Protecting Source Code

Alex Martelli aleax at aleax.it
Fri May 9 07:53:03 EDT 2003


On Friday 09 May 2003 12:02 pm, Bo M. Maryniuck wrote:
> On Friday 09 May 2003 10:02, Alex Martelli wrote:
> > If your code is truly worth protecting from competent prying eyes,
> > don't distribute it -- not all of it, at least: keep some under your
> > own strict control, serving xml-rpc or the like from your website.
> > THAT saves you from reverse engineering (and may afford creative
> > billing opportunities, such as per-use fees and the like).
>
> IOW, "don't sell your product".

Who ever said that?  Sell your product and keep some crucial part
of it under your control, "serving xml-rpc or the like from your website".
Selling a product doesn't mean you must install all executable code
on customer machines.

> Well, this is a big problem. E.g. we made Internet Banking (is the project
> serious enough?) in a scripting language and we _sell_ it to the customer
> (i.e. give them a product in which there are scripts that can be *viewed* and
> *examined* if you have access to the server, e.g. you're a special bank
> employee). And a bigger problem (much bigger in this case): if some evil bank
> employee examines those scripts and afterwards finds a dangerous bug, he can
> exploit it from another place. OTOH, *if* he finds a bug... :)

I'm not sure what you're driving at.  If there are exploitable security holes,
an untrustworthy bank employee can no doubt enrich himself or herself
if he or she can find and exploit them.  I would hope a bank would insist
on a careful code-audit by their own people before they go live with any
software they've outsourced and to which they'll delegate operations that
concern MY money deposited with them -- if the bank is buying "black box"
stuff from you, they're exposing themselves to all sorts of accidental AND
deliberate exploits -- shudder.


> But if you want to _sell_ the project (not as Micro$haft does with Windoze:
> they own you, you don't own your Windoze), but GIVE them your product. Then
> they will examine it, and practically there is no way to protect your _ideas_
> -- any licenses will fail because you need only the idea and the way of
> implementation. All else you can reproduce on your own.

You can reproduce everything (at a cost) without needing to examine source
code for the purpose.  If all you have is an idea, and it's not patentable, 
and you can't get serious savings in terms of first-mover advantages, network
effect, and the like, you won't survive in the market, sure.  That has 
precious little to do with "protecting source code", though.


> Please correct me if I am wrong. Because I want to be wrong here. :)

You may well be, but it's hard for me to say because I can't really follow
what it IS that you mean to be saying:-).


Alex
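
The arrangement described in the message above (the crucial part kept on the vendor's server and reached over xml-rpc, with per-use billing), sketched as an added example that is not part of the original post. The API key, quota, `risk_score` name and scoring formula are constructed placeholders, and a real deployment would serve this over HTTPS rather than loopback HTTP.

```python
import threading
from xmlrpc.client import Fault, ServerProxy
from xmlrpc.server import SimpleXMLRPCServer

# Constructed sample data: one customer key with a prepaid quota of two calls.
QUOTA = {"demo-key-123": 2}
USAGE = {}  # api_key -> calls billed so far


def _proprietary_score(amounts):
    """Stand-in for the code worth protecting; it exists only on the server."""
    return sum(amounts) * 37 % 101


def risk_score(api_key, amounts):
    """Remote entry point: authenticate the caller, meter the call, compute."""
    if api_key not in QUOTA:
        raise Fault(401, "unknown API key")
    if USAGE.get(api_key, 0) >= QUOTA[api_key]:
        raise Fault(402, "quota exhausted")
    USAGE[api_key] = USAGE.get(api_key, 0) + 1  # per-use billing record
    return _proprietary_score(amounts)


def demo():
    """Run vendor server and customer client in one process on loopback."""
    USAGE.clear()
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    server.register_function(risk_score)  # only this name is callable remotely
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    # Everything below is all the customer ever installs: a thin client stub.
    client = ServerProxy(f"http://{host}:{port}/")
    outcomes = []
    for key in ("demo-key-123", "demo-key-123", "demo-key-123", "not-a-key"):
        try:
            outcomes.append(client.risk_score(key, [10, 20]))
        except Fault as fault:
            outcomes.append(fault.faultCode)
    server.shutdown()
    server.server_close()
    return outcomes, dict(USAGE)


if __name__ == "__main__":
    print(demo())
```

The customer's side holds only the `ServerProxy` stub and a key, so inspecting the installed files reveals the call interface but not `_proprietary_score`.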





