[nodejs] Re: Secure distribution of NodeJS applications

2012-06-16 Thread sahal
You can research things such as BoxedApp. They're quite expensive. They solve the problem. -- Job Board: http://jobs.nodejs.org/ Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines You received this message because you are subscribed to

[nodejs] Re: Secure distribution of NodeJS applications

2012-09-18 Thread Matthew de Detrich
Instead of trying to vilify the poster (because a few posters here who are saying that securely boxing applications is useless appear to have little understanding of how some companies operate, and the fact that even though it's theoretically possible to reverse engineer something, its practical

[nodejs] Re: Secure distribution of NodeJS applications

2012-02-24 Thread Matt
I have a similar requirement for a project, and came to the conclusion that node core could be extended and recompiled to produce custom binaries (someone with more knowledge can correct me if I am wrong here). With a little bit of care, you should also get the benefit of all the cross-platfor

[nodejs] Re: Secure distribution of NodeJS applications

2012-02-24 Thread Lalo Martins
quoth Jeremy Rudd as of Thu, 23 Feb 2012 07:56:43 -0800:
> *What:* Can NodeJS apps be distributed as binary? ie. you compile the .js app via V8 into its native binary, and distribute the binary to our clients? ... or is minifying the code all you can do?
>
> *Why:* We build serverside applica

[nodejs] Re: Secure distribution of NodeJS applications

2012-02-26 Thread manimal45
I think original poster knows about business/contracts protection. His question seems to me technical, and would be far from ideal to consider the case closed. Aside from the "secure" aspect, I believe the very first intent of node.js was to easily build scalable network applications. Now, imagin

[nodejs] Re: Secure distribution of NodeJS applications

2012-02-26 Thread mscdex
It'd be neat to be able to have specific modules' (bundled in the node executable) exported functions not show their source code when .toString()'ed, kind of like how native C++ functions show "[native code]" when .toString()'ed.

[nodejs] Re: Secure distribution of NodeJS applications

2012-02-26 Thread billywhizz
if you put your js libs in the lib directory of the node.js source and run make, the libs will be included as natives in the compiled node binary. you can then just require them without a path. e.g. if you have a module named test.js in the lib dir, then just do the following: var test = require("

[nodejs] Re: Secure distribution of NodeJS applications

2012-02-27 Thread Jeremy Rudd
On Feb 24, 11:52 pm, Lalo Martins wrote:
> And please don't co-opt the word “secure” for it.
I'm a dev, not management. I understand the field internally and so I'm trying to start discussions to securely distribute NodeJS apps. Anyone wants to vote if C++ EXE's are harder to decompile than .NET

[nodejs] Re: Secure distribution of NodeJS applications

2012-02-27 Thread Jeremy Rudd
On Feb 26, 7:18 pm, manimal45 wrote:
> It would be awesome if 'customers' could download node.js apps as executable.
> This would open the road for many new applications where a central "cloud" server instance could communicate with customers infrastructure via agents.
I second this. There

[nodejs] Re: Secure distribution of NodeJS applications

2012-02-27 Thread Jeremy Rudd
On Feb 26, 8:09 pm, mscdex wrote:
> It'd be neat to be able to have specific modules' (bundled in the node executable) exported functions not show their source code when .toString()'ed, kind of like how native C++ functions show "[native code]" when .toString()'ed.
Exactly. I mean which ap

[nodejs] Re: Secure distribution of NodeJS applications

2012-02-27 Thread Brandon Benvie
V8 primarily stores javascript as javascript code and it's been stated in multiple places that javascript source code as source code is actually one of the most efficient ways to store js source. This article

[nodejs] Re: Secure distribution of NodeJS applications

2012-02-27 Thread Brandon Benvie
To further expatiate, the reason behind using JavaScript source itself as the storage is made clear on what little documentation exists for V8. http://code.google.com/apis/v8/design.html Essentially the code is compiled to machine code as it's run, upon demand, based on system conditions and

[nodejs] Re: Secure distribution of NodeJS applications

2012-02-27 Thread Jeremy Rudd
On Feb 26, 7:18 pm, manimal45 wrote:
> It would be awesome if 'customers' could download node.js apps as executable.
I've opened a new issue for this. Add your comments there! https://github.com/joyent/node/issues/2835

[nodejs] Re: Secure distribution of NodeJS applications

2012-02-27 Thread Jeremy Rudd
> There is no such thing as a javascript binary. The code included with node is stored in string format in the node executable.
No worries, what if the code was compiled via V8, and then stored as a data file? Whatever format it is in, if you could just load the same datafile you wouldn't need t

[nodejs] Re: Secure distribution of NodeJS applications

2012-03-01 Thread Lalo Martins
Well, if you can't be bothered listening to my arguments, here's the quick answer: don't use Node. best, Lalo Martins -- Now go and make your dreams inevitable. http://lalomartins.info/ GNU: never give up freedom

[nodejs] Re: Secure distribution of NodeJS applications

2012-03-02 Thread Jeff Barczewski
One simple approach is to simply try to slow down the competition from stealing your code. Minimizing your code with something like uglify, should make it harder for someone to take code and continue to work with it (to make enhancements and changes), at least it would slow them down. > > Then y

[nodejs] Re: Secure distribution of NodeJS applications

2012-03-05 Thread Ken
I realize this thread has largely devolved into a philosophical discussion about whether one *should* do this, but I think the technical question of how one *could* do this is still a valid one. I've thought about this a while and so far the only practical and secure answer I've come up with is

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-09-18 Thread Mark Hahn
> Distributing source code means clients can easily steal our solution and stop paying licensing fees.
This has been a problem since the beginning of the software industry. The only proven solution is to give enough support to make it worth their paying for. Obfuscating and DRM never fully work

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-02-25 Thread Baz
Correct.
> Ok, I tried my best to keep my peace, but I can't resist posting this.
>
> This is a terrible, terrible misguided idea. And please don't co-opt the word “secure” for it. This has nothing to do with security for either party; on the contrary, it's more about dealing with your insecu

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-02-27 Thread Tim De Lange
On Mon, Feb 27, 2012 at 11:00 AM, Jeremy Rudd wrote:
> On Feb 26, 8:09 pm, mscdex wrote:
> > It'd be neat to be able to have specific modules' (bundled in the node executable) exported functions not show their source code when .toString()'ed, kind of like how native C++ functions show

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-02-27 Thread Oliver Leics
Hallo Jeremy, as a dev you are in the right position to tell the management the truth: Every effort spent in "securing" an application from theft is an effort better spent on other areas while developing the software. They really have to decide if it pays out to "secure" the software more and more.

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-02-27 Thread Oliver Leics
A software company has to offer more than just a binary.

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-02-27 Thread Dean Landolt
On Mon, Feb 27, 2012 at 6:57 AM, Jeremy Rudd wrote:
> > There is no such thing as a javascript binary. The code included with node is stored in string format in the node executable.
>
> No worries, what if the code was compiled via V8, and then stored as a data file?
> Whatever format it i

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-02-27 Thread Tim De Lange
On Mon, Feb 27, 2012 at 4:02 PM, Dean Landolt wrote: > > > Whatever format it is in, if you could just load the same datafile you >> wouldn't need >> the source code again. > > Wrong. > In my opinion, this is not a Node problem to solve. Obfuscation/source >> code >> > hiding is an opportunity

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-03-02 Thread Tim Caswell
I don't have experience with hiding source code (I tend to put everything I write on github out of habit), but I do know about keeping parts of code secure and out of the hands of anyone who might write a script using my library. A quick example is a task I was working on at HP to ass http proxy s

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-03-02 Thread Tim Caswell
*add HTTP proxy support (I should check more before sending)
On Fri, Mar 2, 2012 at 8:29 AM, Tim Caswell wrote:
> I don't have experience with hiding source code (I tend to put everything I write on github out of habit), but I do know about keeping parts of code secure and out of the hands o

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-03-03 Thread Baz
> And if your company is small and your clients are big, the balance of power might be against you.
In my experience, large enterprises pirate the least. They have too much to lose not to pay a little license fee, they pre-plan their expenditures far in advance, and the money comes out of a c

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-03-03 Thread Michael J. Ryan
I don't know why he doesn't just create a few core components in a c library/module and use guilty or closure to obfuscate the rest... Or, look into an ASP (Application Service Provider) model. As to binary deployments... .net and java are both mentioned as more professional, and neither are stand a

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-03-04 Thread Alan Gutierrez
On 2/26/12 9:18 AM, manimal45 wrote:
> I think original poster knows about business/contracts protection. His question seems to me technical, and would be far from ideal to consider the case closed.
The original poster probably does not know about copyright and contracts, otherwise they would n

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-03-05 Thread Dean Landolt
On Mon, Mar 5, 2012 at 12:42 AM, Ken wrote:
> I realize this thread has largely devolved into a philosophical discussion about whether one *should* do this, but I think the technical question of how one *could* do this is still a valid one. I've thought about this a while and so far the on

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-03-05 Thread Oliver Leics
On Mon, Mar 5, 2012 at 6:42 AM, Ken wrote:
> I realize this thread has largely devolved into a philosophical discussion about whether one *should* do this, but I think the technical question of how one *could* do this is still a valid one.
It is _not_ a philosophical conclusion that in most c

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-03-05 Thread billywhizz
oliver is correct. have had this argument many times. all you can ever do is make the source code difficult to get at and it's a question of how much effort you want to expend to do that. with something like v8, it's going to be difficult to even make it difficult as all someone will have to do

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-03-06 Thread Ken
The *private* key would be kept by you. You do have to "give" them the *public* key in some sense, but it would be embedded within the custom built node executable, probably somewhere within the call chain for require. The encrypted javascript files could be required by this version of node

Re: [nodejs] Re: Secure distribution of NodeJS applications

2012-03-06 Thread Dean Landolt
On Tue, Mar 6, 2012 at 4:32 AM, Ken wrote: > > > The *private* key would be kept by you. You do have to "give" them the * > public* key in some sense, but it would be embedded within the custom > built node executable, probably somewhere within the call chain for > require. The custom built no