Can you Distribute a Ruby on Rails Application without Source?

I'm wondering if it's possible to distribute a RoR app for production use without source code? I've seen this post on SO, but my situation is a little different. This would be an app administered by people with some clue, so I'm cool with still requiring an Apache/Mongrel/MySQL setup on the customer end. All I really want is for the source to be protected. Encoding seems a popular way to go for distributing PHP apps (eg: Helpspot).
I've found these potential solutions:
Zenobfuscate - not all types of Ruby code are supported however, so that counts that out
Ruby Encoder - may be the best option, as their PHP encoder looks alright (I haven't tried it however) but it's not available yet. I've used IONcube for PHP before and it worked well, but it doesn't seem that IONcube is interested yet.
Slingshot - it was mentioned in the other SO post, but it solves a different problem to mine and the source is still visible.
RubyScript2Exe - from the doco, it's not production ready, so that counts that out.
I've heard that potentially using JRuby and distributing bytecode might be a way to achieve this, but I've never used JRuby so I'm not sure what's involved.
Can anyone offer any ideas and/or known examples? Ideally I'd love to have some kind of automated build scenario as well.

Your best option right now is to use JRuby. A little bit of background: My company (BitRock) works with many proprietary and commercial open source vendors. We help them package their server software, which is typically based on PHP, Java or Ruby together with a web server or application server (Apache, Tomcat), the language runtime and a database (typically Postgres, MySQL) into a self-contained, easy to use installer. We have a large number of PHP-based customers (including HelpSpot, which you mention) but also several Rails-based ones. In the case of the RoR customers the norm is to use JRuby together with Tomcat or Glassfish although in some cases we also bundle a native Ruby interpreter to run specific scripts that rely on libraries not yet ported to JRuby (usually not core to the application). JRuby has matured quickly and in many cases it actually runs their code faster than regular Ruby. You will need to also consider that although porting your code to JRuby is fairly straightforward, you will need to invest some time on that. You may want to check JRuby Stack which is a free installer of everything you need to get started. Good luck!

If you release the source, obfuscated or otherwise, your app will be pirated. See, for example, Mint. It depends on what you're building, but you may find that you're better off releasing the app as a hybrid of sorts: A hosted app with a well-defined API, and a component that runs on the customer's server. As long as the true value of your product lives on the server side, you don't need to obfuscate your code, and you can just release the source code unmodified. Additionally, this may also give you the opportunity to reach clients running, say, PHP rather than Ruby. See, for example, Google Analytics, HopToad, Scout, etc, etc.

You can, but it wouldn't do anything to prevent somebody from reverse-engineering or modifying it. I remember there was an article about similar attempts to obfuscate Perl and how they could be effectively bypassed by a debugger and 5 minutes of effort.

If you can't wait for the delivery of RubyEncoder, then I think ZenObfuscate is the most promising. Though it may require some modifications to your source code, they do say this on their site:
ZenObfuscate costs $2500 for a site license or is individually negotiable for other licensing schemes. Yes, that is expensive. That was on purpose. But don't let that thwart you too much. If your product is really cool and we want to see it succeed, we'll make it work. "Really cool" is not freecell.
Of course, for $2500 (or more), you'd hope to get a few tweaks to the compiler that'd make your codebase fully supported. It might be worth engaging them in the conversation.

You can also take a look at Mingle from ThoughtWorks studios as an example of using JRuby for this.
It's a Ruby on Rails app, they run it using JRuby. They've customized JRuby to load encrypted .rb files.

Take a look at JumpBox.
I've had conversations with them on the topic, and they seem to have a solution that will work soon for Rails apps.

I'm wondering if you could just "compile" the Ruby code into an executable using something like RubyScript2Exe?
To be honest I haven't used it but it seems like it could be what you want, even if it just packages up the scripts with the interpreter into a single executable.

Related

Possible to compile/encode Ruby to binary to hide code?

My Ruby on Rails app of course contains all business logic and algorithms, and if I install this on a customer's server, then they can read my source code, which I want to keep as secret as possible to protect my business.
PHP has several tools which can take the PHP project and encode it into bytecode, which is exactly what I would like to be able to do for Ruby on Rails.
There are several Ruby on Rails packers, which just bundle it all into an executable, but the plain Ruby source code is still in there.
Question
How to protect your Ruby on Rails source/product when it is installed on a customer's server?
There are a few Ruby code obfuscators, that you couple with a packer, to produce something that is at least reasonably hard to reverse-engineer.
If protecting your code is a business need, you might want to try RubyEncoder, a commercial product designed to do exactly what you want. (disclaimer: I didn't)
Note that if secrets in your code are that important to you, you might want to make it a service (e.g. a Web service) that your customer accesses instead of code you deploy on their systems. But that's an option that may not be viable (or desirable) for you for a zillion different reasons…
It is impossible to encode code in such a way that a machine can execute it, but a human cannot read it. In order for your customers to run the code, the CPU must understand the code. CPUs are much, much stupider than humans, so if a CPU can understand the code, then a human can, too.
The only way to protect your code, is to not give it away. Host the app on your own premises and rent access to it out as a service.
Note that reading your code is illegal, so what makes you think that somebody who has no problem with going to prison to get access to your secrets is going to get stopped by some encoding that can be reverse-engineered anyway? (Note that even if they have the un-encoded source code, they still need to reverse-engineer it anyway, since without access to your source repository and design documents, they have no idea why the code is written the way it is.)
Also, for someone who has no problem breaking the law, bribing one of your employees who knows how the code works is going to be much easier than reverse-engineering the code.
There is no general bytecode format for Ruby. There are several different Ruby implementations, some of them have a bytecode format, some don't. E.g. Opal is a compiler that outputs ECMAScript, no bytecode involved. XRuby was a compiler for the JVM, but it is abandoned. Ruby.NET was a compiler for .NET, but it is abandoned. JRuby is an implementation for the JVM that also includes a compiler. YARV, MRuby, and Rubinius all have different, incompatible bytecode formats; some of those implementations allow loading bytecode from disk, some don't.
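The limits described in the answers above, shown on MRI's own bytecode as an added example (not code from any of the posts). It assumes MRI/YARV 2.3 or later, where `RubyVM::InstructionSequence#to_binary` and `.load_from_binary` exist; `SAMPLE_SOURCE` and the helper names are constructed for illustration. The serialised form runs without the `.rb` text, yet the VM still lists its method names and literals on request.

```ruby
# Constructed sample standing in for proprietary business logic.
SAMPLE_SOURCE = <<~RUBY
  def partner_discount(total, tier)
    tier == "GOLD-PARTNER" ? total * 15 / 100 : 0
  end
RUBY

# "Encode" the source the way a bytecode-only distribution would:
# compile to YARV instructions and serialise them; no .rb text is shipped.
def compile_to_bytecode(source)
  RubyVM::InstructionSequence.compile(source).to_binary
end

# What anyone holding only the binary can ask the VM for: a listing of
# every instruction, method name and literal in the compiled code.
def recover_listing(binary)
  RubyVM::InstructionSequence.load_from_binary(binary).disasm
end

# Report which of the given names/literals are still visible in that listing.
def visible_in_listing(binary, names)
  listing = recover_listing(binary)
  names.select { |name| listing.include?(name) }
end

# The binary is still executable without the source: evaluating it
# defines partner_discount exactly as the original file would have.
def run_bytecode(binary)
  RubyVM::InstructionSequence.load_from_binary(binary).eval
end

if __FILE__ == $PROGRAM_NAME
  binary = compile_to_bytecode(SAMPLE_SOURCE)
  puts "bytecode size: #{binary.bytesize} bytes"
  puts "still visible: #{visible_in_listing(binary, %w[partner_discount GOLD-PARTNER])}"
  run_bytecode(binary)
  puts "partner_discount(1000, \"GOLD-PARTNER\") = #{partner_discount(1000, 'GOLD-PARTNER')}"
end
```

Treat a bytecode-only build as a packaging choice when assessing it: the business rule and its constants remain readable to whoever controls the machine it runs on.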

Developing Ruby and Rails in Windows? Or Linux VM

I've been doing front end web work for a while. I maintain several company websites and etc, mostly on Joomla. I'm getting bored with it and I really want to expand in to development. I have a few web app ideas for the company and some personal stuff I'd like to do.
I've decided I want to learn Ruby and Rails and have been pursuing it for about a month now. I read a lot of tutorials and work through stuff I find online. I'm also diving in to git and trying to use it more.
I feel like Windows is not going to be conducive to me getting efficient at this. I know that you can, and some do, develop in Windows but I'm wondering if it's time for me to move past it.
I picked Ruby to be my first real programming language because of the simplicity I read about, for both Ruby and RoR, and I want to be able to learn a language that will let me build apps and web apps that are cross platform.
On to the problem, I can't immerse myself completely in a Linux world. I have to have Photoshop and InDesign for part of my job. So I'm thinking maybe I should just do a live USB key install and take it back and forth between work and home. Is that a better solution than dual booting for what I want to do? I also realize that a Mac would give me the best of both worlds, but I am budget constrained and I can't make that leap yet.
Also, is there a good place to hang out to learn more? I have paid codeschool and tutsplus accounts. Should I be back on IRC? What do you think? I'm looking for guidance more than anything I guess. I feel kind of lost on where to go, how to not waste time and start developing real skills. Thanks.
You should also check out the Vagrant project which creates headless (non-GUI) VMs and makes it easier to work with your files, etc. in Windows while the code actually gets run on the Vagrant VM. Also, since it's headless, the graphical UI isn't eating up resources and has less impact on your host machine.
Check out these resources:
http://www.vagrantup.com/
http://blog.dcxn.com/2013/07/12/introduction-to-vagrant-for-rails-developers/
http://railscasts.com/episodes/292-virtual-machines-with-vagrant
Also, if you're learning Rails, you MUST check out Railscasts http://railscasts.com/
The last thing I knew about this is that:
In Linux you can use RVM which handles pretty well everything about your Ruby environment. In Windows I tried pik, but it does not have support to install newer Rubies.
Also, Linux console is much friendlier than Windows one, regarding appearance and functionality. I have explored console2 for Windows, but it did not feel so comfortable that time.
In Linux you have plugins like oh-my-zsh which allow you to speed up your development. But maybe there are plugins of this kind for Windows.
Other than those, I don't know why you should choose Linux VM.
I've developed a Rails app under Windows, and it turned out to be a huge mistake. Near the end of the development, I had to make my webapp multithreaded. The default Rails server does not allow multithreading, and all the alternative servers are either Linux-only, or I couldn't get them to work.
I also considered using JRuby (because Java threads), but by then my app was too big to convert to JRuby (there are some syntax differences that I couldn't track, and I relied on some gems that don't work on JRuby). However, if you go for JRuby from the beginning, you might be able to pull it off.

Is it a good idea integrating ruby frontend with java backend for rules-engine based software?

I am writing an application where the webapp will be Rails and it will allow a user to input rules/ruby-logic and save them to the database. Later on, Java will come along and grab these rules (if/else/elseif) and will execute them via the JRuby engine. I am wondering about the negatives and possible side-effects of this? And having two languages here?
I want to do a Rails front-end because of the available plugins, and speed of development of webapps. For example, Groovy doesn't have as many plugins and I believe that it's much slower in development.
Am I missing anything, or possible logic that may be hurtful in the future if I choose this solution?
In addition I think since ruby is dynamic it will be easier for the user to input rules via a 'ruby' syntax instead of another third-party library like bean shell.
I feel like most complex applications end up needing several languages eventually, usually interfacing through the DB as you're planning. I'm not sure what constraint leads you to Java on the backend rather than Ruby (guessing legacy or performance), but if that's a requirement then your plan sounds reasonable.
As far as negatives/side-effects, JRuby seems to lag a bit behind the latest Ruby, but that's not generally a big deal as long as you match versions for the UI & backend. I can't think of anything that would be harmful in this off the top of my head, but the devil is always in the details ;-)

Encoding Ruby on Rails code?

Are there any applications out there that will let me encode my Ruby on Rails code so others can't read it? I plan on selling a few small applications, but I really don't want everyone knowing my code.
Thanks.
Only example I have seen in the wild is Mingle from ThoughtWorks, which runs on JRuby, which I think they must have modified in some way to run the encrypted code.
http://www.thoughtworks-studios.com/mingle-agile-project-management
I think they may have used something like this AOT compiler:
http://kenai.com/projects/jruby/pages/RailsAOT
This also looks promising:
http://www.infoq.com/news/2008/10/rubyencoder
Check out this answer for other ideas.
Can you Distribute a Ruby on Rails Application without Source?
If you want people to be able to run your code (and if you don't, then why did you write it in the first place?), then their CPU needs to be able to execute your code. In order to be able to execute the code, the CPU needs to be able to understand it.
Since CPUs are dumb, and humans aren't, this means that humans can understand the code as well.
The only way you can protect your code through technical means, is if you "own" the entire execution path: you need to build your own CPU, your own computer, write your own operating system and your own Ruby interpreter. Then, and only then can you protect your code. (But note that even the tiniest mistake will render all of your protections useless. Microsoft, Apple, Sony, the Music Industry and the Movie Industry can attest to that.)
Or, you could just do nothing, which means that your code will be automatically protected by copyright law.
Thanks for all your answers! Currently I'm looking at JRuby and Ruby Encoder options but if I find neither are what I want then I think I should just sell the code and focus more on getting customers. It really doesn't make sense to spend all this time and money on an encryption that can be easily cracked anyways.
Maybe you could host the application yourself.
This way nobody will ever have access to your code and your clients will use the application everywhere via the Internet and also will pay you for the support.
In order to host a Rails application the easiest way, you could try http://heroku.com/ or even set up a small VPS with Apache and mod_passenger.
No, there is no way to have executable code that can't be read. Hard to read yes, impossible to read is... impossible. Best you can do is obfuscate, of which there are many examples around the net (but I don't know of any libraries that do it for you).

Plugin architecture for rails cms

I'm working on a CMS and wanted the ability to offer custom extensions for certain accounts. Like having a plugin with custom code that is only available or only used by that account. These custom extensions would be specific to the business needs of an account and perhaps unlikely that any other accounts would need it, but maybe. Is there a way that this could be done and to be loaded without having to restart the whole app, thereby creating downtime for the other accounts?
In terms of per-client plugin code, you could store the code in a data model and then eval() the code to dynamically execute it. (Of course you would want to do some serious sanity-checking / scrubbing on update to ensure the code does not contain malicious calls). Another approach could be to develop a custom tag library, much along the lines of what the Radiant CMS developers have built ... and then let your users "program" their behaviour using the tags provided. This gives you more control and better security at the expense of less flexibility.
In terms of the downtime question, if you are using a modern Rails deployment approach I don't see how this should be an issue. The eval() approach above doesn't require a restart (unless your custom code calls "include ..." on libraries that are not installed at the time of the last boot - but getting these libraries installed is also an "out of band" problem that you would need to solve).
Passenger gives you the restart.txt file that you can touch to force a refresh. Similarly there are recipes for mongrel (like see saw) that allow you to progressively restart your mongrel stack to avoid downtime. I would pull these two issues apart mentally if I were you, as the dependencies between the two are not that great. Hope this helps.
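The tag-library idea from the answer above (and the stored-rules design asked about in the rules-engine question earlier on this page), as an added Ruby example that is not code from any of the posts: rules are kept as JSON data and interpreted against an operator allowlist instead of being passed to `eval`. The rule format, operator names, `RULES` and `ACCOUNT` are assumptions constructed for illustration.

```ruby
require "json"

class RuleError < StandardError; end

# The only operators a stored rule may name. Rules are data, never Ruby
# source, so nothing outside this table can be reached from the database.
OPERATORS = {
  "eq" => ->(a, b) { a == b },
  "gt" => ->(a, b) { a > b },
  "lt" => ->(a, b) { a < b },
  "in" => ->(a, b) { b.include?(a) }
}.freeze

def list(value)
  raise RuleError, "expected a list" unless value.is_a?(Array)
  value
end

# Evaluate one condition node against a record (Hash with string keys).
def check(node, record)
  raise RuleError, "condition must be an object" unless node.is_a?(Hash)
  return list(node["all"]).all? { |n| check(n, record) } if node.key?("all")
  return list(node["any"]).any? { |n| check(n, record) } if node.key?("any")
  op = OPERATORS[node["op"]] or raise RuleError, "unknown operator #{node['op'].inspect}"
  raise RuleError, "unknown field #{node['field'].inspect}" unless record.key?(node["field"])
  op.call(record[node["field"]], node["value"])
rescue NoMethodError, ArgumentError => e # operand type mismatch, e.g. "abc" > 5
  raise RuleError, "bad operand: #{e.message}"
end

# Return the action names of every rule whose condition matches. The caller
# maps those names onto its own fixed set of handlers.
def apply_rules(rules_json, record)
  rules = list(JSON.parse(rules_json))
  matched = rules.select do |rule|
    raise RuleError, "rule must be an object" unless rule.is_a?(Hash)
    check(rule["when"], record)
  end
  matched.map { |rule| rule["then"] }
end

# Constructed sample: two tenant rules as they might sit in a database column.
RULES = <<~JSON
  [{"when": {"all": [{"op": "eq", "field": "plan", "value": "pro"},
                     {"op": "gt", "field": "seats", "value": 10}]},
    "then": "show_bulk_export"},
   {"when": {"op": "in", "field": "region", "value": ["eu", "uk"]},
    "then": "show_vat_field"}]
JSON
ACCOUNT = { "plan" => "pro", "seats" => 25, "region" => "us" }.freeze
```

`apply_rules(RULES, ACCOUNT)` returns `["show_bulk_export"]`; a rule naming any operator outside the table raises `RuleError` at evaluation time, so the same check can run when the rule is saved.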
I built a CMS and added plugin support for it. Best thing you can do is have it be all database driven, the plugin exists for everyone, technically, but you can only make use of it if you've "purchased" it, or some other way of turning it on, which is really just a db record.
That'd be 0 downtime. :) Then again, I have no idea what the rest of your setup looks like. I'd think your solution is going to be pretty specifically tailored to your cms system design.
How long would this downtime be really? I mean running migrations and stuff would be a pain for a system that allows any Tom, Dick or Harry to upload a plugin. You'd have to verify that the migrations were set up correctly etc. If you aren't getting that 'fancy' and just allow them to do something 'neat' in JS, then I guess it's a question of restarting Passenger, which is what, 5 secs?
I'd check out other 'famous' CMSs like Radiant or something to see if/how they do it, personally. Good luck.
I'm not sure if this is exactly what you are trying to achieve, but have you checked out Pancake?
Pancake is a tool & framework to let you stack and loosely couple Rack-based webapps.
http://www.rubyinside.com/pancake-rack-webapps-stacking-2863.html
