Slashdot Mirror
Licensing Commercial Source Code?
toughguy asks: "I'm the principal in a software startup that develops web apps for a relatively small market. We typically run our software for our customers in hosted environment (kinda like SalesForce.com). We've got some large potential customers who are more sophisticated and would run our application in-house. They'd also like to be able to do more customization using their internal development staff. This customization would require us to give them our source code. This, frankly, gives me the willies. The source code for our application represents millions of dollars of invested time and energy. At this point, we're not interested in open-sourcing the whole thing. I'm interested in knowing how other people have handled similar situations. What protections did you have in place? A good lawyer is a must. A good contract with the customer that makes it clear what they can and can't do with the code. How have you handled similar situations?"
"From a technological stand-point we'd considering watermarking the code in some form for each customer, but this has problems in that if the customer makes significant changes then the watermark may be illegible. We're also considering some sort of Encrypted key scheme that would tie the software to a particular server or something like that. I'd be interested in knowing what other protections you may have used in the past.
If you've been in a similar situation in the past can you share your story with how things worked out. Horror stories are appreciated as well as the 'happily-ever-after' types."
If you've been in a similar situation in the past can you share your story with how things worked out. Horror stories are appreciated as well as the 'happily-ever-after' types."
If you truly do not want to make your code FOSS, then I am a believer in not giving the code out at all, even under contract. Code has a way of making it out to the 'net.
Instead, how about extending your architecture to allow for a plugin & theming framework? Graphical modifications are handled through a theming engine, workflow/process changes are handled through plugins and configuration files.
I understand that this means (potentially) much cost, but it is (potentially) less cost than recovering from a code leak. Think of this "boxed" version as a *new* COTS product for you, as you will be moving from service revenue to product revenue, and then invest R&D and effort into it as such.
10b||~10b -- aah, what a question!
Place your code in escrow. That way your customer has the guarantee that even if you should go belly-up, they still have access to the code - which in commercial settings is usually the driver behind this. There are usually few other valid reasons (other then to just steal your work). We are in a similar position - medium size ASP doing business with very large global players, and thats how we deal with it.
People who think they know everything are a great annoyance to those of us who do.
who's going to make the first DRM joke? I can't think of any.
Nyhetsankaret.com -- det bÃsta av Sveriges Nyhetssido
Actually, it does not. You see a good watermark scheme relies extensively on error correcting codes; that is, if they mangle one of your bits you've got enough redundancy to reconstruct your watermark. You don't actually need to hide that many bits in the source to get this watermark in. You should at most require 20 bits; this would give you around a million watermarks. This should give you plenty of scope to hide your watermark.
Compilers ignore whitespace which means you should focus on introducing changes in to the white space. It's also a good idea to change some of the program code aswell. One of the top of the head that might be useful is to expand the ternary operators out in to if statements.
Unfortuantely, all the methods that come to mind seem to depend on the secrecy of the stego method which is bad design. There is probably a way to do this is secure even when the stego algorithm is known. I'd go and hunt through the literature.
Combined with a decent license, this stego can help you protect your copyright.
Simon
Bitkeeper.com
He's been doing almost exactly that for years.
As always, all IMO. Insert "I think" everywhere grammatically possible.
We developed a hosted service over the last 6 years, and a couple of times some big clients asked us if we could "install it" internally, for various reasons.
We told them "No." But we said it in a way that they understood. It sounded something like...
"We custom-built this system over the last 6 years around a centrally-hosted architecture. If you'd like to give us a $500,000.00 down-payment we'll get started on porting this to a stand-alone solution right away, but please realize that you will need to bear all costs of development, we won't guarantee when it will be finished, and once it's done, you'll have to bear all costs of maintenance and upgrades to software and hardware, and you'll probably need to have at least one full-time employee to oversee it the whole time. Oh, and we'll need to work out all sorts of legal paperwork before we'll be able to deliver anything."
"...or you could just continue to use our existing system, and we'll address whatever problems you think would be solved by 'moving it in-house'."
They chose the latter option. The funny thing was, we could never dig out any real reasons why they wanted to move the thing in-house in the first place.
I've dealt with this from the client side (i.e., I've been the one getting the code) and I can tell you that you could probably put the source on the internet and post it on billboards and it wouldn't really matter. The important thing is not so much the code itself as the architecture and structure of THE ENTIRE PRODUCT and how one would go about doing important (i.e. business related) things to it. Your customers will need training AND documentation to do this, especially if your code base is of any significant size, and since it represents "millions of dollars", it's probably fairly large and complex. So you probably don't have to worry about technological restrictions on your source code, just legal ones; "customer may not disclose to any third party..." yadda yadda yadda in the contract.
If you're still nervous about opening the family jewels, you should consider watermarking the documentation. Send it out as non-editable PDF and include a unique identifier in small innocuous type as part of each page's footer. This won't prevent a determined technology-capable thief from stealing your data, but it will give you traceability as to which client leaked it and thereby give the lawyers something (or someone) to chew on.
How about just trusting your customer?
The reason your customer is buying your product is because they don't want to (or can't) write the entire thing from scratch. I'm pretty sure that they are also in an entirely different field. They don't want to sell your product. They don't want to create a product and steal your source code. They are in the business of doing something different, and they are probably planning on staying in that business.
Overall, I think you are worrying more than it is worth. Just have some legal agreements put together, and if it is compiled code, make them use a precompiled (.o file) licence manager that contacts your server to make sure that they are on the level. Overall however, I wouldn't worry about it, those guys have a business to run over there, their first thought is not to try and steal it and run their business on your work. The company I work for will let anyone have access to the source code of their system. It's still copyright us, and so they can't stop paying the licence fees and continue to use it. Overall, it's been a big boon, because there are a lot of places out there that won't run their important internal data through a hosted datacenter.
Regarding some outside hacker getting access to your source code. It's a worry, but most businesses aren't going to run some random illegal source code that they found on the internet somewhere, they want support, they don't want a huge legal liabilty from running something some IT guy found off of a Warez site. Also, unless you are never planning on updating your software again, by the time it gets out there, you'll probably have the next release all ready to go.
That's my opinion from someone who has given out commercial source code so customers can modify it to suit their needs.
If your code was writting in something like Java, then you could protect your JARs using some encrypted-code-locking system (think - encrypted JARs) and then give your customer some interfaces to build off of with API documentation.
This will give your code protection, and let your customer expand on what you've done.
But I imagine you havn't written all this in Java, otherwise you wouldn't be asking the question.
For code that isn't written in a interpreted or VM'd language, I'd suggest lawyers and contracts and audits and escrows.
Cheers
This posting doesn't belong in Ask Slashdot. It belongs in Ask Lawyer.
Don't piss off The Angry Economist
Quite a few comments on this page explain different technical "solutions" to the distribution of source code. But the problem is not a technical problem. I'm sure your decision to release or not release the source was not done for technical reasons, but for commercial and legal reasons. And that's how you have to fix your licensing problem.. Through a propre contract and by being ready to enforce your contract terms. Maybe have the contract say that the customer has to provide you any change he made to the application, allowing you to do audits, etc. And be ready to sue if they do something not allowed.
Talk to your friendly lawyer...
Do you trust this customer? If not don't do it. Are they a lot bigger than you? If they are bigger than you and you trust them then write a good contract. If they let out the source code you sue the living daylights out of them.
The simple fact is they have no real reason to want your code to get out. If the product is good and gives them an advantage why would they want their competitors to get something for free that they had to pay for? If you have a good contract they will have everything to loose by not securing your code and nothing to gain.
It is not uncommon for large companies to get the source to a program they buy.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
First, let's get the slashdot mentality out of the way.
There. That's a little better.
Two Distinctly Different Problems
Your question has an unstated assumption that might be steering you in the wrong direction. You assumed that you have to release your source code. You might not have to do that...
Application Layers
In the theoretical world, a web application has the following components:
Given these layers, what are you willing to open up? The web server is probably already open source or an off-the-shelf purchased product. Same with the back-end storage system. This leaves the presentation layer and the business rules layer. What are your top-tier customers going to do to your application? Change the way it looks, change the way it behaves, or add missing functionality? You need to know the answers to these questions before you move on...
Licensing Models
You can license the whole mess as one big slab of source code, or maybe a bunch of loadable modules and just open source the "glue". If you open source the glue, the customers can make major changes to your application without having the source code... Look at the PDFLib libraries. They are very powerful, cross platform, and completely closed source. Can't you do the same thing? Maybe build all of your business rules into a collection of libraries and make them binary only? Then wrap them with a license key or even a hardware dongle if desired. There are several software vendors that do this for a living. Talk to them.
SAAS
If your core codebase is really "all that", why don't you look at a three-tier model? Your customers can host their own web server and database, and pay for a leased line back to your office for the business rules. There are many variations on this theme.
Other Options
You could open-source your code and copyright it so that only you could release software under the current name. Depending on whether your revenue model makes more money out of service or sales, this might actually be a viable option.
You could offer a turn-key "vendor supplied" package consisting of a pre-loaded server and hard-lock your software to that server. Sort of a Google Appliance for your app model. This way you can retain control of the platform and the customer can have your platform on their site.
LOAD "SIG",8,1
LOADING...
READY.
RUN
...its called "customization" licenses.
.dll's or .so's the end customer can't generall touch. However your software does have areas that the users can touch and customize the functionality of...
In the end you no licensing the entire source code, most of the core functionality should be locked up in
This is how most Helpdesk support software works (from companies such as Peregine, Clarify, Applix, Remedy, etc) you should probably look to do something along those lines. It will however probably require some changes to your code base to enable such functionality.
Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
Non-disclosure detailing exactly who can see your source code and requiring them to maintain due diligence in keeping it secret. Non-compete so that your customer won't create a product and use it to compete against you. Binary license so that you know how many copies of your code they are using and what they pay for them. Hold-harmless so you won't get sued for faulty modifications they might make.
As you said, you need a good IP lawyer.
"Eve of Destruction", it's not just for old hippies anymore...
Been there. The customer wanted the source code, for validation, customization, and because they were afraid we would disapear overnight.
Solution:
1/ Offered them to come on site to look at the code as much as they wanted. They came, but just looked at a tiny bit
2/ Built API in the code, so they could customize it by writing additional DLLs
3/ Put the code in escrow, so they can get it (with the build system) if we had anything
At the end, it always ended up this way. And, retrospectively, point 2/ was a mistake (due to support issues). If the customers want to change something, it is because you product is missing something. You should listen to customers and update the product.
Now, we have around 20 customers (for a ~200K$ software package), about 3 asked for the source code, none of them had it, and all have escrow agreements.
The code have no dongles, serial or anything. It is definitely not the kind of software they would copy. We trust our customers. In return I beleive that they trust us.
A number of people have already touched on some of these points.
:-) My first attorney told me that I should not do business with people I fundamentally didn't trust, but once I decided to do business with them I should draft a contract that was absolutely crystal clear on who could do, or not do, what and when. The vast majority of people and businesses are honest, but that doesn't mean that weak or vaguely worded contracts won't get interpreted differently by different people.
/. after all). If this is a real fear, then you could either cause that to terminate the license or, probably a better path, you have the right to determine if the transfer is agreeable. Remember, this is *your* code. If they can't agree to it, then maybe you should not be giving it to them.
1. This is primarily a legal matter. Having said that, there are an infinite number of contracts that can be created. Find out what they really want and why, then decide what would make you feel comfortable with giving that to them. This may represent essentially free money for your company.
2. I suggest that you be both paranoid and trusting.
(As a side note: we once had a corporate-wide contract with HP. Five years after signing it, they were licensing manufacturing rights to the machine to a Japanese company. The contract wording was unfortunately vague on this point and could have been read that HP already had the rights to give our code to the other company. We reluctantly said as much, but noted that that had not been our intention. HP decided that that since it was not what we had *intended* when we made the contract with them, then they owed us some more money. The next week a check for twice the original contract amount was hand-delivered to us. Amazing. This happened 17 years ago and it still represents the classiest thing I have ever seen a company do. But you can't count on HP being on the other side of your contracts.)
3. We had a clause in one of our contracts we called the 'Microsoft clause', that gave us significant auditing rights if the other party developed a product or service that was significantly similar to the code being licensed. If they suddenly annouced a TurboCharged Toaster, 6 months after licensing our Competition Toaster, then we had broad rights to examine the code of the competing product.
4. More than likely, their having your code will actually bind them *more* tightly to you. This is especially true if you have a plug-in archetecture and most of their mods are in the plugins. They may also find that they benefit by their people helping to strengthen your product. I don't know your details, but it could happen.
5. Make sure that the contract covers what happens if they are acquired by someone else -- someone you might not have wanted to do business with directly. Say, for example, Microsoft (this *is*
Good Luck,
Peter
If you've written good APIs for your product (you have done that, right?) then it should be no problem. If you haven't, then you probably have no business dealing with companies big enough to have their own intranet programming teams. If you have a well written and documented API that gives them access to all the functionality of your web app without needing to use the web app, they should have no need for your source code; they can modify the output of your application in whatever way they need.
If you didn't think ahead enough to design your app for this kind of scenario, then yes, you have a tough business decision and your software may not be up to snuff for the big boys. Either redesign your app and target it at the enterprise market or go after small businesses who won't need to modify it much. Or take your chances that these larger companies won't take the source code and run, leaving you with a legal bill your young company may not be able to survive pending the 2 or 3 years corporate law suits usually take. Even if you win, the legal fees alone can bankrupt you.
The whole point of SaaS (salesforce, google, et al) is that the customer pays a subscription fee and gets the service in return. If you're selling them a closed box application, keep it closed box. Google would be a good role model here (for intranet search, they sell you a cheap 1U server with their software loaded on it and some APIs to tell the thing what to do.)
In other words, don't do it. Re-evaluate your application design and your business goals and adjust one to fit the other.
Code has a way of making it out to the 'net.
..
You seem to be pulling this completely out of your ass.
Name 2-3 commercial closed source OEM products that 'made it our the the net'.
No an occassional Windows NT / Cisco code _theft_, but a leak of an actual OEM
package. I'm waiting
Dude, first of all your code isn't worth "millions of dollars". Seriously, 1998 was eight years ago. Code is cheap these days, and every family has a "programmer" somewhere.. I mean, they're BAD programmers but such is the way of the world. Second, the usual flavor when dealing with large corporate accounts is to give them whatever they want and adjust your price accordingly, so that whatever happens, you've made enough money that any adversity won't bother you much. They're probably not going to screw you in the way you're thinking, but the only way to be sure is to get a good lawyer and have it write up a solid contract that explicitly protects your interests.
Many successful companies are driven by one large client, the other thousand little guys are just advertising really, because one of those little guys might know a big guy and suddenly refer a million-dollar contract. The key to staying in business is keeping that large client happy and fat, so that they don't run to your competitor. If this means giving away your source code in exchange for lots of money, then that's what you do. If you don't, they will find someone who will, if that's what they really want, and you will be left with your thousand annoying little guys and no cash cow.
-Billco, Fnarg.com
Clearly I would need to now a lot more about exactly what's proposed by your customers, but to me the main issue is rather who owns copyright on the extended work? If they start adding features that you might have added yourselves in the future, you could find yourself licensing back technology from them if you don't have the right legal framework in place. While it isn't as flexible as giving them the code, I would suggest you doing their in-house development and hosting for them - just move some people inside. Its your product and you should be able to take any developments from experiences with customers as your own to resell onto others, excluding of course any features that could be considered proprietary to an individual customer's business processes. The whole process should cost them less (no training of in-house staff for a start), you would retain more control over your source and future copyright and you both reduce risk. Further, if you haven't structured your software in a modular way for licensing your source in mind, you will then have several source trees to manage and build in new features which could become very costly.
I'm rather skeptical. Suppose a security company says that they've got a program which will guard your source code. The security company says "Mangle it however much you want, we can still extract our watermark!". This means that two functionally equivalent pieces of code always have the same watermark, no matter how you define "functionally equivalent".
Horsepuckey. Lets define functionally equivalent in a braindead stupid way: two programs are functionally equivalent if they both halt when given the same input. "No problem", says the security company representative, "we've got the watermarking algorithm that meets your needs". If this were true, then I can take one program which is known to halt (for example, int main() {return 0;}) and watermark it with "foo". Yay, I've now got some quirky looking code which also halts all of the time. Now, I can take any piece of code and test it for equivalence to my original code by running it through the watermark reader. If arbitrary code contains the watermark "foo", then this code halts when given no input. Phew, I've solved the halting problem. Oh wait, nobody can solve the halting problem, which means our security company is selling magic and moonshine.
Now hold on one minute, says the security company representative. OK, so you might be right. So we can't prove that its impossible to rewrite watermarked code such that it functions the same without the watermark. But its sure infeasible. Even if you have the complete description of how we embed the watermark and the watermarked source code. Horsepuckey again, security company! Now you're just selling me security through obscurity ("We bet you won't find the transformation between functional marked code to functional unmarked code") without the obscurity bit!
Help poke pirates in the eyepatch, arr.
I've heard stories from people delivering large applications in C to financial institutions.
Rather than deliver in compiled form, they always deliver in source form and work with the customer so they customer can do the compilation themselves.
This has the effect of getting their guys much more familiar and comfortable with your codebase, lets them do all kinds of handy and cool things, and makes them trust you (if your code isn't shit).
So if they are ever to _stop_ using you, they are faced with black-box unmaintainable code they can't tweak and can't trust. And so guess who they stick with instead.
1. find out- why they want the code? what all changes do they want to make?
2. if they do not want to change the core of the product, then look at alternatives: like releasing an API/dlls
3. if they want to change the core of your product, then you need to get a really good lawyer. determine things like who will own the code and the modified code; how much will they pay you (one time/yearly basis); scale of deployment of code; how many copies can they make; can they sell the code their/your code to others; can they use your code and start a business of their own (the way you do).. a better thing would be to say that everything else is restricted, and the other company can only do this-this-and-this
4. you need to have traceability in code also (in case there is a leak and you need to find out, from where)
5. look-up court cases/settlements on the web and see if you have missed out something
6. fix everything tightly, release code, get cash, and enjoy!
* lon3st4r *
If your code uses C/C++, then use tool similar to Stunnix C/C++ Obfuscator; for Perl, JavaScript and VBScript/ASP obfuscators also exist from that company and several others.
A viable option is assigning a dedicated coder from your team to that customer ("lease" him to them) and fork your code for them - this way their developers won't spend monthes studying your code before being able to produce anything useful.