Secure Ruby Compiler

It's a choice. If you want to share your source, that is your decision.
If you don't, that is also your decision.

i could burn down your house, and that would be my decision.
or i could not, and that would be my decision.

but some human interactive conduct helps dynamically maximize
resources and reduce scarcity better than others.

One example of the need to obfuscate code: You have a "power user"
that continually hoses their system by making changes where they
shouldn't be. Locked up source would prevent this.

so would educating the user by successfully communicating the context
of why those changes are a bad idea in the nature of the code itself.
"protecting" users by keeping them naive only increases your time spent
(dare i say, wasted) on unproductive work. you can't be every user's
mommy, nor do most developers want to be.

>open-source software. (and ironically, the GPL proves that most
>people do not, in fact, steal licensed code.)

How does the GPL prove that? (I'm just asking, not trying to start
a flame war or anything.)

despite the *incredible* volume of GPL'd code available on the
internet, there have only been about 3 cases of someone (namely
companies) stealing GPL'd code.

it's not definitive proof. you could argue only 3 people have been
*caught* infringing on the GPL license. or that the GPL popularity
has many eyes finding infringers a shallow search. however, i feel a
statistically safe statement can still be made that just because users
can read the code does not mean they are more likely to infringe their
licences.

i think it's a myth fueled by fear of losing control of something that
authors never really had to begin with. "A man is no fool who gives
up what he cannot keep, to gain what he cannot lose." -- Ben
Schoenbauer

Regards,
   JJ

-z

···

On Sat, 10 Jul 2004 08:17:31 +0900, John Johnson <johnatl@mac.com> wrote:

On Friday, July 9, 2004, at 05:53 PM, zuzu wrote:

I love your passion for open source. I love open source too.

*BOOOP* *BOOOP* i think we're passing the buoy horns announcing
we're leaving ruby topic waters... :wink:

zuzu wrote:
[snip]
> users have a right to understand the code they are running.
[snip]

What specific code do they have the right to understand? All code? I
want to have that "right to understand" too! Where can I obtain it?

i hesitate to offer an absolute, but for now i will say all code
running on computing hardware you own. you can obtain it by
exercising your right in doing so.

Was that "right to understand" conveyed by law or a private contracts?

rights are supposedly innate, not granted by law. for example, the
american bill of rights does not grant rights, but defines which
rights the government may not legislate against.

however, in practice, rights are defined by the process of exercising them.

What if the user is too stupid to understand the code?

the ability for the human mind to learn is defined by biological
hardware (the brain). in fact the biological purpose of the brain is
to learn to adapt to its environment faster than the dna that composed
it can. read 'the human use of human beings' by norbert wiener,
'cosmos' by carl sagan, and 'age of spiritual machines' by ray
kurzweil for starters.

Does the
developer have to simplify the code until it could be understood by all
users?

no, but statistically the developer's best interest for the code to
improve, adapt, and extend (aka evolve) by presenting the code "as
simply as possible, but no simpler".
http://c2.com/cgi/wiki?EinsteinPrinciple

If the developer refuses to simplify the code, are they
criminals or merely committing a breach of contract?

neither, a license is not a contract.

[snip]
>(and ironically, the GPL proves that most
> people do not, in fact, steal licensed code.)
[snip]

How does GPL prove this? I'm not disagreeing with you, I'm just trying
to understand how the GPL proves that fact.

foremost, i mis-stated "steal", as theft denotes denial of use. i
meant license infringement, as i wrote for the rest of that email.
that said, GPL as an *example* statistically seems to support my
proposed hypothesis.

I reread the GPL and I couldn't find any statistical data comparing
number of people who steal vs comply with licensed code. All it contains
is a bunch of terms and conditions--no quantifiable data on theft.

again, not the GPL itself. i made a personal observation comparing
the total volume of code under the GPL license available on the
internet compared to number of accusations of GPL infringement as
reported by the slashdot(.org) news aggregator, whose content
specifically covers such matters. with reasonable certainty, if
anyone with web access has observed a GPL infringement, that
observation will be reported on slashdot.

Perhaps the GPL is obfuscated so that the statistical data on theft is
hidden from plain view. ASCII stenography? Hmmmm.

i find this statement asinine.

> obfuscation is a tool of oppression to secure a monopoly on an idea. (even copyrights are
> supposed to be TEMPORARY.)
>

Well, I don't like oppression and I don't like monopoly (but the game
"Monopoly" is kinda fun).

"how can a thimble be a landlord?"

Obfuscation is a tool of oppression? Like airplanes are a tool for
terrorism?

sure. tools are amoral. humans choose how they are used and for what purpose.

Should they both be banned?

of course not. however, by rule of law, some human activities are
deemed illegal within the boundaries of jurisdiction.

Hmmm, it could mean fewer
visits from the mother-in-law...maybe not a bad idea!

To be fair, we can probably imagine at least one undesirable use for
every invention known to humankind.

as i said.

It doesn't mean it is the only use
for the inventions--maybe it just means we need to use our imagination
to think of more positive uses.

I wouldn't use obfuscation for oppression. I'd use obfuscation to hide
passwords when full-blown encryption isn't very practical or necessary.
  For example, obfuscating a script that contains a database connection
password that I'm hosting on a shared server just in case an
unauthorized person gains read access to the script.

obfuscation, or rather, steganography as one form of obfuscation,
serves a different purpose than cryptography. cryptography relies on
probability and mathematical difficulty. obfuscation is applied
socially as disguise.

ps

Data needs to be overwritten between 9 times (DOD 5220.22-M standard) -
27+ times (Gutmann) before it is safe from modern HD recovery tools.
Encrypt (or at a minimum, obfuscate) data you don't want to become
public (anything useful for id theft or credit card fraud). Most of us
don't consider this when selling our computer or changing web hosting
providers.

http://www.gnupg.org/
(also one example of software which *must* be Free to do its job.)

-z
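
An added example, not written by anyone in this thread, for the shared-server case discussed above: keep the database password out of the script in a separate file and refuse to use it unless only the owner can read it. The names `load_db_password`, `InsecureSecretFile`, `obfuscate` and `deobfuscate`, and the sample password, are constructed for illustration.

```ruby
require "tempfile"

# Hypothetical error class for this example.
class InsecureSecretFile < StandardError; end

# Load a database password from a file kept outside the script. The file is
# rejected unless it is a regular file, owned by the current user, and has no
# group/other permission bits set (mode 0600 or stricter).
def load_db_password(path)
  stat = File.stat(path)
  raise InsecureSecretFile, "#{path} is not a regular file" unless stat.file?
  raise InsecureSecretFile, "#{path} is not owned by this user" unless stat.owned?

  # The low six mode bits are the group and other permissions (rwxrwx).
  unless (stat.mode & 0o077).zero?
    raise InsecureSecretFile,
          format("%s has mode %04o; expected 0600 or stricter",
                 path, stat.mode & 0o7777)
  end
  File.read(path).chomp
end

# What "obfuscating" a password inside the script amounts to: a reversible
# encoding whose decoder ships in the same file. Anyone with read access to
# the script can run the decoder too, so it adds no access control.
def obfuscate(password)
  [password].pack("m0") # strict Base64, no key involved
end

def deobfuscate(blob)
  blob.unpack1("m0")
end

# Runs both approaches on a constructed sample password.
def demo
  sample = "s3cr3t-constructed" # constructed sample value
  results = {}

  Tempfile.create("dbpass") do |f|
    f.write("#{sample}\n")
    f.flush

    File.chmod(0o644, f.path) # readable by other accounts on the host
    results[:world_readable] =
      begin
        load_db_password(f.path)
        :accepted
      rescue InsecureSecretFile
        :rejected
      end

    File.chmod(0o600, f.path) # owner read/write only
    results[:owner_only] = load_db_password(f.path)
  end

  results[:obfuscated_roundtrip] = deobfuscate(obfuscate(sample))
  results
end

p demo if __FILE__ == $PROGRAM_NAME
```
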

···

On Sat, 10 Jul 2004 14:18:50 +0900, Randy Lawrence <jm@zzzzzzzzzzzz.com> wrote:

John Johnson wrote:

It's a choice. If you want to share your source, that is your decision.
If you don't, that is also your decision.

One example of the need to obfuscate code: You have a "power user"
that continually hoses their system by making changes where they
shouldn't be. Locked up source would prevent this.

So would changing the permissions on the file and taking root access from
the user.

···

--
Neil Stevens - neil @hakubi.us
"The world is a dangerous place to live; not because of the people who
are evil, but because of the people who don't do anything about it."
                                                 -- Albert Einstein(?)

Hello Erik,

No. The idea of RubyScript2Exe is to let a script run on
Windows in the simplest way possible (or "How can my mother
start an application?"). Manually copying one or more DLL's
isn't the simplest way. You could as well install Ruby...

The "hiding my code" in this thread is just a side effect of
RubyScript2Exe, not one of its goals.

Do you really care about size? I usually don't...

As long as less than 20% of the world's computer user population has high
bandwidth access there is a problem. One of the papers in the marketing
area of "www.download.com" (still the world's largest download service)
is a statistic about "size <-> download numbers" and there is a clear
indication that programs over 5 MB are getting fewer downloads
than competitive programs.

So yes, depending on my targeted customers, i care about size.

···

--
Best regards, emailto: scholz at scriptolutions dot com
Lothar Scholz http://www.ruby-ide.com
CTO Scriptolutions Ruby, PHP, Python IDE 's

That's completely different. Burning down my house infringes on my rights.
Obfuscating your source does not.

Regards,
   JJ

···

On Friday, July 9, 2004, at 08:09 PM, zuzu wrote:

On Sat, 10 Jul 2004 08:17:31 +0900, John Johnson <johnatl@mac.com> wrote:

It's a choice. If you want to share your source, that is your decision.
If you don't, that is also your decision.

i could burn down your house, and that would be my decision.
or i could not, and that would be my decision.

zuzu wrote:

I love your passion for open source. I love open source too.

*BOOOP* *BOOOP* i think we're passing the buoy horns announcing
we're leaving ruby topic waters... :wink:

zuzu wrote:
[snip]

users have a right to understand the code they are running.

[snip]

What specific code do they have the right to understand? All code? I
want to have that "right to understand" too! Where can I obtain it?

i hesitate to offer an absolute, but for now i will say all code
running on computing hardware you own. you can obtain it by
exercising your right in doing so.

I wish that were true but the law would disagree with you.

Possession != lawful ownership (car thieves realize this when they're pulled over by the cops--imagine the judge listening to thieves' argument about exercising their "right" to take possession of the car). They illustrate what happens to people that go thru life insisting they are right and the law is wrong.

Sadly, most software is LICENSED and not actually SOLD. When consumers BUY products, they have been GRANTED OWNERSHIP. When consumers LICENSE products, their rights are restricted to those in the LICENSE AGREEMENT.

The good news is that if consumers don't like the LICENSE they can choose not to buy the product. Better news is that if consumers could not see the license before purchasing (like shrinkwrap) they can receive a refund.

Was that "right to understand" conveyed by law or a private contracts?

rights are supposedly innate, not granted by law. for example, the
american bill of rights does not grant rights, but defines which
rights the government may not legislate against.

however, in practice, rights are defined by the process of exercising them.

Perhaps your definition of "rights" is different from mine. In the context of OWNERSHIP, a "right" means "legal claim" which means to "lawfully own" something.

If you meant something other than "legal claim" when using the term "right" then the conversation was silly because we're talking about different things.

I suspect by "right" you probably mean "choice". We can "choose" to do anything we want but that can lead to a dramatic loss of future choices if we go to jail/prison for ignoring the law. Car thieves "choose" to drive other people's cars but they don't have a "right" or "legal claim" to those cars so they end up in jail.

What if the user is too stupid to understand the code?

the ability for the human mind to learn is defined by biological
hardware (the brain). in fact the biological purpose of the brain is
to learn to adapt to its environment faster than the dna that composed
it can. read 'the human use of human beings' by norbert wiener,
'cosmos' by carl sagan, and 'age of spiritual machines' by ray
kurzweil for starters.

Does the
developer have to simplify the code until it could be understood by all
users?

no, but statistically the developer's best interest for the code to
improve, adapt, and extend (aka evolve) by presenting the code "as
simply as possible, but no simpler". http://c2.com/cgi/wiki?EinsteinPrinciple

If the developer refuses to simplify the code, are they
criminals or merely committing a breach of contract?

neither, a license is not a contract.
The GPL Is a License, not a Contract [LWN.net]

That article proves my point.

More correctly, a license is not a contract IF AND ONLY IF there is no exchange of obligations.

Traditional licenses had no exchange of values--rights were granted with nothing expected in return--so they weren't a contract. The article simply argues that the GPL fits that description.

But most other software licenses DO NOT fit that description because they require certain things "in consideration" for granting certain rights to the licensee.

article: "A contract, on the other hand, is an exchange of obligations, either of promises for promises or of promises of future performance for present performance or payment. The idea that 'licenses' to use patents or copyrights must be contracts is an artifact of twentieth-century practice, in which licensors offered an exchange of promises with users: 'We will give you a copy of our copyrighted work,' in essence, 'if you pay us and promise to enter into certain obligations concerning the work.' With respect to software, those obligations by users include promises not to decompile or reverse-engineer the software, and not to transfer the software."
....
"The GPL, however, is a true copyright license: a unilateral permission, in which no obligations are reciprocally required by the licensor."

The article clearly states that software licenses that require certain obligations from users are in fact contracts.

So if the license does not specifically "grant ownership" of the software to the user, the user is not the lawful owner of the software. To make this abundantly clear, most commercial software license agreements explicitly state something like:

"The SOFTWARE is licensed, not sold. AUTHOR reserves all rights not expressly granted to you in this EULA. "

[snip]

(and ironically, the GPL proves that most
people do not, in fact, steal licensed code.)

[snip]

How does GPL prove this? I'm not disagreeing with you, I'm just trying
to understand how the GPL proves that fact.

foremost, i mis-stated "steal", as theft denotes denial of use. i
meant license infringement, as i wrote for the rest of that email.
that said, GPL as an *example* statistically seems to support my
proposed hypothesis.

I reread the GPL and I couldn't find any statistical data comparing
number of people who steal vs comply with licensed code. All it contains
is a bunch of terms and conditions--no quantifiable data on theft.

again, not the GPL itself. i made a personal observation comparing
the total volume of code under the GPL license available on the
internet compared to number of accusations of GPL infringement as
reported by the slashdot(.org) news aggregator, whose content
specifically covers such matters. with reasonable certainty, if
anyone with web access has observed a GPL infringement, that
observation will be reported on slashdot.

People would have to find out about infringement before making accusations. Also, people who find out might not be willing to make the accusation because it's their employer or they fear a slander/libel lawsuit.

Perhaps the GPL is obfuscated so that the statistical data on theft is
hidden from plain view. ASCII stenography? Hmmmm.

i find this statement asinine.

I think many people will find many statements in this thread very asinine.

obfuscation is a tool of oppression to secure a monopoly on an idea. (even copyrights are
supposed to be TEMPORARY.)

Well, I don't like oppression and I don't like monopoly (but the game
"Monopoly" is kinda fun).

"how can a thimble be a landlord?"

LOL.

Obfuscation is a tool of oppression? Like airplanes are a tool for
terrorism?

sure. tools are amoral. humans choose how they are used and for what purpose.

Should they both be banned?

of course not. however, by rule of law, some human activities are
deemed illegal within the boundaries of jurisdiction.

So you agree that obfuscation can have practical purposes other than "oppression to support a monopoly"?

···

On Sat, 10 Jul 2004 14:18:50 +0900, Randy Lawrence <jm@zzzzzzzzzzzz.com> wrote:

Hmmm, it could mean fewer
visits from the mother-in-law...maybe not a bad idea!

To be fair, we can probably imagine at least one undesirable use for
every invention known to humankind.

as i said.

It doesn't mean it is the only use
for the inventions--maybe it just means we need to use our imagination
to think of more positive uses.

I wouldn't use obfuscation for oppression. I'd use obfuscation to hide
passwords when full-blown encryption isn't very practical or necessary.
For example, obfuscating a script that contains a database connection
password that I'm hosting on a shared server just in case an
unauthorized person gains read access to the script.

obfuscation, or rather, steganography as one form of obfuscation,
serves a different purpose than cryptography. cryptography relies on
probability and mathematical difficulty. obfuscation is applied
socially as disguise.

ps

Data needs to be overwritten between 9 times (DOD 5220.22-M standard) -
27+ times (Gutmann) before it is safe from modern HD recovery tools.
Encrypt (or at a minimum, obfuscate) data you don't want to become
public (anything useful for id theft or credit card fraud). Most of us
don't consider this when selling our computer or changing web hosting
providers.

http://www.gnupg.org/
(also one example of software which *must* be Free to do its job.)

-z

Lothar,

First, it's worth noting that applications implemented in Ruby usually
(though not always) have much smaller file sizes than equivalent
"native" binaries, since the only download needed is the source code
(which is itself quite compact due to Ruby's compact syntax). In
addition, the entire Ruby runtime is a smaller download than any
recent JRE or Python distribution; with a little judicious pruning, it
could almost certainly be reduced further.

If you're targeting Windows, then I highly recommend Exerb. Along with
UPX, (an executable "packer", which transparently compresses binaries)
I've used it to produce standalone Windows EXE files from Ruby scripts
which were 200-300KB in size. With a full GUI toolkit, you should
still be able to come in around the 1MB mark.

One interesting offshoot of the PP installer distribution of Ruby
might be an ActiveX control version of Ruby, optimized for size. I
think that it should be entirely possible to produce a (mostly) static
binary, compressed with UPX, well under 1MB in size. That would
greatly simplify the requirements for distributing Ruby applications
on Windows, which is where users are likely to be the most put off by
the need to install any additional software.

Just my $0.02.

Lennon

>> It's a choice. If you want to share your source, that is your
>> decision.
>> If you don't, that is also your decision.
>
> i could burn down your house, and that would be my decision.
> or i could not, and that would be my decision.

That's completely different. Burning down my house infringes on my
rights.
Obfuscating your source does not.

how does obfuscated code not infringe my rights?

would you eat food without knowing the ingredients?
or take drugs without knowing how they work?
do you think ignorance of pollutants in the air and water puts your
health at risk?

Regards,
   JJ

-z

···

On Sat, 10 Jul 2004 10:35:55 +0900, John Johnson <johnatl@mac.com> wrote:

On Friday, July 9, 2004, at 08:09 PM, zuzu wrote:
> On Sat, 10 Jul 2004 08:17:31 +0900, John Johnson <johnatl@mac.com> wrote:

I use Exerb, EZExerb, and NSIS with HMSoft's interface.

I use SQLite and FXRuby(FOX), and the pre-compressed EXE is over 5
megs. After NSIS compresses it and wraps in all of the other
dependencies I usually get between 1.5 megs and 1.7 megs.

I don't use UPX, though I looked into it once... I should look into it again.

I agree that a 5 meg application is a little outrageous, but when you
think about it... I'm including Scintilla, SQLite, FOX, and OpenGL
support as well - but I'm definitely not using everything that each has
to offer... and that means that I can do more than I've wanted to in
under 2 megs - which isn't that bad in my opinion.

Join all of the above with the fact that I'm writing everything in
Ruby... yeah... I'm almost in heaven.

The only thing I haven't been able to get that I might want would be
_true_ protection of my source code, and a final EXE size of under a
meg ( maybe this could happen with UPX ).

-Rich

Seriously guys.

Calm down.

:slight_smile:

-Rich

···

On Sat, 10 Jul 2004 11:00:58 +0900, zuzu <sean.zuzu@gmail.com> wrote:

On Sat, 10 Jul 2004 10:35:55 +0900, John Johnson <johnatl@mac.com> wrote:
>
> On Friday, July 9, 2004, at 08:09 PM, zuzu wrote:
>
> > On Sat, 10 Jul 2004 08:17:31 +0900, John Johnson <johnatl@mac.com> wrote:
> >> It's a choice. If you want to share your source, that is your
> >> decision.
> >> If you don't, that is also your decision.
> >
> > i could burn down your house, and that would be my decision.
> > or i could not, and that would be my decision.
>
> That's completely different. Burning down my house infringes on my
> rights.
> Obfuscating your source does not.

how does obfuscated code not infringe my rights?

would you eat food without knowing the ingredients?
or take drugs without knowing how they work?
do you think ignorance of pollutants in the air and water puts your
health at risk?

> Regards,
> JJ
>
>

-z

On the subject of the pros and cons of open source vs. proprietary closed
source in the Ruby ML: how about that Portugal/Greece final! What a game.

  Sean O'Dell

···

On Friday 09 July 2004 19:00, zuzu wrote:

On Sat, 10 Jul 2004 10:35:55 +0900, John Johnson <johnatl@mac.com> wrote:
> On Friday, July 9, 2004, at 08:09 PM, zuzu wrote:
> > On Sat, 10 Jul 2004 08:17:31 +0900, John Johnson <johnatl@mac.com> wrote:
> >> It's a choice. If you want to share your source, that is your
> >> decision.
> >> If you don't, that is also your decision.
> >
> > i could burn down your house, and that would be my decision.
> > or i could not, and that would be my decision.
>
> That's completely different. Burning down my house infringes on my
> rights.
> Obfuscating your source does not.

how does obfuscated code not infringe my rights?

would you eat food without knowing the ingredients?
or take drugs without knowing how they work?
do you think ignorance of pollutants in the air and water puts your
health at risk?

>> It's a choice. If you want to share your source, that is your
>> decision.
>> If you don't, that is also your decision.
>
> i could burn down your house, and that would be my decision.
> or i could not, and that would be my decision.

That's completely different. Burning down my house infringes on my
rights.
Obfuscating your source does not.

how does obfuscated code not infringe my rights?

It just doesn't.

would you eat food without knowing the ingredients?

Yes.

or take drugs without knowing how they work?

Yes.

do you think ignorance of pollutants in the air and water puts your
health at risk?

No.

Gavin

···

On Saturday, July 10, 2004, 12:00:58 PM, zuzu wrote:

On Sat, 10 Jul 2004 10:35:55 +0900, John Johnson <johnatl@mac.com> wrote:

On Friday, July 9, 2004, at 08:09 PM, zuzu wrote:
> On Sat, 10 Jul 2004 08:17:31 +0900, John Johnson <johnatl@mac.com> wrote:

Because you have the choice not to use it.

···

On Friday, July 9, 2004, at 10:00 PM, zuzu wrote:

On Sat, 10 Jul 2004 10:35:55 +0900, John Johnson <johnatl@mac.com> wrote:

On Friday, July 9, 2004, at 08:09 PM, zuzu wrote:

On Sat, 10 Jul 2004 08:17:31 +0900, John Johnson <johnatl@mac.com> wrote:

It's a choice. If you want to share your source, that is your
decision.
If you don't, that is also your decision.

i could burn down your house, and that would be my decision.
or i could not, and that would be my decision.

That's completely different. Burning down my house infringes on my
rights.
Obfuscating your source does not.

how does obfuscated code not infringe my rights?

are you using LZMA compression or others? latest nsis should support
LZMA which is said to remove an average of 20% more than the previous best
(don't remember what it was.. maybe bz2)

···

On Wed, 7 Jul 2004 23:28:05 +0900, richard lyman <lymans@gmail.com> wrote:

I use Exerb, EZExerb, and NSIS with HMSoft's interface.

I use SQLite and FXRuby(FOX), and the pre-compressed EXE is over 5
megs. After NSIS compresses it and wraps in all of the other
dependencies I usually get between 1.5 megs and 1.7 megs.

UPX can only compress the Ruby core files and DLLs you feed into
Exerb, not the finished EXE, but I've found it still usually gives a
40-50% reduction in the total binary size. So, your installed app
might run in the 2.5-3.0MB range, with the installer about the same as
it is now, since multiple compression runs usually don't buy you much.

UPX might offer a pretty good way to protect reg. key algorithms and
other sensitive strings, as well; as a naive solution, you could just
try compiling them into a simple C extension, and running UPX on the
shared object for that library. The DLL/SO file would then be in a
packed binary format that should frustrate at least casual crackers,
and forcing you to extern sensitive strings into an outside extension
might help you take into account which items were indeed sensitive,
rather than just obfuscating everything.

Lennon

0-1 Software Libre wins! :wink:

-z

···

On Sat, 10 Jul 2004 11:28:08 +0900, Sean O'Dell <sean@celsoft.com> wrote:

On Friday 09 July 2004 19:00, zuzu wrote:
> On Sat, 10 Jul 2004 10:35:55 +0900, John Johnson <johnatl@mac.com> wrote:
> > On Friday, July 9, 2004, at 08:09 PM, zuzu wrote:
> > > On Sat, 10 Jul 2004 08:17:31 +0900, John Johnson <johnatl@mac.com> wrote:
> > >> It's a choice. If you want to share your source, that is your
> > >> decision.
> > >> If you don't, that is also your decision.
> > >
> > > i could burn down your house, and that would be my decision.
> > > or i could not, and that would be my decision.
> >
> > That's completely different. Burning down my house infringes on my
> > rights.
> > Obfuscating your source does not.
>
> how does obfuscated code not infringe my rights?
>
> would you eat food without knowing the ingredients?
> or take drugs without knowing how they work?
> do you think ignorance of pollutants in the air and water puts your
> health at risk?

On the subject of the pros and cons of open source vs. proprietary closed
source in the Ruby ML: how about that Portugal/Greece final! What a game.

        Sean O'Dell

sure, and slaves have the choice not to work.

choices are limited by available information/knowledge, precisely the
problem at hand.

-z

···

On Sat, 10 Jul 2004 12:27:57 +0900, John Johnson <johnatl@mac.com> wrote:

On Friday, July 9, 2004, at 10:00 PM, zuzu wrote:

> On Sat, 10 Jul 2004 10:35:55 +0900, John Johnson <johnatl@mac.com> wrote:
>>
>> On Friday, July 9, 2004, at 08:09 PM, zuzu wrote:
>>
>>> On Sat, 10 Jul 2004 08:17:31 +0900, John Johnson <johnatl@mac.com> wrote:
>>>> It's a choice. If you want to share your source, that is your
>>>> decision.
>>>> If you don't, that is also your decision.
>>>
>>> i could burn down your house, and that would be my decision.
>>> or i could not, and that would be my decision.
>>
>> That's completely different. Burning down my house infringes on my
>> rights.
>> Obfuscating your source does not.
>
> how does obfuscated code not infringe my rights?

Because you have the choice not to use it.