Slashdot Mirror


Protecting Your Code While Allowing Source Access?

foo_48120 asks: "My small development shop, myself and four employees, is taking on a fairly large job that will run a substantial part of the client's business. To protect themselves they want the source code to the project. Frankly I don't blame them. We bid aggressively to get them to underwrite our own efforts to build this code, which we plan to resell again and again. That is the basis for our company. I have no problem with them holding the source but need to make it clear that we own the code and that they have a license to use it in their business. They may at their discretion hire others to modify the code, but would still be required to pay their maintenance contract and be prohibited from reselling it or using it to run an additional business. How do you provide open source without escrow, yet protect what we are documenting up front as our intellectual property rights in the ownership of this code?"

Of course third party developers may break things and we would not be responsible for that or for fixing it without further renumeration.

Ideally, if we make them happy then we will do all future upgrades and add on modules as well. I am not worried about that. I do want to know if anyone has experience in the writing of such a licensing agreement? Perhaps they could provide me with a sample copy of their text?

Let's leave aside for now the issue of totally open source vs. closed source. There are times when you want the product to be proprietary as we do, however I want them to feel comfortable using our code so that if a proverbial plane were to fly into our building and wipe us all out then they don't go down the tubes with us."

41 of 533 comments

  1. Signed contract... good lawyer. by Jerry · · Score: 5, Informative

    I ran my consulting business under the same premise for 15 years. The contract they signed with me included, among other features, their right to the source code with the restriction that they could not use it as the basis for competition against me. Terms included where a conflict could be adjudicated, the amount of damages, etc...

    --

    Running with Linux for over 20 years!

    1. Re:Signed contract... good lawyer. by AndroidCat · · Score: 5, Funny

      A contract like that can work -- if they know that you can and will have a lawyer sue them if they violate the agreement. (You don't have to make threats, just let them know that you have the resources to do so, and your lawyer isn't Clippy. "I notice that you're trying to sue someone...")

      --
      One line blog. I hear that they're called Twitters now.
  2. a lawyer by mosch · · Score: 5, Insightful
    You protect your code with a lawyer, who writes up a contract that says that they're only allowed to use it in the agreed upon ways, and that's that. They'll probably obey it, and if they don't and you catch them, you can sue them and collect your due royalties, plus punitive damages of course.

    When it comes to selling source code, that's the only method that works.

  3. First, grab a dictionary. by Xerithane · · Score: 5, Insightful

    ... How do you provide open source without escrow, yet protect what we are documenting up front as our intellectual property rights in the ownership of this code?"

    First off, find out that what you are talking about is not open source. If it was open source, or a compatible license, then your client company would be free to redistribute.

    Second, it's called a contract. And lawyers. Slashdot is neither. Just (have a lawyer) draft a contract specifying exactly what can be done and saying anything not listed is expressly forbidden unless written permission is granted.

    --
    Dacels Jewelers can't be trusted.
  4. Contractual Clauses by il_diablo · · Score: 5, Informative

    Look into an Exclusive Use rights clause in your contract. There's nothing saying that you can't agree to let them use the software and have a copy of the source as a deliverable. However, you can limit their ability to resell/reuse the component.

    Additionally, create an Intellectual Property clause in the contract spelling out specific ownership rights/responsibilities.



    Insert IANAL comment here.

    --
    Quidquid latine dictum sit, altum sonatur.
  5. Re:Escrow by p3d0 · · Score: 5, Insightful

    That's not a very good answer to the "How do you provide open source without escrow" question, now is it?

    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  6. Sometimes I fail to understand people by Tim_F · · Score: 4, Insightful

    They are paying you to code something for them. You are a contract firm. What you code for them is their property. Would you get to keep your code if you worked for a company? No, the code would belong to them. This company is paying you for the code, and so, when you are done, then the code belongs to them. They lose their monetary investment if you get to keep the code and resell it to their competitors.

    1. Re:Sometimes I fail to understand people by Phillip+Birmingham · · Score: 5, Insightful

      This company is paying you for the code, and so, when you are done, then the code belongs to them.

      Wrong. The company is paying you for whatever the contract says they are paying you for. No more, no less.

      --
      Make me aerodynamic in the evening air
  7. Outstanding service and support by SmoothOperator · · Score: 4, Informative

    If you offer them outstanding service and support throughout the time they use your product, they will come back over and over again to you. They will want you, and only you to maintain the code, as well as to provide upgrades. If you start jacking them up, have poor business relations with them, they will look for alternatives, and they will take your code, no matter how many clauses you place in your EULA.

    --

    Veni, vidi, vici.

  8. Trust by bytesmythe · · Score: 5, Interesting

    Technically speaking, there really isn't any way to prevent this. If they are to have maintenance access to your code, then there is no way to keep them from giving the code to someone else.

    The only thing I can think of that might work would be to add extensions to the language you use (like extra keywords) and provide your own closed-source compiler, which is hobbled so it only works on the original system, perhaps with some kind of hardware dongle, or net connection that connects to your server to verify the compiling machine's serial number and some cryptographic key.

    This wouldn't prevent it from being hacked, but it might make it difficult enough to make the prospect less likely.

    --
    bytesmythe
    Hypocrisy is the resin that holds the plywood of society together.
    -- Scott Meyer
  9. Re:Talk to a lawyer by sirius_bbr · · Score: 5, Funny

    Seriously, why are you even bothering to "Ask Slashdot?". This is a legal issue, you'll need legal contracts and agreements, all of that. Talk to a fucking lawyer.

    You clearly don't know the difference between what talking to a lawyer costs, and what talking to the slashdot-crowd costs :)

    --
    this sig has intentionally been left blank
  10. Copyright Law... by loucura! · · Score: 4, Insightful

    Assuming you are in the United States, your work is still covered under US Copyright law. Just because you are giving them access to the source code, does not give them redistribution rights, or the right to make a derivative without expressed permission.

    So, all you should need is an (C) Your Co.
    All Rights Reserved.

    If that doesn't work, a handy lawsuit works wonders.

    --
    Black and grey are both shades of white.
  11. Re:I would make two version of the tree by viking099 · · Score: 5, Insightful

    That would totally negate them having the code to begin with.
    It sounds like they want the code so that they can make changes to their business software when and how they want it.
    If you intentionally make it difficult or impossible to do what they're entitled to do (it sounds like they're wanting to basically buy a copy of the code, like a book or something), then you're in violation of the spirit, if not the terms, of the contract.
    Plus, if you're not nice to the people who are paying you lots of money, you're less likely to get repeat business from them.

  12. My company by RudeDude · · Score: 5, Informative
    My company (I'm a founder and co-president) has dealt with this type of thing many times. The bottom line has been we put a license and ownership statement in the contract.

    There are two basic ways (as we see it) to do this. Keep ownership and grant a license that has a specific list of allowed uses or just the reverse where you give them ownership but retain specific license for yourselves.

    You can usually make it work as you need it with either party having ownership, since ownership just means they have final say, can change the license, and get any non-specified (default) rights.

    Keeping in mind this is only one small part of the whole contract and I don't promise this is safe or useful for you as it is... here is a paragraph right out of our standard contracts:

    (b) Grant of License. Steem hereby grants to Client, upon the terms and conditions set forth in this Agreement, a non-transferable, non-fee bearing, single use, worldwide right and license, without the right to sublicense, for software developed by Steem for use with the Web Site. Any artwork, graphics, or designs created to Client specifications for use in the Web Site become property of the Client upon the Web Site Launch. However, Steem retains the right to display any created artwork, graphics, or designs as part of Steem's portfolio of design work. Steem retains sole rights and ownership of all interactive code. The provisions of this Section 7 will survive indefinitely regardless of the completion or termination of this Agreement.

    --
    RudeDude
    Perl/Linux/PHP hacker
  13. Re:I would make two version of the tree by billnapier · · Score: 5, Funny

    You just need to write an obfuscator then, something that takes the inhouse code and changes variable names and adds bogus modules and subroutines.

    I know developers who do this part without really trying that hard...

  14. Re:Talk to a lawyer by lpret · · Score: 5, Insightful
    Ok, I singled your comment among the many "Go talk to a lawyer" comments because you asked seriously. And I will answer seriously.

    Many of us at Slashdot have been in similar situations. As such, we know there are certain details to keep in mind regardless if the use of a lawyer or some other type of consultant is necessary. For example:
    I play rugby and in a recent match I landed on my foot wrong and parts of my foot went numb. Now, I asked some friends of mine and what do you think they said? "Go talk to a fucking doctor?" No, because they have had past experience with similar situations. They gave me anecdotes about past injuries they had, how they felt, etc. some of which helped, some did not.
    Now this is the same here, all of the info given here may not be helpful, but the few comments that are made could tremendously help the person asking the question. So please, if you have something to say about the situation, say it, if you don't, try to help in whatever way you can -- remember, we're a community here.

    --
    This is my digital signature. 10011011001
  15. Re:Give it to them for Free by Waab · · Score: 5, Insightful

    Programmers are morally obligated to give the code to their users and allow their users to freely modify and redistribute the code.

    When did this happen?

    Is [insert popular novelist here] morally obligated to give away his/her novels, allowing the readers to freely modify and redistribute the text?

    I respect the open source movement and I think free (as in speech and beer) software is a Good Thing(tm), but I think saying coders are morally obligated to give away their source code is a step too far.

  16. Re:Give it to them for Free by glenstar · · Score: 5, Insightful
    ...for one thing, the model of selling a product doesn't work in the software development industry.

    What? You had better share that insight with all of the commercial software vendors out there quickly before they go out of business! Make sure to include Microsoft, Oracle, IBM, etc...!

    Programmers are morally obligated to give the code to their users and allow their users to freely modify and redistribute the code.

    Again... WHAT? I am not aware of any code of morals saying that developers have an obligation to give away their code. Can you explain to me, all GNU and FSF rhetoric aside, why my company should spend countless resources to create a product that we give the code away for and let people do as they wish with it? I personally don't get that logic.

    Slightly offtopic (but not by much): I think that the ideal license is one that says something like: "By purchasing this software you get rights to the source code, to do with as you like *within* your organization. If you plan on offering your changed product outside of your organization, you must sign an approved Royalty agreement with the Publisher..."

    Don't bite the hand that feeds and don't assume that you can make money by putting a product out as OSS and that someone will pay you to extend or support it.

  17. Companies that do this. by Flamesplash · · Score: 4, Insightful

    First off there are other companies that "license" their source code, like ICS. You could always find one of these companies and ask them how they do it.

    Second, this does simply sound like a licensing issue. You trust your customers not to hack the license keys for the binary form of your product, or to redistribute it. So perhaps it's all about trust....

    --
    "Not knowing when the dawn will come, I open every door." - Emily Dickinson
  18. answer by mr_gerbik · · Score: 4, Funny

    "How do you provide open source without escrow, yet protect what we are documenting up front as our intellectual property rights in the ownership of this code?"

    By hiring yourself a good lawyer.. and not taking law advice from a bunch of pimple-faced /. know-it-alls.

    -gerbik

  19. Re:Talk to a lawyer by IanBevan · · Score: 5, Funny
    Talk to a fucking lawyer.

    ...although bear in mind that a lawyer engaged in copulation may not have his/her mind completely on the job.

  20. I always use.. by grub · · Score: 5, Funny


    GPL: The Guido Public License

    Preamble

    The licenses for most software are designed to take away your freedom to share and change it. By contrast, the Scarpelli family's Guido Public License gives you more freedom with the benefit of protection for you, your family and your business. The Guido Public License applies to most of the Scarpelli Family Software Foundation's software and to any other program whose authors commit to using it. (Some other Scarpelli Family Software Foundation software is covered by the Guido Library General Public License instead.) You can apply it to your programs, too.

    Accidents, fires and floods happen. The Guido Public License protects you.

    We protect our rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy and distribute the software.

    Failure to abide by the rules of any of the Guido Public Licenses will mean a visit from Guido Scarpelli himself.

    You don't want that.

    --
    Trolling is a art,
  21. Re:Give it to them for Free by blincoln · · Score: 5, Funny

    Well, for one thing, the model of selling a product doesn't work in the software development industry.

    I just heard a thunderclap. I think it was the sound of Bill Gates' bank account entering the atmosphere of your argument. I estimate about five minutes until it re-enacts the scene from the end of The Forge of God when it meets up with Scott McNealy's.

    --
    "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  22. Re:Talk to a lawyer by L.+VeGas · · Score: 5, Funny

    Well my past experience is this:

    Go ahead and give them the code. When they start modifying it, taking it to 3rd parties, and using it at other businesses, stare at the ground and tremble your lower lip. That night, get into an argument with your wife and kick the dog.

  23. Well, who pays for that? by 955301 · · Score: 5, Insightful

    You just need to write an obfuscator then, something that takes the inhouse code and changes variable names and adds bogus modules and subroutines.

    And I suppose you bill the client for the time it takes to obfuscate and confuse the code? Or you eat the cost?

    Trusted relationships are enforced by contracts all of the time. Comfort yourself with some analogies from other industries, then define the terms of the contract and call your lawyer.

    That reduces your problem to catching them if they break ranks with the agreement. Rich comments and the occasional random readme in the source tree (e.g., Java package.html files, copyright headers/footers) help give your code a signature.

    Something else just came to mind here. What about splitting the code into libraries versus their proprietary code (unique to their project) and only give the source to the latter? It doesn't sound applicable for your current project, but you may find yourself with an opportunity to reduce your risk later by doing this.

    --
    You are checking your backups, aren't you?
  24. This issue is hardly as black and white as that... by JLavezzo · · Score: 5, Insightful

    If I'm an architect and design a house for you, you get to live in the house. But if an architecture magazine publishes an article on it, I get the royalties, not you. And it's my reputation as an architect that is improved.

    The actual issue here is, "How much is the client paying for?" Are they buying use of the end product? of course. Are they buying all rights to and use of the design or source? Probably not all rights and use. So, therefore, the challenge is to work out an equitable and profitable distribution of rights and use between the original client and the artist/programmer.

    This post is asking, "What are the methods that are established for describing who gets which uses and rights on a piece of software that was part of a custom contract?"

  25. That's not open source by nsayer · · Score: 5, Insightful

    Open source implies that they have all the rights you specifically say that they will not be granted. Your scheme is closer to Microsoft's Shared Source scheme, or what we often refer to as "source under glass" - Look, but don't touch. Source, yes; open, no.

    I'm sure there will be those here who will take an activistic viewpoint and urge you to do something different. I will not. You have every right to release code under any terms and conditions you may legally obtain, and more power to you. But my opinion is that you ought not use the phrase "open source" unless it meets the OSI mark requirements (which your plan most certainly would not).

  26. Mod Parent up, +5 Funny... by siskbc · · Score: 4, Insightful

    Oh...wait...you mean that wasn't sarcasm? You actually wrote that with a straight face? Now *that* is funny.

    Let's see how your opinion of free software changes after Mommy and Daddy stop paying for school and you have to get a job. Your tune will change when you realize that people who give away software won't be hiring you, because....they have no money to pay salaries! Hell, where does Linus get his paychecks? Not from a company releasing its intellectual property for free. As for consulting...you want to add up all the dollars spent on software (binaries) compared to consulting services? It isn't remotely close. Nice try.

    This whole "all source code should be free" crap is only popular among people who don't work for a living (and, somehow, Stallman). When you own your code, and make a living off of it, it's amazing how your views tend to change. It's kind of like how the hippies of the 60's became the 80's Me-generation - money and power (and closed source code!) is only bad when someone ELSE is controlling it.

    But thanks for the troll, that was a good one!

    --

    -Looking for a job as a materials chemist or multivariat

  27. Re:Talk to a lawyer by mike77 · · Score: 5, Funny
    Yeah, it's something along the lines of one takes your money and the other takes your dignity...

    --

    --Keeping the flame wars alive, one post at a time

  28. Escrow contracts are voided by bankruptcy by Bruce+Perens · · Score: 5, Informative
    Your customer is smart.

    Conventional escrow doesn't work when the customer needs it - when your company fails. A bankruptcy judge will review your company's assets, and may find that the source code is the only marketable asset, and must be preserved for your debtors. Judges have voided escrow contracts in order to maintain the remaining value of the company.

    Thus, your customer is wise to ask for the source up front. And if your company is bankrupt, it's not going to matter much to you - except that you'll know you didn't screw the customer.

    You need a lawyer. It's a pretty simple contract, once you've explained the parameters.

    If you want to use Free-Software-friendly attorneys, I can direct you to several, but pretty much any attorney will do.

    Bruce

  29. Because some of us work in software companies.. by Inoshiro · · Score: 5, Insightful

    And their company isn't the first to happen upon this situation.

    You always ask your friends about similar situations they may have encountered before you go into some situation. Fools would go ahead and get a lawyer without first discussing it with people who might have had experience with the situation.

    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
  30. Re:Talk to a lawyer by donutello · · Score: 5, Insightful

    You clearly don't know the difference between what talking to a lawyer costs, and what talking to the slashdot-crowd costs :)


    You clearly don't know the difference in the quality of advice that a lawyer will give and what talking to the slashdot-crowd will give ;-)

    In this case you get what you pay for. Seriously, when my brother-in-law who's a realtor has a problem getting his wireless networking problems debugged, do you think he should send out an email to his real-estate buddies? What kind of advice do you think he'll get? They all usually have very strong opinions from what "they knew worked" in the past. It's also usually dead wrong. It's the same here.

    --
    Mmmm.. Donuts
  31. Spaghetti code? by JeanBaptiste · · Score: 4, Funny

    That's my job-security. Nonsensical variable names, meaningless functions etc... It would be a nightmare for even a very experienced programmer to decipher some of my source codes, especially for larger programs... So spaghettify the source code then give it to them. In 5 years when they figure it out it probably won't matter much by then, as it would be quicker just to re-write it from scratch.

    1. Re:Spaghetti code? by WasterDave · · Score: 5, Insightful

      +1 Funny.

      -1 Unemployable.

      Dave

      --
      I write a blog now, you should be afraid.
  32. Re:Ask them to pay you what you want? by JordoCrouse · · Score: 4, Insightful

    Is the concept of "pay me for work" completely dead? Must everything be "pay me for work, and keep paying me for years later too?"

    Why do you not just simply charge them for getting a job accomplished, and then, if they want you to come back, tell them it will cost them more money?


    In a business situation, it's never about just paying for software, and you are done. Nobody wants to pay $100,000 dollars for a chunk of software, have a CD arrive in the mail, and have that be it. They want the peace of mind of knowing that bugs will be fixed, support will be offered, and most importantly, that the expertise of the developers will be available to them if they choose.

    No offense, but this isn't just a report or some finite amount of data that you provided. This sort of thing always goes way beyond just delivering a binary.

    --
    Do you have Linux and a DotPal? Click here now!
  33. Re:Talk to a lawyer by LostCluster · · Score: 5, Insightful

    Lawyers are better at telling you if what you're trying to do is going to work than telling you what to do. That's where we come in...

    Asking Slashdot will likely generate a lot of dumb ideas that won't fly legally, but it also at times generates the occasional 5-Insightful that contains the idea that neither you nor your lawyer would have thought of. Get the idea from Slashdot, run it past the lawyer, and you might just get an idea that would not have been used otherwise.

  34. Although he's not likely to find the definition. . by kfg · · Score: 5, Funny

    of "Open Source" in a dictionary, making the exercise pointless, he is likely to find many other words in there.

    For instance, after modifying the code his firm is indeed likely to renumerate it, i.e., give it a different version number.

    For doing this his firm will expect to be *remunerated.* It's from the Latin remuneratus, derived from munis, from which we also derive the English words "munificent" and even "money."

    ( Munis is a gift, to remunerate is to *re*gift, i.e., effect an exchange)

    This note brought to you by the ever hated Slashdot Lexical Patrol ( also known as SLaP), who believes that language is form of code and believes code should be well formed, it's terminology and functions properly called and invoked and even. . .gasp, beautiful.

    Our patron saint is William Strunk, Jr., along with his acolyte E.B. White and our Demigods include such figures as Gibbon, Thoreau, Conrad ( who managed in a "foriegn" language no less), Yeats, Voltaire and Kipling ( The OS booted up like thunder!).

    Just as Knuth is ( and should be) venerated, so should geeks venerate and study the "code" of these honored figures.

    We all write faulty code at times. It's no shame to have to debug and reversion. . .or even have our code corrected by an outside party if that's what it takes to make beautiful code.

    In fact, I rather imagine that some of the more ironically inclined are about to take a hearty whack at this missive itself.

    KFG

  35. Re:I would make two version of the tree by Lumpy · · Score: 5, Funny

    a confidential inhouse one, and an obfuscated one to give to the company, full of misleading variable names, fake variables, incorrect subroutines, etc. Of course, they both compile correctly.


    So we convert it to Perl then?

    OW.. OW ....OW..OW.OWOWOWOWOWOWOWOW! It's a joke! Stop hitting me!

    --
    Do not look at laser with remaining good eye.
  36. Re:Ask them to pay you what you want? by rabidcow · · Score: 4, Insightful

    Is the concept of "pay me for work" completely dead? Must everything be "pay me for work, and keep paying me for years later too?"

    It's not that, it's distributed payment for work. It's "I want to be paid in full, but they don't want to pay that much so we'll compromise."

    Let's say a coder produces a program at $100/hr and it takes 4,000 hours. This will cost $400,000. No one wants to pay $400,000 for that software. This company in question specifically does not want to pay $400,000.

    So what do you do? You sell it to them cheaper and say "but you can't sell this to anyone else, because you haven't fully paid me for it."

    It's like a rental, except it's not time based because no one ever has to return it. Instead, it's instance based. You rent x copies of the code, forever. To be fair, they should be able to sell their copies so long as they stop using them (and don't sell more than they've bought).

    Now eventually the coder may have made the full cost of the software, been fully compensated. They could release it for free after this, but software isn't a sure bet. You can have one product make a substantial profit and have another be a total loss. If the potentially profiting projects were cut off when they had been fully paid, all software companies would lose money.

  37. Re:Although he's not likely to find the definition by Trepidity · · Score: 5, Funny

    ...believes code should be well formed, it's terminology and functions properly called and invoked...

    I would like to call your attention to the fact that the character sequence "it's" is a macro that is expanded by the preprocessor to the sequence "it is". Thus the sentence fragment above, once preprocessed, reads "...believes code should be well formed, it is terminology and functions properly called and invoked..." This bit of code, as it were, is clearly not well formed.

  38. Re:And make them get a bond to back up their word by drudd · · Score: 4, Insightful

    Guess what... you just talked yourself out of the contract. No company is going to put up any of its own assets to put your mind at ease. They'll just go with the next highest bidder who doesn't want them to jump through so many hoops.

    Doug

    --
    Venn ist das nurnstuck git und Slotermeyer? Ya! Beigerhund das oder die Flipperwaldt gersput!