Practical considerations for licensing software written with dynamic/non-compiledlanguages/platforms

[Matt Pelletier]

Hello all. I'm looking for feedback on the following:

What options does one have, as a company that produces software that is
distributed directly to clients/VARs, when that software is built with a
platform/architecture that uses a dynamic (non-compiled) language, and
further, when that platform and/or language is open-source? This
question qualifies for Rails and Ruby, but also it could hold for PHP,
Perl, etc.

I'm interested not just in the general legal considerations (like
licensing, intellectual property rights), but also practical
considerations. For example, I could get an airtight licensing contract
written for me, but if I have to hand the software to a client or
vendor, they could easily turn around and get a team to re-sell it under
another name (Pear PC anyone?). At least with designer bag knockoffs
there is the latent pride on the part of the consumer of having the
*real-thing* (albeit at 10x the cost). With software, if it walks like a
duck and talks like a duck... who cares if it's a rip-off? I could force
the use of keys or certificates, but these are easily cracked even when
the software is written in C++. This is less likely to happen in the
ever-litigious US, but it's a major concern for any company working
internationally, where well-trained techies, cheap labor, and loose
laws/enforcement abound.

If we wrote software in assembly it would still be a concern, but when
there is little-to-no reverse-engineering needed for languages that
don't need to be compiled in the first place, it affects decision-making
when selecting platforms/languages, which is rather unfortunate. With
Java/.NET you can download a decompiler and have source code exported in
a day. You can obfuscate, but that's a small comfort; anyone with time
and interest can figure that out. With dynamic languages, all the hard
work is done for you.

If you are operating as an ASP (a la 37 signals with Basecamp), this
isn't much of an issue. However, if you have to give your software to
*anyone*, whether a client to run on their own network, or to a 3rd
party in general, what are your options?

This isn't really a concern when dealing with smaller projects for
smaller clients, where the compensation is based on project time, even
if license it to them (as opposed to letting them own it). In those
cases, PHP (and from this point forward RoR!) is usually the best
choice, for all the reasons that we love (quick development, simple
changes / customization). But when you're licensing software that you
own, the value - which at face value is the feature set and
maintenance/support services - ultimately boils down to the source code,
and needs to be protected to the fullest possible extent. Yes there are
business models where the value is strictly your support (Red Hat, at
least at first), but that's not really what I'm asking about (though I
welcome the comments).

This is something I've been curious about for some time, but PHP et al
have never been attractive alternatives for larger projects. RoR is
compelling enough that these concerns have escalated.

Any comments / sites / experience are welcome. Thanks!

Matt

 

[Joshua J. Kugler]

What options does one have, as a company that produces software that
is distributed directly to clients/VARs, when that software is built
with a platform/architecture that uses a dynamic (non-compiled)
language, and further, when that platform and/or language is
open-source? This question qualifies for Rails and Ruby, but also it
could hold for PHP, Perl, etc.

<SNIP>

It really does come down to a matter of trust. You can put strong
language in a license agreement, but it does rely on trusting your
customer to not "take your code and run." Really. There are lots of
examples, but a good one is:

http://www.brownbearsw.com/calcium/WhatIsIt.html

Brownbear makes a great bit of calendaring software. So good in fact,
that I went with it for a project over every other open source
calendaring solution I could find. Their entire product is written in
Perl, which means you get (and can modify, but not distribute) the
source code. They are still going strong, if their client list
<http://www.brownbearsw.com/clients.html> is any indication. Can
someone steal your code? Yep. Do you then crawl in a hole and program
no more? Well, that's really up to you. Everything with possible
benefit involves risk, so you just have to decide how much risk you
want to take. That's really the bottom line.

Sorry if that was a downer...wasn't meant to be.

j----- k-----

 

[Nikolai Weibull]

Matt Pelletier, April 15:

What options does one have, as a company that produces software that is
distributed directly to clients/VARs, when that software is built with a
platform/architecture that uses a dynamic (non-compiled) language, and
further, when that platform and/or language is open-source? This
question qualifies for Rails and Ruby, but also it could hold for PHP,
Perl, etc.

Documentation, Support, and updates.

I'm interested not just in the general legal considerations (like
licensing, intellectual property rights), but also practical
considerations. For example, I could get an airtight licensing contract
written for me, but if I have to hand the software to a client or
vendor, they could easily turn around and get a team to re-sell it under
another name (Pear PC anyone?). At least with designer bag knockoffs
there is the latent pride on the part of the consumer of having the
*real-thing* (albeit at 10x the cost). With software, if it walks like a
duck and talks like a duck... who cares if it's a rip-off? I could force
the use of keys or certificates, but these are easily cracked even when
the software is written in C++. This is less likely to happen in the
ever-litigious US, but it's a major concern for any company working
internationally, where well-trained techies, cheap labor, and loose
laws/enforcement abound.

You couldn't get an airtight licensing contract. They don't exist.

And if you could, how could the client then turn around and get a team
to re-sell it under another name? That'd be breaking the license,
right?

Still, what you get with the "authentic" software is a sense of
reliability, right?

Cheap labor is everywhere but the US is it? Loose laws/enforcement
everywhere but the US? Man, I don't want to be a bastard, but you're
sounding just a tad racist right about now.

If we wrote software in assembly it would still be a concern, but when
there is little-to-no reverse-engineering needed for languages that
don't need to be compiled in the first place, it affects decision-making
when selecting platforms/languages, which is rather unfortunate. With
Java/.NET you can download a decompiler and have source code exported in
a day. You can obfuscate, but that's a small comfort; anyone with time
and interest can figure that out. With dynamic languages, all the hard
work is done for you.

One days work isn't really that much work, is it? So the difference
between decompilable languages and uncompiled languages is non-existant
really.

If you are operating as an ASP (a la 37 signals with Basecamp), this
isn't much of an issue. However, if you have to give your software to
*anyone*, whether a client to run on their own network, or to a 3rd
party in general, what are your options?

Why do you have to give it away?

This isn't really a concern when dealing with smaller projects for
smaller clients, where the compensation is based on project time, even
if license it to them (as opposed to letting them own it). In those
cases, PHP (and from this point forward RoR!) is usually the best
choice, for all the reasons that we love (quick development, simple
changes / customization). But when you're licensing software that you
own, the value - which at face value is the feature set and
maintenance/support services - ultimately boils down to the source code,
and needs to be protected to the fullest possible extent. Yes there are
business models where the value is strictly your support (Red Hat, at
least at first), but that's not really what I'm asking about (though I
welcome the comments).

You obviously haven't had much experience with open source. It seems
that you should get more information before posting questions regarding
open source to a programming-language mailing list. Opensource.org
should have all the information you may need. I am not trying to end
this discussion, but I don't think you'll get much out of this
discussion if you haven't tried to understand how open source works.

This is something I've been curious about for some time, but PHP et al
have never been attractive alternatives for larger projects. RoR is
compelling enough that these concerns have escalated.

Again, when you're developing an online service, you really don't have
to worry about anyone trying to steal your work. You control
everything. Check out some of the essays by Paul Graham
(paulgraham.com) on the subject,
nikolai

 

[Matt Pelletier]

See comments below.

Matt Pelletier, April 15:




Documentation, Support, and updates.




You couldn't get an airtight licensing contract. They don't exist.

And if you could, how could the client then turn around and get a team
to re-sell it under another name? That'd be breaking the license,
right?

That's the point, that they're knowingly breaking the license. I might
not even be able to find out who did it, if this were an app with a big
install base. Breaking the license, on the part of the 'breaker', is not
a concern, esp. if there is not a great fear of legal prosecution. (this
relates to your comment below).

Still, what you get with the "authentic" software is a sense of
reliability, right?

It depends on the company using it. They might be just as willing to
hire a team of programmers to manage it themselves.

Cheap labor is everywhere but the US is it? Loose laws/enforcement
everywhere but the US? Man, I don't want to be a bastard, but you're
sounding just a tad racist right about now.

Race has nothing to do with it. This deals with the maturity of a
country's Intellectual Property laws, the labor cost of reverse
engineering an application. I'm seeking practical comments from people
who understand that the laws in various countries affect an unethical
person's willingness to try to make money from someone else's work
illegitimately. If it is inexpensive to hire programmers to reverse
engineer an application, and the Intellectual Property laws are not
mature or well enforced, than it is more attractive for someone with the
resources to pursue such an unethical track. I used the US as an example
because the ferocious enforcement of Intellectual Property law would
seem to be a discouraging, not encouraging, factor. My simple point,
perhaps not clearly explained, is that fear of prosecution and the
production costs play a role in someone's decision when contemplating
ripping something off (can i get away with it?). It is all just
hypothetical. Nothing deeper.

One days work isn't really that much work, is it? So the difference
between decompilable languages and uncompiled languages is non-existant
really.

The time required to turn a binary into a usable source tree is only one
factor (see above). In this case if it's already source code the labor
cost for reverse engineering is cheaper.

Why do you have to give it away?

I don't. I meant 'give' as in deliver or install, as part of the license
agreement (if it's not run from my server).

You obviously haven't had much experience with open source. It seems
that you should get more information before posting questions regarding
open source to a programming-language mailing list. Opensource.org
should have all the information you may need. I am not trying to end
this discussion, but I don't think you'll get much out of this
discussion if you haven't tried to understand how open source works.

Thanks for the thoughtful advice.

Again, when you're developing an online service, you really don't have
to worry about anyone trying to steal your work. You control
everything. Check out some of the essays by Paul Graham
(paulgraham.com) on the subject,

That's the point I was making re. 'operating as an ASP' above.

nikolai

Look, overall, this is a hypothetical and marginal situation (where bad
people do bad things), and I'm just trying to cull the experience of
helpful programmers. I realize this may not be a likely situation, but
it does happen, that I'm just trying to see what people know about these
things. Nothing more. I hope I haven't offended people by referring to
countries, laws, labor costs, and the decision making processes of
unethical people.

Thanks Nikolai,
Matt

 

[Nikolai Weibull]

Matt Pelletier, April 15:

That's the point, that they're knowingly breaking the license. I might
not even be able to find out who did it, if this were an app with a big
install base. Breaking the license, on the part of the 'breaker', is not
a concern, esp. if there is not a great fear of legal prosecution. (this
relates to your comment below).

Well, look at instances where the GPL has been violated. I have no idea
how the people who have been violated have managed to figure it out, but
they have. Look at the MPlayer cases where code they've written has
wound up in DVD-players, or similar cases with routers using
netfilter/iptables code (see http://rubyurl.com/BTfkV), and so on.

It depends on the company using it. They might be just as willing to
hire a team of programmers to manage it themselves.

OK, but tell me this, how much does this matter? You are the ones who
have the actual original code and hopefully the best knowledge of it.
It wouldn't be hard to figure out when a customer suddenly stops using
your services, support, and so on and release their own software right?
You have to believe in some kind of justice system staying in effect
here, otherwise you might as well consider what happens when someone
breaks into your offices and steal your code that way, right?

Race has nothing to do with it.

Precisely. You can still be what is called a racist without discussing
races. Culture, social situation, and religion are as much a part of
what defines an indiviual or a group.

I was not accusing you of being a racist, but it's been really tiresome
lately, where Americans have gotten it into their head that the US is
somehow the best place on Earth and that only they can save the rest of
the world. Don't get me wrong, I love America unhealthily much. I'm
just getting really tired of being adversely affected by stupid
decisions made 2000 miles (a horrible guess at the actual distance, I'm
sure) away.

This deals with the maturity of a country's Intellectual Property
laws, the labor cost of reverse engineering an application.

Remember Russia back in the 80s? They actually used hackers to hack
into American systems to gain access to C compilers and other tools.
People will gain access to your software by any means necessary if
necessary (hehe).

I'm seeking practical comments from people who understand that the
laws in various countries affect an unethical person's willingness to
try to make money from someone else's work illegitimately. If it is
inexpensive to hire programmers to reverse engineer an application,
and the Intellectual Property laws are not mature or well enforced,
than it is more attractive for someone with the resources to pursue
such an unethical track.

Well, if you figure that people will be able to reverse engineer
anything you write, what's the worry with using "dynamic languages"?
You won't get any of the money that someone will receive for
reverse-engineering your application anyway, so why give them that
satisfaction?

I used the US as an example because the ferocious enforcement of
Intellectual Property law would seem to be a discouraging, not
encouraging, factor. My simple point, perhaps not clearly explained,
is that fear of prosecution and the production costs play a role in
someone's decision when contemplating ripping something off (can i get
away with it?). It is all just hypothetical. Nothing deeper.

My bet is that almost all of the serious IP violations are taking place
in the US. The US IP and patent system is a cancer on the development
of new technology and other fields of knowledge. Both nationally and
internationally. Do you know how hard it is for foreigners to secure a
patent in the US? It's practically impossible. Its a corrupt, racist
system. We're talking Italian government corrupt and racist here.

You seem to be worrying too much about someone stealing your work and
profit than actually figuring out how to make your work generate profit
in the first place. I understand that you are worried that you will
lose out, but in the end nothing is more important than providing a
service that people want. If you do, no one will ever be able to
replace you, unless they do something that's better and they
theoretically can't do that by simply copying what you do. Now they may
get a jump-start by reverse-engineering your work and/or simply copying
your sources, but as far as I understand it takes as much work (if not
more) trying to understand someone elses system as writing your own.

I don't. I meant 'give' as in deliver or install, as part of the
license agreement (if it's not run from my server).

Yes, but why would you have to do that? What's so great about providing
an online service is that you control everything. You can provide
updates immediately, you don't have to give anyone access to anything
you don't want them to have access to, and so on.

Thanks for the thoughtful advice.

Sorry if I sounded a bit harsh. I just get a bit excited in these kinds
of discussions. I really need to take a course in rhetoric...

That's the point I was making re. 'operating as an ASP' above.
Look, overall, this is a hypothetical and marginal situation (where
bad people do bad things), and I'm just trying to cull the experience
of helpful programmers. I realize this may not be a likely situation,
but it does happen, that I'm just trying to see what people know about
these things. Nothing more. I hope I haven't offended people by
referring to countries, laws, labor costs, and the decision making
processes of unethical people.

As I see it, and I guess it makes me sort of a pessimist, people are
going to do bad things. For that reason, you simply can't worry too
much about what they're going to do and instead focus on being good
yourself and doing good onto others.

I'll try and leave this alone now, allowing more experienced people tell
you about these sorts of issues.

My main suggestion is: If you can put your services on the Web, then
do so. You will open up your business for an incredibly large number of
potential customer and you will still make sure that you are in control
over everything. Also, consider providing your service for a price that
may seem far too low initially. Look at flickr. People can create an
account for free. This is probably costing flickr a bunch of revenue
and money (for maintenance, servers, and so on). But if they hadn't
done so, who would have bought into it? I would never (and perhaps
never will as I don't take that many pictures anyway) pay the $59.95
that a pro account costs without seeing it work first. And, as far as I
can tell, flickr's main attraction is that anyone can gain access to it
for free. Still, in the long run, people are going to want the features
that a pro account will provide them with and will pay the $59.95
annually. Consider how much revenue this will generate at that time.
Consider how flickr was bought by yahoo for $18 million. Flickr would
never have been such a success if people didn't have such easy access to
it.

Blah blah blah, but there's a point to be made in there somewhere.

Anyway, good luck with your endeavors,
nikolai

 

[Matt Taylor]

Hi Matt,

My 2c:

If you hand someone information they will do with it as they please.
Whether it is a stock-tip, a recipe for chicken-soup, or code.

It is inherent in the nature of information that you loose control of it
at the precise moment that you share it with someone else. The more
'understandable' the information is the more likely they are to use that
information in their own creations. They may use small sections or
large sections of the original but the result is the same. All of your
hard work can be duplicated and used by someone else with basically no
effort on their part. It's like magic!

Thus the only real way to protect information is to not distribute it
ala the ASP model or to try to obfuscate it thus making it more
difficult to use as creative building blocks for anyone else. This
doesn't prevent someone sharing your work 'as a whole' but does make it
harder for others to use pieces of your work to incorporate into their
creations. Also the 'trust issue' is an important factor and becoming
increasingly so. Sophisticated users are more and more unlikely to run
software on their system that they themselves don't understand unless it
comes from a 'safe' source (we all owe a debt of gratitude to the virus
writers for educating users on this subject).

In the end though I guess the target audience determines how you protect
your code if at all.

Never used it but here are some ruby 'compilers'

http://exerb.sourceforge.jp/index.en.html
http://www.erikveen.dds.nl/rubyscript2exe/index.html


Matt

 

[Zach Dennis]

I was not accusing you of being a racist, but it's been really tiresome
lately, where Americans have gotten it into their head that the US is
somehow the best place on Earth and that only they can save the rest of
the world.

Hasty generalization...please don't tie all of us americans into that
claim. Add "where some Americans have gotten..." to that sentence,
otherwise you sound just as racist as what you claimed that Matt's
statement was starting to sound. Although i dont' think you mean it that
way....and I didn't get the impression that he didn't mean it the way
you took it either.

Zach

 

[Nikolai Weibull]

Zach Dennis, April 16:

Nikolai Weibull wrote:

Hasty generalization...please don't tie all of us americans into that
claim. Add "where some Americans have gotten..." to that sentence,
otherwise you sound just as racist as what you claimed that Matt's
statement was starting to sound.

Since when can't I use the word "Americans" to mean a subset of all
Americans? Is there some new law in effect that forbids me to do so?
If I wanted additional effect, I would have written "all Americans" as
it says a lot more than plain "Americans", right? Have you perhaps not
realized that I am an American as well? I thought it was made pretty
clear, both by what I wrote, how I wrote it, and from what my signature
reads.

Although i dont' think you mean it that way....and I didn't get the
impression that he didn't mean it the way you took it either.

The problem of double negatives here.

I'm sure he didn't mean what he said. But he did say it, and that's the
problem. It's a problem of not realizing just what you're actually
saying. I don't hold Matt to his words, I just hope that I made him
aware of the fact that the way he expressed himself could be considered
offensive to a lot of people.

Sometimes I wake up at night distressed from realizing that I'm not
living in the states. That's how much I miss the America of my dreams;
an America that doesn't exist anywhere but in my head, being nothing but
a romanticized version of the real thing. I'll never let anyone take
that America from me, though,
nikolai

 

[Florian Groß]

Never used it but here are some ruby 'compilers'

http://exerb.sourceforge.jp/index.en.html
http://www.erikveen.dds.nl/rubyscript2exe/index.html

Those are really only ruby 'packagers' in that they collect source code
and package it into a single binary. They don't even try to make the
source code in the binary less clear.

I suppose you could instead try nodewrap[1] or something similar which
is close to shipping byte code -- you will lose some information, but
will usually still have enough of it to be able to understand the code
logic in case you chose to reverse engineer.

There really isn't much more to stopping your people from building upon
your source code than removing things that help humans, but not
machines. In Ruby that will probably mean using non-meaningful names and
perhaps stripping comments and whitespace when they are ignored by Ruby.

[1] http://raa.ruby-lang.org/project/nodewrap/

 

[Alexandru Popescu]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[quote Nikolai Weibull:n 4/15/2005 11:39 PM]

Zach Dennis, April 16:



Since when can't I use the word "Americans" to mean a subset of all
Americans? Is there some new law in effect that forbids me to do so?
If I wanted additional effect, I would have written "all Americans" as
it says a lot more than plain "Americans", right? Have you perhaps not
realized that I am an American as well? I thought it was made pretty
clear, both by what I wrote, how I wrote it, and from what my signature
reads.


The problem of double negatives here.

I'm sure he didn't mean what he said. But he did say it, and that's the
problem. It's a problem of not realizing just what you're actually
saying. I don't hold Matt to his words, I just hope that I made him
aware of the fact that the way he expressed himself could be considered
offensive to a lot of people.

Sometimes I wake up at night distressed from realizing that I'm not
living in the states. That's how much I miss the America of my dreams;
an America that doesn't exist anywhere but in my head, being nothing but
a romanticized version of the real thing. I'll never let anyone take
that America from me, though,
nikolai

Mr Nikolai,

I would probably end up by being criticized for my english - which is by no means my native
language, but I would like to emphasize one thing:
you (and i mean you americans) are too obsessed with -ism words (racism, sexism, whatsoever-ism)
claiming that this is protecting the freedom (freedom of speech included). In my romanian opinion,
talking good or bad about some guys leaving in usa as americans is by no means an -ism situation. It
is just an opinion. a fact. That's all.

cheers,
- --
:alex |.::the_mindstorm::.|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFCYWyMOCPjdDT2FEURAv2xAJ9qEPCB1DH/gbXHIltP9rKAJn95MwCeNTGc
9Zg82qwJQYa55F61MtcAixU=
=fi1g
-----END PGP SIGNATURE-----

 

[Nikolai Weibull]

Alexandru Popescu, April 17:

I would probably end up by being criticized for my english - which is
by no means my native language, but I would like to emphasize one
thing: you (and i mean you americans) are too obsessed with -ism words
(racism, sexism, whatsoever-ism) claiming that this is protecting the
freedom (freedom of speech included). In my romanian opinion, talking
good or bad about some guys leaving in usa as americans is by no means
an -ism situation. It is just an opinion. a fact. That's all.

I don't understand what you're getting at,
nikolai