You have some points and I agree about the patents.
Yes, I can't reverse-engineer your code, but is it something really that unique and original?
You say if it was open it would "reduce innovation", but if it was, I think we would just see that everyone does the same things... in a slightly different syntax.
What you think was something "smart" only your company does, is something "smart" everyone does. Because after all, there are only so many ways to call a function, create an if... make a CRUD.
If we stopped wasting time with those "smart" things, maybe someone might start doing something that others would soon use and improve upon.
We can't think code is a special sauce because it's just a tool. Code is just the plate.
Isn't CRUD just open-source everywhere? I mean, mine is based on an MIT-licensed module.
I make a system that stores secret client data that is highly valuable to them, and highly dangerous to lose control of. The system is unique in the fact that the combination of security and database access I use is one of millions of possible combinations of such things, one that would be very hard for someone to hack unless they just knew exactly how things were implemented. If someone had the code it would be easier to identify an exploit that could compromise things. They don't, hence it's massively more secure.
You seem to take the attitude that people close source stuff because they arrogantly think that "it's special". I don't believe that. As I say, I do it so my servers are secure. That said, I certainly don't build CRUD apps or applications where CRUD is the core purpose. I have lots of other algorithms and processes, I'd happily tell anyone how they work, build libraries of the generally useful ones and MIT license them, in fact, I've done just that with every "cool thing I don't see working elsewhere". Still never going to open source my application's actual code base.
EDIT:
Other people spend years and millions researching things - new ways of compressing data, new AI techniques, and whatever. They can only do this because someone invests and pays them in advance of a discovery. If that discovery cannot be monetised then the investment will dry up and we'll be reduced to finding things by happy accident when we are doing something else.
I understand there are several security implications and that what I wrote is a naive view.
Someone more focused on security could give a better input but from my understanding, I saw over and over again that "security by obscurity" is never enough.
I heard about novel ways of compressing data or storing them, but they usually are about a custom solution for the in house use case. Are they actually unique? Who knows how many companies might have the same or similar solution to the same problem.
Even then, they can monetize. There are multiple open source projects that monetize their projects.
The point is that with "one less wheel" to be reinvented, everyone could have that better compression algorithm and build upon that technology to go even beyond.
My point would be this: your app is not more “secure” because it’s private. It still has all the same vulnerabilities as it would if it were public. Although obviously it’s easier to find a vulnerability if you have the entire code. I think security is often an afterthought to a lot of private backends because it “feels” safer. There are also plenty of ways to leak code and figure out what technology someone is using. Also exploits happen but usually backends are hacked by going through the front door, AKA someone’s username and password. The problem with open source projects often isn’t people finding exploits, but exploits being introduced by others on accident or on purpose. Obviously this can be mitigated but it’s always a risk. Specifically I keep most of my code private not because I think it’s special but because I don’t think it’s “special” enough, meaning it won’t add anything that’s not already out there. Open source works well for things that don’t have to worry about security and credentials but it becomes a real pain in the ass. It takes a lot more effort to manage an open source project effectively.
A key exists for my front door. If I leave the key in the front door it is effectively open. If I leave the key in a locked box, it's more secure no? Sure you can break open that box and extract the key. So if I hide the box, then it's more secure right? Now you have to search for it. It is more secure, but not 100% secure, many people will be deterred. Pen Testing frequently identifies information leakage, so I will have reduce that - reduced but not eliminated.
In short, I'm still taking my key out of the front door, and I'm sure my insurers think my house is secure enough.
The problem with open source projects often isn’t people finding exploits, but exploits being introduced by others on accident or on purpose.
I would be more worried about those being added in closed source projects.
Take the xz incident, having the code people were able to reverse engineer what was going on.
But on the CrowdStrike incident, while people engineered why it crashed the machines, this could have been someone adding a exploit in a jiatan way to exploit it later.
Many places you commit what you need, check what you need, but if someone had added some xz jiatan level thing... who would know? how long it would go unoticed?
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
You have some points and I agree about the patents.
Yes, I can't reverse-engineer your code, but is it something really that unique and original?
You say if it was open it would "reduce innovation", but if it was, I think we would just see that everyone does the same things... in a slightly different syntax.
What you think was something "smart" only your company does, is something "smart" everyone does. Because after all, there are only so many ways to call a function, create an
if... make a CRUD.If we stopped wasting time with those "smart" things, maybe someone might start doing something that others would soon use and improve upon.
We can't think code is a special sauce because it's just a tool.
Code is just the plate.
Isn't CRUD just open-source everywhere? I mean, mine is based on an MIT-licensed module.
I make a system that stores secret client data that is highly valuable to them, and highly dangerous to lose control of. The system is unique in the fact that the combination of security and database access I use is one of millions of possible combinations of such things, one that would be very hard for someone to hack unless they just knew exactly how things were implemented. If someone had the code it would be easier to identify an exploit that could compromise things. They don't, hence it's massively more secure.
You seem to take the attitude that people close source stuff because they arrogantly think that "it's special". I don't believe that. As I say, I do it so my servers are secure. That said, I certainly don't build CRUD apps or applications where CRUD is the core purpose. I have lots of other algorithms and processes, I'd happily tell anyone how they work, build libraries of the generally useful ones and MIT license them, in fact, I've done just that with every "cool thing I don't see working elsewhere". Still never going to open source my application's actual code base.
EDIT:
Other people spend years and millions researching things - new ways of compressing data, new AI techniques, and whatever. They can only do this because someone invests and pays them in advance of a discovery. If that discovery cannot be monetised then the investment will dry up and we'll be reduced to finding things by happy accident when we are doing something else.
I understand there are several security implications and that what I wrote is a naive view.
Someone more focused on security could give a better input but from my understanding, I saw over and over again that "security by obscurity" is never enough.
I heard about novel ways of compressing data or storing them, but they usually are about a custom solution for the in house use case. Are they actually unique? Who knows how many companies might have the same or similar solution to the same problem.
Even then, they can monetize. There are multiple open source projects that monetize their projects.
The point is that with "one less wheel" to be reinvented, everyone could have that better compression algorithm and build upon that technology to go even beyond.
My point would be this: your app is not more “secure” because it’s private. It still has all the same vulnerabilities as it would if it were public. Although obviously it’s easier to find a vulnerability if you have the entire code. I think security is often an afterthought to a lot of private backends because it “feels” safer. There are also plenty of ways to leak code and figure out what technology someone is using. Also exploits happen but usually backends are hacked by going through the front door, AKA someone’s username and password. The problem with open source projects often isn’t people finding exploits, but exploits being introduced by others on accident or on purpose. Obviously this can be mitigated but it’s always a risk. Specifically I keep most of my code private not because I think it’s special but because I don’t think it’s “special” enough, meaning it won’t add anything that’s not already out there. Open source works well for things that don’t have to worry about security and credentials but it becomes a real pain in the ass. It takes a lot more effort to manage an open source project effectively.
A key exists for my front door. If I leave the key in the front door it is effectively open. If I leave the key in a locked box, it's more secure no? Sure you can break open that box and extract the key. So if I hide the box, then it's more secure right? Now you have to search for it. It is more secure, but not 100% secure, many people will be deterred. Pen Testing frequently identifies information leakage, so I will have reduce that - reduced but not eliminated.
In short, I'm still taking my key out of the front door, and I'm sure my insurers think my house is secure enough.
I would be more worried about those being added in closed source projects.
Take the xz incident, having the code people were able to reverse engineer what was going on.
But on the CrowdStrike incident, while people engineered why it crashed the machines, this could have been someone adding a exploit in a jiatan way to exploit it later.
Many places you commit what you need, check what you need, but if someone had added some xz jiatan level thing... who would know? how long it would go unoticed?