views: 240
answers: 5

Possible Duplicate:
Protection of code from its own developers

My company is planning on hiring outsourcers to work for us, but is concerned about giving the whole existing code base to the outside world.

What is the proper way to deal with security of sharing code in such cases?

Is it possible to restrict part of the code for developers? So each of them could work on their project without having access to the whole repository.

P.S. The code we have is very integrated, and it's hard to extract "one module"; each module can use files from different locations.

Thanks in advance

+3  A: 

I would suggest using Subversion (or a similar source control mechanism) and implementing strict access controls. This is what I've done in the past in similar situations. Not only can you prevent developers from changing (or even reading) parts of the source tree they're not authorized for but you can easily merge your changes in with the work they are doing.

EDIT: Sorry, I just saw the [cvs] tag. Try this article for CVS instead, or this CVS ACL software.

EDIT2: To address the comment by @baloo, what I do is, when code is checked in to the development server, a working copy on the development server is updated. That way, all testing is done via the webserver running on the development machine, allowing me to grant fine-grained access to developers -- they don't need all the code because they run and test their changes off my server.

Josh
But if everything is "very integrated", how would they work with the allowed part of the code, which won't work if they don't have all the source?
baloo
Thanks Josh, I think this is the only way to go in my case.
Kelvin
@baloo: See my edited answer. I allow developers to test the code running off my server. So I don't have to give them all the code, and when they check in their changes, the testing site (which I host) gets updated.
Josh
You could also have a post-commit hook compile dlls to a separate repo...
BlueRaja - Danny Pflughoeft
@BlueRaja: An excellent alternative. I do 99.9% of my coding in PHP, so it doesn't apply to me, but the concept is the same.
Josh
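As an added illustration of the path-based access control Josh describes (this is not his configuration), here is a Subversion authz file that hides the whole tree from a contractor group and then opens only one subtree to them. The repository layout, the group names and the user names are assumptions.

```ini
# Subversion path-based authorization file (referenced as authz-db from
# conf/svnserve.conf, or via AuthzSVNAccessFile under Apache mod_dav_svn).
# Assumed layout: outsourcers work only under /trunk/billing; everything
# else in the tree must stay invisible to them. Names are hypothetical.

[groups]
core = alice, bob
vendor = contractor1, contractor2

# Root of the repository: employees get full access. The "* =" rule leaves
# every other user with no access at all, and rules are inherited by all
# subdirectories unless a more specific path overrides them.
[/]
@core = rw
* =

# The one subtree the contractors may check out and commit to.
[/trunk/billing]
@vendor = rw

# Shared headers they need to build against, readable but not writable.
[/trunk/include]
@vendor = r

# A sensitive directory inside the allowed subtree, taken away again:
# the most specific matching path wins, so this overrides the rw above.
[/trunk/billing/keys]
@vendor =
```

Enable it with `authz-db = authz` in the repository's `conf/svnserve.conf` (or `AuthzSVNAccessFile` under Apache), and remember that a contractor then has to check out `/trunk/billing` directly, since a checkout of `/trunk` itself is refused because they have no read access to that directory.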
+6  A: 

Simple - don't give them any code you do not want them to have access to. Instead, either provide data in a database that they can work against, or give them a web service they can call, a compiled DLL, etc...

If this is not possible, perhaps you should rethink whether it makes sense to outsource in the first place?

Justin Ethier
Thanks Justin, but as I said, it's very time-consuming to define which files are needed each time. Every project may require something else, so it's hard to manage updates.
Kelvin
+2  A: 

The code we have is very integrated, and it's hard to extract "one module"; each module can use files from different locations.

This is the rub. If they need all the code to run some of the code then nothing will stop them from accessing all the code. They can just simply read any file they want to get their hands on. You can look into opcode caching alternatives that you can control on your box.

Either way, if your code is that valuable, then you will have to guard it by hiring trustworthy reputable developers. Otherwise, do not outsource.

webbiedave
Thanks webbiedave, "reputable developers" is a good keyword, though trusting is the last option :)
Kelvin
A: 

Block internet access and USB drives on the development machines; that way they can't copy the code. If they need to do research, provide a shared computer with internet access that is not on the network.

alejandrobog
A: 

If it's very old and spaghetti-y code, I would ask myself whether it's worth putting much effort in protecting it at all. No disrespect to your code: I have produced "integrated" code in my time. :) But be sure there really is something worth stealing to a dishonest outsourcer, and determine what the worst thing is that could happen. Take into consideration the time the thief would have to invest to make it a workable product, and to extend it. Think three, five, ten years ahead. What about the next generation in technology x? How easily will the thief be able to upgrade the product? What will he need to invest without knowing the product as well as you do?

The effort put in protecting the code, and the ensuing limitations in working freedom and productivity and thus increased cost, could easily surpass the possible damage from a theft.

Ultimately, not knowing what kind of a product it is, only you can judge that, of course.

And it goes without saying that ultimately, you should be able to trust the people you hire.

Pekka