are resolved in exactly one way. For example, if the component is built with CMake, all find_package calls are REQUIRED, are satisfied by vcpkg.json's declared dependencies, or disabled with CMAKE_DISABLE_FIND_PACKAGE_Xxx.
  • The versioning scheme in vcpkg.json matches what upstream says.
  • The license declaration in vcpkg.json matches what upstream says.
  • The installed as the "copyright" file matches what upstream says.
  • The source code of the component installed comes from an authoritative source.
  • The generated "usage text" is accurate. See adding-usage for context.
  • The version database is fixed by rerunning ./vcpkg x-add-version --all and committing the result.
  • Only one version is in the new port's versions file.
  • Only one version is added to each modified port's versions file.

@kehrazy

kehrazy commented Feb 15, 2026

Copy link
Copy Markdown

the VMProtect SDK EULA doesn’t look like a permissive open-source license.. why are you repackaging it?

why are you bundling ".idea" in the release files?

@orange-cpp

orange-cpp commented Feb 15, 2026

Copy link
Copy Markdown
Contributor Author

the VMProtect SDK EULA doesn’t look like a permissive open-source license.. why are you repackaging it?

why are you bundling ".idea" in the release files?

VMprotect SDK is open source and available to everyone. I make port for convince of it integration. I store .idea folder in repository to make it easier for other developer to maintain it and complying with code style. VMprotect sdk also available in Rust and Go language package managers. Its time to bring it into vpckg.

VMprotect has not free license but it's only applies only on product itself not on sdk.

@dg0yt dg0yt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice-to-have:

  • vcpkg format-manifest scripts/test_ports/vcpkg-ci-vmprotect-sdk/vcpkg.json
  • Ensure that every file ends with a line break (emtpy line in VS Code). There should be no red (-) at the end of files here in GH.

Comment thread ports/vmprotect-sdk/vcpkg.json Outdated
@kehrazy

kehrazy commented Feb 15, 2026

Copy link
Copy Markdown

VMprotect sdk also available in Rust and Go language package managers. Its time to bring it into vpckg.

upstream EULA clearly defines the product as commercial with redistribution restrictions. it is not an OSI-approved open-source license and does not allow packaging/distribution as vcpkg does. please provide a valid SPDX-compatible license text!

@kehrazy

kehrazy commented Feb 15, 2026

Copy link
Copy Markdown

I store .idea folder in repository to make it easier for other developer to maintain it and complying with code style.

in vcpkg, the port’s directory is expected to reflect the upstream source and the port recipe, not arbitrary local IDE environment data. keeping .idea in the port polls the repo with irrelevant files that don’t contribute anything the package manager needs; invites noise/conflicts in diffs and builds, and isn’t portable to users who don’t use that IDE..

@orange-cpp

Copy link
Copy Markdown
Contributor Author

upstream EULA clearly defines the product as commercial with redistribution restrictions. it is not an OSI-approved open-source license and does not allow packaging/distribution as vcpkg does. please provide a valid SPDX-compatible license text!

its my own realization of VMprotect SDK, so its not part of VMprotect product that can be restricted by EULA

@kehrazy

kehrazy commented Feb 15, 2026

Copy link
Copy Markdown

its my own realization of VMprotect SDK, so its not part of VMprotect product that can be restricted by EULA

even if you personally wrote code that wraps or re-exposes the SDK, the SDK you’re packaging still depends on the upstream binaries/documents that are governed by that EULA. packaging/redistributing those artifacts in vcpkg implies you’re redistributing VMProtect’s commercial software under terms it doesn’t allow. the rights granted by a proprietary EULA don’t magically become open source just because someone wrote a shim around them - redistributing the underlying proprietary bits is still restricted

not a lawyer btw, just expressing my concerns

@orange-cpp

orange-cpp commented Feb 15, 2026

Copy link
Copy Markdown
Contributor Author

its my own realization of VMprotect SDK, so its not part of VMprotect product that can be restricted by EULA

even if you personally wrote code that wraps or re-exposes the SDK, the SDK you’re packaging still depends on the upstream binaries/documents that are governed by that EULA. packaging/redistributing those artifacts in vcpkg implies you’re redistributing VMProtect’s commercial software under terms it doesn’t allow. the rights granted by a proprietary EULA don’t magically become open source just because someone wrote a shim around them - redistributing the underlying proprietary bits is still restricted

not a lawyer btw, just expressing my concerns

It does not contain any vmprotect binaries and only rely on source of vmprotct-sdk repository itself. VMProtect only insert own code instead these markers when you protect a binary file. vmprotect-sdk do NOT include any .lib .dll files that bundled with vmprotect and could not be applied as a parts of vmprotect.

@vmpsoft

vmpsoft commented Feb 15, 2026

Copy link
Copy Markdown

packaging/redistributing those artifacts in vcpkg implies you’re redistributing VMProtect’s commercial software under terms it doesn’t allow.

This package doesn't distribute any parts of commercial software because this is a different implementation of the VMProtect's SDK (only the library names match).

@Neumann-A

Copy link
Copy Markdown
Contributor

The name of the port matches an existing name for this component on https://repology.org/ if possible, and/or is strongly associated with that component on search engines.

I dont think this is fullfilled here. So the port name probably needs changing.

@orange-cpp

Copy link
Copy Markdown
Contributor Author

The name of the port matches an existing name for this component on https://repology.org/ if possible, and/or is strongly associated with that component on search engines.

I dont think this is fullfilled here. So the port name probably needs changing.

I think name fits perfectly and it doesn't conflict with anything

Comment thread ports/orange-vmprotect-sdk/vcpkg.json
@luadebug

luadebug commented Feb 15, 2026

Copy link
Copy Markdown
Contributor

The name of the port matches an existing name for this component on https://repology.org/ if possible, and/or is strongly associated with that component on search engines.

I dont think this is fullfilled here. So the port name probably needs changing.

Aw here we go for [orange-vmprotect-sdk] at that case? Although target and namespace would keep find_package(vmprotect_sdk CONFIG REQUIRED) vmprotect_sdk::vmprotect_sdk I suppose?

@orange-cpp

Copy link
Copy Markdown
Contributor Author

orange-vmprotect-sdk

lets wait for what official vcpkg will say. Frankly i think to just leave it as vmprotect-sdk, its just more clear

@luadebug

Copy link
Copy Markdown
Contributor

Thank you for clarification.

@kehrazy

kehrazy commented Feb 16, 2026

Copy link
Copy Markdown

another concern I'm willing to raise is the state of the CMakeLists in the upstream - for no apparent reason it seems to require C++26??

+1 for orange-vmprotect-sdk. the name vmprotect-sdk may cause confusion in regards to ownership and status of the port

@BillyONeal

Copy link
Copy Markdown
Member

upstream EULA clearly defines the product as commercial with redistribution restrictions. it is not an OSI-approved open-source license and does not allow packaging/distribution as vcpkg does. please provide a valid SPDX-compatible license text!

vcpkg does not make license restrictions on what is in our registry so long the license restrictions themselves do not forbid it.

@orange-cpp can you be specific about how your repo is different than the ones in the DMCA takedown notice here? https://github.com/github/dmca/blob/master/2025/05/2025-05-13-vmprotect.md

@vmpsoft

This package doesn't distribute any parts of commercial software because this is a different implementation of the VMProtect's SDK (only the library names match).

Are you saying that you are the source of that DMCA takedown and that you believe @orange-cpp 's repo is unaffected?

The name of the port matches an existing name for this component on https://repology.org/ if possible, and/or is strongly associated with that component on search engines.

I dont think this is fullfilled here. So the port name probably needs changing.

I think name fits perfectly and it doesn't conflict with anything

Unfortunately I think we need orange-vmprotect-sdk or something like that as this isn't on repology and search gives me several conflicting targets:

and so on. (I know some of those are explicitly for go but they seem to have C++ headers)

@BillyONeal

Copy link
Copy Markdown
Member

Unfortunately I think we need orange-vmprotect-sdk or something like that as this isn't on repology and search gives me several conflicting targets

If there's an official ACK from the owners of https://vmpsoft.com/ that this is what they want associated with their name I think that would also be sufficient.

@BillyONeal

Copy link
Copy Markdown
Member

@luadebug

Aw here we go for [orange-vmprotect-sdk] at that case? Although target and namespace would keep find_package(vmprotect_sdk CONFIG REQUIRED) vmprotect_sdk::vmprotect_sdk I suppose?

In general we are only sticklers about the name of the port, rather than symbols, CMake configs, or headers because that's the bit we basically can't ever change to mean something else. (We do have to remove things if there are actual conflicts but we aren't sticklers about hypothetical future conflicts outside of the port's name)

@BillyONeal BillyONeal added the requires:vcpkg-team-review This PR or issue requires someone on the vcpkg team to take a further look. label Feb 17, 2026
@BillyONeal BillyONeal marked this pull request as draft February 17, 2026 22:43
@orange-cpp

Copy link
Copy Markdown
Contributor Author

Unfortunately I think we need orange-vmprotect-sdk or something like that as this isn't on repology and search gives me several conflicting targets

If there's an official ACK from the owners of https://vmpsoft.com/ that this is what they want associated with their name I think that would also be sufficient.

Okay i will rename it, thx.

@orange-cpp

Copy link
Copy Markdown
Contributor Author

upstream EULA clearly defines the product as commercial with redistribution restrictions. it is not an OSI-approved open-source license and does not allow packaging/distribution as vcpkg does. please provide a valid SPDX-compatible license text!

vcpkg does not make license restrictions on what is in our registry so long the license restrictions themselves do not forbid it.

@orange-cpp can you be specific about how your repo is different than the ones in the DMCA takedown notice here? https://github.com/github/dmca/blob/master/2025/05/2025-05-13-vmprotect.md

@vmpsoft

This package doesn't distribute any parts of commercial software because this is a different implementation of the VMProtect's SDK (only the library names match).

Are you saying that you are the source of that DMCA takedown and that you believe @orange-cpp 's repo is unaffected?

The name of the port matches an existing name for this component on https://repology.org/ if possible, and/or is strongly associated with that component on search engines.

I dont think this is fullfilled here. So the port name probably needs changing.

I think name fits perfectly and it doesn't conflict with anything

Unfortunately I think we need orange-vmprotect-sdk or something like that as this isn't on repology and search gives me several conflicting targets:

and so on. (I know some of those are explicitly for go but they seem to have C++ headers)

As vmpsoft said, my sdk realization is written by myself, so its not part of VMprotect and it doesn't not contain initial VMprotect source code and cannot be DMCA'ed. Only function names match for compatibility. These DMCA was initiated because repositories leaked VMprotect original source codes.

@orange-cpp

Copy link
Copy Markdown
Contributor Author

@BillyONeal renamed port to orange-vmprotect-sdk, now we should be good to merge 👍🏻

@orange-cpp orange-cpp changed the title [vmprotect-sdk] new port [orange-vmprotect-sdk] new port Feb 18, 2026
@orange-cpp orange-cpp marked this pull request as ready for review February 18, 2026 03:48

project(vcpkg-ci-vmprotect-sdk)

set(CMAKE_CXX_STANDARD 20)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Source code mentions cxx 23 cppstd. Should we adjust it to 23 here as well?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

where?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@BillyONeal

Copy link
Copy Markdown
Member

my sdk realization is written by myself, so its not part of VMprotect and it doesn't not contain initial VMprotect source code

Ah, in that case that confirms it and also says even more strongly that it shouldn't take vmprotect's name (in case @vmpsoft would ever decide to use that name themselves as it seems pretty unambiguously "owned" by them)

@BillyONeal BillyONeal removed the requires:vcpkg-team-review This PR or issue requires someone on the vcpkg team to take a further look. label Feb 18, 2026
@orange-cpp

Copy link
Copy Markdown
Contributor Author

my sdk realization is written by myself, so its not part of VMprotect and it doesn't not contain initial VMprotect source code

Ah, in that case that confirms it and also says even more strongly that it shouldn't take vmprotect's name (in case @vmpsoft would ever decide to use that name themselves as it seems pretty unambiguously "owned" by them)

So does orange-vmprotect-sdk as a name is okay?

@BillyONeal BillyONeal left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I just wasn't positive everything else was ready to go yet but looks good!

@BillyONeal BillyONeal merged commit ce35b1a into microsoft:master Feb 19, 2026
15 checks passed
@orange-cpp

Copy link
Copy Markdown
Contributor Author

my sdk realization is written by myself, so its not part of VMprotect and it doesn't not contain initial VMprotect source code

Ah, in that case that confirms it and also says even more strongly that it shouldn't take vmprotect's name (in case @vmpsoft would ever decide to use that name themselves as it seems pretty unambiguously "owned" by them)

Thx you!

@orange-cpp orange-cpp deleted the vmprotect-sdk-port branch February 19, 2026 03:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants