What's the best practice to protect rails code in a small company?

Hi fellows,

I’m starting a small company developing an SNS website and we are using
RoR. The concern we have right now is that we don’t want each of our
developers to get the entire Rails code base of our project.

To my knowledge, there might be three ideas for potential
technical solutions for us. But since I don’t really have any so-called
industrial experience in web development, I’m looking forward
to some advice.

  1. Encode/encrypt our Rails source code somehow;

  2. Distribute the minimum amount of code to an individual developer as
    needed;

  3. Construct some special architecture for our SNS, like Drupal, so that
    people can develop a “plug-in” or “module” for such a system and one
    developer only needs to know the corresponding APIs for working on his/
    her specific “plug-in”/“module”.

Or, is there any other better way? Or, what mechanism is actually
being used by big commercial companies using Rails, like Twitter?

Thanks in advance!

Regards,
Sean

On 25 February 2011 12:47, Sean W. Liu [email protected] wrote:

Or, is there any other better way? Or, what mechanism is actually
being used by big commercial companies using Rails, like Twitter?

Employ reputable contractors (I presume it is contractors that you are
talking about) and get them to sign non-disclosure agreements.

Colin

Hi Sean,

In my experience, there really isn’t a good way to separate chunks of
code among developers, especially when they’re working in a team
environment (pair programming, etc.). Speaking from a decade of
experience, it causes many more problems than it solves.

I understand you want to protect your intellectual property - that’s
cool. However, being TOO restrictive of it is going to make things
much harder for your staff and really kill progress. Most developers
I know wouldn’t even take the job to begin with if encrypting part of
the codebase during development, or splitting it up was part of the
deal. Anyone who does is, in my opinion, probably not experienced
enough to really know what’s going on, and therefore, probably not
experienced enough to really build something -right-.

That said, here are two other options for you. You could possibly
implement both:

  1. Create a web service based architecture, having one developer be
    responsible for that, and a series of “client” applications that
    connect to the web service. This works great in environments where
    you have disparate technologies that need to communicate regardless of
    what language they’re built in, or what servers they’re on. It’s a
    solid “technology agnostic” approach because all the other developers
    would need to do is interface over HTTP for each “request” to build
    their portions of the application.

  2. Have your developers sign an NDA. Legally speaking, as long as
    your NDA is sound, IF they go off and try to steal your IP, you’ll
    have the necessary proof of a bad faith effort and/or breach of
    contract that you’d need to win in court. Even though you may not be
    able to get a huge chunk 'o change from each individual up front if
    you win, you might be able to take in a portion of their earnings in
    the future. I’m not a lawyer, but I strongly recommend getting a GOOD
    one who knows IP law and has experience creating/administering solid
    NDAs and IP agreements, as well as a good track record for winning
    cases against real IP thieves.

At the end of the day, you really can’t feasibly expect a developer to
build any application - Rails-based or otherwise - without access to
the codebase. It just plain doesn’t work.

Good luck man! Hope things work out for you.

Hi Colin,

Thanks for your advice!

Actually, I was talking about my employees. I understand your point,
which is also part of my plan. But I still want to protect our IP technically.
In my experience, it’s not really a good idea to allow every employee to
get the whole project code repository.

Signing an NDA can obviously show the company’s intention about IP
protection. But sometimes it can be either difficult to prove if someone
leaks our code, or exhausting for a small company to deal with such
lawsuits.

Anyway, I’m looking for some nice technical solutions to this concern.

Sean


Sean W. Liu
NimbRo Group
Institute of Computer Science
University of Bonn
Germany
http://www.nimbro.net
TEL: +49 (228) 8236 9149
Cell Phone: +49 (157) 7616 5080

Hi Phoenix,

Thanks a lot for such a detailed explanation!

I’ve talked to my core team about this issue and we did have similar
conclusions to the ones you suggested. I think you are right. I’ll probably
invest more effort in continuously improving our product and doing better
marketing instead of worrying too much about IP protection.

Thanks again!

Sean


On 26 February 2011 01:51, Weichao L. [email protected] wrote:

On Fri, Feb 25, 2011 at 9:30 PM, Colin L. [email protected] wrote:

On 25 February 2011 12:47, Sean W. Liu [email protected] wrote:

Hi fellows,

I’m starting a small company developing an SNS website and we are using
RoR. The concern we have right now is that we don’t want each of our
developers to get the entire Rails code base of our project.

How would you expect the developers to be able to run the Rails
application to develop for it, if they don’t have the code?

Employ reputable contractors (I presume it is contractors that you are
talking about) and get them to sign non-disclosure agreements.

I agree wholeheartedly. And as a flip side, as a contractor, I would
be highly suspicious of any employer who wanted to start a
relationship by being so suspicious of me that they want to
micro-manage the sections of code I have access to.
Remember Sean, Rails is a nice open OO framework - unless one has
access to jump around and refactor chunks of it, it’s not going to be
easy to work with.

In my experience, it’s not really a good idea to allow every employee to get
the whole project code repository.

Really? Can you explain how you went about it before, please. What
technologies made this possible? What languages and development
methodologies were you using?

Signing an NDA can obviously show the company’s intention about IP
protection. But sometimes it can be either difficult to prove if someone
leaks our code, or exhausting for a small company to deal with such
lawsuits.

Again… as pointed out, if you hire people who are happy to work in
such a restrictive environment, you’re likely to end up with code
that’s not worth stealing (or protecting) in the first place :-/

If you don’t trust your own developers, you have bigger problems than
any obfuscation or compartmentalization scheme can solve.

Find developers that you consider your trusted colleagues and build your
product with them.

- D

Hi Michael,

I just wrote a lot to reply but eventually decided to simply say:
Thanks very much! I think I get your point.

Sean

Hi Danny,

Thanks for your advice!

But please don’t take it the wrong way. An IP protection policy doesn’t
mean a company does not trust its employees! Otherwise, why is there
something called an NDA, right? Why not simply employ the ones you
trust? It doesn’t matter if one joins a company or works in a
university, they will be asked to sign a paper claiming something like
they won’t steal things. At least European and Asian universities and
companies generally do this.

On one hand, IP protection policies are a very common mechanism in an
organization and they definitely don’t mean a company doesn’t trust
its employees; on the other hand, when a company grows fast, how can
somebody promise that you know every applicant so well that you are so
sure that each of them can be trusted equally, even when people are
from different countries with different backgrounds?

Anyway, we are a great team working together and of course we trust
each other. The IP protection techniques we were looking for were meant
for new employees whom we don’t know that well yet.

AND, I wanna thank everyone here for replying to my questions! I did get what
I wanted to know in the first place! Thus, I’m gonna move on to the
dev work and close this thread.

Thanks again!

Regards,
Sean

PS: Danny has some opinions that sound similar to the ones
proposed by Michael. Therefore, I also wanna finish this thread by
rewriting some of my opinions wrt. Michael’s reply. I don’t really
remember what I wrote the first time. I’ll just quickly recap some
of my previous thoughts concerning Michael’s opinions.

=============
Hi Michael,

Thanks very much!

You are right. It’s not a good idea to be suspicious as an employer.
But trying to protect IP != suspicious. Plus, I’m not trying to say we
don’t want anyone to get the entire code base. The core team obviously
has the authorization to touch everything and we only want to get
some kind of control over our new employees to reduce potential risks.
Apparently, IP protection is not something new. Big companies do such
things all the time, not just by asking their employees to sign
some NDA. And we shouldn’t say that those big companies are suspicious
of their employees. It’s just one kind of risk control policy.
Furthermore, I believe code leaks and IP thieves are also not brand
new concepts. And there is one more thing: working environments and
attitudes are sometimes different in different countries. People
sometimes simply can’t really understand such situations thoroughly
if they did not grow up in that environment, a little bit like
different religions.

In short, now I have some rough ideas about web developers’ opinions on
IP protection and I’ll try to fit into the community. Therefore, I
think I will try to be more open.

FYI, I’ve been working on system software and robotics systems which
are usually developed in C/C++ wrt. computer programming. We also
design mechanical and electronic systems. For our projects, we usually
use different techniques for IP protection and our team works well.

=============

Have you people heard of Murphy’s law? Treat your employees well. That
will do.