Packaging for shipping product made out of RoR

Hi,

I am exploring using RoR for an enterprise application that needs to be given out to customers, and the two criteria I am looking at are packaging and ease of deployment/upgrade, and protecting source code.

Can someone point me to some references for these two – how are RoR projects packaged and deployed, and if they can be compiled into binaries before distribution.

thanks.

no takers?

The way that you protect your Ruby code is usually by not giving it to anyone. If you provide software as a service, and you keep the secret sauce on your server, that's the ticket. If you want to sell the source code to your customers, guess what -- they can read it, because it's not a compiled language.

Walter

You need to protect the source code with a contract or by keeping it
to yourself.

I believe the best method is to use Jruby and to produce a compiled WAR file, combined with some sort of external encrypted licence file…

Don’t dismiss the contractual agreement - pushes the problem to your legal people.

Another idea is providing the software on a virtual machine image. It has the benefit of being a packaging mechanism too.

Peter

Makes me wonder how the current vendors shipping their enterprise apps do it. We are a small shop, legal route will not work for us.

Any references to how JRuby / War packaging works? Have done it with tomcat 7-8 yrs back, latest references/tutorials will help.

thanks!

Sorry, no -- WAR files are not "compiled", and they're nearly always
expanded at deployment anyway, so that's pointless.

Sketchy details on these Hobo threads. They are obviously having some success with Jruby.

https://groups.google.com/forum/?hl=en-GB#!searchin/hobousers/war/hobousers/ChkP_ei4h_o/NzH0DPHjP6IJ

https://groups.google.com/forum/?hl=en-GB#!searchin/hobousers/Torquebox/hobousers/CfznPkeIvlw/2bedQ0np15MJ

"success" at what? Yes, you can certainly run JRuby/Rails from a
WAR file. I'm maintaining one such application now.

This does *nothing* to prevent access to your app's source code, as
the OP is seeking to do.

Ah…sorry about that. I haven’t used JRuby myself but am planning to.

I remember reading a long time ago that Thoughtworks have devised a method of code protection for their Mingle product, using JRuby. I don’t know how its done though.

http://en.wikipedia.org/wiki/Mingle

There appears to be a free download -- you could take a look and
report back :slight_smile:

(I would but I'm about to shut down to head to the airport.)

Sorry no time. I’m snowed under with work.

But there’s gotta be a way, no? As I understand it, although the WAR file code can be viewed it can’t be changed. If it references some kind of encrypted Java class which needs an external licence file, perhaps that would do it? The licence file could include a customer hardware or name key etc.

I’m keen to find a solution to this too.

Sorry, that's not true. A WAR file is just a packaged (equivalent to tar)
directory structure that's usually un-WAR'd on deployment. And you
can do anything you want with the contents at that point.

Sorry, that’s not true. A WAR file is just a packaged (equivalent to tar)

directory structure that’s usually un-WAR’d on deployment. And you

can do anything you want with the contents at that point.

Could you give me a reference to building and deploying a WAR for a ruby web app? thanks.

Are you familiar with the Servlet Spec? If not, I'd strongly recommend
reading it to understand how a Java web app (and hence a WAR file)
is structured.

http://rubygems.org/gems/warbler provides the building part, at least
for a basic app.

The deployment part somewhat depends on what servlet container
you're using, so check the relevant docs. Alternatively you can use
something like capistrano with custom recipes.

HTH,

JRuby is indeed your answer.

I used to work for a company that did exactly this. We had an on
premise enterprise server we were selling and distributing to clients
written in ruby. Yes, we did WAR it all up too, but that's it what
you're looking for.

JRuby has the ability to *actually compile* your ruby code into
java .class files. This has some clear performance benefits since your
rb files aren't being interpreted at runtime anymore, but it also
gives you some obvious advantages when your distributing your code.

In my opinion it's the only decent way to distribute ruby. There's
loads of documentation on the topic if you look it up.

https://github.com/jruby/jruby/wiki/JRubyCompiler

Also, one other quick word of advice: watch those license agreements
in your dependencies carefully.

Much of the awesome open source code we love and enjoy in the ruby
community has entire different rules when your distributing it vs
running it on a web server. Have your lawyers check it over good. The
good news is though that if JRuby also lets you leverage java
libraries in your ruby code so you can no doubt find what you need.

Which, it should be pointed out, can be easily de-compiled to reveal
a pretty decent representation of your source code :slight_smile:

The OP should note that pretty much all companies distributing their
software to end users use licensing agreements to protect proprietary
IP, not just obfuscation (via e.g. compilation).

FWIW,

JRuby has the ability to actually compile your ruby code into

java .class files.

Which, it should be pointed out, can be easily de-compiled to reveal

a pretty decent representation of your source code :slight_smile:

I am seasoned java developer and have used DJ decompiler and Jad pretty extensively myself. With largest level of obfuscation it takes decent expertise to figure out what those a/b/c/d variables represent and interpret the logic. With ruby even the starters can figure out everything, so I’d be happy if we can achieve at least the level of complexity of java bytecodes for my ruby source.

The OP should note that pretty much all companies distributing their

software to end users use licensing agreements to protect proprietary

IP, not just obfuscation (via e.g. compilation).

Point taken, this is a must, it’s just that it’s not sufficient. There are situations where some large enterprises require highest level of security for their data and they are sensitive about the vendor product being confidential as they know they are not without bugs :slight_smile: And I am talking of practical reality and not some mathematically proven RSA algorithm which is open to the public to challenge :slight_smile:

That's totally correct, but true with anything you compile and release.

Its no different than what you do with a regular Java app now ...or
Flash, or C, or Objective-C, etc.

There are things you can do to obfuscate your compiled code but that
too *can* be reversed.

Nothing is fool proof, but providing compiled .class files beats they
hell out of handing them your source code in clear text.