tags:

views:

240

answers:

5
+5  Q: 

How to restrict code from developers

Possible Duplicate:
Protection of code from its own developers

My company is planning in hiring outsourcers to work for us, but concerned to give whole existing code to outside world.

What is the proper way to deal with security of sharing code in such cases?

Is it possible to restrict part of code for developers? So each of them could work on their project without having access to whole repository.

P.S. The code we have is very integrated, and its hard to extract "one module", each module can use files from different locations.

Thanks in advance

+3  A: 

I would suggest using Subversion (or a similar source control mechanism) and implementing strict access controls. This is what I've done in the past in similar situations. Not only can you prevent developers from changing (or even reading) parts of the source tree they're not authorized for but you can easily merge your changes in with the work they are doing.

EDIT: Sorry, I just saw the [cvs] tag. Try this article for CVS instead, or this CVS ACL software.

EDIT2: To address the comment by @baloo, what I do is, when code is checked in to the development server, a working copy on the development server is updated. That way, all testing is done via the webserver running on the development machine, allowing me to grant fine-grained access to developers -- they don't need all they code because they run and test their changes off my server.

Josh  2010-05-21 20:24:29
But if everything is "very integrated", how would they work with the allowed part of code that wont work if they don't have all the source
baloo  2010-05-21 20:36:58
Thanks Josh, I think this is the only way to go in my case.
Kelvin  2010-05-21 20:41:17
@baloo: See my edited answer. I allow developers to test the code running off m y server. So I don't have to give them all the code, and when they check in their changes, the testing site (which I host) gets updated.
Josh  2010-05-21 20:44:12
You could also have a post-commit hook compile dlls to a separate repo...
BlueRaja - Danny Pflughoeft  2010-05-21 21:13:16
@BlueRaja: An excellent alternative. I do 99.9% of my coding in PHP, so it doesn't apply to me, but the concept is the same.
Josh  2010-05-21 21:20:00
+6  A: 

Simple - don't give them any code you do not want them to have access to. Instead, either provide data in a database that they can work against, or give them a web service they can call, a compiled DLL, etc...

If this is not possible, perhaps you should rethink whether it makes sense to outsource in the first place?

Justin Ethier  2010-05-21 20:25:14
Thanks Justin, but as I said, its very time consuming to define which files are needed each time. Every project may require something else, so its hard to manage updates.
Kelvin  2010-05-21 20:37:36
+2  A: 

The code we have is very integrated, and its hard to extract "one module", each module can use files from different locations.

This is the rub. If they need all the code to run some of the code then nothing will stop them from accessing all the code. They can just simply read any file they want to get their hands on. You can look into opcode caching alternatives that you can control on your box.

Either way, if your code is that valuable, then you will have to guard it by hiring trustworthy reputable developers. Otherwise, do not outsource.

webbiedave  2010-05-21 20:31:57
Thanks webbiedave, "reputable developers" is a good keyword, though trusting is the last option :)
Kelvin  2010-05-21 20:54:24
A: 

Block internet access and usb drives on development machines, this way they cant copy the code. If they need to do research provide a shared computer that is not in the network with internet access.

alejandrobog  2010-05-21 21:16:02
A: 

If it's very old and spaghetti-y code, I would ask myself whether it's worth putting much effort in protecting it at all. No disrespect to your code: I have produced "integrated" code in my time. :) But be sure there really is something worth stealing to a dishonest outsourcer, and determine what the worst thing is that could happen. Take into consideration the time the thief would have to invest to make it a workable product, and to extend it. Think three, five, ten years ahead. What about the next generation in technology x? How easily will the thief be able to upgrade the product? What will he need to invest without knowing the product as well as you do?

The effort put in protecting the code, and the ensuing limitations in working freedom and productivity and thus increased cost, could easily surpass the possible damage from a theft.

Ultimately, not knowing what kind of a product it is, only you can judge that, of course.

And it goes without saying that ultimately, you should be able to trust the people you hire.

Pekka  2010-05-21 21:26:56

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases