How would I package and sell a Django app?
Question:
Currently I am hosting a Django app I developed myself for my clients, but I am now starting to look at selling it to people for them to host themselves.
My question is this: How can I package up and sell a Django app, while protecting its code from pirating or theft? Distributing a bunch of .py files doesn’t sound like a good idea as the people I sell it to too could just make copies of them and pass them on.
I think for the purpose of this problem it would be safe to assume that everyone who buys this would be running the same (LAMP) setup.
Answers:
The way I’d go about it is this:
- Encrypt all of the code
- Write an installer that contacts the server with the machine’s hostname and license file and gets the decryption key, then decrypts the code and compiles it to python bytecode
- Add (in the installer) a module that checks the machine’s hostname and license file on import and dies if it doesn’t match
This way the user only has to contact the server when the hostname changes and on first install, but you get a small layer of security. You could change the hostname to something more complex, but there’s really no need — anyone that wants to pirate this will do so, but a simple mechanism like that will keep honest people honest.
You could package the whole thing up as an Amazon Machine Instance (AMI), and then have them run your app on Amazon EC2. The nice thing about this solution is that Amazon will take care of billing for you, and since you’re distributing the entire machine image, you can be certain that all your clients are using the same LAMP stack. The AMI is an encrypted machine image that is configured however you want it.
You can have Amazon bill the client with a one-time fee, usage-based fee, or monthly fee.
Of course, this solution requires that your clients host their app at Amazon, and pay the appropriate fees.
Don’t try and obfuscate or encrypt the code – it will never work.
I would suggest selling the Django application “as a service” – either host it for them, or sell them the code and support. Write up a contract that forbids them from redistributing it.
That said, if you were determined to obfuscate the code in some way – you can distribute python applications entirely as .pyc (Python compiled byte-code).. It’s how Py2App works.
It will still be re-distributable, but it will be very difficult to edit the files – so you could add some basic licensing stuff, and not have it foiled by a few #s..
As I said, I don’t think you’ll succeed in anti-piracy via encryption or obfuscation etc.. Depending on your clients, a simple contract, and maybe some really basic checks will go a long much further than some complicated decryption system (And make the experience of using your application better, instead of hopefully not any worse)
You’ll never be able to keep the source code from people who really want it. It’s best to come to grips with this fact now, and save yourself the headache later.
One thing you might want to consider is what FogBugz does. Simply include a small binary (perhaps a C program) that is compiled for the target platforms and contains the code to validate the license.
This way you can keep the honest people honest with minimal headache on your part.
“Encrypting” Python source code (or bytecode, or really bytecode for any language that uses it — not just Python) is like those little JavaScript things some people put on web pages to try to disable the right-hand mouse button, declaring “now you can’t steal my images!”
The workarounds are trivial, and will not stop a determined person.
If you’re really serious about selling a piece of Python software, you need to act serious. Pay an attorney to draw up license/contract terms, have people agree to them at the time of purchase, and then just let them have the actual software. This means you’ll have to haul people into court if they violate the license/contract terms, but you’d have to do that no matter what (e.g., if somebody breaks your “encryption” and starts distributing your software), and having the actual proper form of legal words already set down on paper, with their signature, will be far better for your business in the long term.
If you’re really that paranoid about people “stealing” your software, though, just stick with a hosted model and don’t give them access to the server. Plenty of successful businesses are based around that model.
May I speak frankly, as a friend? Unless your app is Really Amazing, you may not get many buyers. Why waste the time on lawyers, obfuscation, licensing and whatnot? You stand to gain a better reputation by open-sourcing your code…and maintaining it.
Django comes from the open-source end of the spectrum from licensing (and obfuscating). Granted, the MIT license is more common than the GPL; still they are both very far removed from anything like Microsoft’s EULA. A lot of Djangophiles will balk at closed source code, simply because that’s what Microsoft does.
Also, people will trust your code more, since they will be able to read it and verify that it contains no malicious code. Remember, “obfuscating” means “hiding;” and who will really know exactly what you’ve hidden?
Granted, there’s no easy way to monetize open-sourced code. But you could offer your services or even post a campaign on Pledgie.com, for those who are thankful for all your great work.
Currently I am hosting a Django app I developed myself for my clients, but I am now starting to look at selling it to people for them to host themselves.
My question is this: How can I package up and sell a Django app, while protecting its code from pirating or theft? Distributing a bunch of .py files doesn’t sound like a good idea as the people I sell it to too could just make copies of them and pass them on.
I think for the purpose of this problem it would be safe to assume that everyone who buys this would be running the same (LAMP) setup.
The way I’d go about it is this:
- Encrypt all of the code
- Write an installer that contacts the server with the machine’s hostname and license file and gets the decryption key, then decrypts the code and compiles it to python bytecode
- Add (in the installer) a module that checks the machine’s hostname and license file on import and dies if it doesn’t match
This way the user only has to contact the server when the hostname changes and on first install, but you get a small layer of security. You could change the hostname to something more complex, but there’s really no need — anyone that wants to pirate this will do so, but a simple mechanism like that will keep honest people honest.
You could package the whole thing up as an Amazon Machine Instance (AMI), and then have them run your app on Amazon EC2. The nice thing about this solution is that Amazon will take care of billing for you, and since you’re distributing the entire machine image, you can be certain that all your clients are using the same LAMP stack. The AMI is an encrypted machine image that is configured however you want it.
You can have Amazon bill the client with a one-time fee, usage-based fee, or monthly fee.
Of course, this solution requires that your clients host their app at Amazon, and pay the appropriate fees.
Don’t try and obfuscate or encrypt the code – it will never work.
I would suggest selling the Django application “as a service” – either host it for them, or sell them the code and support. Write up a contract that forbids them from redistributing it.
That said, if you were determined to obfuscate the code in some way – you can distribute python applications entirely as .pyc (Python compiled byte-code).. It’s how Py2App works.
It will still be re-distributable, but it will be very difficult to edit the files – so you could add some basic licensing stuff, and not have it foiled by a few #s..
As I said, I don’t think you’ll succeed in anti-piracy via encryption or obfuscation etc.. Depending on your clients, a simple contract, and maybe some really basic checks will go a long much further than some complicated decryption system (And make the experience of using your application better, instead of hopefully not any worse)
You’ll never be able to keep the source code from people who really want it. It’s best to come to grips with this fact now, and save yourself the headache later.
One thing you might want to consider is what FogBugz does. Simply include a small binary (perhaps a C program) that is compiled for the target platforms and contains the code to validate the license.
This way you can keep the honest people honest with minimal headache on your part.
“Encrypting” Python source code (or bytecode, or really bytecode for any language that uses it — not just Python) is like those little JavaScript things some people put on web pages to try to disable the right-hand mouse button, declaring “now you can’t steal my images!”
The workarounds are trivial, and will not stop a determined person.
If you’re really serious about selling a piece of Python software, you need to act serious. Pay an attorney to draw up license/contract terms, have people agree to them at the time of purchase, and then just let them have the actual software. This means you’ll have to haul people into court if they violate the license/contract terms, but you’d have to do that no matter what (e.g., if somebody breaks your “encryption” and starts distributing your software), and having the actual proper form of legal words already set down on paper, with their signature, will be far better for your business in the long term.
If you’re really that paranoid about people “stealing” your software, though, just stick with a hosted model and don’t give them access to the server. Plenty of successful businesses are based around that model.
May I speak frankly, as a friend? Unless your app is Really Amazing, you may not get many buyers. Why waste the time on lawyers, obfuscation, licensing and whatnot? You stand to gain a better reputation by open-sourcing your code…and maintaining it.
Django comes from the open-source end of the spectrum from licensing (and obfuscating). Granted, the MIT license is more common than the GPL; still they are both very far removed from anything like Microsoft’s EULA. A lot of Djangophiles will balk at closed source code, simply because that’s what Microsoft does.
Also, people will trust your code more, since they will be able to read it and verify that it contains no malicious code. Remember, “obfuscating” means “hiding;” and who will really know exactly what you’ve hidden?
Granted, there’s no easy way to monetize open-sourced code. But you could offer your services or even post a campaign on Pledgie.com, for those who are thankful for all your great work.