[Catalyst] creating binaries

[Octavian Rasnita]

From: "Joe Landman" <landman at scalableinformatics.com>

> Technological measures can be defeated.  Assume they provide speed bumps 
> at most to determined hackers.
>
> We have found that people are (sometimes) willing to pay for programs when 
> they add significant value to what it is they are doing.  That said, much 
> of the reason we see our customers interested in open source has very 
> little to do with libre' and a great deal to do with acquisition cost. 
> The often higher quality is an added benefit.

Bla bla. You are living in USA probably, where what you said is not bla bla, 
but I am living in Romania, Central Europe where even stronger laws than 
those regarding the piracy are not always respected. In my country there are 
no many people that care for what you said. Most of the users use pirated 
programs... more than 90% of the private persons, and over 50% of the 
companies, or even more.

> What stops them from doing un-intended things with it are good licenses 
> that grant them the rights they require without granting them the rights 
> they do not require.  You are not granting ownership rights, you grant 
> usage rights.

So? They will get the source code and give the program to other persons, 
that won't need to pay for it anymore.
Who stops them doing that? Do you think there is an institution in my 
country that visits the private persons and check to see if they have 
licences? Not even the companies care about that. Business Software Alliance 
of MS, Oracle, Corel, SAP and a few other companies visit from time to time 
the companies, and then they negociate with them for selling them some more 
licences, because they are found that they have illegal software. That's 
all.

> You may chose to restrict these rights, or not grant them at all.  In this 
> case, you may need to review which elements of OSS you may yourself use in 
> your program.

I cannot do this all the time, because for example I need to create a 
program that won't even probably have access to the internet.
It is a program that should work with a phone exchange for showing 
statistics about the number of spoken minutes for each line, and other 
things like that.
I need to create a Windows version and a Linux version also. It will be 
accessible in a web page, in the local intranet of the company, and it would 
be nice if it could be done with Catalyst, but of course, without showing 
the source code.

> I have not seen many users, who have a day job that requires that the get 
> specific work done, try to crack program source code, or reverse engineer 
> their apps.  It all comes down to the value you offer, and what you are 
> willing to enable.

No, of course they are not paid for this, but the system admin of some 
companies could try to get the source code, and give it to his friends from 
other companies.

> Protection has its purposes, though compiling programs is not what I would 
> call protection.  If you want to protect you need to mix encryption with 
> some sort of preventative execution measure, a DRM of sorts.  This 
> provides something akin to a higher speedbump, but it is only a speedbump. 
> It is not absolute protection.  The only way to get better protection is 
> to never ship the application, only the side effects.  Google doesn't ship 
> its applications, though they are some of the most widely used in the 
> world.  I am willing to be that the critical internal bits are not OSS.

I didn't say I want an absolute protection. I said what I need, but you try 
to convince me that what I want is bad, just because Catalyst cannot do it.
The protection perlapp offers is very good for what I need.
It is a very bad marketing to tell the client that the program he paid for 
is open source, because most of the users might think that in that case the 
program has no value, or that it could be very simple and that everyone else 
could get it for free, but he is forced to pay for it. And of course, he 
will get it and give to other friends that might need it.

> Hmmm.... So you think they should spend at least $90US of time to get the 
> program from the internal representation?
>
> So do you know about B::Deparse?

Oh yes, it would be very well if the program could be cracked only using 
B::Deparse.
In that case I can consider the source code secure enough.
The cracker must get the compiled version of the program from the memory, 
then use B::Deparse, and hope it will give good results... this is not a 
problem for me.

> I would suggest reflecting upon which goals you have in preventing access 
> to source.  Is it prevention of modification, protection of IP, 
> restriction of redistribution ...

It is restriction to redistribution what I want, and the laws don't help me 
at all.
Even to try putting the law work for me, and find the crackers, would cost 
me more than I can earn.

>> But I don't know if I understood correctly... from this discussion I 
>> think that it is not possible to do what I want using Catalyst.
>
> This has nothing to do with Catalyst.  This is (not really) a language 
> issue, and more correctly a basic computing issue.  Unless your code is 
> always encrypted, in memory, on disk, etc. there is little possibility to 
> prevent a determined hacker from getting it.  So if you take this off the 
> plate, that is, you make it so that getting at the source is not hard at 
> all, you effectively remove that attack vector against your code.  Now 
> focus upon what it is you do.  Heck, you can even hide your IP back behind 
> a nice XML-RPC/SOAP stack on a remote system or three, and distribute the 
> rest as OSS.

The computers of users are not always connected to the internet, so I cannot 
use this method.
I don't want an absolute security but just a way of hiding the source code 
and making harder to get it. perlapp can store the source code crypted, in 
memory, and it also has other advantages over PAR.
Other programs can be used to include all the modules they need in the 
executable, while Catalyst cannot do it.
This is what I said that Catalyst cannot do, or better said, I don't know 
how to do it, because I am almost sure it should be possible.

> Ok, the issue sounds like windows.  I don't want to comment on its support 
> as I don't use it for this.  We use Linux for our work, all of this works 
> just fine.

Of course Linux works just fine, but for very few people comparing with 
Windows, and I don't care what the users use, but sell my program. I have 
also noticed that most Linux users are users that know more about computers, 
that like only open/free source programs, and it is almost impossible to 
sell them something, because they think that all the programs should be 
free.

When talking for the public, they say that it is not important to have the 
programs for free, but have the source code, in order to see what it does, 
and beeing able to modify it for their own use, however, in fact they'll 
never like to buy software and always try to use free software, even 
pretending the the extra features provided by commercial software are not 
important.

I have heard for many times that PostgreSQL is same as good as Oracle, and 
that the extra features Oracle has are not very important, and the 
disadvantages of proprietary software are always presented by those who like 
Linux. I haven't heard a single person that says that he  like Linux, but 
that he also agrees buying commercial programs.

> FWIW: I have tried recent Catalyst under Cygwin (www.cygwin.com) and it 
> seems to work fine (thanks to MST and lots of others).  If you are 
> constrained to work on windows, try cygwin.

I am constraint to work under Windows, but this is not the only reason I am 
interested about this OS. I am interested because most of the users use it 
and if I'll target only the Linux users, I won't be able to sell anything, 
or much less.

With ActivePerl, perlapp, and Null Soft installer and other tools provided 
by Active State I can develop programs for Windows just like those made with 
Visual Basic, so it is possible to create Windows programs with perl.
Probably very few people will find that the program was created using perl.
If I can hide the source code I can put a software protection, a key or 
something like this, but if the source code is free, any user could just 
edit the source code and disable that protection, even if the user doesn't 
know perl.

And I might need to create the program for a software company that requires 
to hide the source code. I cannot tell them that they are stupid because the 
source code can be found anyway. That's what they are asking, and I need to 
give them this if it is possible.
No software company will agree to make open source programs for them, 
because they won't be able to sell them.
I think what I want could be done, and in that case Catalyst would be used 
in more other fields than the standard web pages.

Octavian