If you mean, "can I ship customers a Rails app that they themselves run, either on their own servers or an appliance, while keeping them from seeing the source code?", then the answer is "no".
You should be aware that the same answer applies to Python, Perl, Tcl, Java, and C#. Bytecode is trivially decompiled back to readable source code.
I think there are pretty good obfuscation tools to provide some degree of protection to C# or Java apps (although I don't remember if they are free). But if you have some proprietary code that you don't want anyone to see the best solution is to run it on your own server and just expose an interface to code that runs on customer machines.
Bytecode obfuscation is a speed bump. We do more raw X86 than .NET, and compared to X86 --- which every security consultancy worth its bill rate can handle now --- obfuscated .NET bytecode is a dream. And that's as mature as we get now.
Although I don't think anyone has done it yet, it may perhaps be possible to package a JRuby on Rails app compiled to java bytecode. Not sure about the technical difficulties or when/if that might happen.
Well, put it like this. If they're looking at your source code it means they're already in your production server, and they can do pretty much whatever the hell they want anyway :)
FiveRuns deploys berkdb's with AES-encrypted compressed Ruby source. I have no idea what the point of the encryption is here, because it's a speed bump to someone who wants the source code; the "player" needs the key to run the code, the key sits in memory, as does the decoded source code.
This system looks even easier to deal with than a typical J2EE app; at least with J2EE, I have to fix up all the JAD artifacts.
Beware of systems that offer packaged solutions to hard problems, like the software protection problem.
No. If someone has only 15 seconds to get the source code, you might be able to try the encryption mentioned below. Otherwise, it's not possible; if the computer can run the code, the attacker can read the source code.
It's better to just host the application yourself.
In terms of deploying an app for a customer without giving the customer source-code level access, then what you need to do is structure in terms of Software as a Service, where the customer is only able to access the application and not the server itself.
As others have pointed out, it might seem like an idea to "obfuscate" the source code, but really this does nothing to protect your application. For one, any obfuscation trick, no matter how obscure, is usually easily undone. Secondly, since Rails depends heavily on the use of eval(), there will be large chunks of raw code in your application even if, theoretically, it could be compiled.
Keep in mind you still have a lot of latitude in how you deploy Software as a Service. You can give your client DB dumps, you can run off your client's DB platform, if they want their data "in house" and not at some untrusted facility.
11 comments
[ 3.2 ms ] story [ 45.4 ms ] threadIf you mean, "can I ship customers a Rails app that they themselves run, either on their own servers or an appliance, while keeping them from seeing the source code?", then the answer is "no".
You should be aware that the same answer applies to Python, Perl, Tcl, Java, and C#. Bytecode is trivially decompiled back to readable source code.
I don't know what the state of the project is, but it looks like what you wanted.
This system looks even easier to deal with than a typical J2EE app; at least with J2EE, I have to fix up all the JAD artifacts.
Beware of systems that offer packaged solutions to hard problems, like the software protection problem.
It's better to just host the application yourself.
As others have pointed out, it might seem like an idea to "obfuscate" the source code, but really this does nothing to protect your application. For one, any obfuscation trick, no matter how obscure, is usually easily undone. Secondly, since Rails depends heavily on the use of eval(), there will be large chunks of raw code in your application even if, theoretically, it could be compiled.
Keep in mind you still have a lot of latitude in how you deploy Software as a Service. You can give your client DB dumps, you can run off your client's DB platform, if they want their data "in house" and not at some untrusted facility.