Don't be a chiropractor
Category domino
Another security-related post. First, a big kudos to IBM: as always, Notes/Domino security reigns supreme. While Java can be decompiled rather easily, LotusScript can not. If, instead of typing your script directly within Designer, you store it in a text file (generally with a .lss extension) and then place a %INCLUDE directive where the script would ordinarily live, when you save the design element, Designer compiles the code as if the contents of the file specified in the %INCLUDE were there instead of the directive. Once you've done that, there's no way (that I know of, anyway) to retrieve that portion of the source from the design element itself... you must have the separate source file. In fact, if you attempt to recompile the element without access to that file, it breaks; either it simply won't compile, or the recompiled element no longer contains any of the code defined in that file. In other words, if you're selling a template and have no intention of open sourcing it, this is a pretty solid way to hide your script code.
Secondly, an apology to any actual chiropractors for the slander that is about to follow. As far as I know, I don't personally know any chiropractors, and have never gone to one, so the reputation may be ill-deserved, but everyone I know who's described the experience has done so almost identically: they seem to be great at addressing short term needs, but once you go, you have to keep going. Each time, you feel great immediately afterwards; they've provided much-needed relief. But before long, the same symptoms come back, often worse than before. Again, I don't have any direct personal experience in this area, so that could be a completely unfair generalization.
Finally, if you're an organization selling a product to many customers, by all means, feel free to keep your source inaccessible to those customers if there are legitimate reasons for doing so. In addition to simply safeguarding your intellectual property to ensure that you'll be around long-term to support and enhance the product, there's definitely something to be said for knowing, when a customer reports a problem, that the code they're running is still the code that you wrote. I shudder to guess how many times someone has called IBM to tell them that their mail template is broken, not realizing (or unwilling to admit) that something they mucked with is causing the aberration. So I'm fine with hidden source in that scenario. But... if you're just some guy who was brought in by a specific client to develop a Domino app specifically for that client - even if certain portions of functionality it will contain are fairly universal in nature - don't tie everything in that app to a script library that consists only of a single %INCLUDE and then walk out the door with that file without giving it to the client. That's not cool. That's chiropractic consulting: the client is forced to come back to you to make any changes, 'cause if they try to do it themselves (or bring in a competitor), they'll have to waste time and money rewriting everything except the interface... even recompiling the library without that file breaks their entire app. If you're ninja enough, they'll keep coming back anyway because they're satisfied with the result every time they do - not because that's their only option.
This scenario is purely hypothetical, of course. All the same, if you do know of a way to extract $ScriptLib_O to get at the original source, please contact me directly (i.e. email, phone, IM), but not via a comment. For the reasons listed above, I'm glad you can't just Google something like this.
Another security-related post. First, a big kudos to IBM: as always, Notes/Domino security reigns supreme. While Java can be decompiled rather easily, LotusScript can not. If, instead of typing your script directly within Designer, you store it in a text file (generally with a .lss extension) and then place a %INCLUDE directive where the script would ordinarily live, when you save the design element, Designer compiles the code as if the contents of the file specified in the %INCLUDE were there instead of the directive. Once you've done that, there's no way (that I know of, anyway) to retrieve that portion of the source from the design element itself... you must have the separate source file. In fact, if you attempt to recompile the element without access to that file, it breaks; either it simply won't compile, or the recompiled element no longer contains any of the code defined in that file. In other words, if you're selling a template and have no intention of open sourcing it, this is a pretty solid way to hide your script code.
Secondly, an apology to any actual chiropractors for the slander that is about to follow. As far as I know, I don't personally know any chiropractors, and have never gone to one, so the reputation may be ill-deserved, but everyone I know who's described the experience has done so almost identically: they seem to be great at addressing short term needs, but once you go, you have to keep going. Each time, you feel great immediately afterwards; they've provided much-needed relief. But before long, the same symptoms come back, often worse than before. Again, I don't have any direct personal experience in this area, so that could be a completely unfair generalization.
Finally, if you're an organization selling a product to many customers, by all means, feel free to keep your source inaccessible to those customers if there are legitimate reasons for doing so. In addition to simply safeguarding your intellectual property to ensure that you'll be around long-term to support and enhance the product, there's definitely something to be said for knowing, when a customer reports a problem, that the code they're running is still the code that you wrote. I shudder to guess how many times someone has called IBM to tell them that their mail template is broken, not realizing (or unwilling to admit) that something they mucked with is causing the aberration. So I'm fine with hidden source in that scenario. But... if you're just some guy who was brought in by a specific client to develop a Domino app specifically for that client - even if certain portions of functionality it will contain are fairly universal in nature - don't tie everything in that app to a script library that consists only of a single %INCLUDE and then walk out the door with that file without giving it to the client. That's not cool. That's chiropractic consulting: the client is forced to come back to you to make any changes, 'cause if they try to do it themselves (or bring in a competitor), they'll have to waste time and money rewriting everything except the interface... even recompiling the library without that file breaks their entire app. If you're ninja enough, they'll keep coming back anyway because they're satisfied with the result every time they do - not because that's their only option.
This scenario is purely hypothetical, of course. All the same, if you do know of a way to extract $ScriptLib_O to get at the original source, please contact me directly (i.e. email, phone, IM), but not via a comment. For the reasons listed above, I'm glad you can't just Google something like this.
Comments
Pops - I should have taken bets on spelling, there is always one (or more) who don't accept confrontation and retreat into spelling attax :) Be young at heart Pops - go see a chiropractor - could save your life and let you read the dictionary for longer.
Tim - I read your blog regularly. Your OK. Just be prepared for the occasional badly written post to excite comment. This one did :)
Posted by Bruce Langner At 11:47:59 PM On 12/17/2007 | - Website - |
I go to a chiropractor every two weeks, and also get a 30 minute neuromuscular massage. I understand the benefits, and I also understand why I need both services and how they work and what they do for me. If you're interested in learning more let me know. I'm glad to share.
Posted by Charles Robinson At 09:07:25 AM On 12/13/2007 | - Website - |
Posted by Mike At 08:18:58 AM On 12/14/2007 | - Website - |
"We're electronic plumbers: we do our job right, nobody notices; but if we don't, a lot of people might have a really crappy day."
Posted by Tim Tripcony At 04:43:16 PM On 12/16/2007 | - Website - |
/me starts pondering how he can best equate certain styles of consulting to psychiatry, acupuncture, and crystal mediation.
I wonder if Bruce would have had a similar reaction if you'd compared the forced-return technique to, say, a divorce lawyer?
Posted by Nathan T. Freeman At 10:11:49 AM On 12/16/2007 | - Website - |
"Oh, and the disclaimer that apologises for humiliation performed in ignorance."
I read Tim's blog about once a week to keep up on some of the advances of Lotus Notes since I "retired" as version 5 was being released. I also find some amusement now and then to brighten my day, such as when someone uses the word "ignorance" in a paragraph that has two spelling errors. With your last name I am assuming that your surname could possibly be British so I will give you the second questionable spelling as a possibility. Here's what Merriam-Webster has to say..apologise
Main Entry:apol·o·gise
British variant of apologize
Ok,I'll give you that one but what origin is denegrate?
Just kidding, an old man has to have some fun now and then.
Posted by Pops At 04:46:10 PM On 12/14/2007 | - Website - |
@Bruce, point taken. I could have stated my case without the analogy, and probably should have. I'll keep that in mind going forward.
@Mike, not entirely hypothetical. I've seen this happen upon occasion.
Posted by Tim Tripcony At 01:55:04 PM On 12/14/2007 | - Website - |
Posted by Tim Tripcony At 03:43:45 PM On 12/18/2007 | - Website - |
So Tim, why would you want to denegrate an entire profession publicly, based on hearsay, just to illustrate a codes of conduct post? Look forward to your post on ethics. Oh, and the disclaimer that apologises for humiliation performed in ignorance.
Your Lotus Notes tips are OK though.
Posted by Bruce Langner At 09:19:44 PM On 12/13/2007 | - Website - |
I'm not a native English speaker, so don't be surprised if all you guys find any spelling or grammar errors.
Posted by Starrow Pan At 02:35:41 AM On 09/04/2009 | - Website - |