August 17, 2006
The 1996 JavaWorld article
I think the answer is an emphatic yes.
Some people might see that as a huge business risk. I say if your business model is that dependent on clever, obfuscated source code tricks, it isn't much of a business model.
That's why I'm not afraid to bust out a copy of Reflector and perform a little ad-hoc "View Source". It's common practice to decompile binary .NET assemblies, for a whole host of entirely valid reasons:
- You've encountered a possible bug in the code
- You don't understand the code's behavior
- You need to do something similar in your own code
Having the source code gives you the ability to fix your own problems-- or even someone else's problems. If you can see the source code, the binary is alive-- it can evolve.
And you can still license your software and make money, even if you're handing out the source code at the same time. According to DesaWare, one of the most compelling software sales pitches is the phrase "source code included":
Providing source code is the only answer -- it's a way to say to the customer that if worst comes to worst, they can be their own alternate source. Even Microsoft has demonstrated this by providing Windows Source to certain customers, like large governments, who have the leverage to demand it. And, yes, escrow services should be sufficient for this purpose, but for some reason most customers don't like that approach. Perhaps it's lack of confidence in the long-term viability of the escrow services themselves? Or perhaps lack of faith in their own institutional memory to recall that such escrow arrangements had been made.
There are some nice side benefits of having source code available: the ability to learn from someone else's code, and the possibility of customizing components to suit specific needs, but those are smaller issues. Security is always a concern, but it is only applicable to software that has the potential to elevate the privilege of a user -- something that applies to a relatively small number of software components.
So what about the great closed source vs. open source debate? I'm never one to shy away from controversy, but that's for another time and place. What we did by releasing our software was not open source by any stretch of the imagination. Our source code is licensed to individual developers for their own use -- not for distribution. Does a true open source model make sense for the component world? I don't know. What I do know is that source code availability provides a level of peace of mind for some developers that probably cannot be matched any other way.
We should do away with the pretense of hiding code. Let's not only acknowledge that decompiling .NET code is trivial, let's embrace the power of "view source" by shipping source code along with our binaries.
Posted by Jeff Atwood
Unfortunately 'Code Darwinism' operates on the same timescales as real Darwinism.
All too often, bad practices are seen, copied and made worse. Eventually, the projects based upon these practices will fail, but not before leaving a trail of destruction and frustration behind them.
Ultimately, people fall into one of 2 camps (and this applies in general behaviour too, not just software development)...
Those who use the bad behaviour of others as an excuse for behaving the same way themselves.
Those who see the good behaviour of others as an example to follow.
The difference is very subtle, but it's an important one.
I do agree, though, that being able to examine other people's code is one of the best tools for self improvement.
"I think in 2 years we will be awash in a lot of bad AJAXified apps."
10 years so far and we're still saddled with many applications written in C++ with buffer overflow flaws.
Don't blame the saw, blame the carpenter.
Jon: excellent stuff. Beefing up the language (E4X) is definitely a step in the right direction. Thanks for the light.
Sorry Scott, I have good and bad tools in my garage, and the bad tools just make things hard to do.
.NET's transparency is the very reason companies that write and sell software are not adopting it en masse. The truth is that software companies need to protect their IP. If they can't do that, they won't stay in business. Your Desaware example is an exception to the rule - they provide components to developers. I don't think Microsoft or Adobe will be licensing any of their source code anytime soon.
In fact, Microsoft's biggest .NET app to-date (Small Business Accounting 2006) is obfuscated.
One of the strengths of Smalltalk systems comes from the fact that all source code is delivered with the system. This holds true for both commercial systems (like VisualWorks and Dolphin Smalltalk) and open source systems (like Squeak).
Smalltalk and its IDE are written in Smalltalk itself, and there is really no difference in the access you have to view and modify your own code and someone else’s code. No extra source files to be hunted for, and no settings in the IDE to change.
I agree that the open source model has a place in the software world. However, it isn't something that can be applied realistically across the board for every software category.
I work for a small ISV, and we create stand alone as well as web based applications. It never fails that as soon as we create a unique product that starts selling well, someone will re-create our product and start selling it on their site. Some time ago, we rolled out a VB based application that was quite popular. Within a month of roll-out, we noticed that someone had taken our app, modified the string-table (changing such things as the app title, copyright, etc.) to brand the app as their own.
People that usually are evangelizers of a blanket open source software model often aren't dependent on their software sales for a living, and/or aren't familiar with the fact that there is a large portion of the Internet that will stop at nothing to make a buck - even if it means stealing from someone to do it.
For these reasons alone, we haven't migrated to .NET yet, and have spent more time on web based development where our code is securely stored on our servers - away from prying eyes. If someone wants to duplicate our functionality, let THEM figure it out - I don't need to "donate" my time telling them how I did it so they can go make a buck on it. That code represents my livelihood.
If you think .NET code is difficult to decompile perhaps you should grab a copy of .NET Reflector.
"I work for a small ISV, and we create stand alone as well as web based applications. It never fails that as soon as we create a unique product that starts selling well, someone will re-create our product and start selling it on their site. Some time ago, we rolled out a VB based application that was quite popular. Within a month of roll-out, we noticed that someone had taken our app, modified the string-table (changing such things as the app title, copyright, etc.) to brand the app as their own."
If you are being ripped off that easily, then your apps are too simple to really be hard to duplicate via traditional methods *and* you are not availing yourself of the legal system. Something so blatant is a slam dunk to get squashed.
Not making enough to pursue them in the courts? Then I wonder how it could possibly be sustaining your livelihood to a degree you care.
We provide source upon request to our customers. A few even tried to make a copy of our service, but the reality is that our product is complex enough that they flame out in the attempt. Then get a nice letter and a bit later we get a nice check for their troubles. Simple really: provide something of true value and protect it via the laws that were put in place to do so.
The details are here.
Just because it's ubiquitous and open does not make it good. JS is not a great language. I think in 2 years we will be awash in a lot of bad AJAXified apps.
please not again this discussion.
Opensource can work for apps that need loads of service afterwards - that means things, where the source alone is next to worthless like complex OS'ses.
However, for "simple" products that don't warrant a support contract, giving the source is a shot in the own foot imho...
This leads to what I call "Code Darwinism": good techniques are seen immediately and reproduce promiscuously.
Bad techniques never reproduce and die out.
This would be nice if it worked. Unfortunately it doesn't, for two reasons:
* Good scripts are more often than not in a separate JS file (instead of being in the HTML page or *shudder* inline in the elements), their visualization therefore requires a bit more work than just View Source (unless you're using Chris Pederick's wonderful Web Developer Toolbar that is)
* And good scripts often use fairly advanced JS techniques (DOM manipulation, functional concepts, ...) requiring a fairly good understanding of the basic JS concepts.
I personally want people to see my code. If someone out there can teach me how to write better, more efficient code, as far as I'm concerned, the more power to me.
If someone sees my code and learns from it, the more power to them.
Unfortunately, I think that there's some JS obfuscation software - and it's doing its job pretty well (taking a script, assigning random names to all identifiers, encrypting that source code into function that creates this code from seemingly random characters - caesar's crypt and some xoring involved - just into a variable and then executes it)... Bye bye OS.
All is not goodness and flowers--you're forgetting about malicious intent.
IP needs to be protected, plain and simple.
It's easy enough to obfuscate code without obfuscating it, anyway:
1. No comments or design
2. If you're in a niche enough area (e.g. simulations of complex systems - I'm talking from experience), without the domain knowledge (or, at times, even with domain knowledge), you can see what the code does...but still not understand what it does!
(1) Using AJAX where it doesn't belong
More about E4X here: http://weblogs.asp.net/jgalloway/archive/2005/11/06/429666.aspx
@Jon: It's funny how several years in, this post still draws attention. Great subjects for discussion never really die!
For anyone who thinks that every desktop or desktop oriented application needs to be web-ified, ask yourself a question. Why, if anything and everything MUST (or to not be so harsh, should) be web-based, did everyone bash the darling of mobility that is the iPhone when Apple put off having a native applications sdk for over a year? Why did they almost immediately start to take out the nails for Palm's final coffin, when they said they wouldn't have a native development kit?