Summary
A separate companion subcommand (or standalone binary) that takes a master `.epub` and embeds a per-user watermark, producing a personalised copy. Used at distribution time, not at conversion time. Not DRM — non-blocking, accessibility-preserving, just a forensic marker.
Why
Came up in a discussion with the maintainer about protecting EPUBs from extraction. The honest answer was: don't try DRM. EPUB DRM (Adobe DRM, FairPlay, Readium LCP) is hostile to the population dpub serves — it commonly breaks screen readers, refreshable Braille displays, and Media Overlays themselves.
The pragmatic compromise modern accessibility libraries use is per-user watermarking at distribution time: the master EPUB is unencumbered; each download gets a personalised copy with a hidden marker that identifies the recipient. If a copy leaks, the watermark identifies it. Legally enforceable; ethically defensible because it doesn't restrict legitimate use.
This is server-side, not in the converter. dpub produces the master; `dpub stamp` would be the distribution-time tool.
Suggested shape
```
dpub stamp <master.epub> --user-id -o personalised.epub
Options:
--user-id required: identifier to embed
--field ns:name OPF metadata field (default: dc:identifier refines)
--visible / --hidden visible (in metadata) vs hidden (steganographic-ish)
```
Out of scope (as a starting point)
- Audio steganography. Possible (psychoacoustic embedding survives transcoding) but adds heavy DSP code and licensing concerns. Start with OPF-metadata embedding; revisit audio if customers actually need it.
- License servers (LCP-style). Different problem.
- Encryption. Explicitly not the goal — that's DRM.
Maintainer constraint
The strategic plan flagged this kind of distribution-time tooling as carrying real maintenance tax for a small consultancy. Worth doing only if there's a customer who'd use it. File now so the idea is tracked, but don't prioritise above the Tier 1 / Tier 2 strategic items.
Status
Discussion-level. Don't start work without a customer commitment.
Summary
A separate companion subcommand (or standalone binary) that takes a master `.epub` and embeds a per-user watermark, producing a personalised copy. Used at distribution time, not at conversion time. Not DRM — non-blocking, accessibility-preserving, just a forensic marker.
Why
Came up in a discussion with the maintainer about protecting EPUBs from extraction. The honest answer was: don't try DRM. EPUB DRM (Adobe DRM, FairPlay, Readium LCP) is hostile to the population dpub serves — it commonly breaks screen readers, refreshable Braille displays, and Media Overlays themselves.
The pragmatic compromise modern accessibility libraries use is per-user watermarking at distribution time: the master EPUB is unencumbered; each download gets a personalised copy with a hidden marker that identifies the recipient. If a copy leaks, the watermark identifies it. Legally enforceable; ethically defensible because it doesn't restrict legitimate use.
This is server-side, not in the converter. dpub produces the master; `dpub stamp` would be the distribution-time tool.
Suggested shape
```
dpub stamp <master.epub> --user-id -o personalised.epub
Options:
--user-id required: identifier to embed
--field ns:name OPF metadata field (default: dc:identifier refines)
--visible / --hidden visible (in metadata) vs hidden (steganographic-ish)
```
Out of scope (as a starting point)
Maintainer constraint
The strategic plan flagged this kind of distribution-time tooling as carrying real maintenance tax for a small consultancy. Worth doing only if there's a customer who'd use it. File now so the idea is tracked, but don't prioritise above the Tier 1 / Tier 2 strategic items.
Status
Discussion-level. Don't start work without a customer commitment.