Asp Forum - Seeing the source

Michel Cabili

9/1/2007 10:18:00 AM

Hello. I'm new to Ruby (and also to scripting languages).

I'd like to know if, since Ruby is a scripting language, there's a way
to hide the code when deploying an application. I'd users to be unable
to see the source.

Is there a solution for that?

Thanks in advance
--
Posted via http://www.ruby-....

38 Answers

Phillip Gawlowski

9/1/2007 10:42:00 AM

> Hello. I'm new to Ruby (and also to scripting languages).
>
> I'd like to know if, since Ruby is a scripting language, there's a way
> to hide the code when deploying an application. I'd users to be unable
> to see the source.
>
> Is there a solution for that?

http://www.rubyinside.com/px-a-quick-and-silly-ruby-obfuscation-sys...

If you want to obfuscate code for business reasons, though, you might want to use a different language (Perl is naturally obfuscated :P), where obfuscators are available on a larger scale (Java and .NET languages should offer that, with them being enterprise-y and all).

The question is: Why do you need that? If you license your software, you could include a section on using the source in other applications a big, big no-no (well, you'd reiterate copyright laws, basically), and that your code is a trade secret. IANAL, though, nor do I play one on TV, so take that with a grain of salt.

--
Phillip Gawlowski

John Joyce

9/1/2007 2:29:00 PM

On Sep 1, 2007, at 5:41 AM, Phil wrote:

>> Hello. I'm new to Ruby (and also to scripting languages).
>>
>> I'd like to know if, since Ruby is a scripting language, there's a
>> way
>> to hide the code when deploying an application. I'd users to be
>> unable
>> to see the source.
>>
>> Is there a solution for that?
>
> http://www.rubyinside.com/px-a-quick-and-silly-ruby-ob...
> system-7.html
>
> If you want to obfuscate code for business reasons, though, you
> might want to use a different language (Perl is naturally
> obfuscated :P), where obfuscators are available on a larger scale
> (Java and .NET languages should offer that, with them being
> enterprise-y and all).
>
> The question is: Why do you need that? If you license your
> software, you could include a section on using the source in other
> applications a big, big no-no (well, you'd reiterate copyright
> laws, basically), and that your code is a trade secret. IANAL,
> though, nor do I play one on TV, so take that with a grain of salt.
>
> --
> Phillip Gawlowski
>
>
If you really think you need to obfuscate your code, then you're
doing something wrong. It is always possible to decompile stuff even
with compiled languages. PHP users often use obfuscation to try and
hide stuff.
Consider crafty use of file permissions settings, and simply burying
things in modules with hard to read names.
But ultimately, simply put pen to paper and make somebody sign a
contract if you have to. You could go to great lengths, but if it's
really worth it, you'll just use lawyers.

Michel Cabili

9/1/2007 3:26:00 PM

Well, then I guess that we can't obfuscate the code with Ruby.

It's not a necessity. It's just that I'm used to compiled languages in
wich, if the project isn't that complex, you basically give one file to
the user.

<troll>
If I really need this kind of feature I guess I could develop a library
in C that would encrypt all my '.rb' files into another file and decode
them when launching the application... or something like that.
</troll>

Thanks for your answers.
--
Posted via http://www.ruby-....

Phlip

9/1/2007 3:30:00 PM

Michel Cabili wrote:

> <troll>
> If I really need this kind of feature I guess I could develop a library
> in C that would encrypt all my '.rb' files into another file and decode
> them when launching the application... or something like that.
> </troll>

Why is that "trolling"? It's actually "shrouding". Not sure if that came up
in this thread.

Could you use JRuby and ship .class files? That's pretty shrouded. But, as
usual, you are only raising the cost of hacking, not preventing it...

--
Phlip
http://www.oreilly.com/catalog/9780...
"Test Driven Ajax (on Rails)"
assert_xpath, assert_javascript, & assert_ajax

Tim Hunter

9/1/2007 3:40:00 PM

Michel Cabili wrote:
> Well, then I guess that we can't obfuscate the code with Ruby.
>
> It's not a necessity. It's just that I'm used to compiled languages in
> wich, if the project isn't that complex, you basically give one file to
> the user.
>
> <troll>
> If I really need this kind of feature I guess I could develop a library
> in C that would encrypt all my '.rb' files into another file and decode
> them when launching the application... or something like that.
> </troll>
>
> Thanks for your answers.
>
I actually worked on something like this but I finally decided that it
was hopeless. Since the encrypted Ruby code must be decrypted before
being handed off to the Ruby interpreter, there's always going to be a
way for a sufficiently-motivated user to get their hands on the
unencrypted version of the program.

Michel Cabili

9/1/2007 3:44:00 PM

Phlip wrote:
> Why is that "trolling"? It's actually "shrouding". Not sure if that came
> up
> in this thread.
>
> Could you use JRuby and ship .class files? That's pretty shrouded. But,
> as
> usual, you are only raising the cost of hacking, not preventing it...

Trolling because that came up just like that... Didn't know if that kind
of technique was really used (I'm just a student).

But thanks.
Do you have any usefull link that give some light on that matter?
--
Posted via http://www.ruby-....

Phlip

9/1/2007 4:06:00 PM

Michel Cabili wrote:

> Do you have any usefull link that give some light on that matter?

No! Just dive into one of the Ruby Grammar attempts, and then change each
intention-revealing symbol into an unreadable ugly one. Then scramble the
blanks, and you are shrouded.

Though with some Ruby there's not much shrouding left to go... ;-)

Responding to the thread in general - just put your family jewels into C++
behind a Ruby layer, and ship Ruby for the easy stuff that your clients
don't need to steal...

--
Phlip
http://www.oreilly.com/catalog/9780...
"Test Driven Ajax (on Rails)"
assert_xpath, assert_javascript, & assert_ajax

Michel Cabili

9/1/2007 4:25:00 PM

Phlip wrote:
> Responding to the thread in general - just put your family jewels into
> C++
> behind a Ruby layer, and ship Ruby for the easy stuff that your clients
> don't need to steal...

That seems a fair solution. Although I'm not that deep into Ruby yet, I
saw some links concerning creating extensions for Ruby... but in C.
There must be something equivalent for C++...

That means that when I create for instance my extension (let's say
"funky_extension"), the file concerning the extension will be compiled
therefore obfuscated? Is that what you're talking about?
--
Posted via http://www.ruby-....

John Joyce

9/1/2007 4:55:00 PM

On Sep 1, 2007, at 11:25 AM, Michel Cabili wrote:

> Phlip wrote:
>> Responding to the thread in general - just put your family jewels
>> into
>> C++
>> behind a Ruby layer, and ship Ruby for the easy stuff that your
>> clients
>> don't need to steal...
>
> That seems a fair solution. Although I'm not that deep into Ruby
> yet, I
> saw some links concerning creating extensions for Ruby... but in C.
> There must be something equivalent for C++...
>
> That means that when I create for instance my extension (let's say
> "funky_extension"), the file concerning the extension will be compiled
> therefore obfuscated? Is that what you're talking about?
> --
> Posted via http://www.ruby-....
>
You should use C for Ruby extensions.
Ruby is implemented in C.
JRuby might allow Java extensions...?
If you know C++ you can probably handle the C stuff.

Oh, one other idea for obfuscation, you could always also use Ruby
Inline for some things. (like a routine you run first to decrypt your
Ruby files or whatever.) Depending on the size of your app, you could
pretty easily make it at least confusing to look at with a simple
Rot13, or just replacing all newline characters in the Ruby files
with some unique identifier string. (other than the first one called,
which would include Inline C or whatever to decrypt)

You could make it even simpler. Consider Ruby's predefined variables
(they're globals that start with $) and command line flags and
arguments.
there might some simple to implement but not so obvious tricks you
could do there.

Phlip

9/1/2007 5:16:00 PM

----- Original Message -----
From: "Michel Cabili" <michel.cabili@gmail.com>

> That seems a fair solution. Although I'm not that deep into Ruby yet, I
> saw some links concerning creating extensions for Ruby... but in C.
> There must be something equivalent for C++...
>
> That means that when I create for instance my extension (let's say
> "funky_extension"), the file concerning the extension will be compiled
> therefore obfuscated? Is that what you're talking about?

Yes. But...

In general, asking how to obfuscate code so others can't steal it is
"solution probleming". It's just appeasing clue-impaired investors who think
their investment will return nothing if someone "steals" the code, re-skins
it, and publishes it as an alternate solution.

This is self-aggrandizing. The problem of people going crazy trying to steal
your software is a problem most ISVs would dearly love to have. And studies
have shown that competitors generally don't _want_ to use your code, when
they can see it. The code is only useful to you.

An investor's money goes to building a team and a system to create, test,
deploy, and market that code. This _system_ is what a competitor needs, and
it's very hard to steal it.

So, write lots of unit tests, and don't publish them. The code's source will
be useless!

--
Phlip
http://www.oreilly.com/catalog/9780...
"Test Driven Ajax (on Rails)"
assert_xpath, assert_javascript, & assert_ajax

comp.lang.ruby

Seeing the source

Michel Cabili

Phillip Gawlowski

John Joyce

Michel Cabili

Phlip

Tim Hunter

Michel Cabili

Phlip

Michel Cabili

John Joyce

Phlip

x Login to ForumsZone