Encoding Ruby on Rails code? - ruby-on-rails

Are there any applications out there that will let me encode my Ruby on Rails code so others can't read it? I plan on selling a few small applications, but I really don't want everyone knowing my code.
Thanks.

Only example I have seen in the wild is Mingle from ThoughtWorks, which runs on JRuby, which I think they must have modified in some way to run the encrypted code.
http://www.thoughtworks-studios.com/mingle-agile-project-management
I think they may have used something like this AOT compiler:
http://kenai.com/projects/jruby/pages/RailsAOT
This also looks promising:
http://www.infoq.com/news/2008/10/rubyencoder
Check out this answer for other ideas.
Can you Distribute a Ruby on Rails Application without Source?

If you want people to be able to run your code (and if you don't, then why did you write it in the first place?), then their CPU needs to be able to execute your code. In order to be able to execute the code, the CPU needs to be able to understand it.
Since CPUs are dumb, and humans aren't, this means that humans can understand the code as well.
The only way you can protect your code through technical means, is if you "own" the entire execution path: you need to build your own CPU, your own computer, write your own operating system and your own Ruby interpreter. Then, and only then can you protect your code. (But note that even the tiniest mistake will render all of your protections useless. Microsoft, Apple, Sony, the Music Industry and the Movie Industry can attest to that.)
Or, you could just do nothing, which means that your code will be automatically protected by copyright law.

Thanks for all your answers! Currently I'm looking at jRuby and Ruby Encoder options but if I find neither are what I want then I think I should just sell the code and focus more on getting customers. It really doesn't make sense to spend all this time and money on an encryption that can be easily cracked anyways.

Maybe you could host the application yourself.
This way nobody will ever have access to your code, and your clients will use the application everywhere via the Internet and will also pay you for the support.
To host a Rails application the easiest way, you could try http://heroku.com/ or even set up a small VPS with Apache and mod_passenger.

No, there is no way to have executable code that can't be read. Hard to read yes, impossible to read is... impossible. Best you can do is obfuscate, of which there are many examples around the net (but I don't know of any libraries that do it for you).

Related

Possible to compile/encode Ruby to binary to hide code?

My Ruby on Rails app of course contains all business logic and algorithms, and if I install this on a customer's server, then they can read my source code, which I want to keep as secret as possible to protect my business.
PHP has several tools which can take the PHP project and encode it into bytecode, which is exactly what I would like to be able to do for Ruby on Rails.
There are several Ruby on Rails packers, which just bundle it all into an executable, but the plain Ruby source code is still in there.
Question
How to protect your Ruby on Rails source/product when it is installed on a customer's server?
There are a few Ruby code obfuscators, that you couple with a packer, to produce something that is at least reasonably hard to reverse-engineer.
If protecting your code is a business need, you might want to try RubyEncoder, a commercial product designed to do exactly what you want. (disclaimer: I didn't)
Note that if secrets in your code are that important to you, you might want to make it a service (e.g. a Web service) that your customer accesses instead of code you deploy on their systems. But that's an option that may not be viable (or desirable) for you for a zillion different reasons…
It is impossible to encode code in such a way that a machine can execute it, but a human cannot read it. In order for your customers to run the code, the CPU must understand the code. CPUs are much, much stupider than humans, so if a CPU can understand the code, then a human can, too.
The only way to protect your code, is to not give it away. Host the app on your own premises and rent access to it out as a service.
Note that reading your code is illegal, so what makes you think that somebody who has no problem with going to prison to get access to your secrets is going to get stopped by some encoding that can be reverse-engineered anyway? (Note that even if they have the un-encoded source code, they still need to reverse-engineer it anyway, since without access to your source repository and design documents, they have no idea why the code is written the way it is.)
Also, for someone who has no problem breaking the law, bribing one of your employees who knows how the code works is going to be much easier than reverse-engineering the code.
There is no general bytecode format for Ruby. There are several different Ruby implementations; some of them have a bytecode format, some don't. E.g. Opal is a compiler that outputs ECMAScript, no bytecode involved. XRuby was a compiler for the JVM, but it is abandoned. Ruby.NET was a compiler for .NET, but it is abandoned. JRuby is an implementation for the JVM that also includes a compiler. YARV, MRuby, and Rubinius all have different, incompatible bytecode formats; some of those implementations allow loading bytecode from disk, some don't.
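The point made in the answer above, as an added example that is not part of the original posts: on MRI (CRuby 2.3 or later, an assumption about the interpreter in use), `RubyVM::InstructionSequence` can serialize YARV bytecode to a blob, and anyone holding that blob can load and disassemble it with the same API. The source string, method name and license key are constructed sample data.

```ruby
# Added example: YARV bytecode is a serialization format, not a secrecy control.
# SECRET_SOURCE and the license key in it are constructed sample data.
SECRET_SOURCE = <<~RUBY
  def license_valid?(key)
    key == "ACME-1234-CONSTRUCTED"
  end
RUBY

# Vendor side: compile the source and keep only the binary bytecode blob,
# as a "bytecode-only" distribution would.
def compile_to_blob(source)
  RubyVM::InstructionSequence.compile(source).to_binary
end

# Customer side: the interpreter has to be able to load the blob, and the
# API that loads it also prints every instruction, method name and literal.
def disassemble_blob(blob)
  RubyVM::InstructionSequence.load_from_binary(blob).disasm
end

# Pull the quoted string literals out of a disassembly listing.
def literals_in(listing)
  listing.scan(/"((?:[^"\\]|\\.)*)"/).flatten.uniq
end

if __FILE__ == $PROGRAM_NAME
  blob = compile_to_blob(SECRET_SOURCE)
  listing = disassemble_blob(blob)
  puts listing
  puts "Recovered literals: #{literals_in(listing).inspect}"
end
```

The blob is tied to the exact MRI version that produced it, which is the incompatibility between bytecode formats the answer describes; it adds a deployment constraint without hiding the logic.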

What things do Ruby or Rails not handle well? Are there any situations or cases that they're suboptimal for?

I'm trying to come up with things that Ruby (or Rails) either doesn't handle well, or things that are way too hard to do in Ruby.
So far I'm having a tough time, but I figured some people on here MUST know some things that Ruby or Rails don't handle too well.
Anyone?
Ruby is a language. Rails is a framework. Many of the things Rails isn't good at, such as anything not relating to a web framework, Ruby handles with ease.
The other question of what Ruby as a language is not good at is simple. Anything extremely performance intensive is probably better written in C. Ruby won't run natively on most smartphone devices, so mobile apps are out. Ruby is not designed for embedded devices, so powering the next space shuttle launch is also a no-go. Furthermore, the lack of a maternal instinct makes Ruby a bad choice to watch young infants.
There is nothing, it's simply perfect. ;-)
Ok, some downsides:
Ruby has questionable parallelism and threading support. See for more details: http://www.igvita.com/2008/11/13/concurrency-is-a-myth-in-ruby/
Windows support isn't up to par since most Ruby developers simply don't care (like me)
The stuff you'll most commonly hear about scaling issues is a myth. Unless you're making a second twitter perhaps.
There's very little you flat-out couldn't do in Ruby, but there's a few things you wouldn't want to do, mainly involving highly numerical computation. For most of those you could easily write a binding to a C-based API (or some other more performant library.) Image processing, for example, is something that would be dog slow for any non-trivial example in pure Ruby, but you can use RMagick to do it, which is a binding to the much-faster ImageMagick library.
Just about any other use for Ruby is fair game. I've written GUI apps with it, a lot of system services and more one-off scripts than I could count.
Well, it's a framework, so it optimizes for the most common cases. If your app requires unordinary and bizarre things (eg huge performance requirements, needs to use non-Ruby libraries), then Rails might not be suitable.
It seems to me that whenever a company hits these cases (usually performance rather than functionality or integration with other systems) they have to write their own stuff - Google has Big Table, Facebook has their own webserver, etc.
If you're in this position, you're most likely rolling in money and spending some of it to rewrite your code isn't going to be an issue.
However, Rails is great for most normal apps! I don't think it has any gaps that might cause pitfalls in normal cases.

Do we really always need to use a Ruby/Rails plugin?

I've been interested in Ruby and Rails lately, but what I always encounter in blogs/podcasts/books is that they always teach how to use a Ruby or Rails plugin instead of writing one. Do we really always need to use a plugin, even for things like authorization? Authentication? Is it really a waste of time or hard to write from scratch? Then if it is hard and a waste of time, why does Rails say it makes web development less painful?
Or am I wrong about the concept? The goal? Or anything else about Rails? Can anyone guide me?
It can be a good learning experience to write your own tagging system, or authentication system, or what have you. That's one argument for "rolling your own".
The argument for using libraries is the "standing on the shoulders of giants" concept. By using popular, actively-developed libraries, you can be reasonably sure that they're well-tested in multiple production environments and are extremely stable. And it gives you more time to focus on your actual application.
As an example, I would be very wary of writing my own system to process credit card payments when there are already full-featured, well-tested alternatives.
I think it really has to do with edge cases. With something you build yourself, you can think of many of the edge cases up front, but there are just as many that you will not be able to think of until you come to them. That's where the time savings comes in.
That being said, if you don't understand how to write an authentication system, then you should probably write your own. Conceptually you should fully understand how the parts of your app work, and if you don't, writing from scratch is a good way to learn. But with things that you already understand, I recommend using a gem.

How to profile?

I've developed a little screenshot application but I've heard that I should profile my code to see where it's using a lot of resources and stuff.
What is a profiler? what does it do? Where can i get it for free? and How do I use it?
A profiler is a software tool which intercepts and measures every executed code path in a certain run of an application. It stores this information and later reports graphically (or in tables) where your code spends most of its running time, so you can optimize where it really matters.
About where to get one, it depends on your platform/language combination.
What language are you developing in? For C#, check this question.
Any decent C# profilers out there?
Here's one for C++
Decent profiler for Windows?
In fact, check the profiler tag to see all the questions tagged in connection with profilers.
https://stackoverflow.com/questions/tagged/profiler
See:
what-techniques-can-you-use-to-profile-your-code
You didn't say what language you use. For C/C++ (and probably others), free ones are:
gcov
gprof

Can you Distribute a Ruby on Rails Application without Source?

I'm wondering if it's possible to distribute a RoR app for production use without source code? I've seen this post on SO, but my situation is a little different. This would be an app administered by people with some clue, so I'm cool with still requiring an Apache/Mongrel/MySQL setup on the customer end. All I really want is for the source to be protected. Encoding seems a popular way to go for distributing PHP apps (eg: Helpspot).
I've found these potential solutions:
Zenobfuscate - not all types of Ruby code are supported however, so that counts that out
Ruby Encoder - may be the best option, as their PHP encoder looks alright (I haven't tried it however) but it's not available yet. I've used IONcube for PHP before and it worked well, but it doesn't seem that IONcube is interested yet.
Slingshot - it was mentioned in the other SO post, but it solves a different problem to mine and the source is still visible.
RubyScript2Exe - from the doco, it's not production ready, so that counts that out.
I've heard that potentially using JRuby and distributing bytecode might be a way to achieve this, but I've never used JRuby so I'm not sure what's involved.
Can anyone offer any ideas and/or known examples? Ideally I'd love to have some kind of automated build scenario as well.
Your best option right now is to use JRuby. A little bit of background: My company (BitRock) works with many proprietary and commercial open source vendors. We help them package their server software, which is typically based on PHP, Java or Ruby together with a web server or application server (Apache, Tomcat), the language runtime and a database (typically Postgres, MySQL) into a self-contained, easy to use installer. We have a large number of PHP-based customers (including HelpSpot, which you mention) but also several Rails-based ones. In the case of the RoR customers the norm is to use JRuby together with Tomcat or Glassfish although in some cases we also bundle a native Ruby interpreter to run specific scripts that rely on libraries not yet ported to JRuby (usually not core to the application). JRuby has matured quickly and in many cases it actually runs their code faster than regular Ruby. You will need to also consider that although porting your code to JRuby is fairly straightforward, you will need to invest some time on that. You may want to check JRuby Stack which is a free installer of everything you need to get started. Good luck!
If you release the source, obfuscated or otherwise, your app will be pirated. See, for example, Mint. It depends on what you're building, but you may find that you're better off releasing the app as a hybrid of sorts: A hosted app with a well-defined API, and a component that runs on the customer's server. As long as the true value of your product lives on the server side, you don't need to obfuscate your code, and you can just release the source code unmodified. Additionally, this may also give you the opportunity to reach clients running, say, PHP rather than Ruby. See, for example, Google Analytics, HopToad, Scout, etc, etc.
You can, but it wouldn't do anything to prevent somebody from reverse-engineering or modifying it. I remember there was an article about similar attempts to obfuscate Perl and how they could be effectively bypassed by a debugger and 5 minutes of effort.
If you can't wait for the delivery of RubyEncoder, then I think ZenObfuscate is the most promising. Though it may require some modifications to your source code, they do say this on their site:
ZenObfuscate costs $2500 for a site license or is individually negotiable for other licensing schemes. Yes, that is expensive. That was on purpose. But don't let that thwart you too much. If your product is really cool and we want to see it succeed, we'll make it work. "Really cool" is not freecell.
Of course, for $2500 (or more), you'd hope to get a few tweaks to the compiler that'd make your codebase fully supported. It might be worth engaging them in the conversation.
You can also take a look at Mingle from ThoughtWorks studios as an example of using JRuby for this.
It's a Ruby on Rails app, they run it using JRuby. They've customized jruby to load encrypted .rb files.
Take a look at JumpBox.
I've had conversations with them on the topic, and they seem to have a solution that will work soon for Rails apps.
I'm wondering if you could just "compile" the ruby code into an executable using something like RubyScript2Exe ?
To be honest I haven't used it but it seems like it could be what you want, even if it just packages up the scripts with the interpreter into a single executable.
