> 1. Obfuscation doesn't prevent people from stealing source. Java has the same
> problem; there are plenty of great decompilers for Java to prove it.
>
> 2. Though we understand point 1, "the perception" is that Perl being a
> scripting language creates a "risk", and large companies are risk-averse,
> which is why large companies prefer Java regardless of the lack of security
> it provides (Larry Wall doesn't have the same marketing budget as Sun).
I think you have hit the nail on the head here. My company and many others aren't going to ship something to clients that the client can easily just peel the top off and look inside. Now, probably the open source guys are right that we shouldn't be worried about people doing this in the first place, but in this case the company is run by people who aren't open source advocates... Now we could argue, so stuff these kinds of people, we don't want to play the game and bow to the closed source pressure... Is this the right way to go... I don't know...

I think the problem in "explaining open source to my boss" is something like: "Well, why don't we just go one step further and open up the whole company to inspection? Let's let all our clients and competitors come in, walk around, poke their noses wherever they feel like, peruse all our documentation...!" (Of course, there certainly are cases to be made for having external inspection of certain types of business, but we don't normally use our competitors for this...)

You can of course ALWAYS nick the source code. That's the whole point: industrial espionage is always possible. (Witness MS having the code to their new game stolen.) However, to most companies it makes sense to spend money protecting their investment commensurate with what it's worth to them. For example, writing it in Perl would obfuscate it against most programmers in my company... Compiling it as a PAR archive would fox most junior programmers for a day or so. Adding encryption would probably fox most programmers full stop, i.e. you are going to have to be a fairly decent Unix "hacker" to start recompiling the core Perl source code to reverse engineer somebody's program. Basically, unless you happen to reverse engineer stuff every day, it's going to take ordinary people at least a few days to weeks to google around, download stuff and hack the program.

This probably means you are going to pay your programmers somewhere between a few hundred and a few thousand dollars for their time. So this is a reasonable barrier to entry for many classes of program. Many companies will just buy the software for $50 or whatever you priced it at instead...

Hmm, I think I meandered off track a little. The point is that most corporations like to feel that they aren't giving away their investment, and the people who make the decisions tend to feel that if it's "compiled" then the hacker needs to do a little work, whereas shipping the source just makes it far too easy to pinch. It's a perception thing. Look at how much you can sell PHP source code encryption plugins for if you need further evidence for a business idea.

To be honest, I think it would be very fair game to *sell* any PAR encryption mechanism that you write. The only people who will be using it are those shipping closed source software for money, and as such they will most likely happily pay for it... A business idea for someone, perhaps?

Ed W
