Sunday, May 25, 2008

Open Source Infections

This article is in response to a comment left on this article.

Below is an excerpt of the GPL from

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things.

The GPL license states that the purpose is to give developers more freedom to use the source code; however, it's not truly free! Here is another excerpt from the GNU FAQ:

If I add a module to a GPL-covered program, do I have to use the GPL as the license for my module?

The GPL says that the whole combined program has to be released under the GPL. So your module has to be available for use under the GPL.

But you can give additional permission for the use of your code. You can, if you wish, release your program under a license which is more lax than the GPL but compatible with the GPL. The license list page gives a partial list of GPL-compatible licenses.

You have a GPL'ed program that I'd like to link with my code to build a proprietary program. Does the fact that I link with your program mean I have to GPL my program?

Not exactly. It means you must release your program under a license compatible with the GPL (more precisely, compatible with one or more GPL versions accepted by all the rest of the code in the combination that you link). The combination itself is then available under those GPL versions.

If so, is there any chance I could get a license of your program under the Lesser GPL?

You can ask, but most authors will stand firm and say no. The idea of the GPL is that if you want to include our code in your program, your program must also be free software. It is supposed to put pressure on you to release your program in a way that makes it part of our community.

You always have the legal alternative of not using our code.

The term "infect" perfectly describes what some open source licenses can do to code. Specifically, any code one writes that uses a GPL library can become "blanketed" by the GPL license. The author of the comment claims that this is FUD. It's not FUD, it's reality. Sure, open source software is great, and I have even written open source software myself. However, I can't use this code in a proprietary project because the license would make the proprietary project non-proprietary. The analogy of an infection paints a perfect picture regarding how the license would spread from the open source library to the proprietary code.

This isn't to say that all open source licenses are bad. It's important to differentiate between the GPL, LGPL, Apache License, MIT License, and other public licenses. To really label a license as giving developers the freedom to use the software however they want, one would need to look at the LGPL, Apache Commons, or another license that allows open source software to be integrated into a proprietary application.

While there is nothing wrong with the GPL, it's important to understand that there is a time and a place to use this license, and that GPL-licensed code may not be good for every project.

Saturday, May 10, 2008

Open Source JavaScript Compressor

Are you concerned about having your Firefox Extension JavaScript code compromised? XPI files can be extracted and code can be easily viewed. One solution that works very well for many organizations that wish to keep their JavaScript code secret is to use a JavaScript obfuscator.

Also known as a script compiler or script compressor, an obfuscator takes human-readable JavaScript code and converts it into text that is virtually impossible for humans to process. When you're ready to deploy your product live, your developers can "obfuscate" a version of the code for distribution and maintain the original human-readable version for continued maintenance and development.

In addition to making it difficult to reverse-engineer, compressed JavaScript files are generally 40% to 60% smaller than their aesthetically pleasing human-readable counterparts, as a result of comment, whitespace, and line break removal.

Please see the above link for a quick example of the difference between a human-readable JavaScript function and an obfucscated function. I wouldn't recommend purchasing this version though as there are open source versions out there that will accomplish the same goal.

This version is Dean Edward's Packer. The problem with this is that the website has a decoder. This kind of defeats the purpose of obfuscation, and I would recommend it only for compression and not obfuscation.

These tools appear to be a great way to keep proprietary JavaScript code from falling into the wrong hands. Obfuscation is not prefect or foolproof, but consider this question: Is a thief more likely to snoop around in a car with unlocked doors or one that is securely locked?

Here are some links to free or open source obfuscators. All three work from the command line:

- YUI Compressor
- ObfuscateJS JavaScript Obfuscator
- JSO (JavaScript Obfuscator)