What's the best practice to protect rails code in a small company?

Hi fellows,

I'm starting a small company developing an SNS website and we are using RoR. The concern we have right now is that we don't want each of our developers to get the entire Rails code base of our project.

To my knowledge, there might be three ideas for potential technical solutions for us. But since I don't really have any so-called industrial experience in web development, I'm looking forward to some advice.

1. Encode/encrypt our Rails source code somehow;

2. Distribute the minimum amount of code to an individual developer as needed;

3. Construct some special architecture for our SNS like Drupal, so that people can develop a "plug-in" or "module" for such a system and one developer only needs to know the corresponding APIs for working on his/her specific "plug-in"/"module".

Or, is there any other better way? Or, what mechanism is actually being used by big commercial companies using Rails, like Twitter?

Thanks in advance!

Regards, Sean

Employ reputable contractors (I presume it is contractors that you are talking about) and get them to sign non-disclosure agreements.

Colin

Hi Sean,

In my experience, there really isn't a good way to separate chunks of code among developers, especially when they're working in a team environment (pair programming, etc.). Speaking from a decade of experience, it causes many more problems than it solves.

I understand you want to protect your intellectual property - that's cool. However, being TOO restrictive of it is going to make things much harder for your staff and really kill progress. Most developers I know wouldn't even take the job to begin with if encrypting part of the codebase during development, or splitting it up was part of the deal. Anyone who does is, in my opinion, probably not experienced enough to really know what's going on, and therefore, probably not experienced enough to really build something -right-.

That said, here are two other options for you. You could possibly implement both:

1) Create a web service based architecture, having one developer be responsible for that, and a series of "client" applications that connect to the web service. This works great in environments where you have disparate technologies that need to communicate regardless of what language they're built in, or what servers they're on. It's a solid "technology agnostic" approach because all the other developers would need to do is interface over HTTP for each "request" to build their portions of the application.

2) Have your developers sign an NDA. Legally speaking, as long as your NDA is sound, IF they go off and try to steal your IP, you'll have the necessary proof of a bad faith effort and/or breach of contract that you'd need to win in court. Even though you may not be able to get a huge chunk 'o change from each individual up front if you win, you might be able to take in a portion of their earnings in the future. I'm not a lawyer, but I strongly recommend getting a GOOD one who knows IP law and has experience creating/administering solid NDA's and IP agreements, as well as a good track record for winning cases against real IP thieves.

At the end of the day, you really can't feasibly expect a developer to build any application - Rails-based or otherwise - without access to the codebase. It just plain doesn't work.

Good luck man! Hope things work out for you.
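The service-boundary layout Phoenix sketches in option 1, as an added example that is not part of the original thread and not code from any of the posters: a tiny "core" HTTP service built only on Ruby's standard library, and a client that talks to it purely through the published contract (URL shape plus an `X-Api-Token` header). A client developer working against this contract never needs the service's own code or data. The route, the token value and the profile records are all constructed for the demo, and the token check is a placeholder for whatever per-client credential a real deployment would issue.

```ruby
require 'socket'
require 'json'
require 'net/http'
require 'uri'

# Constructed sample data owned by the core service; it never leaves the service process.
PROFILES = {
  1 => { 'id' => 1, 'name' => 'alice', 'bio' => 'likes rails' },
  2 => { 'id' => 2, 'name' => 'bob',   'bio' => 'likes erlang' },
}.freeze

# Hypothetical shared secret for the boundary (constructed value; a real deployment
# would issue one per client application and rotate it).
API_TOKEN = 'constructed-demo-token'.freeze

# Service side. The whole contract a client developer needs is:
#   GET /profiles/:id   with header   X-Api-Token: <token>
#   -> 200 + JSON profile | 401 bad token | 404 unknown route or id
def handle_request(method, path, headers)
  return [401, { 'error' => 'unauthorized' }] unless headers['x-api-token'] == API_TOKEN

  match = %r{\A/profiles/(\d+)\z}.match(path)
  return [404, { 'error' => 'not found' }] unless method == 'GET' && match

  profile = PROFILES[match[1].to_i]
  profile ? [200, profile] : [404, { 'error' => 'not found' }]
end

REASONS = { 200 => 'OK', 401 => 'Unauthorized', 404 => 'Not Found' }.freeze

# Minimal HTTP/1.1 listener on a loopback ephemeral port; returns the port number.
# Reads the request line and headers, dispatches to handle_request, answers with JSON.
def start_service
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  Thread.new do
    loop do
      client = server.accept
      begin
        request_line = client.gets
        if request_line
          method, path, _version = request_line.split(' ')
          headers = {}
          while (line = client.gets) && line != "\r\n"
            name, value = line.split(':', 2)
            headers[name.strip.downcase] = value.to_s.strip
          end
          status, payload = handle_request(method, path, headers)
          body = JSON.generate(payload)
          client.write("HTTP/1.1 #{status} #{REASONS[status]}\r\n" \
                       "Content-Type: application/json\r\n" \
                       "Content-Length: #{body.bytesize}\r\n" \
                       "Connection: close\r\n\r\n#{body}")
        end
      ensure
        client.close
      end
    end
  end
  port
end

# Client side: knows only the URL shape, the header name and its own token.
# Returns [status_code, parsed_json].
def fetch_profile(port, id, token)
  uri = URI("http://127.0.0.1:#{port}/profiles/#{id}")
  request = Net::HTTP::Get.new(uri)
  request['X-Api-Token'] = token
  response = Net::HTTP.start(uri.host, uri.port) { |http| http.request(request) }
  [response.code.to_i, JSON.parse(response.body)]
end

if __FILE__ == $PROGRAM_NAME
  port = start_service
  p fetch_profile(port, 1, API_TOKEN)   # [200, {"id"=>1, "name"=>"alice", "bio"=>"likes rails"}]
  p fetch_profile(port, 1, 'wrong')     # [401, {"error"=>"unauthorized"}]
  p fetch_profile(port, 9, API_TOKEN)   # [404, {"error"=>"not found"}]
end
```

The point of the split is least privilege rather than secrecy of the service code: the client team gets a contract and a credential, the service team keeps the data and the logic behind it, and a bad token is refused before any route is consulted. Swap the standard-library listener for a Rails app and the same contract holds.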

Hi Colin,

Thanks for your advice!

Actually, I was talking about my employees. I understand your point, which is also part of my plan. But I still want to protect our IP technically. In my experience, it’s not really a good idea to allow every employee to get the whole project code repository.

Signing an NDA can obviously show the company’s intention about IP protection. But sometimes it can be either difficult to prove that someone leaked our code, or exhausting for a small company to deal with such lawsuits.

Anyway, I’m looking for some nice technical solutions to this concern.

Sean

Hi Phoenix,

Thanks a lot for such a detailed explanation!

I’ve talked to my core team about this issue and we did reach similar conclusions to the ones you suggested. I think you are right. I’ll probably invest more effort in continuously improving our product and doing better marketing instead of worrying too much about IP protection.

Thanks again!

Sean

> Hi fellows,
>
> I'm starting a small company developing an SNS website and we are using RoR. The concern we have right now is that we don't want each of our developers to get the entire Rails code base of our project.

How would you expect the developers to be able to *run* the Rails application to develop for it, if they don't have the code?

> Employ reputable contractors (I presume it is contractors that you are talking about) and get them to sign non-disclosure agreements.

I agree wholeheartedly. And as a flip side, as a contractor, I would be highly suspicious of any employer who wanted to start a relationship by being so suspicious of me that they want to micro-manage the sections of code I have access to. Remember, Sean, Rails is a nice open OO framework - unless one has access to jump around and refactor chunks of it, it's not going to be easy to work with.

> In my experience, it's not really a good idea to allow every employee to get the whole project code repository.

Really? Can you explain how you went about it before, please? What technologies made this possible? What languages and development methodologies were you using?

> Signing an NDA can obviously show the company's intention about IP protection. But sometimes it can be either difficult to prove that someone leaked our code, or exhausting for a small company to deal with such lawsuits.

Again.. as pointed out, if you hire people who are happy to work in such a restrictive environment, you're likely to end up with code that's not worth stealing (or protecting) in the first place :-/

Hi Michael,

I just wrote a lot to reply but eventually decided to simply say: Thanks very much! I think I get your point.

Sean

If you don't trust your own developers, you have bigger problems than any obfuscation or compartmentalization scheme can solve.

Find developers that you consider your trusted colleagues and build your product with them.

- D

Hi Danny,

Thanks for your advice!

But please don't take it the wrong way. An IP protection policy doesn't mean a company does not trust its employees! Otherwise, why is there something called an NDA, right? Why not simply employ the ones you trust? It doesn't matter whether one joins a company or works at a university, they will be asked to sign a paper claiming something like they won't steal things. At least European and Asian universities and companies generally do this.

On one hand, IP protection policies are a very common mechanism in an organization and they definitely don't mean a company doesn't trust its employees; on the other hand, when a company grows fast, how can somebody promise that you know every applicant so well that you are sure each of them can be trusted equally, even when people are from different countries with different backgrounds?

Anyway, we are a great team working together and of course we trust each other. The IP protection techniques we were looking for were meant for new employees whom we don't know that well yet.

AND, I wanna thank everyone here replying to my questions! I did get what I wanted to know in the first place! Thus, I'm gonna move on to the dev work and close this thread.

Thanks again!

Regards, Sean

PS: Because Danny has some opinions that sound similar to the ones proposed by Michael, I also wanna finish this thread by rewriting some of my opinions wrt. Michael's reply. I don't really remember what I wrote the first time. I'll just quickly recap some of my previous thoughts concerning Michael's opinions.

Have you people heard of Murphy's law? Treat your employees well. That will do.