I am evaluating migrating to Ruby (Ruby on Rails) from PHP. One big concern I have is about the project encryption.
Currently in PHP I encrypt the projects before giving them to the clients by using Source Guardian.
However, for Ruby the only option I found is rubyencoder.com (the same company as PHP Source Guardian). Has anyone tried this software and have first-hand experience?
Is there any other software?
Is there any native way in Ruby to encrypt the project?
You should know that this is not really protecting your code. At some point, the code will have to be executed by Ruby's VM (let's assume you're on 1.9.x). The VM itself, unless modified, will only be able to understand the instructions in their unencrypted form.
What this means is that before the encrypted code can be executed, it will have to be transformed back into its original form. And someone badly craving to read your source code could do so by debugging the Ruby process and waiting for that decryption to happen.
Even if it's just the byte code instructions that you will get from this, it's possible to reconstruct quite readable source code from byte code interpretation. Here is an example for Java, but similar things are possible for Ruby, too.
Code obfuscation might be more what you are looking for, but it is also a very risky option for Ruby code: it might break sophisticated meta programming features.
I've never been a friend of DRM measures, so it might be that I am quite opinionated here... but are you really, really convinced you will need such features?
There is a simple way of dealing with that if you can use Rubinius to execute the code (there might also exist a similar solution for JRuby since it runs on the JVM): With Rubinius you compile your source code to byte code and ship only the binary code to the client. That code can then be executed on the target system without giving away any source code. For detailed instructions and caveats see this blog post on the Rubinius homepage: http://rubini.us/2011/03/17/running-ruby-with-no-ruby/
Related
My Ruby on Rails app of course contains all business logic and algorithms, and if I install this on a customer's server, then they can read my source code, which I want to keep as secret as possible to protect my business.
PHP has several tools which can take the PHP project and encode it into bytecode, which is exactly what I would like to be able to do for Ruby on Rails.
There are several Ruby on Rails packers, which just bundle it all into an executable, but the plain Ruby source code is still in there.
Question
How to protect your Ruby on Rails source/product when it is installed on a customer's server?
There are a few Ruby code obfuscators, that you couple with a packer, to produce something that is at least reasonably hard to reverse-engineer.
If protecting your code is a business need, you might want to try RubyEncoder, a commercial product designed to do exactly what you want. (disclaimer: I didn't)
Note that if secrets in your code are that important to you, you might want to make it a service (e.g. a Web service) that your customer accesses instead of code you deploy on their systems. But that's an option that may not be viable (or desirable) for you for a zillion different reasons…
It is impossible to encode code in such a way that a machine can execute it, but a human cannot read it. In order for your customers to run the code, the CPU must understand the code. CPUs are much, much stupider than humans, so if a CPU can understand the code, then a human can, too.
The only way to protect your code, is to not give it away. Host the app on your own premises and rent access to it out as a service.
Note that reading your code is illegal, so what makes you think that somebody who has no problem with going to prison to get access to your secrets is going to get stopped by some encoding that can be reverse-engineered anyway? (Note that even if they have the un-encoded source code, they still need to reverse-engineer it anyway, since without access to your source repository and design documents, they have no idea why the code is written the way it is.)
Also, for someone who has no problem breaking the law, bribing one of your employees who knows how the code works is going to be much easier than reverse-engineering the code.
There is no general bytecode format for Ruby. There are several different Ruby implementations; some of them have a bytecode format, some don't. E.g. Opal is a compiler that outputs ECMAScript, no bytecode involved. XRuby was a compiler for the JVM, but it is abandoned. Ruby.NET was a compiler for .NET, but it is abandoned. JRuby is an implementation for the JVM that also includes a compiler. YARV, MRuby, and Rubinius all have different, incompatible bytecode formats; some of those implementations allow loading bytecode from disk, some don't.
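The answers above say that shipping only bytecode does not hide the logic, and that YARV is one implementation that can load bytecode from disk. The following is an added example, not code from any of the posts: it assumes MRI (YARV) Ruby 2.3 or later, where `RubyVM::InstructionSequence` provides `to_binary` and `load_from_binary`, and `SOURCE` is constructed sample code.

```ruby
# Added example, not from the original posts. Assumes MRI (YARV), Ruby 2.3+.
# SOURCE is constructed sample "business logic".
SOURCE = <<~RUBY
  def discount_for(plan)
    return 0.35 if plan == "enterprise-gold"
    0.05
  end
RUBY

# Build step: compile source text to YARV bytecode and serialize it,
# as a "ship only the bytecode" distribution would.
def compile_to_blob(source)
  RubyVM::InstructionSequence.compile(source).to_binary
end

# Customer side: load the blob and run it; no .rb text is needed.
def run_blob(blob)
  RubyVM::InstructionSequence.load_from_binary(blob).eval
end

# Reader side: the same loader returns an object that can print a
# disassembly listing of itself and of the methods it defines.
def disassemble_blob(blob)
  RubyVM::InstructionSequence.load_from_binary(blob).disasm
end

# Report which of the given names and literals are still visible
# in the listing recovered from the shipped blob.
def visible_in_blob(blob, needles)
  listing = disassemble_blob(blob)
  needles.select { |needle| listing.include?(needle) }
end

if __FILE__ == $PROGRAM_NAME
  blob = compile_to_blob(SOURCE)
  run_blob(blob)                       # defines discount_for from bytecode only
  puts discount_for("enterprise-gold")
  puts visible_in_blob(blob, %w[discount_for enterprise-gold 0.35]).inspect
end
```

The method name, the plan string and the rate all survive serialization, which is why a bytecode-only release should be treated as packaging rather than as confidentiality for anything embedded in the code.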
I'm going to develop a collaborative site, and one of the features will be collaborative editing with realtime changes, i.e. when two or more users are editing the same doc, they can see each other's changes as soon as they happen.
I have some experience with Ruby on Rails, so I was thinking about using EventMachine, but with all this hype around Node.js, I am now considering using it instead. So, what would be the main benefits of using Node.js instead of EventMachine?
tl;dr
What are the main differences between EventMachine and Node.js (besides the language)?
EventMachine has nothing to do with Rails apart from them both being written in the same language. You can get EventMachine as bare as Node.js; all you have to do is not add libraries to your project. In my experience the EventMachine libraries (like em-http) are much nicer than anything for Node. And you can use fibers instead of callbacks to avoid callback hell. Complete exception handling is pretty much impossible in Node because of all the callbacks. Plus Ruby is a nicer, more complete language than JavaScript.
I tend towards the "use what you know" (even if it's a heavier architecture). Because of that, I don't see it being quite as simple as "EventMachine vs NodeJS." Mainly, the difference can be summarized as this:
NodeJS is a framework/language that was written to handle event based programming in JavaScript. That is its driving force. It's not an afterthought, or a third party mechanism. It's baked right into the language. You create callbacks/events because that's how the language is built. It's not a third party plug-in, and doesn't alter your workflow.
EventMachine is a gem in Ruby that gives developers access to some of the goodness of the event based programming model. It's heavily used and well tested, but not baked directly into the language. Both are locked to one CPU, but with event programming at Node's core, it still has a leg up. Ruby wasn't written with concurrency in mind.
That said, technical problems can be overcome. The more important questions (from my view) that should guide your decision are these:
What will your production environment look like? Do you have complete control over the server? Can you host it however you want? Or will it be on a shared system to start with, and then you have to expand on that?
Do all the developers on your team have the ability to learn a new language very fast? How fast will they be able to understand an event-based language like JavaScript for the middle tier?
Do you need all of the architecture that Rails gives you (full Testing framework, scaffolding, models, controllers, etc)? Or is that overkill?
There are quite a few technical differences between the two. One is a language, one is a framework. Really, how heavy of a stack do you want to run? How much learning will your developers have to do? Do you want a full stack that gives you a lot of niceties, that you may not use, or do you want a bare bones setup that runs extremely fast and concurrent, even though you may have to write extra boilerplate code and learn a new language?
While Rails is not as heavy as some web application architectures, you're still going to need more processor power than you would to handle a similar amount of throughput in NodeJS. Assuming quality code for both systems. Bad code written on either stack is going to prevent the stack from shining. It really comes down to: do you really want to learn a whole new way of doing things, or utilize your current understanding of Ruby to get things off the ground fast?
I know it's not really a definitive answer, but I hope this helps guide you to a decision!
One thing worth mentioning is the production story. EM, like most Rack stuff, has plenty of testing and monitoring tools available that are well tested, whereas Node.js falls well short in this respect.
At the time of writing, it seems almost impossible to get clear metrics from Node to answer questions like 'Do I need to scale'. There are options starting to form out there from the likes of Joyent, and always the roll-your-own argument, but nothing anywhere near tools such as NewRelic.
Node.js is very good from a performance / configurability point of view, but personally I wouldn't host it in production just yet.
Node.js
You get far better low-level control over what's going on. You can include general libraries to build on top of node.js to tweak your level of abstraction to your own liking. For example you can use connect or express depending on whether you want a view engine written for you.
You can use socket.io or now depending on how much you want your client-server connection abstracted. You can opt to include any of numerous MVC libraries or write your own.
Event-Machine
An asynchronous IO library just like node.js
It comes down to a Ruby vs JavaScript preference, how much flexibility you want with abstractions or lack of abstractions and whether you want to use node as your actual web server.
a detailed view at confusion has already been proposed... just a personal view
node.js will be better, if you are ready to learn and experiment more than you think because:
its thread mechanism is awesome (inspired from that of 'erlang')
you can build a purpose specific server (easily) which will be real productive
I had a question with regards to software built on Ruby on Rails. I'm on the business end of an incubation team that has a few projects in the works, all built on Ruby on Rails. The goal from the investor was to sell the software out to third parties and have them use the platforms to their liking. From what I can tell though, there is no way to compile Ruby code and send it off to a third party, hiding the actual code from them.
We do not want our clients being able to copy our code and take it from us. Is there any actual solution to this problem, or are we screwed because they already decided to develop on Ruby? We wanted to be able to sell software as a service, but that's not going to work out if a client can sign up for a month, copy our code, and then build their own solution.
Thanks for any help in advance.
Ruby code obfuscators do exist, but that's of little real help IMO. But even if Ruby was compiled, chances are good it would get compiled into a format that is easily decompiled. Languages like C# and Java are both easily decompiled and thus source code is easy to get at these days.
Your real protection should probably come from a license. You may need to work with a lawyer or someone versed in software licenses. But if they violate your license, you have legal ground to take action.
Are there any applications out there that will let me encode my Ruby on Rails code so others can't read it? I plan on selling a few small applications, but I really don't want everyone knowing my code.
Thanks.
Only example I have seen in the wild is Mingle from ThoughtWorks, which runs on JRuby, which I think they must have modified in some way to run the encrypted code.
http://www.thoughtworks-studios.com/mingle-agile-project-management
I think they may have used something like this AOT compiler:
http://kenai.com/projects/jruby/pages/RailsAOT
This also looks promising:
http://www.infoq.com/news/2008/10/rubyencoder
Check out this answer for other ideas.
Can you Distribute a Ruby on Rails Application without Source?
If you want people to be able to run your code (and if you don't, then why did you write it in the first place?), then their CPU needs to be able to execute your code. In order to be able to execute the code, the CPU needs to be able to understand it.
Since CPUs are dumb, and humans aren't, this means that humans can understand the code as well.
The only way you can protect your code through technical means, is if you "own" the entire execution path: you need to build your own CPU, your own computer, write your own operating system and your own Ruby interpreter. Then, and only then can you protect your code. (But note that even the tiniest mistake will render all of your protections useless. Microsoft, Apple, Sony, the Music Industry and the Movie Industry can attest to that.)
Or, you could just do nothing, which means that your code will be automatically protected by copyright law.
Thanks for all your answers! Currently I'm looking at JRuby and Ruby Encoder options but if I find neither are what I want then I think I should just sell the code and focus more on getting customers. It really doesn't make sense to spend all this time and money on an encryption that can be easily cracked anyways.
Maybe you could host the application yourself.
This way nobody will ever have access to your code and your clients will use the application everywhere via the Internet and also will pay you for the support.
To host a Rails application the easiest way, you could try http://heroku.com/ or even set up a small VPS with Apache and mod_passenger.
No, there is no way to have executable code that can't be read. Hard to read yes, impossible to read is... impossible. Best you can do is obfuscate, of which there are many examples around the net (but I don't know of any libraries that do it for you).
I'm wondering if it's possible to distribute a RoR app for production use without source code? I've seen this post on SO, but my situation is a little different. This would be an app administered by people with some clue, so I'm cool with still requiring an Apache/Mongrel/MySQL setup on the customer end. All I really want is for the source to be protected. Encoding seems a popular way to go for distributing PHP apps (eg: Helpspot).
I've found these potential solutions:
ZenObfuscate - not all types of Ruby code are supported however, so that counts that out
Ruby Encoder - may be the best option, as their PHP encoder looks alright (I haven't tried it however) but it's not available yet. I've used IONcube for PHP before and it worked well, but it doesn't seem that IONcube is interested yet.
Slingshot - it was mentioned in the other SO post, but it solves a different problem to mine and the source is still visible.
RubyScript2Exe - from the doco, it's not production ready, so that counts that out.
I've heard that potentially using JRuby and distributing bytecode might be a way to achieve this, but I've never used JRuby so I'm not sure what's involved.
Can anyone offer any ideas and/or known examples? Ideally I'd love to have some kind of automated build scenario as well.
Your best option right now is to use JRuby. A little bit of background: My company (BitRock) works with many proprietary and commercial open source vendors. We help them package their server software, which is typically based on PHP, Java or Ruby together with a web server or application server (Apache, Tomcat), the language runtime and a database (typically Postgres, MySQL) into a self-contained, easy to use installer. We have a large number of PHP-based customers (including HelpSpot, which you mention) but also several Rails-based ones. In the case of the RoR customers the norm is to use JRuby together with Tomcat or Glassfish although in some cases we also bundle a native Ruby interpreter to run specific scripts that rely on libraries not yet ported to JRuby (usually not core to the application). JRuby has matured quickly and in many cases it actually runs their code faster than regular Ruby. You will need to also consider that although porting your code to JRuby is fairly straightforward, you will need to invest some time on that. You may want to check JRuby Stack which is a free installer of everything you need to get started. Good luck!
If you release the source, obfuscated or otherwise, your app will be pirated. See, for example, Mint. It depends on what you're building, but you may find that you're better off releasing the app as a hybrid of sorts: A hosted app with a well-defined API, and a component that runs on the customer's server. As long as the true value of your product lives on the server side, you don't need to obfuscate your code, and you can just release the source code unmodified. Additionally, this may also give you the opportunity to reach clients running, say, PHP rather than Ruby. See, for example, Google Analytics, HopToad, Scout, etc, etc.
You can, but it wouldn't do anything to prevent somebody from reverse-engineering or modifying it. I remember there was an article about similar attempts to obfuscate Perl and how they could be effectively bypassed by a debugger and 5 minutes of effort.
If you can't wait for the delivery of RubyEncoder, then I think ZenObfuscate is the most promising. Though it may require some modifications to your source code, they do say this on their site:
ZenObfuscate costs $2500 for a site license or is individually negotiable for other licensing schemes. Yes, that is expensive. That was on purpose. But don't let that thwart you too much. If your product is really cool and we want to see it succeed, we'll make it work. "Really cool" is not freecell.
Of course, for $2500 (or more), you'd hope to get a few tweaks to the compiler that'd make your codebase fully supported. It might be worth engaging them in the conversation.
You can also take a look at Mingle from ThoughtWorks studios as an example of using JRuby for this.
It's a Ruby on Rails app, they run it using JRuby. They've customized JRuby to load encrypted .rb files.
Take a look at JumpBox.
I've had conversations with them on the topic, and they seem to have a solution that will work soon for Rails apps.
I'm wondering if you could just "compile" the Ruby code into an executable using something like RubyScript2Exe?
To be honest I haven't used it but it seems like it could be what you want, even if it just packages up the scripts with the interpreter into a single executable.