Slashdot Mirror
Licensing Commercial Source Code?
toughguy asks: "I'm the principal in a software startup that develops web apps for a relatively small market. We typically run our software for our customers in hosted environment (kinda like SalesForce.com). We've got some large potential customers who are more sophisticated and would run our application in-house. They'd also like to be able to do more customization using their internal development staff. This customization would require us to give them our source code. This, frankly, gives me the willies. The source code for our application represents millions of dollars of invested time and energy. At this point, we're not interested in open-sourcing the whole thing. I'm interested in knowing how other people have handled similar situations. What protections did you have in place? A good lawyer is a must. A good contract with the customer that makes it clear what they can and can't do with the code. How have you handled similar situations?"
"From a technological stand-point we'd considering watermarking the code in some form for each customer, but this has problems in that if the customer makes significant changes then the watermark may be illegible. We're also considering some sort of Encrypted key scheme that would tie the software to a particular server or something like that. I'd be interested in knowing what other protections you may have used in the past.
If you've been in a similar situation in the past can you share your story with how things worked out. Horror stories are appreciated as well as the 'happily-ever-after' types."
If you've been in a similar situation in the past can you share your story with how things worked out. Horror stories are appreciated as well as the 'happily-ever-after' types."
If you truly do not want to make your code FOSS, then I am a believer in not giving the code out at all, even under contract. Code has a way of making it out to the 'net.
Instead, how about extending your architecture to allow for a plugin & theming framework? Graphical modifications are handled through a theming engine, workflow/process changes are handled through plugins and configuration files.
I understand that this means (potentially) much cost, but it is (potentially) less cost than recovering from a code leak. Think of this "boxed" version as a *new* COTS product for you, as you will be moving from service revenue to product revenue, and then invest R&D and effort into it as such.
10b||~10b -- aah, what a question!
Place your code in escrow. That way your customer has the guarantee that even if you should go belly-up, they still have access to the code - which in commercial settings is usually the driver behind this. There are usually few other valid reasons (other then to just steal your work). We are in a similar position - medium size ASP doing business with very large global players, and thats how we deal with it.
People who think they know everything are a great annoyance to those of us who do.
Actually, it does not. You see a good watermark scheme relies extensively on error correcting codes; that is, if they mangle one of your bits you've got enough redundancy to reconstruct your watermark. You don't actually need to hide that many bits in the source to get this watermark in. You should at most require 20 bits; this would give you around a million watermarks. This should give you plenty of scope to hide your watermark.
Compilers ignore whitespace which means you should focus on introducing changes in to the white space. It's also a good idea to change some of the program code aswell. One of the top of the head that might be useful is to expand the ternary operators out in to if statements.
Unfortuantely, all the methods that come to mind seem to depend on the secrecy of the stego method which is bad design. There is probably a way to do this is secure even when the stego algorithm is known. I'd go and hunt through the literature.
Combined with a decent license, this stego can help you protect your copyright.
Simon
We developed a hosted service over the last 6 years, and a couple of times some big clients asked us if we could "install it" internally, for various reasons.
We told them "No." But we said it in a way that they understood. It sounded something like...
"We custom-built this system over the last 6 years around a centrally-hosted architecture. If you'd like to give us a $500,000.00 down-payment we'll get started on porting this to a stand-alone solution right away, but please realize that you will need to bear all costs of development, we won't guarantee when it will be finished, and once it's done, you'll have to bear all costs of maintenance and upgrades to software and hardware, and you'll probably need to have at least one full-time employee to oversee it the whole time. Oh, and we'll need to work out all sorts of legal paperwork before we'll be able to deliver anything."
"...or you could just continue to use our existing system, and we'll address whatever problems you think would be solved by 'moving it in-house'."
They chose the latter option. The funny thing was, we could never dig out any real reasons why they wanted to move the thing in-house in the first place.
First, let's get the slashdot mentality out of the way.
There. That's a little better.
Two Distinctly Different Problems
Your question has an unstated assumption that might be steering you in the wrong direction. You assumed that you have to release your source code. You might not have to do that...
Application Layers
In the theoretical world, a web application has the following components:
Given these layers, what are you willing to open up? The web server is probably already open source or an off-the-shelf purchased product. Same with the back-end storage system. This leaves the presentation layer and the business rules layer. What are your top-tier customers going to do to your application? Change the way it looks, change the way it behaves, or add missing functionality? You need to know the answers to these questions before you move on...
Licensing Models
You can license the whole mess as one big slab of source code, or maybe a bunch of loadable modules and just open source the "glue". If you open source the glue, the customers can make major changes to your application without having the source code... Look at the PDFLib libraries. They are very powerful, cross platform, and completely closed source. Can't you do the same thing? Maybe build all of your business rules into a collection of libraries and make them binary only? Then wrap them with a license key or even a hardware dongle if desired. There are several software vendors that do this for a living. Talk to them.
SAAS
If your core codebase is really "all that", why don't you look at a three-tier model? Your customers can host their own web server and database, and pay for a leased line back to your office for the business rules. There are many variations on this theme.
Other Options
You could open-source your code and copyright it so that only you could release software under the current name. Depending on whether your revenue model makes more money out of service or sales, this might actually be a viable option.
You could offer a turn-key "vendor supplied" package consisting of a pre-loaded server and hard-lock your software to that server. Sort of a Google Appliance for your app model. This way you can retain control of the platform and the customer can have your platform on their site.
LOAD "SIG",8,1
LOADING...
READY.
RUN
A number of people have already touched on some of these points.
:-) My first attorney told me that I should not do business with people I fundamentally didn't trust, but once I decided to do business with them I should draft a contract that was absolutely crystal clear on who could do, or not do, what and when. The vast majority of people and businesses are honest, but that doesn't mean that weak or vaguely worded contracts won't get interpreted differently by different people.
/. after all). If this is a real fear, then you could either cause that to terminate the license or, probably a better path, you have the right to determine if the transfer is agreeable. Remember, this is *your* code. If they can't agree to it, then maybe you should not be giving it to them.
1. This is primarily a legal matter. Having said that, there are an infinite number of contracts that can be created. Find out what they really want and why, then decide what would make you feel comfortable with giving that to them. This may represent essentially free money for your company.
2. I suggest that you be both paranoid and trusting.
(As a side note: we once had a corporate-wide contract with HP. Five years after signing it, they were licensing manufacturing rights to the machine to a Japanese company. The contract wording was unfortunately vague on this point and could have been read that HP already had the rights to give our code to the other company. We reluctantly said as much, but noted that that had not been our intention. HP decided that that since it was not what we had *intended* when we made the contract with them, then they owed us some more money. The next week a check for twice the original contract amount was hand-delivered to us. Amazing. This happened 17 years ago and it still represents the classiest thing I have ever seen a company do. But you can't count on HP being on the other side of your contracts.)
3. We had a clause in one of our contracts we called the 'Microsoft clause', that gave us significant auditing rights if the other party developed a product or service that was significantly similar to the code being licensed. If they suddenly annouced a TurboCharged Toaster, 6 months after licensing our Competition Toaster, then we had broad rights to examine the code of the competing product.
4. More than likely, their having your code will actually bind them *more* tightly to you. This is especially true if you have a plug-in archetecture and most of their mods are in the plugins. They may also find that they benefit by their people helping to strengthen your product. I don't know your details, but it could happen.
5. Make sure that the contract covers what happens if they are acquired by someone else -- someone you might not have wanted to do business with directly. Say, for example, Microsoft (this *is*
Good Luck,
Peter