How to gracefully abandon an open-source project?

August 7, 2015

A few years before I was employed at our organization, it demoed a useful but specialized Java application (library plus GUI) to our peers and to a few conferences. We had several requests for copies, and one of my projects when I joined the organization was to release the code as an open source project. My role was project manager (and licensing expert) and I contracted out the development.

The open source release was undertaken as a goodwill gesture and to raise our profile in our community.

Fast forward a few years, and the software is still on SourceForge, and we have released new versions once or twice when we’ve added features as parts of other projects. It gets a bit of use, but has not attracted any external developer contributions. It is occasionally cited by peer or academic organizations, and we know other developers are using it for their own projects.

We field occasional requests (via support email address) for help from users, usually along the lines of “why doesn’t the installer work when…”. Over the last 18 months I have been able to send these to a colleague who uses the tool internally, but their position is changing and this is no longer possible. I want to recommend to my boss that we stop supporting the software at all.

What I would like to ask is whether there is a good way for our organization to withdraw from supporting open source software? What can we do beyond adding a notice that we no longer provide support to the project website and disabling the email address?
My main concern is the ramifications for our organization’s reputation.

jQuery license choice

August 7, 2015

“jQuery is currently available for use in all personal or commercial projects under both MIT and GPL licenses”. A software developer wants to modify a few lines of the code and include it as a part of a commercial project. What license (MIT or GPL) is most appropriate from open source community point of view to be accepted by the developer?

Not looking for legal advice, but related to the subject differences in the licenses. jQuery is selected as an example.

Which open source licenses require re-release of modifications?

August 7, 2015

I need to use some open source components in my application. I can’t re-release my modifications (and certainly not the rest of the code that the open source code touches). The software I’m working with isn’t distributed (unless you call working as an onsite contractor doing maintenance programming “distribution”, which seems a stretch.)

Which licenses are safe for this scenario? Or which licenses are not safe for this scenario?

I’m interested in how ordinary developers are reacting to this scenario–or else I’d be asking at lawsuitoverflow :-), going to a lawyer at $200 an hour on my personal funds is currently out of the question, although I appreciate the humor of such an answer.

Should I go open-source even if I want to retain all rights?

August 7, 2015

Years ago I released a program called Banshee Screamer Alarm and at the time it included the full source code, “for educational purposes only.” You couldn’t extend it to make your own version, but you could learn from it. It actually helped somebody fix a bug in Wine.

If I release more software like this (open source, but copyrighted and non-free), are there any legal thorns that I should know about? Are there any suitable licenses for this purpose?

An open-source license that doesn't let users compile the application unless they've purchased it?

August 7, 2015

I’ve been developing GPL’d software for years, but now I need a more restrictive license.

This is for a commercial application, and I want to share my source code with the whole world, regardless of whether they’ve purchased the application from me or not. I also want to allow people to produce derivative works, but I want to prohibit binary distribution of both my original work, and that of any derivative work.

Basically, if someone has already purchased the original work, he/she can compile and use the original source code, or any derivative work. Otherwise, they can only study my source code, or that of a derivative work.

Does anyone know a license that fits my needs, or do I need to write my own?



First of all, thanks everyone for the answers.

Let me clear up a few things:

  1. This application has not yet been released. So I’m not adopting a new license like XFree86, I’m trying to pick a license for a new application.

  2. I usually use the term “free software” instead of open source, so that’s why I used the term open source here. The source will be “open” indeed, just not the way the OSI defines it.

  3. I’m all for GPL, and almost all software I’ve written before was released under the GNU GPL v2. But this one has to be an exception.

  4. I don’t really care if people violate the license. I wouldn’t dream of suing anyone for that, unless they’re selling my software.

Now I’m not suggesting I’ve written a very special piece of software, but I just don’t want people making money by stealing my code. But I also want the tech-savvy users to be able to modify the software any way they see fit.

Oh, and finally, the application is written in a compiled language (Objective-C, to be precise *cough*iPhone*cough*).

Extensibility without Open-Source

August 7, 2015

My company is currently in the process of creating a large multi-tier software package in C#. We have taken a SOA approach to the structure and I was wondering whether anyone has any advice as to how to make it extensible by users with programming knowledge.

This would involve a two-fold process: approval by the administrator of a production system to allow a specific plugin to be used, and also the actual plugin architecture itself.

We want to allow the users to write scripts to perform common tasks, modify the layout of the user interface (written in WPF) and add new functionality (i.e. allowing charting of tabulated data). Does anyone have any suggestions of how to implement this, or know where one might obtain the knowledge to do this kind of thing?

I was thinking this would be the perfect corner-case for releasing the software open-source with a restrictive license on distribution, however, I’m not keen on allowing the competition access to our source code.


EDIT: Thought I’d just clarify to explain why I chose the answer I did. I was referring to production administrators external to my company (i.e. the client), and giving them some way to automate/script things in an easier manner without requiring them to have a full knowledge of C# (they are mostly end-users with limited programming experience) – I was thinking more of a DSL. This may be an out of reach goal and the Managed Extensibility Framework seems to offer the best compromise so far.

How effective is obfuscation?

August 7, 2015

A different question, i.e. Best .NET obfuscation tools/strategy, asks whether obfuscation is easy to implement using tools.

My question though is, is obfuscation effective? In a comment replying to this answer, someone said that “if you’re worried about source theft … obfuscation is almost trivial to a real cracker”.

I’ve looked at the output from the Community Edition of Dotfuscator: and it looks obfuscated to me! I wouldn’t want to maintain that!

I understand that simply ‘cracking’ obfuscated software might be relatively easy: because you only need to find whichever location in the software implements whatever it is you want to crack (typically the license protection), and add a jump to skip that.

If the worry is more than just cracking by an end-user or a ‘pirate’ though: if the worry is “source theft” i.e. if you’re a software vendor, and your worry is another vendor (a potential competitor) reverse-engineering your source, which they could then use in or add to their own product … to what extent is simple obfuscation an adequate or inadequate protection against that risk?

1st edit:

The code in question is about 20 KLOC which runs on end-user machines (a user control, not a remote service).

If obfuscation really is “almost trivial to a real cracker”, I’d like some insight into why it’s ineffective (and not just “how much” it’s not effective).

2nd edit:

I’m not worried about someone’s reversing the algorithm: more worried about their repurposing the actual implementation of the algorithm (i.e. the source code) into their own product.

Figuring that 20 KLOC is several months’ work to develop, would it take more or less than this (several months) to deobfuscate it all?

Is it even necessary to deobfuscate something in order to ‘steal’ it: or might a sane competitor simply incorporate it wholesale into their product while still obfuscated, accept that as-is it’s a maintenance nightmare, and hope that it needs little maintenance? If this scenario is a possibility then is obfuscated .Net code any more vulnerable to this than compiled machine code is?

Is most of the obfuscation “arms race” aimed mostly at preventing people from even ‘cracking’ something (e.g. finding and deleting the code fragment which implements licensing protection/enforcement), more than at preventing ‘source theft’?

Choosing a SOAP library to integrate with ISAPI webapp

August 7, 2015

The company I work for has a large webapp written in C++ as an ISAPI extension (not a filter). We’re currently enhancing our system to integrate with several 3rd party tools that have SOAP interfaces. Rather than roll our own, I think it would probably be best if we used some SOAP library. Ideally, it would be free and open source, but have a license compatible with closed-source commercial software. We also need to support SSL for both incoming and outgoing SOAP messages.

One of the biggest concerns I have is that every SOAP library that I’ve looked at seems to have 2 modes of operation: standalone server and server module (either Apache module or ISAPI filter). Obviously, we can’t use the standalone server. It seems to me that if it is running as a module, it won’t be part of my app — it won’t have access to the rest of my code, so it won’t be able to share data structures, etc. Is that a correct assumption? Each HTTP request processed by our app is handled by a separate thread (we manage our own thread pool), but we have lots of persistent data that is shared between those threads. I think the type of integration I’m looking for is to add some code to my app that looks at the request URL, sees that it is trying to access a SOAP service, and calls some function like soapService.handleRequest(). I’m not aware of anything that offers this sort of integration. We must be able to utilize data structures from our main app in the SOAP handler functions.

In addition to handling incoming SOAP requests, we’re also going to be generating them (bi-directional communication with the 3rd parties). I assume pretty much any SOAP library will fulfill that purpose, right?

Can anyone suggest a SOAP library that is capable of this, or offer a suggestion on how to use a different paradigm? I’ve already looked at Apache Axis2, gSOAP and AlchemySOAP, but perhaps there’s some feature of these that I overlooked. Thanks.

Java licensing for commercial distribution

August 7, 2015

I’m thinking of using Java to write a program that I might try to sell one day. I’m new to Java so I have to ask, what types of tools/software/etc will I need (from development, to distribution, to user-friendly installation on users’ machines) that have licenses that must be considered to make sure they allow sales and closed source code, etc.?

Should we assume the user already runs at least one Java app, and therefore has a fairly recent version of Java on their machine?

Also, do you have any recommendations for specific tools that are definitely suitable for this purpose?

Licence and/or concurrent use enforcement mechanism for fairly open UNIX product?

August 7, 2015

I would be grateful for any suggestions on how to add license key enforcement or concurrent user limit enforcement to a (UNIX-based) software product that – while not explicitly open-source – the end-user nominally has source code to, or could, conceivably, obtain with relative ease because the servers running it are located on their premises, etc.

Obviously, I am neither seeking nor expecting a technique that cannot be circumvented by someone highly motivated to do so, and/or by 1337 h4x0rs that are just good like that. The point of such anti-piracy mechanisms isn’t to prevent the user from doing something they really want to do, but just to make it annoying enough to do that it’s not really worth the hassle as compared to the relative ease of just paying for another (cheap) license – at least, for an end-user of merely average abilities.

That calls for something more sophisticated than mere security by obscurity (which will also get you laughed at by users that may come across it, even inadvertently without the intent to modify the setting), but nothing close to what’s required to guard a missile silo. Just enough of something to say, “Yes, this product really does limit the use to what you bought.” Shouldn’t be anything interesting enough to motivate someone seeking fame and fortune to post a blog entry about how to crack it either, ideally, although given how utterly niche the product is and how inexpensive it is, I don’t see that as being a concern.

The only real technique I can think of is to compile some routine(s) that is functionally essential to the rest of the program into a static or dynamic binary reloadable object and, along with it, include the checks. It is necessary that the routine be critical in some inseparable respect, rather than an artificial check just for that particular condition, otherwise the user could just go and disable the call to the function. The idea is that disabling the call to the function has other unattractive consequences as well.

That’s nothing a smart hacker can’t disassemble, and, obviously, if the function is trivial enough to build into an otherwise purposeless binary, it is trivial enough to reimplement outside of it as well. But it’s more effort than a typical end-user would bother going through. And of course, again, the point isn’t to mechanically stop piracy, but just to put a little limit in place so that the product doesn’t work purely on the honour system, though I’m sure that’s sufficient for many corporate buyers in the US.

Is this a common approach? Are there better ones?
