Releasing components with source code. Is it safe?
-
Hi, I am about to release my .NET component in the market, and am thinking of releasing with full source code. This is because i have read from various discussion forums and threads on this subject that people prefer to buy components with full source code license. My question is this: If i am releasing the product with full source code license, then am i not taking the risk of "some" people abusing the source code availability. I know its just a small percetange of "bad people" out there who will abuse the source code contrary to the terms of the EULA i will have in place. But that said, i will need to take an informed decision taking into account the damage that can be caused by these small lot of bad people. So, what is the general feel - is it safe to release the components with source code, in order to give the developers the advantage to be able to debug the pruchased source code, and not worry about the "small lot" that can absuse the source code availability? I surely want to release the source code along with my components, since i feel most of the buyers want this option so they can debug the source etc. Comments invited. Thanks.
One reason I like source with components is to look at the quality of the coding. I don't like tweaking it because that causes problems with patches. However, I have purchased a component with source with the intent of using just a core algorithm and chucking the rest. I've had bosses who wanted source because they were paranoid types. In some cases this concern was legitimate, in most others it was totally bogus. (In one recent case the component solved a problem perfectly. None of us wanted the source, but the boss insisted so we ponied up the money. A big waste if you ask me.)
Anyone who thinks he has a better idea of what's good for people than people do is a swine. - P.J. O'Rourke
-
Hi, I am about to release my .NET component in the market, and am thinking of releasing with full source code. This is because i have read from various discussion forums and threads on this subject that people prefer to buy components with full source code license. My question is this: If i am releasing the product with full source code license, then am i not taking the risk of "some" people abusing the source code availability. I know its just a small percetange of "bad people" out there who will abuse the source code contrary to the terms of the EULA i will have in place. But that said, i will need to take an informed decision taking into account the damage that can be caused by these small lot of bad people. So, what is the general feel - is it safe to release the components with source code, in order to give the developers the advantage to be able to debug the pruchased source code, and not worry about the "small lot" that can absuse the source code availability? I surely want to release the source code along with my components, since i feel most of the buyers want this option so they can debug the source etc. Comments invited. Thanks.
User7208 wrote:
[...] and am thinking of releasing with full source code.
And the difference between that and someone running the assembly through a decompiler to get C# source code from it? (Ignoring obvious crap like comments, indenting, spacing, etc.) If someone really wants to get at the source code for some .NET code, I do not think that there are many barriers... Peace!
-=- James
Please rate this message - let me know if I helped or not! * * *If you think it costs a lot to do it right, just wait until you find out how much it costs to do it wrong!
Remember that Professional Driver on Closed Course does not mean your Dumb Ass on a Public Road!
See DeleteFXPFiles -
User7208 wrote:
[...] and am thinking of releasing with full source code.
And the difference between that and someone running the assembly through a decompiler to get C# source code from it? (Ignoring obvious crap like comments, indenting, spacing, etc.) If someone really wants to get at the source code for some .NET code, I do not think that there are many barriers... Peace!
-=- James
Please rate this message - let me know if I helped or not! * * *If you think it costs a lot to do it right, just wait until you find out how much it costs to do it wrong!
Remember that Professional Driver on Closed Course does not mean your Dumb Ass on a Public Road!
See DeleteFXPFiles -
Hi, I am about to release my .NET component in the market, and am thinking of releasing with full source code. This is because i have read from various discussion forums and threads on this subject that people prefer to buy components with full source code license. My question is this: If i am releasing the product with full source code license, then am i not taking the risk of "some" people abusing the source code availability. I know its just a small percetange of "bad people" out there who will abuse the source code contrary to the terms of the EULA i will have in place. But that said, i will need to take an informed decision taking into account the damage that can be caused by these small lot of bad people. So, what is the general feel - is it safe to release the components with source code, in order to give the developers the advantage to be able to debug the pruchased source code, and not worry about the "small lot" that can absuse the source code availability? I surely want to release the source code along with my components, since i feel most of the buyers want this option so they can debug the source etc. Comments invited. Thanks.
As a big user of 3rd party components I expect source code to be available but I'm not surprised when an extra fee is charged to get it. Many people don't care or want the source code but a very few are absolutely paranoid about it so it should be available as an option but if it were me I'd charge a hefty premium to get it.
"The pursuit of excellence is less profitable than the pursuit of bigness, but it can be more satisfying." - David Ogilvy
-
Hi, I am about to release my .NET component in the market, and am thinking of releasing with full source code. This is because i have read from various discussion forums and threads on this subject that people prefer to buy components with full source code license. My question is this: If i am releasing the product with full source code license, then am i not taking the risk of "some" people abusing the source code availability. I know its just a small percetange of "bad people" out there who will abuse the source code contrary to the terms of the EULA i will have in place. But that said, i will need to take an informed decision taking into account the damage that can be caused by these small lot of bad people. So, what is the general feel - is it safe to release the components with source code, in order to give the developers the advantage to be able to debug the pruchased source code, and not worry about the "small lot" that can absuse the source code availability? I surely want to release the source code along with my components, since i feel most of the buyers want this option so they can debug the source etc. Comments invited. Thanks.
By releasing the code or component I think it's safe to say that a small group of people are just going to steal your work. I doubt any that steal it would think there was much value in trying to sell it themselves. Not counting places like China where piracy is more the rule than the exception. Most places I've been error on the side of paranoia making sure they have everything fully licensed. What does your component do anyway? Do you have a website to sell it from yet?
-
Hi, I am about to release my .NET component in the market, and am thinking of releasing with full source code. This is because i have read from various discussion forums and threads on this subject that people prefer to buy components with full source code license. My question is this: If i am releasing the product with full source code license, then am i not taking the risk of "some" people abusing the source code availability. I know its just a small percetange of "bad people" out there who will abuse the source code contrary to the terms of the EULA i will have in place. But that said, i will need to take an informed decision taking into account the damage that can be caused by these small lot of bad people. So, what is the general feel - is it safe to release the components with source code, in order to give the developers the advantage to be able to debug the pruchased source code, and not worry about the "small lot" that can absuse the source code availability? I surely want to release the source code along with my components, since i feel most of the buyers want this option so they can debug the source etc. Comments invited. Thanks.
Yes its safe. I sold my old "SyntaxBox" component a few years ago. We had both bin and source licenses.. I saw it on emule and dc and such a few times but nothing that was too annoying. (I've downloaded a few movies in my days so im not any better myself..) But all in all, we never had any problems with it.
Blog: http://www.rogeralsing.com Projects: http://www.puzzleframework.com
-
By releasing the code or component I think it's safe to say that a small group of people are just going to steal your work. I doubt any that steal it would think there was much value in trying to sell it themselves. Not counting places like China where piracy is more the rule than the exception. Most places I've been error on the side of paranoia making sure they have everything fully licensed. What does your component do anyway? Do you have a website to sell it from yet?
Cheers for that info. Yes, i have written a UI suite for .NET Windows Forms and WPF. My web site is up and running, selling components well already... but i would not want to mention the details here, since others can consider it as spamming :-) So far it has only been binary licenses being sold, and i am now thinking about releasing the source as well - extra cash (more the merrier, always :-)) Thanks for your reply :-)
-
Cheers for that info. Yes, i have written a UI suite for .NET Windows Forms and WPF. My web site is up and running, selling components well already... but i would not want to mention the details here, since others can consider it as spamming :-) So far it has only been binary licenses being sold, and i am now thinking about releasing the source as well - extra cash (more the merrier, always :-)) Thanks for your reply :-)
-
Well I wouldn't consider it spamming if the information is requested. But anonymity is good too I suppose. Good Luck.
-
Hi, I am about to release my .NET component in the market, and am thinking of releasing with full source code. This is because i have read from various discussion forums and threads on this subject that people prefer to buy components with full source code license. My question is this: If i am releasing the product with full source code license, then am i not taking the risk of "some" people abusing the source code availability. I know its just a small percetange of "bad people" out there who will abuse the source code contrary to the terms of the EULA i will have in place. But that said, i will need to take an informed decision taking into account the damage that can be caused by these small lot of bad people. So, what is the general feel - is it safe to release the components with source code, in order to give the developers the advantage to be able to debug the pruchased source code, and not worry about the "small lot" that can absuse the source code availability? I surely want to release the source code along with my components, since i feel most of the buyers want this option so they can debug the source etc. Comments invited. Thanks.
It depends on if you put the documentation in the full source code. My employer bought a full source code license from a vendor and it was stripped of all the comments in the code. That made the source code completely useless! We ended up taking the time to create our own component to do the same thing. Ours has source code and documentation. I am not sure I would ever buy source code again, unless I knew up front that the documentation was still in the code. Even then, most developers I work with don't put much documentation/comments in their code. Hogan
-
Hi, I am about to release my .NET component in the market, and am thinking of releasing with full source code. This is because i have read from various discussion forums and threads on this subject that people prefer to buy components with full source code license. My question is this: If i am releasing the product with full source code license, then am i not taking the risk of "some" people abusing the source code availability. I know its just a small percetange of "bad people" out there who will abuse the source code contrary to the terms of the EULA i will have in place. But that said, i will need to take an informed decision taking into account the damage that can be caused by these small lot of bad people. So, what is the general feel - is it safe to release the components with source code, in order to give the developers the advantage to be able to debug the pruchased source code, and not worry about the "small lot" that can absuse the source code availability? I surely want to release the source code along with my components, since i feel most of the buyers want this option so they can debug the source etc. Comments invited. Thanks.
You remind me of a troupe of three young japanese guys. Their question? "Is it safe in Mexico City?" What do you answer to such a question? Safe to do what? Safe from what? First, if your component is of any value, someone WILL abuse it, and violate the EULA. Can you live with that - emotionally? financially? Second, can you build your business around supporting the people that are willing to pay? Third, I likely wouldn't buy your component if I couldn't get sources. You might charge extra for source code access, you might make me sign additional paperwork, fine.
We are a big screwed up dysfunctional psychotic happy family - some more screwed up, others more happy, but everybody's psychotic joint venture definition of CP
blog: TDD - the Aha! | Linkify!| FoldWithUs! | sighist -
Yes that is true, but I do obfuscate my assemblies. Yes, i know it is not a perfect solution to safegaurd my code, but I am sure it does make it very difficult for the abusers.
User7208 wrote:
but I am sure it does make it very difficult for the abusers.
When I was working on security-related systems and (license enforcement) algorithms, I always followed the following belief:
Presume that the hacker is at least as smart as you are.
With that belief in hand, have you tried to decompile your own assemblies to see what the result would be? There is the chance that obfuscated is not as obscure, or as hard as you might like... Just a thought... Peace!
-=- James
Please rate this message - let me know if I helped or not! * * *If you think it costs a lot to do it right, just wait until you find out how much it costs to do it wrong!
Remember that Professional Driver on Closed Course does not mean your Dumb Ass on a Public Road!
See DeleteFXPFiles -
Increase the cost of the source code version if they really really want it make them pay for it. Don't be surprised if it starts to pop up all over the place under GPL
DEVELOPER DAY SCOTLAND 10th MAY 2008 http://www.developerdayscotland.com/[^]
Will they even want his code? :laugh:
So the creationist says: Everything must have a designer. God designed everything. I say: Why is God the only exception? Why not make the "designs" (like man) exceptions and make God a creation of man?
-
Hi, I am about to release my .NET component in the market, and am thinking of releasing with full source code. This is because i have read from various discussion forums and threads on this subject that people prefer to buy components with full source code license. My question is this: If i am releasing the product with full source code license, then am i not taking the risk of "some" people abusing the source code availability. I know its just a small percetange of "bad people" out there who will abuse the source code contrary to the terms of the EULA i will have in place. But that said, i will need to take an informed decision taking into account the damage that can be caused by these small lot of bad people. So, what is the general feel - is it safe to release the components with source code, in order to give the developers the advantage to be able to debug the pruchased source code, and not worry about the "small lot" that can absuse the source code availability? I surely want to release the source code along with my components, since i feel most of the buyers want this option so they can debug the source etc. Comments invited. Thanks.
I think most people here agree that making source available is a good option. You might want to make someone sign an NDA or such - one company I frequent sells their library and source if you want it, and have a clause along the lines of 'you will not use this library/source code' in a product that directly competes with our x, y, z products ... I like the way they put it 'g'
-
Thanks guys. I researched on this for a while, and i found that almost all of the vendors offer source code option. That gave me some comfort that i thought it was probably OK and safe to release the full source. That said, i could not find out what sort of "safety" element these vendors have / think they have on the "potential" abuse side of things. There must be some sort of safety that would have planned for their intellectual property... if i can get that point understood, then i think that is all i need before i release the source :-)
Someone I worked with released a VB component some years ago. His method was to charge a $50 shareware fee for the binaries and $500 if someone wanted the source. A lot of people went ofr just the binaries but a few companies paid the extra for the security of having the source. Probably some people just downloaded it and never paid anything, but most companies are worried enough about being legal and $50 is cheap enough that paying becomes a no-brainer.
-
User7208 wrote:
but I am sure it does make it very difficult for the abusers.
When I was working on security-related systems and (license enforcement) algorithms, I always followed the following belief:
Presume that the hacker is at least as smart as you are.
With that belief in hand, have you tried to decompile your own assemblies to see what the result would be? There is the chance that obfuscated is not as obscure, or as hard as you might like... Just a thought... Peace!
-=- James
Please rate this message - let me know if I helped or not! * * *If you think it costs a lot to do it right, just wait until you find out how much it costs to do it wrong!
Remember that Professional Driver on Closed Course does not mean your Dumb Ass on a Public Road!
See DeleteFXPFilesI completely agree with this statement here. About a month ago, my company had challenged this very idea. We used an inhouse utility application developed in Visual Studio 2005 (C#). We tried obfuscating it 3 different times with different tools to see which was best. My boss had used the obfuscaters and gave me the binaries. On each attempt, I used "Reflector" to perform the disassembly. Each time, the disassembled code was nearly perfect. Even most of the indentation and spacing was right. The biggest differences I saw is that they primarily renamed all the variables to more obscure names by using just letters and numbers. All the logic was clear which helped to decipher what each variable was used for. If you have never heard of or even used Reflector, I strongly suggest you check it out. Try it on your .NET binaries that have been obfuscated. Here is a link to the site: http://www.aisto.com/roeder/dotnet/[^]
Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, burger in one hand, drink in the other, body thoroughly used up, totally worn out and screaming "WOO HOO......What a ride!"
-
User7208 wrote:
but I am sure it does make it very difficult for the abusers.
When I was working on security-related systems and (license enforcement) algorithms, I always followed the following belief:
Presume that the hacker is at least as smart as you are.
With that belief in hand, have you tried to decompile your own assemblies to see what the result would be? There is the chance that obfuscated is not as obscure, or as hard as you might like... Just a thought... Peace!
-=- James
Please rate this message - let me know if I helped or not! * * *If you think it costs a lot to do it right, just wait until you find out how much it costs to do it wrong!
Remember that Professional Driver on Closed Course does not mean your Dumb Ass on a Public Road!
See DeleteFXPFiles -
Hi, I am about to release my .NET component in the market, and am thinking of releasing with full source code. This is because i have read from various discussion forums and threads on this subject that people prefer to buy components with full source code license. My question is this: If i am releasing the product with full source code license, then am i not taking the risk of "some" people abusing the source code availability. I know its just a small percetange of "bad people" out there who will abuse the source code contrary to the terms of the EULA i will have in place. But that said, i will need to take an informed decision taking into account the damage that can be caused by these small lot of bad people. So, what is the general feel - is it safe to release the components with source code, in order to give the developers the advantage to be able to debug the pruchased source code, and not worry about the "small lot" that can absuse the source code availability? I surely want to release the source code along with my components, since i feel most of the buyers want this option so they can debug the source etc. Comments invited. Thanks.
Well! Component Vendor Biggies Like Infragistics Infragistics, DevExpress, www.componentone.com, Component Art and others like www.purecomponents.com,Exceed Componentsall come with source code. But to be very honest, i had gone through the source codes of DevExpress and Infragistics and they are messed up in so much layer of hierarchy that you would actually require to do a full time job to read through it properly :laugh: In my opinion, if you are not going to distribute your components with code, perhaps there are less chance people will buy it unless and otherwise you have introduced something that is really new and innovative. Now, how these biggies are providing codes:confused: there are 2 possible options: 1.During the course of their development of components, they might have a team that may have performed task of code refactoring and abstraction introduction in to their components such that it won't change the external public interface and then they once tested it build their components based on this code base. Suppose a programmer A has completed a Task T in a component C with some public interfaces I1 and I2. Now, this code may be re factored by another programmer C such that the public interfaces of Task T remains same but internal methods might had been recoded by replacing methods that take a Class CC as parameter now take interface II as parameter and they make CC to be inherited from CCBased and assure it implements II. Now this code would definitely be difficult to understand!!! even by the original developer :-\ 2.They keep same hierarchy by obfuscate internal methods and members to make them less readable or atleast package more and more classes in single class files to make it harder for user to navigate the code :rolleyes: Now if you have flat code with clearly understandable methods then you are definitely at danger of having your code misused :(( Now what you say ???? :-O
Syed Muhammad Fahad Application Development Tyler Technologies -- TEMS Division mfahad@mazikusa.com
-
Cheers for that info. Yes, i have written a UI suite for .NET Windows Forms and WPF. My web site is up and running, selling components well already... but i would not want to mention the details here, since others can consider it as spamming :-) So far it has only been binary licenses being sold, and i am now thinking about releasing the source as well - extra cash (more the merrier, always :-)) Thanks for your reply :-)
By the way what's your web site BOSS ??? :-\
Syed Muhammad Fahad Application Development Tyler Technologies -- TEMS Division mfahad@mazikusa.com
-
I completely agree with this statement here. About a month ago, my company had challenged this very idea. We used an inhouse utility application developed in Visual Studio 2005 (C#). We tried obfuscating it 3 different times with different tools to see which was best. My boss had used the obfuscaters and gave me the binaries. On each attempt, I used "Reflector" to perform the disassembly. Each time, the disassembled code was nearly perfect. Even most of the indentation and spacing was right. The biggest differences I saw is that they primarily renamed all the variables to more obscure names by using just letters and numbers. All the logic was clear which helped to decipher what each variable was used for. If you have never heard of or even used Reflector, I strongly suggest you check it out. Try it on your .NET binaries that have been obfuscated. Here is a link to the site: http://www.aisto.com/roeder/dotnet/[^]
Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, burger in one hand, drink in the other, body thoroughly used up, totally worn out and screaming "WOO HOO......What a ride!"
The trouble is, if you start messing with the generated IL code too much, the JIT may run into trouble. Some early .NET obfuscators caused problems with the code and have been scaled back to be a lot more conservative. Meanwhile the decompilers can often detect the transformations made and undo them! IL doesn't reference objects by name anyway, so local variable names are always lost. The metadata only describes classes, method names and parameters. Anything that's declared public or protected is accessible outside the assembly, so its names must be preserved. Otherwise, the obfuscators take advantage of the fact that anything can be overloaded in the metadata, being distinguished by the full type when referenced, so you get them naming as many things as possible 'a' or 'A' or 'aa'.
DoEvents: Generating unexpected recursion since 1991