The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Source code encryption

I am ready to release a PHP web application. After extensive bug-checking and testing, I am facing a dilemma: should I encrypt the source code?

I also want to know what the current thinking on source code encryption is.

Thank you in advance for sharing your knowledge.
Ken Deji
Monday, September 27, 2004
 
 
Are you distributing it to clients or are you hosting it for others?

I assume that you're not hosting it, otherwise, this would not be much of an issue.

Are you worried about them further distributing it or are you worried about them making custom modifications?

In my current position, we've been selling our ASP apps out to various *large* clients and we came up with a VERY simple clause.  If they have a support contract with us and make ANY changes without notifying us, their support ends and the balance of the contract must be paid.  If they make changes and give them to us, then we will continue support.  They also cannot distribute the app further.  Changes are detected by comparing md5 checksums with the installation CD they have and their current installation.  We also have a checksum of the entire filespace of the CD to confirm that it has not been replaced.

It's not the best scenario, but it was what my boss came up with...
KC
Monday, September 27, 2004
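
The checksum comparison KC describes, sketched as an added example (not code from the thread or from KC's company). It assumes SHA-256 in place of the MD5 mentioned in the post, since MD5 collisions are practical; all paths and file contents are constructed. `manifest_digest` plays the role of the single checksum over the whole CD.

```python
import hashlib, os, pathlib, tempfile
# Assumption: SHA-256 stands in for the post's MD5; the sample trees below are constructed.

def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest

def manifest_digest(manifest):
    """One digest over the whole tree (paths and hashes), like the whole-CD checksum."""
    h = hashlib.sha256()
    for rel in sorted(manifest):
        h.update(f"{rel}\0{manifest[rel]}\n".encode())
    return h.hexdigest()

def compare(reference, installed):
    """Return (modified, missing, added) path lists for installed vs. reference."""
    modified = sorted(p for p in reference if p in installed and reference[p] != installed[p])
    missing = sorted(p for p in reference if p not in installed)
    added = sorted(p for p in installed if p not in reference)
    return modified, missing, added

def demo():
    """Constructed sample: a 'CD' tree and an install with one edit, one deletion, one new file."""
    with tempfile.TemporaryDirectory() as tmp:
        cd, inst = os.path.join(tmp, "cd"), os.path.join(tmp, "install")
        files = {"index.php": b"<?php echo 'v1';", "lib/db.php": b"<?php // db",
                 "lib/auth.php": b"<?php // auth"}
        for root in (cd, inst):
            for rel, data in files.items():
                p = pathlib.Path(root, rel)
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        pathlib.Path(inst, "index.php").write_bytes(b"<?php echo 'patched';")
        os.remove(os.path.join(inst, "lib", "auth.php"))
        pathlib.Path(inst, "lib", "custom.php").write_bytes(b"<?php // local addition")
        ref, cur = build_manifest(cd), build_manifest(inst)
        return compare(ref, cur), manifest_digest(ref) == manifest_digest(cur)

if __name__ == "__main__":
    print(demo())
```

The comparison reports added and missing files as well as edited ones, which a per-file checksum of the shipped files alone would not catch.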
 
 
Encrypt the source code, definitely - you don't want your customers reading your valuable source code.

You will, of course, have to provide the decryption key in order for the web server to decrypt the code to run it, but that's ok because your customers won't be able to use that key to decrypt the code themselves - the decrypted code could never possibly get out of the web server.

Er, can anyone see a problem there? No? Good, I'll place my order as soon as it's available.

(Er, just in case: yes, I see the problem there - I was being sarcastic. But have I missed something obvious? Did the question actually mean something sensible and intelligent and I just missed the whole point?)

Monday, September 27, 2004
 
 
"But have I missed something obvious? Did the question actually mean something sensible and intelligent and I just missed the whole point?"

PHP code can be "compiled" into IL much the same as Java bytecodes or .NET IL code.  Zend (the makers of PHP) have an encoder tool and their free PHP optimizer includes the decoder (because by default PHP operates on source code only).

Our company is in a similar situation (w/ PHP no less) but our license agreement pretty much forbids looking at the code and definitely forbids changing it.  We've never had a problem --  but we only have a few clients and our product costs a lot of $$$.
Almost Anonymous
Monday, September 27, 2004
 
 
See, as long as it's against the license, there's no probs giving the customers the source.

Remember, it's far cheaper to have you fix the problems than it is to fix the problems themselves.  They are prevented from selling the code and if they did want to try, they probably aren't in the software business anyway.  And if they do even modify it, they will have to bother with merging the code of your next release in.  So, giving your source code to your average not-in-the-same-line-of-business guy isn't going to make new competitors.

The problem, of course, is if you sell it to the archetypal "evil overseas programmer" who is out to profit from your work.  Everything falls apart there because there's only so much you can do to them when they can buy off judges but you can't.
Flamebait Sr.
Monday, September 27, 2004
 
 
PHP code can be "compiled" into IL much the same as Java bytecodes or .NET IL code

If that's what was meant, then this is just another round of "should I use an obfuscator". What is it with this topic?

Monday, September 27, 2004
 
 
"If that's what was meant, then this is just another round of "should I use an obfuscator". What is it with this topic?"

PHP is typically distributed as source code -- and not in encoded form.  And special software is needed to be installed on the server for the encoded form to work.

In my case, I'm not able to run encoded PHP scripts on my server because it conflicts with other optimization software I have installed.
Almost Anonymous
Monday, September 27, 2004
 
 
Thank you all very much for the comments.

I should have been more specific in my question. The product I plan to release is similar to pMachine, MovableType, WordPress, etc. Its target customers include both individuals and enterprise customers. There are a few features in there that are original to us. That's why I am thinking about encryption, to protect the features we came up with.

So, should I encrypt the source code for the original features, or am I worrying about nothing?
Ken Deji
Monday, September 27, 2004
 
 
If the features are that original and that great, why not patent them?  If they're not worth patenting, are they really worth fretting over?

Besides, customers with the technical skills and desire to modify source code are likely to choose an open-source solution, of which there are plenty in this market.  So the customers looking for products like yours are going to be the ones who aren't interested in that sort of thing, and your source is likely safe.
Iago
Tuesday, September 28, 2004
 
 
Why not put your "original ideas" into a compiled C extension, and leave the rest as normal, unobfuscated PHP?

Even then, a web application is a web application is a web application, and any competent programmer can just "reverse engineer" what you've done by observing how the thing operates with their web browser, and will probably end up coding it better than you originally did, and may even throw in some ideas of their own.

That said, even the most curious of people will look at the source code, recognise it's -- you know -- code, and then go back to whatever it is they're getting paid to do.
Omar Kilani
Tuesday, October 05, 2004
 
 

This topic is archived. No further replies will be accepted.
