Protecting Your Code While Allowing Source Access? 553
foo_48120 asks: "My small development shop, myself and four employees, is taking on a fairly large job that will run a substantial part of the clients business. To protect themselves they want the source code to the project. Frankly I don't blame them. We bid aggressively to get them to underwrite our own efforts to build this code, which we plan to resell again and again. That is the basis for our company.
I have no problem with them holding the source but need to make it clear that we own the code and that they have a license to use it in their business. They may at their discretion hire others to modify the code, but would still be required to pay their maintenance contract and be prohibited from reselling it or using it to run an additional business. How do you provide open source without escrow, yet protect what we are documenting up front as out intellectual property rights in the ownership of this code?"
Of course third party developers may break things and we would not be responsible for that or for fixing it without further renumeration.
Ideally, if we make them happy then we will do all future upgrades and add on modules as well. I am not worried about that. I do want to know if anyone has experience in the writing of such a licensing agreement? Perhaps they could provide me with a sample copy of their text?
Let's leave aside for now the issue of totally open source vs. closed source. There are times when you want the product to be proprietary as we do, however I want them to feel comfortable using our code so that if a proverbial plane were to fly into our building and wipe us all out then they don't go down the tubes with us."
I would make two version of the tree (Score:1, Interesting)
You just need to write an obfuscator then, something that takes the inhouse code and changes variable names and adds bogus modules and subroutines.
Pretty smart!
I bought source MANY times for vast amounts of $ (Score:2, Interesting)
I have FULL source to the entire PRIME operating system (Primos), and full source to many things I ran on that mini-computer mainframe.
I had full source to ADP's Manage 2000 system. (over 100,000 dollars per copy per machine)
All sorts of things.
I did some amazing hacks and rewrote some crital bits, but mainly I wanted the source because only an idiot would trust a rinky dink outfit like yours to follow up on an escrow arrangement if you went belly up.
deal with it.... your precious source means NOTHING to the customer but comfort. YOu can salt it with lots of identifying special lines and variable names and sue for millions if they ever give it to someone that cares about your damned source.
No one is going to exploit you... they will merely see if you are billing correctly for mods.
Trust (Score:5, Interesting)
The only thing I can think of that might work would be to add extensions to the language you use (like extra keywords) and provide your own closed-source compiler, which is hobbled so it only works on the original system, perhaps with some kind of hardware dongle, or net connection that connects to your server to verify the compiling machine's serial number and some cryptographic key.
This wouldn't prevent it from being hacked, but it might make it difficult enough to make the prospect less likely.
too late? (Score:2, Interesting)
Re:Sometimes I fail to understand people (Score:2, Interesting)
Then again, I could be completely wrong here.
How about partial code??? (Score:1, Interesting)
Re:Three words: (Score:3, Interesting)
The other company was worried about us being able to finish the project to their specifications. We'd develop a contract with them, send it to them, and their lawyers would change it to basically ensure that we would at some time be in breach of contract. If that happened they would get the source code. We were already willing to share the code with them as part of the deal so long as they didn't resell it or market it themselves. No need to get hostile about it. We learned quite rapidly that only lawyers can fight lawyers (without massive time committments on our part), and by spending the extra money on a good set of lawyers, including an IP specialist, we saved ourselves lots of future headaches and problems.
In the end we ended up not doing business with the company, and we lost the sale and opportunity. The other business spent ten times what we would have charged to implement a generic software package for their needs, and to cutomize that package to work with their business. Do I feel bad about it? Yeah -- it sucks to lose business like that, and it was a good opportunity. But I would have felt much worse if I hadn't involved expert lawyers along the way to protect us and explain what the other side was trying to do (the good parts along with the bad things they were doing).
Add a distribution clause (Score:3, Interesting)
An honest client simply needs to know the rules. If they are unsure of your intent, their lawyer will ask you to clarify.
Even if you got a lawyer to write it, a crook isn't going to care...
Comment removed (Score:3, Interesting)
Printouts, PDF & Auto Contract Breach Detectio (Score:2, Interesting)
I think the solution will have two parts:
a) A method of delivering the source code in a form that does not make it easy to just type "make".
b) A method of determining if the contract has been breached (i.e. if the software is modified without the maintenance fee being paid, or if the software is sold on to other companies).
My solution to part a) is to deliver the source code in one of two forms:
1) Deliver the code as printouts -- it will be a real effort to get someone to hand-type the code back in. There are also method of ensuring that it is difficult to copy the paper (e.g. for OCRing), such as making the text background very close to that of the actual text. I know there is a book out there somewhere on this topic, but I can't remember what it is called or who it is by.
2) Deliver the code in electronic form, but in a format such as PDF where the viewer's rights to print, copy-paste etc. have been disabled, and the file is encrypted. I know PDF isn't madly secure, but it may be better than nothing.
To answer the second part (how to determine if the code has been tampered with in ways that are against the terms of the contract), I suggest:
1) Make the software send a data packet back to you when the software is used with as much information as possible (IP addresses etc.). You should monitor these packets, and if there is a change in the software's usage pattern (e.g. the packets start arriving from significantly different IP numbers, usage increases 10-fold overnight) then you know something's amiss.
2) In these packets include a checksum of the code, so that you know if the code has been changed.
However, make sure that the customer knows that they cannot resell the code or alter it without paying you a maintenance fee, they are happy with it, and make sure that they are heppy with the way that you will deliver the source code, but refuse to deliver code in a way that makes it easy for them to screw you over. Make sure that the customer is happy with the data that will get sent back to you.
Now, if anyone can see any faults with this...
Re:Copyright Law... (Score:3, Interesting)
It doesn't accord to the principles of copyright law, of the UCC, or even particularly to contract law. It's probably bunk, and it's utterly useless.
Sadly, there's been no serious test case. There is no willingness of developers to risk finding out that EULAs are garbage and that they've been outright selling software all this time, and too few purchasers that are otherwise acting in accordance with the copyright laws.
Personally, I have no respect for licensure that interferes with copyright policy. A license that grants me a right that I wouldn't have if I just bought the work, or which occurs in a transaction that is distinguishable from a mere sale of the work -- that's all I can see being acceptable.
Have you read the Softman case? It's not squarely on point, but it gets mighty close. Bobbs-Merril _is_ directly on point, OTOH, and comes out 100% against the licensor.
Software is no different than books, CDs, movies, or any other copyrighted work. It's not generally licensable.
GPL (Score:3, Interesting)
We only charge access to the cvs server (basically a subscription).
This is for companies who find they want to manage the code themselves, or hire thier own programmers.
IN the end though, you still need programmers. Whether it be us, or someone else, they will have to contribute those changes back into the community.
So, many companies stick to component subscriptions, and then use the API's against software they write explicitly, which is private.
Very similiair to what Nvidia does right now with XFree86.
The company gets too keep thier software process unique, and fundamental to thier business edge. (i.e. nobody can buy the process they use...)
While at the same time, the components they use to power that software get updates from said company to our cvs server for others to use.
Very nice arrgangement. I haven't found any company yet that has had an issue with the GPL cvs server arrangement we use.
We are a component company.
-hack
use the law (Score:2, Interesting)
There are actually already laws that protect your interests in this situation.
You see, when you write code, you are automatically grated what is called a "copyright" to said code. This means that no one but you can make copies the code. There are of course exceptions for certain purposes such as commentary, parody, personal use, backups etc, but in general, as long as you own the "copyright", only you are going to be able to distribute and/or sell the code.
So go ahead and give your customer a copy of the code if they want, up the price while you are at it, (software with code is more valuable that without) but make sure that they understand you are retaining your "copyright" to the code.
And make them get a bond to back up their word (Score:3, Interesting)
It's a hell of a lot more bulletproof than the courts, and oftentimes bond issuers will make them put up some hard assets as collateral (property, buildings, tools, or a big cash percentage) which is no big deal if they're honest, but fucks them right in the ass if they're not.
The bond issuer will be legally required to pay the bond based upon the contract surrounding the bond's payment terms, but they don't care that much since they've got the pink slip to the factory. Sure, they'd rather not liquidate the factory, but that's the business they're in and they're good at it.
Jury trials are a huge hassle, and even if you're right you don't always win, and even if you win you lose due to costs, delays and lame jury awards (contract to Republican fear mongering, they're not always generous).
Experience from the other side (Score:2, Interesting)
I can't find the license at the moment, but it let us modify the source (but they would only support their versions), and even sell systems based on our modified source - provided we did not sell on any platforms that H&A supported. We had to pay H&A a one time fee for each system we sold based on our modified source.
The motivation for H&A was that our first modification was porting their system to our platform (Motorola SysV88). Thus, each system we sold was gravy for them. We also shared enhancements for a few years, then H&A went out of business (due to the market for Series/1 conversions drying up). Boy, were we glad we had a source license!
That source is still running. Our systems run the EDX VM as a subsystem under a Java VM, and the EDX "screens" display on a Java widget. The EDX code gets gradually rewritten, although I wish it would disappear faster . . .
Re:use the law (Score:3, Interesting)