0

I am thinking about selling Magento modules on my website and need your advise what would be the best way to do it.

Here is what I thought:

  1. Install Magento store on my website
  2. When client purchase the module from my store - he is required to enter his domain name
  3. If order is successfully processed and payment is received - Magento or standalone script encode purchased module using ionCube or Zend Guard "On-The-Fly" and generates license to work on provided domain name only.

Is there a script that can do all of this? Or should I write my own code? What do you think about encoding scripts in order to protect your work?

Any thoughts and suggestions are welcome.

Thanks

Kelvin
  • 8,813
  • 11
  • 38
  • 36

1 Answers1

2

This is really a matter of opinion and debat-able, however below is my feeling towards such:

Disadvantages of encrypting your code:

  • Obviously: It is (almost) impossible to modify or extend for custom needs, without having to contact the original developer which adds more cost to your end user as well as causing more time for “custom” development.
  • 3rd party server software like Zend Optimizer is needed in order to execute the encrypted code. Which can be a headache by itself.
  • Confusion during transfer for binary and text data, ultimately corrupting your binary encrypted data.
  • It is impossible to have others contribute to your code to improve it, and/or help with bug finding and fixes.
  • As a store owner or maintainer I’m less confident you are not utilizing any of my data collected from my stores.
  • Maintenance becomes chaotic. Having to re-encrypt every release, can be quite pain staking. This is especially true if you have a bug fix that needs to be offered to all of your customers using it – however, the ones with “Custom” versions will require re-encryption for all. Unless your using some kind of release management that handles this automatically for you. Most don’t I’m sure.

Full article: http://www.molotovbliss.com/magento-module-developers-stop-encrypting-and-domain-jailing

With that said, I've changed my mind on phone home calls. Since I've posted this article.

I'm okay with modules making phone calls home to a developers site to check for licensing, if you have a simple observer that did such and was done properly (By properly I mean don't break my site because your phone home server is down, and don't make my end users wait for the validation), I wouldn't see any problem with obfuscating this portion of code as long as it didn't interfere with the modules overall functionality, i.e., it is strictly there for checking a license, no module functionality encrypted. I believe Boris (unigry) does such and works well, even though I've had to jump through many hoops at times to get ionCube loader working on different environments, so this still something to consider not doing, and just having hope in peoples integrity and honesty to not pirate.

With that said, domain wide acceptance should be standard, I shouldn't need to send in support requests to get my subdomain added to your white list of domains. Personally if you can obfuscate and encode without the need of an apache/php module is a huge plus. General end users won't know where to remove such code at times.

To answer your question, a home brew script and process would be ideal, as using a cookie cutter solution would be easier to reverse engineer.

B00MER
  • 5,471
  • 1
  • 24
  • 41