comp.lang.ruby

Open source credit card processing in ruby

snacktime

12/31/2006 8:45:00 PM

Just recently I have the option to open source a credit card
processing application that is written in ruby using eventmachine.
This application processes cards directly to Vital. It basically
replaces an online payment gateway.

On one hand I'd love to open source it, but on the other I'm hesitant
because of the potential for abuse or misuse given the growing body of
security requirements that go along with credit card processing. I'm
also wondering if it would even get much use.

You can have multiple copies of the application running that
share the same database (postgresql) for a certain level of fault
tolerance. The client protocol is netstrings over tcp/ssl.

Thoughts, comments?

12 Answers

M. Edward (Ed) Borasky

12/31/2006 9:33:00 PM

0

snacktime wrote:
> Just recently I have the option to open source a credit card
> processing application that is written in ruby using eventmachine.
> This application processes cards directly to Vital. It basically
> replaces an online payment gateway.
>
> On one hand I'd love to open source it, but on the other I'm hesitant
> because of the potential for abuse or misuse given the growing body of
> security requirements that go along with credit card processing. I'm
> also wondering if it would even get much use.
>
> You can have multiple copies of the application running that
> share the same database (postgresql) for a certain level of fault
> tolerance. The client protocol is netstrings over tcp/ssl.
>
> Thoughts, comments?
>
>
1. Ask your attorney for legal advice.
2. Ask your accountant for business advice.

I personally stay as far away from such things as I possibly can -- I've
never written a business app in my life and don't intend to start now.
:) So I for one wouldn't use it, whether it was open source or not. But
from a technical perspective, I don't think open vs. closed source
really has any security impact. I don't think it's any easier or any
harder to attack or otherwise compromise open or closed source software.

For that matter, I don't think there's really any advantage to closed or
open source software in *any* of the dimensions we normally use to rate
software quality -- ease of use, performance, reliability, security,
privacy, or even total cost of ownership! In my humble opinion, open
source software is all about freedom, learning, and community that
transcends organizational boundaries. The only weakness I see in open
source software is that it tends to be written more for programmers than
for other intelligent life forms. :)

--
M. Edward (Ed) Borasky, FBG, AB, PTA, PGS, MS, MNLP, NST, ACMC(P)
http://borasky-research.blo...

If God had meant for carrots to be eaten cooked, He would have given rabbits fire.


snacktime

12/31/2006 10:07:00 PM

0

On 12/31/06, Francis Cianfrocca <garbagecat10@gmail.com> wrote:
> On 12/31/06, M. Edward (Ed) Borasky <znmeb@cesmail.net> wrote:
> >
> > from a technical perspective, I don't think open vs. closed source
> > really has any security impact. I don't think it's any easier or any
> > harder to attack or otherwise compromise open or closed source software.
>
>
>
> Many security practitioners prefer open-source implementations because it's
> easier to audit them. I have to ship security-sensitive code all the time,
> and my company's large-company customers have always preferred that
> *everything* we ship be on open-source.
>
>
I'm mainly concerned about people modifying the source. Even though
it's open source, it's also certified and any changes that affect
messages sent to Vital require re-certification. There is also the
danger that Vital could at any time refuse to certify open source
implementations. If someone modifies the code and starts sending in
corrupt batches or causes other problems, that could happen rather
quickly.

Another option would be to make it free but not open source. The
source could still be provided for review to those that need it, but
would require signing a simple contract to not release the source, and
not to modify it unless you were a Vital developer, which only costs
$100. But with those restrictions I doubt many people would even use
the software. It has a limited market to begin with, even though
there is nothing out there like it that isn't fairly expensive.

Chuck Remes

12/31/2006 10:25:00 PM

0


On Dec 31, 2006, at 4:07 PM, snacktime wrote:

> Another option would be to make it free but not open source. The
> source could still be provided for review to those that need it, but
> would require signing a simple contract to not release the source, and
> not to modify it unless you were a Vital developer, which only costs
> $100. But with those restrictions I doubt many people would even use
> the software. It has a limited market to begin with, even though
> there is nothing out there like it that isn't fairly expensive.

I'd love to see it just so I could see a (hopefully) good example
using eventmachine and a home-grown protocol using netstrings.

If you don't opensource it, put me on the list of people who'd like
to see the source code.

Happy New Year!

cr


Matt Lawrence

12/31/2006 11:55:00 PM

0

Chuck Remes

1/1/2007 12:01:00 AM

0


On Dec 31, 2006, at 5:55 PM, Matt Lawrence wrote:

> On Mon, 1 Jan 2007 cremes.devlist@mac.com wrote:
>
>>
>> On Dec 31, 2006, at 4:07 PM, snacktime wrote:
>>
>>> Another option would be to make it free but not open source. The
>>> source could still be provided for review to those that need it, but
>>> would require signing a simple contract to not release the
>>> source, and
>>> not to modify it unless you were a Vital developer, which only costs
>>> $100. But with those restrictions I doubt many people would even
>>> use
>>> the software. It has a limited market to begin with, even though
>>> there is nothing out there like it that isn't fairly expensive.
>>
>> I'd love to see it just so I could see a (hopefully) good example
>> using eventmachine and a home-grown protocol using netstrings.
>>
>> If you don't opensource it, put me on the list of people who'd
>> like to see the source code.
>
> You may want to take a look at CCVS by HKS, which was purchased by
> Red Hat.

Actually, I don't really care about what it does (credit card
verification). I just want to see some running code using netstrings
and eventmachine.

Does CCVS use it? I searched for it and got a few hits but didn't see
any obvious links that lead to its source code.

cr


snacktime

1/1/2007 5:16:00 AM

0

> Does CCVS use it? I searched for it and got a few hits but didn't see
> any obvious links that lead to its source code.


CCVS was dead a long time ago, and was never open source. They had
open source client libraries is all, which is nothing special.

snacktime

1/1/2007 5:30:00 AM

0

On 12/31/06, cremes.devlist@mac.com <cremes.devlist@mac.com> wrote:
>
> On Dec 31, 2006, at 4:07 PM, snacktime wrote:
>
> > Another option would be to make it free but not open source. The
> > source could still be provided for review to those that need it, but
> > would require signing a simple contract to not release the source, and
> > not to modify it unless you were a Vital developer, which only costs
> > $100. But with those restrictions I doubt many people would even use
> > the software. It has a limited market to begin with, even though
> > there is nothing out there like it that isn't fairly expensive.
>
> I'd love to see it just so I could see a (hopefully) good example
> using eventmachine and a home-grown protocol using netstrings.

There is some netstrings sample code in the eventmachine repository
somewhere, that's where I got the idea from. I'd never really looked
at it before, and when I did I liked it. It's great for simple line
oriented tcp protocols.

Chris

Wilson Bilkovich

1/2/2007 3:27:00 AM

0

On 1/1/07, snacktime <snacktime@gmail.com> wrote:
> On 12/31/06, cremes.devlist@mac.com <cremes.devlist@mac.com> wrote:
> >
> > On Dec 31, 2006, at 4:07 PM, snacktime wrote:
> >
> > > Another option would be to make it free but not open source. The
> > > source could still be provided for review to those that need it, but
> > > would require signing a simple contract to not release the source, and
> > > not to modify it unless you were a Vital developer, which only costs
> > > $100. But with those restrictions I doubt many people would even use
> > > the software. It has a limited market to begin with, even though
> > > there is nothing out there like it that isn't fairly expensive.
> >
> > I'd love to see it just so I could see a (hopefully) good example
> > using eventmachine and a home-grown protocol using netstrings.
>
> There is some netstrings sample code in the eventmachine repository
> somewhere, that's where I got the idea from. I'd never really looked
> at it before, and when I did I liked it. It's great for simple line
> oriented tcp protocols.
>

You might be interested in this article, published in this month's CACM.
http://portal.acm.org/citation.cfm?id=1188913.1188921&coll=ACM&dl=ACM&idx=1188913&part=periodical&WantType=periodical&title=Communications%20of%20the%20ACM&CFID=10300099&CFTOKE...

Chuck Remes

1/2/2007 8:42:00 AM

0


On Jan 2, 2007, at 12:02 AM, Francis Cianfrocca wrote:

> On 1/1/07, snacktime <snacktime@gmail.com> wrote:
>>
>> > I'd love to see it just so I could see a (hopefully) good example
>> > using eventmachine and a home-grown protocol using netstrings.
>>
>> There is some netstrings sample code in the eventmachine repository
>> somewhere, that's where I got the idea from. I'd never really looked
>> at it before, and when I did I liked it. It's great for simple line
>> oriented tcp protocols.
>
> I realize this is offtopic but are any of you guys interested in
> adding an
> industrial-strength netstrings implementation to the EM package?

Define industrial strength. :-)

I have some interest in this area. Feel free to contact me off-list.

cr
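
One reading of what "industrial strength" has to mean for netstrings framing on a TCP/SSL listener, as an added example that is not code from this thread, from EventMachine or from the application discussed: an incremental Ruby decoder that accepts arbitrary chunk boundaries and rejects oversized, zero-padded or unterminated frames. The class name, the `max_payload` cap and the sample payloads are assumptions made for the example.

```ruby
class NetstringDecoder
  class ProtocolError < StandardError; end

  # max_payload is an assumed cap; size it to the largest legal message.
  def initialize(max_payload: 64 * 1024)
    @max_payload = max_payload
    @max_digits = max_payload.to_s.length
    @buf = String.new(encoding: Encoding::BINARY)
  end

  def self.encode(payload)
    data = payload.b
    "#{data.bytesize}:".b + data + ",".b
  end

  # Feed one chunk as read from the socket; returns the payloads it completed.
  # Raises ProtocolError on malformed framing; the caller should then close
  # the connection instead of trying to resynchronise.
  def feed(chunk)
    @buf << chunk.b
    frames = []
    while (frame = next_frame)
      frames << frame
    end
    frames
  end

  private

  def next_frame
    colon = @buf.index(":")
    header = colon ? @buf.byteslice(0, colon) : @buf
    # Check the prefix as it arrives so a peer cannot stream endless digits.
    unless header.bytesize <= @max_digits && header.match?(/\A(?:0|[1-9][0-9]*)?\z/)
      raise ProtocolError, "bad length prefix"
    end
    return nil unless colon
    raise ProtocolError, "empty length prefix" if header.empty?

    len = header.to_i
    raise ProtocolError, "frame larger than #{@max_payload} bytes" if len > @max_payload
    return nil if @buf.bytesize < colon + len + 2 # payload or comma still pending
    raise ProtocolError, "missing trailing comma" unless @buf.getbyte(colon + 1 + len) == ",".ord

    payload = @buf.byteslice(colon + 1, len)
    @buf = @buf.byteslice(colon + len + 2, @buf.bytesize)
    payload
  end
end
```

In an EventMachine connection, `feed` would be called from `receive_data`, with the connection closed on `ProtocolError`.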
