Sean W. Liu
2011-Feb-25 12:47 UTC
What's the best practice to protect rails code in a small company?
Hi fellows,

I'm starting a small company developing a SNS website and we are using RoR. The concern we have right now is that we don't want each of our developers to get the entire Rails code base of our project.

To my knowledge, there might be three pieces of ideas of potential technical solutions for us. But since I don't really have any so-called industrial experience on web development, I'm looking forward to some advice.

1. Encode/encrypt our Rails source code somehow;
2. Distribute the minimum amount of code to an individual developer as needed;
3. Construct some special architecture for our SNS like Drupal that people can develop "plug-in" or "module" for such system that one developer only needs to know the corresponding APIs for working on his/her specific "plug-in"/"module".

Or, is there any other better way? Or, what mechanism is actually being used by big commercial companies using Rails like Twitter?

Thanks in advance!

Regards,
Sean
Colin Law
2011-Feb-25 13:30 UTC
Re: What's the best practice to protect rails code in a small company?
On 25 February 2011 12:47, Sean W. Liu wrote:
> Hi fellows,
>
> I'm starting a small company developing a SNS website and we are using
> RoR. The concern we have right now is that we don't want each of our
> developers to get the entire Rails code base of our project.
>
> To my knowledge, there might be three pieces of ideas of potential
> technical solutions for us. But since I don't really have any so-called
> industrial experience on web development, I'm looking forward
> to some advice.
>
> 1. Encode/encrypt our Rails source code somehow;
>
> 2. Distribute the minimum amount of code to an individual developer as
> needed;
>
> 3. Construct some special architecture for our SNS like Drupal that
> people can develop "plug-in" or "module" for such system that one
> developer only needs to know the corresponding APIs for working on
> his/her specific "plug-in"/"module".
>
> Or, is there any other better way? Or, what mechanism is actually
> being used by big commercial companies using Rails like Twitter?

Employ reputable contractors (I presume it is contractors that you are talking about) and get them to sign non-disclosure agreements.

Colin
Phoenix Rising
2011-Feb-25 13:41 UTC
Re: What's the best practice to protect rails code in a small company?
Hi Sean,

In my experience, there really isn't a good way to separate chunks of code among developers, especially when they're working in a team environment (pair programming, etc.). Speaking from a decade of experience, it causes many more problems than it solves.

I understand you want to protect your intellectual property - that's cool. However, being TOO restrictive of it is going to make things much harder for your staff and really kill progress. Most developers I know wouldn't even take the job to begin with if encrypting part of the codebase during development, or splitting it up was part of the deal. Anyone who does is, in my opinion, probably not experienced enough to really know what's going on, and therefore, probably not experienced enough to really build something -right-.

That said, here are two other options for you. You could possibly implement both:

1) Create a web service based architecture, having one developer be responsible for that, and a series of "client" applications that connect to the web service. This works great in environments where you have disparate technologies that need to communicate regardless of what language they're built in, or what servers they're on. It's a solid "technology agnostic" approach because all the other developers would need to do is interface over HTTP for each "request" to build their portions of the application.

2) Have your developers sign an NDA. Legally speaking, as long as your NDA is sound, IF they go off and try to steal your IP, you'll have the necessary proof of a bad faith effort and/or breach of contract that you'd need to win in court. Even though you may not be able to get a huge chunk 'o change from each individual up front if you win, you might be able to take in a portion of their earnings in the future. I'm not a lawyer, but I strongly recommend getting a GOOD one who knows IP law and has experience creating/administering solid NDA's and IP agreements, as well as a good track record for winning cases against real IP thieves.

At the end of the day, you really can't feasibly expect a developer to build any application - Rails-based or otherwise - without access to the codebase. It just plain doesn't work.

Good luck man! Hope things work out for you.
Weichao Liu
2011-Feb-26 01:51 UTC
Re: What's the best practice to protect rails code in a small company?
Hi Colin,

Thanks for your advice! Actually, I was talking about my employees. I understand your point, which is also part of my plan. But I still want to protect our IP technically.

In my experience, it's not really a good idea to allow every employee to get the whole project code repository.

Signing an NDA can obviously show the company's intention about IP protection. But sometimes it can be either difficult to prove if someone leaks our code, or exhaustive for a small company to deal with such law suits.

Anyway, I'm looking for some nice technical solutions to this concern.

Sean

--
Sean W. Liu
NimbRo Group
Institute of Computer Science
University of Bonn
Germany
http://www.nimbro.net
TEL: +49 (228) 8236 9149
Cell Phone: +49 (157) 7616 5080
Weichao Liu
2011-Feb-26 01:58 UTC
Re: Re: What's the best practice to protect rails code in a small company?
Hi Phoenix,

Thanks a lot for such a detailed explanation! I've talked to my core team about this issue and we did have similar conclusions as you suggested.

I think you are right. I'll probably invest more effort on how to continuously improve our product and doing better marketing instead of worrying too much about IP protection.

Thanks again!

Sean
Michael Pavling
2011-Feb-26 08:41 UTC
Re: What's the best practice to protect rails code in a small company?
On 26 February 2011 01:51, Weichao Liu wrote:
> On Fri, Feb 25, 2011 at 9:30 PM, Colin Law wrote:
>> On 25 February 2011 12:47, Sean W. Liu wrote:
>> > Hi fellows,
>> >
>> > I'm starting a small company developing a SNS website and we are using
>> > RoR. The concern we have right now is that we don't want each of our
>> > developers to get the entire Rails code base of our project.

How would you expect the developers to be able to *run* the Rails application to develop for it, if they don't have the code?

>> Employ reputable contractors (I presume it is contractors that you are
>> talking about) and get them to sign non-disclosure agreements.

I agree wholeheartedly. And as a flip side, as a contractor, I would be highly suspicious of any employer who wanted to start a relationship by being so suspicious of me that they want to micro-manage the sections of code I have access to.

Remember Sean, Rails is a nice open OO framework - unless one has access to jump around and refactor chunks of it, it's not going to be easy to work with.

> In my experience, it's not really a good idea to allow every employee to get
> the whole project code repository.

Really? Can you explain how you went about it before, please. What technologies made this possible? What languages and development methodologies were you using?

> Signing an NDA can obviously show the company's intention about IP
> protection. But sometimes it can be either difficult to prove if someone
> leaks our code, or exhaustive for a small company to deal with such law
> suits.

Again.. as pointed out, if you hire people who are happy to work in such a restrictive environment, you're likely to end up with code that's not worth stealing (or protecting) in the first place :-/
Sean W. Liu
2011-Feb-26 14:26 UTC
Re: What's the best practice to protect rails code in a small company?
Hi Michael,

I just wrote a lot to reply but eventually decided to simply say: Thanks very much! I think I get your point.

Sean
Danny Burkes
2011-Feb-26 20:54 UTC
Re: What's the best practice to protect rails code in a small company?
If you don't trust your own developers, you have bigger problems than any obfuscation or compartmentalization scheme can solve.

Find developers that you consider your trusted colleagues and build your product with them.

- D
Sean W. Liu
2011-Feb-27 02:14 UTC
Re: What's the best practice to protect rails code in a small company?
Hi Danny,

Thanks for your advice! But please don't take it the wrong way. IP protection policy doesn't mean a company does not trust their employees! Or otherwise, why is there something called NDA, right? Why not simply employ the ones you trust? It doesn't matter if one joins a company or works in a university, they will be asked to sign a paper claiming something like they won't steal things. At least European and Asian universities and companies generally do this.

On one hand, IP protection policies are a very common mechanism in an organization and it definitely doesn't mean a company doesn't trust its employees; on the other hand, when a company grows fast, how can somebody promise that you know every applicant so well that you are so sure that each of them can be trusted equally even when people are from different countries with different backgrounds?

Anyway, we are a great team working together and of course we trust each other. The IP protection techniques we were looking for were meant for new employees whom we don't know that well yet.

AND, I wanna thank everyone here replying to my questions! I do get what I wanted to know in the first place! Thus, I'm gonna move on to the dev work and close this thread.

Thanks again!

Regards,
Sean

PS: Because Danny has some opinions that sound similar to the ones proposed by Michael. Therefore, I also wanna finish this thread by rewriting some of my opinions wrt. Michael's reply. I don't really remember what I wrote for the first time. I'll just quickly recap some of my previous thoughts concerning Michael's opinions.

============
Hi Michael,

Thanks very much! You are right. It's not a good idea to be suspicious as an employer. But try to protect IP != suspicious. Plus, I'm not trying to say we don't want anyone to get the entire code base. The core team obviously have the authorization to touch everything and we only want to get some kind of control over our new employees to reduce potential risks.

Apparently, IP protection is not something new. Big companies do such things all the time, not just by asking their employees to sign up some NDA. And we shouldn't say that those big companies are suspicious about their employees. It's just one kind of risk control policy. Furthermore, I believe code leaks and IP thieves are also not brand new concepts.

And there is one more thing, working environments and attitudes are sometimes different in different countries. People sometimes simply couldn't really understand such situations thoroughly if they were not growing up in that environment, a little bit like different religions.

In short, now I get some rough ideas about web developers' opinions on IP protection and I'll try to fit into the community. Therefore, I think I will try to be more open.

FYI, I've been working on system software and robotics systems which are usually developed in C/C++ wrt. computer programming. We also design mechanical and electronic systems. For our projects, we usually use different techniques for IP protection and our team works well.

.......
============
Karthikeyan
2011-Feb-27 06:20 UTC
Re: What's the best practice to protect rails code in a small company?
Have you people heard of Murphy's law? Treat your employees well. That will do.