Releasing components with source code. Is it safe?
-
Hi, I am about to release my .NET component in the market, and am thinking of releasing with full source code. This is because I have read from various discussion forums and threads on this subject that people prefer to buy components with full source code license. My question is this: If I am releasing the product with full source code license, then am I not taking the risk of "some" people abusing the source code availability? I know it's just a small percentage of "bad people" out there who will abuse the source code contrary to the terms of the EULA I will have in place. But that said, I will need to take an informed decision taking into account the damage that can be caused by this small lot of bad people. So, what is the general feel - is it safe to release the components with source code, in order to give the developers the advantage of being able to debug the purchased source code, and not worry about the "small lot" that can abuse the source code availability? I surely want to release the source code along with my components, since I feel most of the buyers want this option so they can debug the source etc. Comments invited. Thanks.
You remind me of a troupe of three young Japanese guys. Their question? "Is it safe in Mexico City?" What do you answer to such a question? Safe to do what? Safe from what? First, if your component is of any value, someone WILL abuse it, and violate the EULA. Can you live with that - emotionally? financially? Second, can you build your business around supporting the people that are willing to pay? Third, I likely wouldn't buy your component if I couldn't get sources. You might charge extra for source code access, you might make me sign additional paperwork, fine.
We are a big screwed up dysfunctional psychotic happy family - some more screwed up, others more happy, but everybody's psychotic joint venture definition of CP
-
Yes, that is true, but I do obfuscate my assemblies. Yes, I know it is not a perfect solution to safeguard my code, but I am sure it does make it very difficult for the abusers.
User7208 wrote:
but I am sure it does make it very difficult for the abusers.
When I was working on security-related systems and (license enforcement) algorithms, I always followed the following belief:
Presume that the hacker is at least as smart as you are.
With that belief in hand, have you tried to decompile your own assemblies to see what the result would be? There is the chance that obfuscated is not as obscure, or as hard as you might like... Just a thought... Peace!
-=- James
Please rate this message - let me know if I helped or not!
If you think it costs a lot to do it right, just wait until you find out how much it costs to do it wrong!
Remember that Professional Driver on Closed Course does not mean your Dumb Ass on a Public Road!
See DeleteFXPFiles
-
Increase the cost of the source code version; if they really, really want it, make them pay for it. Don't be surprised if it starts to pop up all over the place under GPL.
DEVELOPER DAY SCOTLAND 10th MAY 2008 http://www.developerdayscotland.com/
Will they even want his code? :laugh:
So the creationist says: Everything must have a designer. God designed everything. I say: Why is God the only exception? Why not make the "designs" (like man) exceptions and make God a creation of man?
-
I think most people here agree that making source available is a good option. You might want to make someone sign an NDA or such - one company I frequent sells their library and source if you want it, and have a clause along the lines of 'you will not use this library/source code' in a product that directly competes with our x, y, z products ... I like the way they put it 'g'
-
Thanks guys. I researched on this for a while, and I found that almost all of the vendors offer a source code option. That gave me some comfort that it was probably OK and safe to release the full source. That said, I could not find out what sort of "safety" element these vendors have / think they have on the "potential" abuse side of things. There must be some sort of safety that they would have planned for their intellectual property... if I can get that point understood, then I think that is all I need before I release the source :-)
Someone I worked with released a VB component some years ago. His method was to charge a $50 shareware fee for the binaries and $500 if someone wanted the source. A lot of people went for just the binaries but a few companies paid the extra for the security of having the source. Probably some people just downloaded it and never paid anything, but most companies are worried enough about being legal and $50 is cheap enough that paying becomes a no-brainer.
-
I completely agree with this statement here. About a month ago, my company had challenged this very idea. We used an in-house utility application developed in Visual Studio 2005 (C#). We tried obfuscating it 3 different times with different tools to see which was best. My boss had used the obfuscators and gave me the binaries. On each attempt, I used "Reflector" to perform the disassembly. Each time, the disassembled code was nearly perfect. Even most of the indentation and spacing was right. The biggest difference I saw is that they primarily renamed all the variables to more obscure names by using just letters and numbers. All the logic was clear, which helped to decipher what each variable was used for. If you have never heard of or even used Reflector, I strongly suggest you check it out. Try it on your .NET binaries that have been obfuscated. Here is a link to the site: http://www.aisto.com/roeder/dotnet/
Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, burger in one hand, drink in the other, body thoroughly used up, totally worn out and screaming "WOO HOO......What a ride!"
-
Well! Component vendor biggies like Infragistics, DevExpress, www.componentone.com, Component Art and others like www.purecomponents.com, Exceed Components all come with source code. But to be very honest, I had gone through the source code of DevExpress and Infragistics and they are messed up in so many layers of hierarchy that you would actually require a full-time job to read through it properly :laugh:
In my opinion, if you are not going to distribute your components with code, perhaps there is less chance people will buy them, unless you have introduced something that is really new and innovative.
Now, how are these biggies providing code? :confused: There are 2 possible options:
1. During the course of their development of components, they might have a team that performed code refactoring and introduced abstraction into their components such that it won't change the external public interface, and then, once tested, they build their components based on this code base. Suppose a programmer A has completed a Task T in a component C with some public interfaces I1 and I2. Now, this code may be refactored by another programmer C such that the public interfaces of Task T remain the same but internal methods might have been recoded by replacing methods that take a Class CC as parameter so they now take interface II as parameter, and they make CC inherit from CCBased and ensure it implements II. Now this code would definitely be difficult to understand!!! even by the original developer :-\
2. They keep the same hierarchy but obfuscate internal methods and members to make them less readable, or at least package more and more classes in single class files to make it harder for the user to navigate the code :rolleyes:
Now if you have flat code with clearly understandable methods then you are definitely in danger of having your code misused :(( Now what do you say ???? :-O
Syed Muhammad Fahad Application Development Tyler Technologies -- TEMS Division mfahad@mazikusa.com
-
Cheers for that info. Yes, I have written a UI suite for .NET Windows Forms and WPF. My web site is up and running, selling components well already... but I would not want to mention the details here, since others can consider it as spamming :-) So far it has only been binary licenses being sold, and I am now thinking about releasing the source as well - extra cash (the more the merrier, always :-)) Thanks for your reply :-)
By the way what's your web site BOSS ??? :-\
Syed Muhammad Fahad Application Development Tyler Technologies -- TEMS Division mfahad@mazikusa.com
-
The trouble is, if you start messing with the generated IL code too much, the JIT may run into trouble. Some early .NET obfuscators caused problems with the code and have been scaled back to be a lot more conservative. Meanwhile the decompilers can often detect the transformations made and undo them! IL doesn't reference objects by name anyway, so local variable names are always lost. The metadata only describes classes, method names and parameters. Anything that's declared public or protected is accessible outside the assembly, so its names must be preserved. Otherwise, the obfuscators take advantage of the fact that anything can be overloaded in the metadata, being distinguished by the full type when referenced, so you get them naming as many things as possible 'a' or 'A' or 'aa'.
DoEvents: Generating unexpected recursion since 1991
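
The split described in the post above, between names that are visible outside the assembly and names an obfuscator is free to collapse to 'a' or 'aa', can be measured on your own binaries with reflection. This is an added example, not code from the thread; `SampleGrid` and `SurfaceAudit` are hypothetical names, and the sample class is constructed so the tool has something to report when run without arguments.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Constructed sample type so the audit has something to report when run on itself.
public class SampleGrid
{
    public int RowCount;                                     // public: name is kept
    protected virtual void OnLayout() { }                    // protected: name is kept
    internal void Recalculate() { }                          // internal: renameable
    private int Measure(int width) { return width; }         // private: renameable
    private int Measure(string text) { return text.Length; } // private: renameable
}

public static class SurfaceAudit
{
    const BindingFlags Declared = BindingFlags.Public | BindingFlags.NonPublic |
        BindingFlags.Instance | BindingFlags.Static | BindingFlags.DeclaredOnly;

    // A type is reachable from outside the assembly when it and every
    // enclosing type are public or protected.
    static bool TypeVisible(Type t)
    {
        if (!t.IsNested) return t.IsPublic;
        return (t.IsNestedPublic || t.IsNestedFamily || t.IsNestedFamORAssem)
               && TypeVisible(t.DeclaringType);
    }

    static bool MemberVisible(MemberInfo m)
    {
        if (m is MethodInfo mi) return mi.IsPublic || mi.IsFamily || mi.IsFamilyOrAssembly;
        if (m is FieldInfo fi) return fi.IsPublic || fi.IsFamily || fi.IsFamilyOrAssembly;
        return false;
    }

    // Sorts every type, method and field name into "kept" (referenced by
    // name from outside, so it must survive) or "renameable".
    public static void Audit(Assembly asm, List<string> kept, List<string> renameable)
    {
        foreach (Type t in asm.GetTypes())
        {
            bool typeVisible = TypeVisible(t);
            (typeVisible ? kept : renameable).Add(t.FullName);
            foreach (MemberInfo m in t.GetMembers(Declared))
            {
                // Methods and fields only: properties and events surface through
                // their accessor methods (get_X, add_X); constructors have fixed names.
                if (!(m is MethodInfo) && !(m is FieldInfo)) continue;
                string name = t.FullName + "::" + m.Name;
                (typeVisible && MemberVisible(m) ? kept : renameable).Add(name);
            }
        }
    }

    // Last segment of "Namespace.Type::Member", i.e. the identifier itself.
    static string Leaf(string fullName)
    {
        return fullName.Substring(fullName.LastIndexOfAny(new[] { ':', '.', '+' }) + 1);
    }

    public static void Main(string[] args)
    {
        // Pass the path of the assembly you ship (after obfuscation); with no
        // argument the tool inspects itself and reports on SampleGrid.
        Assembly asm = args.Length > 0 ? Assembly.LoadFrom(args[0])
                                       : Assembly.GetExecutingAssembly();
        var kept = new List<string>();
        var renameable = new List<string>();
        Audit(asm, kept, renameable);

        Console.WriteLine("Visible outside the assembly (must keep their names): " + kept.Count);
        foreach (string n in kept) Console.WriteLine("  " + n);

        // In an obfuscated build most renameable identifiers are 1-2 characters;
        // a low count here means the internals still carry their real names.
        int shortNames = renameable.Count(n => Leaf(n).Length <= 2);
        Console.WriteLine("Renameable: " + renameable.Count +
                          ", of which " + shortNames + " have 1-2 character names");
    }
}
```

Run it against the binary before and after obfuscation: the "kept" list is the same in both, which is the part of the design a decompiler user reads with its original names regardless of the tool used.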
-
User7208 wrote:
I am about to release my .NET component in the market, and am thinking of releasing with full source code.
From what little I know of .NET (I've never done any .NET development myself but I've read about it) any app that runs on the CLR can be fairly easily decompiled to any .NET language. IIRC comments will be lost but all variable and class names will be recovered.
User7208 wrote:
I know it's just a small percentage of "bad people" out there who will abuse the source code contrary to the terms of the EULA I will have in place. But that said, I will need to take an informed decision taking into account the damage that can be caused by this small lot of bad people.
Unless you obfuscate your assembly, the bad guys will just decompile it. The good guys will be too worried about copyright to do so, however.
User7208 wrote:
So, what is the general feel - is it safe to release the components with source code, in order to give the developers the advantage of being able to debug the purchased source code, and not worry about the "small lot" that can abuse the source code availability?
It all boils down to this: Would you rather have your code just in the hands of the bad guys, or let your legitimate customers have it too?
-
The best way I have found to avoid getting your source ripped off is to continually improve your product. That way, the would-be thief is always a few generations behind.
-
Good analysis. Thanks. Although I get the general feel (from so many threads of discussions now, including yours) that without a source code license option there can be fewer sales of licenses, the risk of code abuse and theft seems to be inevitable and high, and hence providing the source code option is something that I will have to think about deeply and decide. I guess I might come up with some options to ensure (as much as I can) that only good guys go for it. The options could be like:
1. Insisting on requiring the user to buy directly from me (via bank transfer) rather than allowing them to buy via the e-commerce agent. This option will give me the chance to understand who the potential customer is, and whether he can be trusted etc., and if not, I can simply reject the order request.
2. I can ask the buyers to give me only a corporate email ID or otherwise require them to buy the license in their company name, rather than an individual name. This way, I can ensure that purchases cannot be made by "anybody", using anonymous email IDs like hotmail, yahoo, etc.
But I guess even with all these options, there is always a chance that bad people can get away with complying with these and still abuse the system :mad:
Yes, my product is something that is really cool :-)... the binary licenses are selling well :-), but to enter that $millions sales :cool: market, especially to make the large corporates buy it, I thought a source code license will add value. But the risk seems to be pretty high :-( Anyway, I have got another idea - for those big customers who want peace of mind on source availability (in future, and not necc. immediately!) I can organise a source code escrow option. Thanks for your time.
-
Hmmm :) Anyways, I'm still waiting for you to at least let me know the types of components you are developing and from where I can get an evaluation version, if any :-\
Syed Muhammad Fahad Application Development Tyler Technologies -- TEMS Division mfahad@mazikusa.com
-
Well, we have a proverb which says: Since there is a valley there will be foxes and wolves. And this could not stop living in peace, progress, ... etc. And on the other side there are good people, why should we be afraid of them? You have two choices (OPTIONS):
1- Give your product without full source code for a certain price, for who wants this option.
2- Put 20 percent more on the price for providing full source code with the components, for who wants this option.
Wish you good luck. And of course put licensing rights which you see as satisfactory. mohamad.
-
Evals - why not? Sure :-) You will love them ;-) I can send you a private email with my website link if you are sure you want to know the details ;-) I am trying to avoid mentioning it here, in public lounge! That is all! :-)
modified on Thursday, March 20, 2008 4:32 PM
-
Thanks. Actually my binary license sales are doing very well! :-) It's just that I want to do more :-), and I thought maybe it's the source code license that may bring in more customers :-) So I thought I would run it through you guys to see what the general opinion / feel is :-) I am getting close to deciding on this though, like with the sort of options I have outlined in one of my other replies, + a price hike for the source code option, like you have mentioned :-) Thanks.
-
For 'safety' you should copyright your source code, then take the additional step of registering it with the government ($). You no longer have to send in the source to secure copyright, but if you do then any claims of infringement could be easier to prove. IANAL, consult an attorney. I've published GPL'd source, and while not beautiful code, did receive lots of comments. Many of the comments were not accurate or articulate, but one or two people sent in *really* helpful suggestions. And that alone was enough value for me to release the source.
-
I think that the source code should bring the attention of more customers as you expect, since the source code is the soul of the job and someone may need it for some reason and he/she will be ready to pay more if they find it necessary. Anyway, thanks and good luck. mohamad.