Hi,
I am exploring using RoR for an enterprise application that needs to be given out to customers, and the two criteria I am looking at are packaging and ease of deployment/upgrade, and protecting source code.
Can someone point me to some references for these two – how are RoR projects packaged and deployed, and if they can be compiled into binaries before distribution.
thanks.
no takers?
The way that you protect your Ruby code is usually by not giving it to anyone. If you provide software as a service, and you keep the secret sauce on your server, that's the ticket. If you want to sell the source code to your customers, guess what -- they can read it, because it's not a compiled language.
Walter
You need to protect the source code with a contract or by keeping it to yourself.
I believe the best method is to use Jruby and to produce a compiled WAR file, combined with some sort of external encrypted licence file…
Don’t dismiss the contractual agreement - pushes the problem to your legal people.
Another idea is providing the software on a virtual machine image. It has the benefit of being a packaging mechanism too.
Peter
Makes me wonder how the current vendors shipping their enterprise apps do it. We are a small shop, legal route will not work for us.
Any references to how JRuby / War packaging works? Have done it with tomcat 7-8 yrs back, latest references/tutorials will help.
thanks!
Sorry, no -- WAR files are not "compiled", and they're nearly always expanded at deployment anyway, so that's pointless.
Sketchy details on these Hobo threads. They are obviously having some success with Jruby.
https://groups.google.com/forum/?hl=en-GB#!searchin/hobousers/war/hobousers/ChkP_ei4h_o/NzH0DPHjP6IJ
"success" at what? Yes, you can certainly run JRuby/Rails from a WAR file. I'm maintaining one such application now.
This does *nothing* to prevent access to your app's source code, as the OP is seeking to do.
Ah…sorry about that. I haven’t used JRuby myself but am planning to.
I remember reading a long time ago that Thoughtworks have devised a method of code protection for their Mingle product, using JRuby. I don’t know how its done though.
There appears to be a free download -- you could take a look and
report back 
(I would but I'm about to shut down to head to the airport.)
Sorry no time. I’m snowed under with work.
But there’s gotta be a way, no? As I understand it, although the WAR file code can be viewed it can’t be changed. If it references some kind of encrypted Java class which needs an external licence file, perhaps that would do it? The licence file could include a customer hardware or name key etc.
I’m keen to find a solution to this too.
Sorry, that's not true. A WAR file is just a packaged (equivalent to tar) directory structure that's usually un-WAR'd on deployment. And you can do anything you want with the contents at that point.
Sorry, that’s not true. A WAR file is just a packaged (equivalent to tar)
directory structure that’s usually un-WAR’d on deployment. And you
can do anything you want with the contents at that point.
Could you give me a reference to building and deploying a WAR for a ruby web app? thanks.
Are you familiar with the Servlet Spec? If not, I'd strongly recommend reading it to understand how a Java web app (and hence a WAR file) is structured.
warbler | RubyGems.org | your community gem host provides the building part, at least for a basic app.
The deployment part somewhat depends on what servlet container you're using, so check the relevant docs. Alternatively you can use something like capistrano with custom recipes.
HTH,
JRuby is indeed your answer.
I used to work for a company that did exactly this. We had an on premise enterprise server we were selling and distributing to clients written in ruby. Yes, we did WAR it all up too, but that's it what you're looking for.
JRuby has the ability to *actually compile* your ruby code into java .class files. This has some clear performance benefits since your rb files aren't being interpreted at runtime anymore, but it also gives you some obvious advantages when your distributing your code.
In my opinion it's the only decent way to distribute ruby. There's loads of documentation on the topic if you look it up.
https://github.com/jruby/jruby/wiki/JRubyCompiler
Also, one other quick word of advice: watch those license agreements in your dependencies carefully.
Much of the awesome open source code we love and enjoy in the ruby community has entire different rules when your distributing it vs running it on a web server. Have your lawyers check it over good. The good news is though that if JRuby also lets you leverage java libraries in your ruby code so you can no doubt find what you need.
Which, it should be pointed out, can be easily de-compiled to reveal
a pretty decent representation of your source code
The OP should note that pretty much all companies distributing their software to end users use licensing agreements to protect proprietary IP, not just obfuscation (via e.g. compilation).
FWIW,
JRuby has the ability to actually compile your ruby code into
java .class files.
Which, it should be pointed out, can be easily de-compiled to reveal
a pretty decent representation of your source code
I am seasoned java developer and have used DJ decompiler and Jad pretty extensively myself. With largest level of obfuscation it takes decent expertise to figure out what those a/b/c/d variables represent and interpret the logic. With ruby even the starters can figure out everything, so I’d be happy if we can achieve at least the level of complexity of java bytecodes for my ruby source.
The OP should note that pretty much all companies distributing their
software to end users use licensing agreements to protect proprietary
IP, not just obfuscation (via e.g. compilation).
Point taken, this is a must, it’s just that it’s not sufficient. There are situations where some large enterprises require highest level of security for their data and they are sensitive about the vendor product being confidential as they know they are not without bugs And I am talking of practical reality and not some mathematically proven RSA algorithm which is open to the public to challenge
That's totally correct, but true with anything you compile and release.
Its no different than what you do with a regular Java app now ...or Flash, or C, or Objective-C, etc.
There are things you can do to obfuscate your compiled code but that too *can* be reversed.
Nothing is fool proof, but providing compiled .class files beats they hell out of handing them your source code in clear text.