Protecting Source Code

Alex Martelli aleax at aleax.it
Fri May 9 09:49:25 EDT 2003


Bo M. Maryniuck wrote:

> On Friday 09 May 2003 13:53, Alex Martelli wrote:
>> Selling a product doesn't mean you must install all executable code
>> on customer machines.
> 
> Hmm. I was just thinking... Well, yes and no: if you install on YOUR
> website something very important, you SHOULD be responsible for making it
> work all the time. And the other side of the bad thing is, who wants to pay
> for a standalone product without a "heart"? I.e. I am a customer. And what
> will become of MY business, if you simply DIE in the market as a

You have basically the same problem if you have bought "a bag of bits"
WITHOUT source-code access and the company that's sold it to you goes
under.  Eric Raymond makes the point quite tellingly by pointing out
the bins of 'cut-rate software' in the PC shops -- some application
that might have cost hundreds of dollars going for say $10 (and staying
unsold at that price) because its maker has failed.

The solution, of course, is *source-code escrow* -- at least, it is
_one_ solution, and quite a popular one.  Source code is deposited at
some trusted agency who shall keep it under lock and key unless and
until certain conditions apply, and if and when those conditions do
apply (e.g. the producing company fails, or goes into chapter 11, or
whatever else was previously agreed) the source code is released to
the buyer, who also gains some connected rights (e.g. to perform
modifications and corrections or have them performed by third parties
for their own use).

Source-code escrow, clearly, works just as well whether all the 'bits'
derived from that source code were originally delivered to the customer,
or whether some of those bits were 'held back' and only running as a
webservice on the supplier's site.

Yes, of course under such an arrangement the supplier must undertake
a best-effort attempt to keep the site up at all times, just as it
must in any case undertake to have all software it supplies working
correctly at all times (guaranteeing site availability is obviously
far easier than guaranteeing lack of bugs in the software, of course,
since it's easy to provide redundancy from multiple hosting providers
and so on).  But there are compensating advantages (quite apart from
"source code protection" issues), e.g., software upgrades become WAY
easier and smoother than when all software is physically deployed at
customer sites.

I think that in most cases making the sources available to the
customer under suitable legal arrangements is probably a better
business model.  But holding back key parts of the code thanks to
a webservice arrangement is surely also feasible.

> company? :| Yes, you will probably answer me with the question "Who is
> stupid enough to buy a product from a company which WILL die?" ;-) But
> that's another story I think.

I don't follow you.  How can anybody predict what companies will be
alive, say, five years from now?  That's in good part why source-escrow
arrangements are so popular.


>> I'm not sure what you're driving at.  If there are exploitable security
>> holes, an untrustworthy bank employee can no doubt enrich himself or
>> herself if he or she can find and exploit them.
> 
> Probably more in theory... Yes, they do this for sure: several different
> companies try to crack/find bugs/ etc. But in practice (and in the Bible)
> human knowledge != God's knowledge. Samba for Linux is an example:
> everybody (who wanted to) had access to the code and could examine it. But
> as a result: there was a very big hole for 8 years and nobody found it before!

Yes, an unusual example.  Normally, software whose source is available
for public inspection is less likely to have such bugs remain unnoticed.
But, it CAN happen  -- it's just less likely.


>> You can reproduce everything (at a cost) without needing to examine
>> source
>> code for the purpose.  If all you have is an idea, and it's not
>> patentable, and you can't get serious savings in terms of first-mover
>> advantages,
>> network effect, and the like, you won't survive in the market, sure. 
>> That has precious little to do with "protecting source code", though.
> 
> Fully agree with you here. OTOH (I am still just thinking, don't bite me!
> :-), as a counterexample -- IBM is still selling a very old product: IBM MQ
> Series. The product is pure crap, has a Lisp-like scripting language where
> you should type everything in UPPERCASE, processes sometimes do not work at
> all, but this stuff is still on the market. ;-)

I think the "first-mover advantages" may apply here.  If the market was
large and lucrative enough somebody would clone the product and offer the
clone for sale cheaper, of course.  But sometimes the market just sticks
with the original producer (first mover) for all sorts of reasons (some
of them having to do with 'network effect' in the economic sense).  Source
code protection, allegedly the subject of this thread, has little to do
with it -- cloning can easily be a "clean-room operation" anyway, it does
not have to rely on inspecting competitors' sources.


Alex
