Packaging for shipping product made out of RoR


Santosh c

Oct 9, 2011, 5:08:40 AM
to rubyonra...@googlegroups.com
Hi,
I am exploring using RoR for an enterprise application that needs to be given out to customers, and the two criteria I am looking at are packaging and ease of deployment/upgrade, and protecting source code.
 
Can someone point me to some references for these two -- how are RoR projects packaged and deployed, and if they can be compiled into binaries before distribution.
 
thanks.

Santosh c

Oct 10, 2011, 10:21:39 PM
to rubyonra...@googlegroups.com
no takers?

Walter Lee Davis

Oct 10, 2011, 11:10:26 PM
to rubyonra...@googlegroups.com

The way that you protect your Ruby code is usually by not giving it to anyone. If you provide software as a service, and you keep the secret sauce on your server, that's the ticket. If you want to sell the source code to your customers, guess what -- they can read it, because it's not a compiled language.

Walter

Norm Scherer

Oct 11, 2011, 12:40:38 AM
to rubyonra...@googlegroups.com
You need to protect the source code with a contract or by keeping it to yourself.

mitch

Oct 11, 2011, 1:26:02 AM
to rubyonra...@googlegroups.com
I believe the best method is to use JRuby and to produce a compiled WAR file, combined with some sort of external encrypted licence file.

Peter Hicks

Oct 11, 2011, 2:50:40 AM
to rubyonra...@googlegroups.com

Don't dismiss the contractual agreement - pushes the problem to your legal people.

Another idea is providing the software on a virtual machine image.  It has the benefit of being a packaging mechanism too.

Peter

On Oct 11, 2011 6:26 AM, "mitch" <mlqmailb...@yahoo.com> wrote:
> I believe the best method is to use Jruby and to produce a compiled WAR file, combined with some sort of external encrypted licence file..


Santosh c

Oct 11, 2011, 4:09:26 AM
to rubyonra...@googlegroups.com
Makes me wonder how the current vendors shipping their enterprise apps do it.  We are a small shop, legal route will not work for us.
 
Any references to how JRuby / WAR packaging works? Have done it with Tomcat 7-8 yrs back, latest references/tutorials will help.
 
thanks!

Hassan Schroeder

Oct 11, 2011, 7:29:38 AM
to rubyonra...@googlegroups.com
On Mon, Oct 10, 2011 at 10:26 PM, mitch <mlqmailb...@yahoo.com> wrote:
> I believe the best method is to use Jruby and to produce a compiled
> WAR file

Sorry, no -- WAR files are not "compiled", and they're nearly always
expanded at deployment anyway, so that's pointless.

--
Hassan Schroeder ------------------------ hassan.s...@gmail.com
http://about.me/hassanschroeder
twitter: @hassan

mitch

Oct 11, 2011, 7:34:28 AM
to rubyonra...@googlegroups.com

Hassan Schroeder

Oct 11, 2011, 7:58:14 AM
to rubyonra...@googlegroups.com
On Tue, Oct 11, 2011 at 4:34 AM, mitch <mlqmailb...@yahoo.com> wrote:
> Sketchy details on these Hobo threads. They are obviously having some
> success with Jruby.

"success" at what? Yes, you can certainly run JRuby/Rails from a
WAR file. I'm maintaining one such application now.

This does *nothing* to prevent access to your app's source code, as
the OP is seeking to do.

mitch

Oct 11, 2011, 8:32:15 AM
to rubyonra...@googlegroups.com
Ah...sorry about that. I haven't used JRuby myself but am planning to.

I remember reading a long time ago that Thoughtworks have devised a method of code protection for their Mingle product, using JRuby. I don't know how it's done though.

http://en.wikipedia.org/wiki/Mingle

Hassan Schroeder

Oct 11, 2011, 9:20:18 AM
to rubyonra...@googlegroups.com
On Tue, Oct 11, 2011 at 5:32 AM, mitch <mlqmailb...@yahoo.com> wrote:

> I remember reading a long time ago that Thoughtworks have devised a method
> of code protection for their Mingle product, using JRuby. I don't know how
> it's done though.

There appears to be a free download -- you could take a look and
report back :-)

(I would but I'm about to shut down to head to the airport.)

mitch

Oct 11, 2011, 10:15:08 AM
to rubyonra...@googlegroups.com
Sorry no time. I'm snowed under with work.

But there's gotta be a way, no?  As I understand it, although the WAR file code can be viewed it can't be changed. If it references some kind of encrypted Java class which needs an external licence file, perhaps that would do it? The licence file could include a customer hardware or name key etc.

I'm keen to find a solution to this too.


Hassan Schroeder

Oct 11, 2011, 1:06:14 PM
to rubyonra...@googlegroups.com
On Tue, Oct 11, 2011 at 7:15 AM, mitch <mlqmailb...@yahoo.com> wrote:

> But there's gotta be a way, no?  As I understand it, although the WAR file
> code can be viewed it can't be changed.

Sorry, that's not true. A WAR file is just a packaged (equivalent to tar)
directory structure that's usually un-WAR'd on deployment. And you
can do anything you want with the contents at that point.

Santosh c

Oct 11, 2011, 9:44:49 PM
to rubyonra...@googlegroups.com
 
 
 
> Sorry, that's not true. A WAR file is just a packaged (equivalent to tar)
> directory structure that's usually un-WAR'd on deployment. And you
> can do anything you want with the contents at that point.

 
Could you give me a reference to building and deploying a WAR for a ruby web app?  thanks.

Hassan Schroeder

Oct 12, 2011, 1:48:17 AM
to rubyonra...@googlegroups.com
On Tue, Oct 11, 2011 at 6:44 PM, Santosh c <santo...@gmail.com> wrote:

> Could you give me a reference to building and deploying a WAR for a ruby web
> app?  thanks.

Are you familiar with the Servlet Spec? If not, I'd strongly recommend
reading it to understand how a Java web app (and hence a WAR file)
is structured.

http://rubygems.org/gems/warbler provides the building part, at least
for a basic app.

The deployment part somewhat depends on what servlet container
you're using, so check the relevant docs. Alternatively you can use
something like capistrano with custom recipes.

HTH,

Brandon Black

Oct 12, 2011, 4:45:30 AM
to Ruby on Rails: Talk
JRuby is indeed your answer.

I used to work for a company that did exactly this. We had an on
premise enterprise server we were selling and distributing to clients
written in ruby. Yes, we did WAR it all up too, but that's it what
you're looking for.

JRuby has the ability to *actually compile* your ruby code into
java .class files. This has some clear performance benefits since your
rb files aren't being interpreted at runtime anymore, but it also
gives you some obvious advantages when you're distributing your code.

In my opinion it's the only decent way to distribute ruby. There's
loads of documentation on the topic if you look it up.

https://github.com/jruby/jruby/wiki/JRubyCompiler

Also, one other quick word of advice: watch those license agreements
in your dependencies carefully.

Much of the awesome open source code we love and enjoy in the ruby
community has entirely different rules when you're distributing it vs
running it on a web server. Have your lawyers check it over good. The
good news, though, is that JRuby also lets you leverage java
libraries in your ruby code so you can no doubt find what you need.
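
Added example, not part of the original thread or any poster's code: a Python audit a vendor could run on their own WAR before shipping. It illustrates the two points made above, that a WAR is an ordinary archive anyone can open and that compiling with JRuby determines which entries are `.rb` text and which are `.class` bytecode; the sample WAR and every file name in it are constructed for illustration.

```python
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java .class file


def build_sample_war() -> bytes:
    """Constructed sample WAR (a zip archive); every file name is illustrative."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/app/models/invoice.rb",
                     "class Invoice\n  def total; 42; end\nend\n")
        war.writestr("WEB-INF/app/models/pricing.class",
                     CLASS_MAGIC + b"\x00\x00\x00\x32")
        # Named .class but not bytecode: the extension alone proves nothing.
        war.writestr("WEB-INF/lib/helper.class", "puts 'still plain text'\n")
        war.writestr("WEB-INF/config/license.rb", "KEY_CHECK = true\n")
    return buf.getvalue()


def audit_war(data: bytes) -> dict:
    """Sort archive entries by what a customer could read after unpacking."""
    report = {"plaintext_ruby": [], "java_bytecode": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(data)) as war:
        for info in war.infolist():
            if info.is_dir():
                continue
            with war.open(info) as entry:
                head = entry.read(4)  # enough to check the class-file magic
            if info.filename.endswith(".rb"):
                report["plaintext_ruby"].append(info.filename)
            elif head == CLASS_MAGIC:
                report["java_bytecode"].append(info.filename)
            else:
                report["other"].append(info.filename)
    return report


if __name__ == "__main__":
    for kind, names in audit_war(build_sample_war()).items():
        print(f"{kind}: {len(names)}")
        for name in names:
            print(f"  {name}")
```

The report shows what ships as readable source, not what is protected: entries under `java_bytecode` remain open to decompilation, as the next reply in the thread points out.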

Hassan Schroeder

Oct 12, 2011, 12:17:19 PM
to rubyonra...@googlegroups.com
On Wed, Oct 12, 2011 at 1:45 AM, Brandon Black <brando...@gmail.com> wrote:

> JRuby has the ability to *actually compile* your ruby code into
> java .class files.

Which, it should be pointed out, can be easily de-compiled to reveal
a pretty decent representation of your source code :-)

The OP should note that pretty much all companies distributing their
software to end users use licensing agreements to protect proprietary
IP, not just obfuscation (via e.g. compilation).

FWIW,

Santosh c

Oct 12, 2011, 1:25:59 PM
to rubyonra...@googlegroups.com

> JRuby has the ability to *actually compile* your ruby code into
> java .class files.

> Which, it should be pointed out, can be easily de-compiled to reveal
> a pretty decent representation of your source code  :-)

I am a seasoned Java developer and have used DJ decompiler and Jad pretty extensively myself. With the largest level of obfuscation it takes decent expertise to figure out what those a/b/c/d variables represent and interpret the logic. With Ruby even the starters can figure out everything, so I'd be happy if we can achieve at least the level of complexity of Java bytecodes for my Ruby source.

> The OP should note that pretty much all companies distributing their
> software to end users use licensing agreements to protect proprietary
> IP, not just obfuscation (via e.g. compilation).

Point taken, this is a must, it's just that it's not sufficient. There are situations where some large enterprises require the highest level of security for their data and they are sensitive about the vendor product being confidential as they know they are not without bugs :) And I am talking of practical reality and not some mathematically proven RSA algorithm which is open to the public to challenge :)

> FWIW,
> --
> Hassan Schroeder ------------------------ hassan.s...@gmail.com
> http://about.me/hassanschroeder
> twitter: @hassan

Brandon Black

Oct 12, 2011, 1:35:34 PM
to rubyonra...@googlegroups.com
That's totally correct, but true with anything you compile and release.

It's no different than what you do with a regular Java app now ...or
Flash, or C, or Objective-C, etc.

There are things you can do to obfuscate your compiled code but that
too *can* be reversed.

Nothing is foolproof, but providing compiled .class files beats the
hell out of handing them your source code in clear text.

On Oct 12, 2011, at 9:18 AM, Hassan Schroeder
<hassan.s...@gmail.com> wrote:

Craig White

Oct 12, 2011, 1:53:45 PM
to rubyonra...@googlegroups.com
restructuring for bottom posting logic...

On Oct 12, 2011, at 10:35 AM, Brandon Black wrote:
> On Oct 12, 2011, at 9:18 AM, Hassan Schroeder
> <hassan.s...@gmail.com> wrote:
>
>> On Wed, Oct 12, 2011 at 1:45 AM, Brandon Black <brando...@gmail.com> wrote:
>>
>>> JRuby has the ability to *actually compile* your ruby code into
>>> java .class files.
>>
>> Which, it should be pointed out, can be easily de-compiled to reveal
>> a pretty decent representation of your source code :-)
>>
>> The OP should note that pretty much all companies distributing their
>> software to end users use licensing agreements to protect proprietary
>> IP, not just obfuscation (via e.g. compilation).
>>
>> FWIW,

> That's totally correct, but true with anything you compile and release.
>
> It's no different than what you do with a regular Java app now ...or
> Flash, or C, or Objective-C, etc.
>
> There are things you can do to obfuscate your compiled code but that
> too *can* be reversed.
>
> Nothing is foolproof, but providing compiled .class files beats the
> hell out of handing them your source code in clear text.

----
Perhaps it is just my commitment to open source but if nothing else, providing the complete unaltered and unobfuscated source code adds substantial value and I suspect that if you have priced your efforts appropriately and demonstrated your value sufficiently, that there really isn't any need to obfuscate at all in most instances.

Craig

Brandon Black

Oct 12, 2011, 2:13:19 PM
to rubyonra...@googlegroups.com
@Craig

Totally. There's huge value in that and if the situation permits I'm of
the same opinion.

When I buy products for my current company I prefer to buy ones that
also deliver source code so I can tinker at will.

However, doing so you do obviously open yourself up to having a
competitor buy your code, sometimes indirectly, and grokking from it.

I wouldn't trust the patent system to protect you these days. So, if
you're going to release source with your product, make sure your
licensing and price model reflect that risk.

I think the OP was asking the question though with the intent of not
giving out the source.

mitch

Oct 13, 2011, 3:30:23 PM
to rubyonra...@googlegroups.com
We know that all code protection can be cracked, but what is the "easiness to read" of decompiled JRuby compared with say compiled .Net or C code?

M