Licensing and obfuscation for closed projects

We all love open source and we wouldn’t be where we are today without it, but the people that pay for our time to develop stuff for them still don’t like sharing.
I’ve never made any attempt to stop others from copying or using my code, but my customers do.

  1. Can the Keysight licensing framework be used for creating our own licenses, and how is this realised?
  2. What are people using for obfuscation?

Br
Jase

2 Likes

Hi Jason

First, remind “the people that pay” that they can still keep their differentiating IP closed, and also that typically 50-80% of devs’ time is spent building commodity code, the maintenance of which is shared when released as open source (or may not even need to be built at all if OSS alternatives exist). Save time and money on “both ends” of a project.

Second, could you elaborate on the idea of “creating your own licenses”? The OSI already recognizes over 70 free and open source licenses - why create more when you can probably find one that suits your project needs? Also be aware that not all FOSS licenses are compatible with the licensing used with OpenTAP, with other open source code or with proprietary software - choose wisely.

Lastly, what sort of obfuscation are you looking for? Source or binary? And why? You seem to be a strong advocate of open source.

Thanks,

Bill W.

1 Like

Hi Bill
I am a fan, but those that pay me aren’t.
The license question was for package licenses used by OpenTAP for the binaries, not for the code. The same as those used for the Editor (not CE).
Binary obfuscation, so the dll can’t be decompiled ‘easily’.

Hi Jason

“Package licensing” is a huge problem in/around open source. Some caveats:

  • The licensing for a package is seldom truly monolithic - most software today comprises a multitude of components with a diversity of licenses. Glomming them all under a single license is an exercise in confabulation, e.g., the Android platform is nominally licensed under APLv2 but real Android implementations typically aggregate 25-35 different licenses.

  • A company cannot create a closed source binary that includes open source code that does not include provision for relicensing (which only a few licenses do), meaning that such binaries would by definition violate the licenses of components they contain.

  • There do exist tools for binary obfuscation whose goal is to prevent “unscrambling the egg”. Their intent is usually to keep competitors at bay (although reverse engineering is usually interdicted in commercial/proprietary licenses) or to stymie enemies from studying smart weapons recovered on the battlefield. Of course obfuscation may also violate the terms of open source licensing of code in the obfuscated binary.

  • A vendor for binary obfuscation is Arxan (Digital.ai Application Protection for Secure Apps | Digital.ai)

Bill

1 Like

When you are talking about licensing in this case, are you looking at commercial licenses as a way to monetize what is created (vs the open source licenses?)

  1. The existing framework is fairly ingrained with Keysight tools, so wouldn’t be usable as is. However, a proprietary license check could be implemented as part of the constructor for any of your classes. There are lots of tools that exist for this. Ultimately it will be up to you and your balance of cost and risk that makes the most sense.

  2. On top of @bweinberg’s suggestion, we have also seen people use Obfuscar (MIT License)

In general, we have found it best to do these steps as part of a CI/CD process.
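
The constructor-level license check mentioned in point 1 above, as an added example that is not part of the original post and is not OpenTAP or Keysight code. The license format, the class names and the inline demo key pair are assumptions made for illustration; it targets .NET Core 3.0 or later.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public sealed class LicenseException : Exception
{
    public LicenseException(string message) : base(message) { }
}

public static class LicenseVerifier
{
    // Hypothetical license format: "<licensee>|<product>|<expiry yyyy-MM-dd>" with a detached ECDSA signature.
    public static void Require(string payload, byte[] signature, byte[] vendorPublicKey, string product, DateTime nowUtc)
    {
        using var key = ECDsa.Create();
        key.ImportSubjectPublicKeyInfo(vendorPublicKey, out _);
        // Verify the signature before trusting any field of the payload.
        if (!key.VerifyData(Encoding.UTF8.GetBytes(payload), signature, HashAlgorithmName.SHA256))
            throw new LicenseException("signature does not match payload");
        string[] parts = payload.Split('|');
        if (parts.Length != 3 || parts[1] != product)
            throw new LicenseException("license is not for this product");
        if (!DateTime.TryParseExact(parts[2], "yyyy-MM-dd", CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out DateTime expiry) || nowUtc > expiry)
            throw new LicenseException("license expired or expiry unreadable");
    }
}

public class LockedPlugin // hypothetical plugin class, not an OpenTAP type
{
    public LockedPlugin(string payload, byte[] signature, byte[] vendorPublicKey) =>
        LicenseVerifier.Require(payload, signature, vendorPublicKey, "LockedPlugin", DateTime.UtcNow);
}

public static class Demo
{
    public static void Main()
    {
        // Constructed demo key pair; in practice only the public key ships with the plugin.
        using var vendor = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        byte[] publicKey = vendor.ExportSubjectPublicKeyInfo();
        string payload = "Example Org|LockedPlugin|2099-12-31"; // constructed sample license
        byte[] signature = vendor.SignData(Encoding.UTF8.GetBytes(payload), HashAlgorithmName.SHA256);

        new LockedPlugin(payload, signature, publicKey);
        Console.WriteLine("valid license accepted");
        try { new LockedPlugin(payload.Replace("2099", "2199"), signature, publicKey); }
        catch (LicenseException e) { Console.WriteLine("edited license rejected: " + e.Message); }
    }
}
```

The signature stops a license file from being edited or forged without the vendor's private key. The check itself still runs in managed code inside the DLL, so it can be patched out by someone who modifies the assembly.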

@jason.hicks I used to have a manager who demanded encryption for our .NET dlls. The only practical solution we could find was obfuscation. But the obfuscation tools we tried were easy to crack using free de-obfuscation tools. My conclusion at the time was that .NET encryption was a futile endeavor. If a persistent person really wants the code, they’ll get it. I also became a fan of open source at that time, maybe out of convenience. 😄

1 Like

@david-wsd That’s my belief too.

@brennen_direnzo It’s not really to monetize it but to protect it from being used outside of our organisation.

My thought is that as an organisation we purchase the Editor, and the packages we release appear in the package manager, so it all looks like a well-oiled machine. If I could ‘lock’ my packages in a similar way and unlock them using Keysight’s License Manager it would have been the icing on the cake.

I best start reading up on proprietary licensing.

1 Like

To be honest, we certainly plan to allow OpenTAP Plugins that have 3rd party licensing, but we have not really considered a way for that to be turned on “easily” for organizations that don’t already have their own licensing/locking system. I’m open to ideas here on what could create a good experience.

1 Like