Choosing licensing statement for an open standard/specification [closed] - licensing

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
I've started to write a file format specification for a domain-specific data type. My goal is to improve interoperability between a large number of data providers and search algorithms. I want the result to be available for use, patent-free and without distribution fees.
I'm looking for advice on which license to use, both for the specification and for the contributor agreement, if I need one.
If this were software then I know enough about the GPL, MIT, etc. licenses to make an informed decision. If this were a straight document then I would pick one of the Creative Commons licenses, likely CC by attribution.
Looking around, I don't find any common license statement or much in the way of advice. I'm leaning towards the one used in RFCs (for example, the HTTP/1.1 copyright statement) but that says "this document itself may not be modified in any way" (with exceptions), which is something I'm not used to from developing code under the MIT and GPL licenses. But that restriction seems pretty common in specifications.
Unlike most documents but like code, specifications can be affected by patents. Is it best practice these days to also state that the specification is patent-free and require any contributors to reveal any patent conflicts they may know of and/or freely license those patents for the purposes of implementing the spec?
Should I require some sort of contributor agreement?
Or should I just wing it, choose the RFC copyright statement (or CC-By-Attribution), and not worry about this?

"this document itself may not be modified in any way" (with exceptions) [...] But that restriction seems pretty common in specifications.
Actually, it is pretty much a requirement. If anybody could change it at will, it wouldn't be much of a specification: that would defeat the whole purpose to "improve interoperability between a large number of data providers and search algorithms".
Dalke: Is it? I'm so used to implementation-defined and ad hoc format definitions and people who break the spec left and right that I didn't think it would add anything, and protection would hinder future extension if I decide not to continue maintaining the code. I thought conformance was better handled by trademark law, like how DRM-based CDs which violate Philips' Red Book can't use the "CD" logo.
[...] which is something I'm not used to from developing code under the MIT and GPL licenses
Actually, you are used to it, you just don't realize it: the whole reason why you were able to just write the three letters "GPL" above and blindly assume that everybody knows precisely what you mean, is because the GPL itself contains exactly that same restriction. ("Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.") The GPL itself is not distributed under a Free License, precisely because if anybody were allowed to modify it, it would lose its meaning.
Dalke: You're right, although the GFDL's "invariant section" sprang immediately to mind when I was considering the possibilities. I will point out that people do things in the license grant which modify the terms of the GPL to, among other things, make it non-free, and I've personally modified the three-clause BSD license to scratch out Berkeley and put in my name, but those are quibbles.
Is it best practice these days to also state that the specification is patent-free and require any contributors to reveal any patent conflicts they may know of and/or freely license those patents for the purposes of implementing the spec?
Yes. It is clear from your question that you care a great deal about making the barrier for implementors as low as possible. Then, what good is a free, open, royalty-free specification if I have to pay for a patent license anyway? This has to be addressed, preferably by an IP/patent lawyer with extensive expertise in such questions (including, but not limited to, the specific challenges that open source projects face with regards to patent licensing).
There are some quite subtle pitfalls in there. For example, one common theme is to require that patent licenses be made available under what is usually called FRAND (or RAND) terms, which stands for fair, reasonable and non-discriminatory. Which sounds good, right? Except there's a subtle problem there: charging 1 cent for every copy is certainly reasonable and if you charge everybody the same amount, it's also fair and non-discriminatory. Except that open source projects (and even freely distributable proprietary ones) cannot enforce those terms, therefore they cannot implement the specification.
Dalke: Very true. But for licenses that's a well described topic. There are reams of text on the matter, and suggestions, and podcasts, and even automated license choosers. For specifications, not so much. I did know about the RAND issue, and I've heard stories about other spec where a contributor at the end said "Oh! Look at that! We've got a patent on it. Well lucky us!" A question is how much I should worry about it.
So, proper patent promises or covenants or whatever you call them, are very important. (As are trademarks, by the way.)
For example, the W3C originally wanted to adopt a RAND license for its specifications, but after significant protests from projects such as Mozilla and Apache, they decided upon a royalty-free model. So, even an organization which cares deeply about freedom and openness almost made a mistake with the potential of killing every single open source web browser, feedreader and XML parser.
Or should I just wing it, choose the RFC copyright statement (or CC-By-Attribution), and not worry about this?
"Winging" important legal decisions is how people end up bankrupt or even in jail. Or at least extremely unhappy. While the first two are pretty unlikely in this case, I assume that you will be unhappy if you find out in two years that your specification is completely useless because of a glitch in its patent/copyright/IP legalese.
Dalke: I knew that word would be a draw. ;)
There are legal firms that specialize in pro bono work for non-profit developers of open source projects; maybe one of those will help you. The most well-known ones are probably the Software Freedom Law Center (SFLC) in the US and the Institut für Rechtsfragen der Freien und Open Source Software (ifrOSS) in Germany.
And whaddaya know, the fourth news item on the ifrOSS homepage is about the Open Web Foundation Agreement, which is a license template by the Open Web Foundation specifically for open, non-proprietary community-driven specifications for web technologies.
Dalke: Thanks. I'm in Sweden, so I wonder how well those resources will apply to me. Looking at the OWF I see it's US-based but it tries hard to be international, and I see one thing I don't like: the requirement for attribution. It does look like they are the people to talk to. Thanks for the pointer!


How to prototype a mobile application? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
I have some ideas and I would like to create a prototype for a mobile application before deciding on which one I should proceed and which to reject.
Is there any recommended procedure that I should follow in order to convert my idea into a basic prototype mobile application?
Should it reach only a mockup state or would it better to have something basic working?
Thank you in advance!
Step 1: Document It
Simply having an "idea" is worthless--you need to have proof of when you came up with the invention ideas. Write down everything you can think of that relates to your invention, from what it is and how it works to how you'll make and market it. This is the first step to patenting your idea and keeping it from being stolen. You've probably heard about the "poor man's patent"--writing your idea down and mailing it to yourself in a sealed envelope so you have dated proof of your invention's conception. This is unreliable and unlikely to hold up in court. Write your idea down in an inventor's journal and have it signed by a witness. This journal will become your bible throughout the patent process. An inventor's journal can be any bound notebook whose pages are numbered consecutively and can't be removed or reinserted. You can find specially designed inventor's journals at bookstores (try Nolo Press or the Book Factory to start), or you can save money and purchase a generic notebook anywhere they're sold, such as the grocery store, office supply store, stationery store, etc. Just make sure it meets the requirements above.
Step 2: Research It
You will need to research your idea from a legal and business standpoint. Before you file a patent, you should:
Complete an initial patent search. Just because you haven't seen your invention doesn't mean it doesn't already exist. Before you hire a patent attorney or agent, complete a rudimentary search for free at www.uspto.gov to make sure no one else has patented your idea. You should also complete a non-patent "prior art" search. If you find any sort of artwork or design related to your idea, you cannot patent it--regardless of whether a prior patent has been filed.
Research your market. Sure, your brother thinks your idea for a new lawn sprinkler is a great idea, but that doesn't mean your neighbor would buy one. More than 95 percent of all patents never make money for the inventor. Before you invest too much time and money into patenting your invention, do some preliminary research of your target market. Is this something people will actually buy? Once you know there's a market, make sure your product can be manufactured and distributed at a low enough cost so that your retail price is reasonable. You can determine these costs by comparing those of similar products currently on the market. This will also help you size up your competition--which you will have, no matter how unique you think your invention is.
Step 3: Make a Prototype
A prototype is a model of your invention that puts into practice all of the things you have written in your inventor's journal. This will demonstrate the design of your invention when you present it to potential lenders and licensees. Do not file a patent before you have made a prototype. You will almost always discover a flaw in your original design or think of a new feature you would like to add. If you patent your idea before you work out these kinks, it will be too late to include them in the patent and you will risk losing the patent rights of the new design to someone else.
Here are some general rules of thumb when prototyping your invention:
Begin with a drawing. Before you begin the prototyping phase, sketch out all of your ideas into your inventor's journal.
Create a concept mockup out of any material that will allow you to create a 3-D model of your design.
Once you're satisfied with the mockup, create a full-working model of your idea. There are many books and kits that can help you create prototypes. If your invention is something that will cost a lot of money or is unreasonable to prototype (like an oil refinery process or a new pharmaceutical drug), consider using a computer-animated virtual prototype.
Step 4: File a Patent
Now that you have all of the kinks worked out of your design, it's finally time to file a patent. There are two main patents you will have to choose from: a utility patent (for new processes or machines) or a design patent (for manufacturing new, nonobvious ornamental designs). You can write the patent and fill out the application yourself, but do not file it yourself until you have had a skilled patent professional look it over first. If the invention is really valuable, someone will infringe on it. If you do not have a strong patent written by a patent attorney or agent, you will be pulling your hair out later when a competitor finds a loophole that allows them to copy your idea. It's best to get the legal help now to avoid any legal problems in the future.
When searching for a patent attorney or agent, remember one thing: If you see them advertised on TV, run away! Once you are far, far away, follow these steps to choosing the best patent professional:
Do your homework. Have your inventor's journal, prototype and notes with you. This will save them time, and you money. This will also help persuade them to work with you.
Make sure they are registered with the U.S. Patent and Trademark Office.
Ask them what their technical background is. If your invention is electronic, find a patent professional who is also an electrical engineer.
Discuss fees. Keep your focus on smaller patent firms. They are less expensive and will work more closely with you. Agree to the estimated total cost before hiring your patent professional.
Step 5: Market Your Invention
Now it's time to figure out how you're going to bring your product to market. Create a business plan: How will you get money? Where will you manufacture the product? How will you sell it? Now is a good time to decide if you will manufacture and sell the product yourself, or license it for sale through another company. When you license your product you will probably only receive two percent to five percent in royalty fees. This often scares away inventors who feel they deserve more. But consider the upside: You will not have the financial burden associated with maintaining a business. This could end up making you more money in the long run.
Following these five steps will ensure an easy road to patenting your invention. Just remember that an easy road doesn't necessarily mean a short one. From the time you conceive your idea to the time you see your product on the shelf is a very long process. Most inventions take years to come to fruition. Have patience and follow due diligence in your steps to patenting your invention and your years of hard work will finally pay off.
Furthermore, there are plenty of other wireframing and diagramming apps available, which may also be of interest. Please note, though, not all the tools listed below offer mobile-specific functionality; several are rather basic. However, each is worth exploring to see if it fits your requirements:
Framer - Modern prototyping tool
Indigo Studio - Rapid, interactive prototyping
Mockingbird - Wireframes on the fly
Simulify - Interactive, shareable wireframes, mockups and prototypes
Solidify - Create clickable prototypes
Lovely Charts - Diagramming app with desktop and mobile versions
ForeUI - Easy to use UI prototyping tool
Creately - Realtime diagram collaboration
JumpChart - Architecture, layout and content planning
Lumzy - Mockup creation and prototyping tool
Concept.ly - Convert wireframes and designs into interactive apps
Frame Box - Easy, simple wireframing
Realizer - Interactive presentation prototypes
Cacoo - Diagrams with realtime collaboration
Mockup Builder - Super-easy prototyping and mockups
Appery.io - Develop cross platform mobile apps fast
Mockup Designer - Basic wireframing tool hosted on GitHub
ClickDummy - Turn mockups into clickable prototypes
Mockups.me - Create and present interactive UI wireframes
Mockabilly - iPhone mockups with genuine iphone behavior
RWD Wireframes - Wireframing tool for responsive layouts
Blocks - Create annotated HTML prototypes
UX Toolbox - Create, document and share wireframes and prototypes
From all these wireframing tools I will recommend Balsamiq Mockups. All the best for your idea!

Use of libraries that breach licenses you don't know about [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 7 years ago.
Building a commercial product may use various open source libraries that have use of other libraries. In an ideal world you would know which licenses they use and whether it is safe to use them.
However, if you use an open source product (or commercial can apply here also) that is in breach of licensing and you don't know about it how does this affect what you do?
So for example I use Product A that uses a licence that means Product A and anything that uses it has to be open source. However Product A has breached the rules but hidden the fact.
Now this means my product is also supposed to be open source but I have no idea it should be. Can I be in breach of the license even though I don't know I am?
As it happens I am customizing a EULA for a commercial software component (using a template from a Legal firm) and I found this clause in it
(b) that the use of the Software by the Licensee in accordance with the terms of this EULA will not infringe the Intellectual Property Rights of any third party;
What I would do is scour the license of the component you are using as you may find this clause. If so (I'm not a lawyer and this does not constitute legal advice), you may be able to reasonably assume that so long as you are complying with the license of the component you do own, you will not infringe the license of any component you do not own.
I'm not a lawyer (tm), but I'd say that you are responsible, of course. If you use a product A that uses another product B, you must know about the fact that B is used and also you must know about the licensing terms of B, as - effectively - you're using B yourself.
But that's just what I'd expect...
Licensing is like a chain. If for example one component makes use of some other work in an unlicensed way, the whole chain is broken, the other work can not be rightfully licensed to others.
For copyright it does normally not depend whether you know what you're doing or not. Sounds harsh, just saying upfront as you asked for commercial distribution.
If you create a work, you should do what that requires:
Locate all third party code you make use of.
Locate all binary blobs.
Catalog the components.
Find out who holds the copyright and under which license each component is available, retrieve the licenses and store them with the software (if the software does not ship with the actual license text, document from where and why you've stored the texts).
If it's not clear under which license a component is available, contact the copyright owner/author. You should prefer written communication.
Verify that you fulfil the requirements of each license.
Verify that all components are license-wise compatible with each other.
I think doing this pro-actively is important because otherwise you can't argue that you did not know if you can't document what you did know. It would just mean that you didn't want to know, which can hardly offer any sort of protection. To which level you need to find out about an identifiable component I would say depends (saying: how far you need to take this).
Ask your lawyer and do some risk analysis: You might not be legally obligated to check that subcomponent A which makes use of A-B and A-C has properly checked for the rights of these two components. But in case it turns out that A-B was violated and A is not rightfully licensed to you regardless of what the licensor of A told you, you can still lose any usage rights for A-B, which could mean that you must drop A. So for critical components you might want to do more than the law requires you to do.
In a commercial context "assuming" might be counter-productive. Ask your lawyer about that.
The work to clarify copyrights and licenses, its progress as well as the underlying processes should be documented. You should also look for legal help with such processes as if you run into conflicts (and software licensing can be complicated) you need to legally discuss what you have as well. Depending on which components you use, expect this to be quite some work.
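The cataloguing steps in the answer above (locate every third-party component, record where each license text came from, chase undeclared licenses, check compatibility down the whole chain) are what a dependency audit automates. The following is an added example written for this page, not code from the answer's author: it walks a constructed inventory shaped like the answer's A, A-B, A-C scenario and reports, with the dependency path that introduces each component, anything undeclared or unrecognised, any license text never stored, and (when the product ships closed-source) any strong-copyleft component hiding below a permissively licensed one. The component names, SPDX identifiers and file paths are all constructed for the example; the category table is a coarse illustration, not legal classification.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Component is one row of the inventory the answer asks you to build.
// Source records where the license text was retrieved from, which is
// the answer's "document from where and why you've stored the texts" step.
type Component struct {
	Name    string
	License string   // declared SPDX identifier; "" when nobody declared one
	Source  string   // origin of the stored license text; "" if not yet retrieved
	Deps    []string // direct dependencies, by name
}

// Finding is one problem the audit raises, with the dependency path that
// pulls the component in, so a transitive issue (product -> A -> A-B)
// is traceable to the component you actually chose.
type Finding struct {
	Component string
	Path      string
	Problem   string
}

// category maps a declared license to a coarse class for the policy check.
// Only a few common identifiers are covered; anything else is "unknown".
func category(license string) string {
	switch license {
	case "MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0":
		return "permissive"
	case "LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0":
		return "weak-copyleft"
	case "GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only":
		return "strong-copyleft"
	case "":
		return "undeclared"
	default:
		return "unknown"
	}
}

// Audit walks the whole dependency chain below root and reports components
// whose license is undeclared or unrecognised, whose license text has not
// been stored, and, when the product is distributed closed-source
// (proprietary == true), any strong-copyleft component anywhere in the chain.
func Audit(root string, inv map[string]Component, proprietary bool) []Finding {
	var findings []Finding
	seen := map[string]bool{}

	var walk func(name string, path []string)
	walk = func(name string, path []string) {
		if seen[name] {
			return
		}
		seen[name] = true
		// Copy the path so sibling branches do not share a backing array.
		path = append(append([]string{}, path...), name)
		here := strings.Join(path, " -> ")

		c, ok := inv[name]
		if !ok {
			findings = append(findings, Finding{name, here, "not in inventory: locate and catalog it"})
			return
		}
		if name != root { // the root is our own product; only its inputs are audited
			cat := category(c.License)
			switch {
			case cat == "undeclared", cat == "unknown":
				findings = append(findings, Finding{name, here, "license " + cat + ": ask the copyright holder in writing"})
			case c.Source == "":
				findings = append(findings, Finding{name, here, "license text not retrieved and stored"})
			}
			if proprietary && cat == "strong-copyleft" {
				findings = append(findings, Finding{name, here, "strong copyleft inside a closed-source product"})
			}
		}
		for _, d := range c.Deps {
			walk(d, path)
		}
	}
	walk(root, nil)

	sort.Slice(findings, func(i, j int) bool { return findings[i].Component < findings[j].Component })
	return findings
}

// sampleInventory is constructed data mirroring the answer's A, A-B, A-C example.
func sampleInventory() map[string]Component {
	return map[string]Component{
		"my-product": {Name: "my-product", License: "LicenseRef-Proprietary", Deps: []string{"A"}},
		"A":          {Name: "A", License: "Apache-2.0", Source: "vendor/A/LICENSE", Deps: []string{"A-B", "A-C", "A-D"}},
		"A-B":        {Name: "A-B", License: "GPL-3.0-only", Source: "vendor/A/third_party/A-B/COPYING"},
		"A-C":        {Name: "A-C"},                // a binary blob with no stated license
		"A-D":        {Name: "A-D", License: "MIT"}, // license known, text never stored
	}
}

func main() {
	for _, f := range Audit("my-product", sampleInventory(), true) {
		fmt.Printf("%-4s %-26s %s\n", f.Component, f.Path, f.Problem)
	}
}
```

Running it lists A-B (GPL below an Apache-licensed A), A-C (no license at all) and A-D (license known but text not stored); running the same inventory with `proprietary` false drops the A-B finding, which is the answer's point that what you may ship depends on how you license your own work. In practice the inventory comes from lock files, vendored directories and a scan for binary blobs, and the `Path` column is what lets you argue, later, that you did look.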

Why does software have EULA? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
This is the only product that I know of where a consumer must agree to something that only a lawyer can (something) understand. I'm sure car accidents kill more people each year than software accidents. But I don't sign anything like an EULA when I buy a car.
So why does software have an EULA? Was there a bad accident that triggered the need for software companies to protect themselves? (and what was the first software that had an EULA?)
[Update] Just to clear my point: I don't understand why software has an EULA. No other product that I can think of does (not even guns)! So what makes software different that this product needs some sort of "liability limitations"?
By the way, Wikipedia says that "The legal status of shrink-wrap licenses in the US is somewhat unclear."
The difference is that you are purchasing a license to use software, not the software itself (which the software company still owns). The EULA stipulates the method with which you can use the software. Similar agreements are in place when you rent things (e.g. a home), lease equipment, etc.
An EULA is designed to be a contract that conveys or limits “usage” rights, hence the name End User Licensing Agreement. It has nothing more to do with a copyright than the mortgage loan contract that I have with my bank. That is why the legality of shrink-wrapped licenses is questionable. It is a contract that you do not get to read until after you purchase a product. It is clear from many responses here that the vast majority of people have not wrapped their heads around the idea the copyright does not extend to “usage” rights.
One responder wrote “Actually, the book is yours but the rights to the book are not. Just as in software, you purchased the physical media, but are bound by law on how you can use it.” Nothing could be farther from the truth. There is no law that restricts how you can use the book. Any restriction on usage would have to be agreed upon by you and the retailer as part of the sale.
Consider that in the absence of copyright, the copying and distribution of books would be perfectly legal. A book would be typical tangible property and nothing more. Copyright limits your ability to legally copy and distribute the content of the book. No additional agreement is necessary. Copyright in no way dictates how you can use your book and copyright law does not convey to the author the power to convey, limit, or negotiate “usage” rights. The only way that they can limit usage rights is through a separate contract that would have to be completed as part of the sale or rental.
There was some confusion regarding the GPL. The GPL is not an EULA. It is a copyright license that permits copying and distribution of the content so long as you comply with the restrictions of the license. In absence of the GPL (say you choose not to accept it), you can still use the software, but you are restricted from copying or distributing the software by Copyright Law.
EULA exist for various purposes. Companies that develop software want to negotiate a position that puts them at the least risk and gives them maximum leverage.
If a consumer receives software without any license, consider what they might consider their rights:
They may believe they can copy the software, as many times as they want.
They may consider re-selling the software, and still keeping a copy for them self.
They may believe the software must work perfectly, with zero bugs (as they understand a bug)
They may believe it is fully warranted against any perceived defect, and try to return it, for a full refund, at any point in the future.
In short, the EULA disabuses consumers of these notions. It defines ownership and copyright of the software, limits on its use, distribution, features, and quality.
Now it is true that as lawyers get involved in the EULAs more and more, stranger and stranger provisions creep in, such as provisions that you cannot review the software on a blog, or you cannot bad-mouth the software to the press, or that the publisher owns content created with the software.
But fundamentally, the EULA is supposed to be about the producer and the consumer coming to an understanding of what is, and is not, an acceptable use of the software.
Actually, what is quite funny, in Germany EULAs are pretty much legally non-binding, since you only get to see them after the purchase, so for us the answer to your question is:
To intimidate the user from doing stuff the company does not want
There are basically three reasons for EULAs:
Software is much more copyable than any other product I can think of. It is almost never left on its distribution medium. That creates a huge temptation to, for example, buy one copy of Windows and install it on all of a company's thousand computers. Developers want to explicitly lay out how many computers the software may be installed on.
Software often has undetected problems. Even the best QA department never finds all the bugs in a software product. Developers know this and want to be legally covered.
Software can often be easy to take apart to discover a developer's trade secrets or other information the developer doesn't want others to know. Developers want to legally restrict this to protect their advantage over competitors.
Of course, there are sometimes other reasons for other terms. EULAs for Apple's Mac applications, for example, usually state that you can only install the software on an Apple-branded computer; this ensures that Apple's software (which is usually sold much cheaper than it would be from any other developer) increases sales of Apple hardware. The GNU GPL tries to ensure that the innovations in derivative software remain available to the community that developed the original. There are as many reasons as there are clauses.
It depends on the exact wording of the EULA. Often, it's written to reinforce existing laws, such as copyright, by directly informing the user that it's unlawful to copy the program. It also adds on other restrictions such as no reverse engineering, restricting the intellectual property.
Additional clauses may include "not to be used in nuclear projects" or similar. This is merely covering the developer's bases, as it is extremely unlikely that a nuclear system developer would use a non-realtime, non-approved system without extreme amounts of research.
A further clause could restrict certain classes of users, such as military or government, which the developer feels strongly against.
As for which software had the first EULA, I have no idea.
Cars and guns technically have something like a EULA... we just call them "licenses". You have to learn the limitations and rules of their operation, then take some tests and sign some papers.
Nobody has mentioned the obligations of the provider, which are often in the EULA too. If I make your software a critical piece of my corporate infrastructure and you go bust I want to be able to get my hands on the code so your failure doesn't precipitate mine.
As someone said, this is more akin to a rental agreement than a purchase agreement, which is why the analogy with a gun does not really apply.
For proprietary software, the license tells you about your right to use a specific software copy and the impossibility of re-selling it, as well as your and the software authors' rights and charges.
For open source software, the license also tells you about your rights and charges regarding the source code (distribute, do not do that, do that with limitations).
When you use a gun at a firing range, don't you have to sign some type of release or waiver? The logic is similar.

Ext JS Licensing Options [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 7 years ago.
Which of the licensing options for the Ext JS library will apply if I use it in our in-house company CMS?
Take a look at this quote from Planet MySQL - GPL and Javascript:
[...] The whole story becomes a bit more complicated when GPL is applied to a javascript library. When users are using the library, they will download HTML, CSS images and the javascript library. The first thing to realize is that you are distributing the code. It was on your server and now it is on the computer of the user. This gives any user the right to look at the javascript code and reuse it for another project. This means that you can’t obfuscate the javascript code and people can copy/paste it for their own use. This is probably how you currently look at javascript anyway. But how about the HTML, CSS and images, can that be publicly used? No it can’t. Those items aren’t code as defined in the GPL license, it should be considered data. Therefore GPL doesn’t apply to that part of the application.
A web application will probably not only have client side code, it will also have a part on the server in the form of PHP (or JSP, or Ruby, or ..) scripts. The big question is, do we need to release that part as well (under GPL license). Although we as developers think of the client and server part being 2 parts of the same application, GPL does not. When using AJAX, the client code is interacting with the server. However you can compare it to any other client/server application. This may be interpreted as 2 applications between which data is transferred, therefore both may have different licenses. This is called the ‘ASP loophole’ and is seen as an error by some. When GPLv3 was drawn up, a clear decision was made to not close this loophole.
As with regards to whether or not internal usage constitutes distribution, this is from the GPL FAQ:
Is making and using multiple copies within one organization or company "distribution"? No, in that case the organization is just making the copies for itself. As a consequence, a company or other organization can develop a modified version and install that version through its own facilities, without giving the staff permission to release that modified version to outsiders. However, when the organization transfers copies to other organizations or individuals, that is distribution. In particular, providing copies to contractors for use off-site is distribution.
So IANAL, but I'd say you'd be pretty safe to use a GPL'd javascript library for internal systems, and even if you start exposing it to the rest of the world, the only restriction that applies is that if you use GPL'ed javascript libraries in your front end code, you'd have to make unobfuscated versions of your javascript files available. If you only use ExtJS for the admin area (and the admin area is only accessed by your employees) you'd still be clear of the distribution clause of GPL, the way I understand it.
Interestingly, there's another version of GPL called AGPL, which tries to close this "loophole".
The GPLv3 will apply unless you buy a commercial license. That is to say, unless you buy a commercial license, your company needs to agree to distribute the software to anyone to whom you distribute a copy of any part (ie. by sending it over to their browser) and otherwise comply with the terms of the GNU GPLv3.
Now, if this is only going to be used by employees of your company, and you don't mind giving your employees copies of your internal-only software (and, potentially, permission to personally redistribute the same), you may not mind being bound by the GPLv3. Ask your lawyer for their opinion as to whether letting employees use the software when acting as agents of the company requires licensing them a copy which they can redistribute when not acting as agents of the company -- my personal interpretation is that it doesn't, but I'm not a lawyer, cannot give legal advice, am not giving legal advice, and may well be wrong anyhow.
Bottom line: if you license your software under the GPLv3 and comply with that license, you're fine deriving from Ext; the GPL doesn't require you to distribute your source to anyone you haven't distributed any portion of the derived work to, so if it's truly in-house and never leaked (even via third-party folks downloading copies of the javascript files into their web browser), you may well be OK -- but find out what your management and legal counsel are comfortable with!
Now, if you (or your corporate lawyer) isn't comfortable with that (and not being comfortable with that would not be particularly surprising!), you can buy a commercial license. They're pretty reasonably priced, especially if you're buying them on a per-developer basis for only a small number of people.
According to the official license information, if you are going to derive a commercial advantage from your CMS, you are required to purchase the appropriate number of commercial licenses, unless you distribute your source code with a GPL license. In other words, you are not required to purchase commercial licenses for Ext even if you make a profit on your CMS, as long as you make your source code available under a GPL license.
http://extjs.com/products/license.php
http://extjs.com/company/dual.php

Software evaluation licensing [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
My company is looking to start distributing some software we developed and would like to be able to let people try the software out before buying. We'd also like to make sure it can't be copied and distributed to our customers' customers.
One model we've seen is tying a license to a MAC address so the software will only work on one machine.
What I'm wondering is, what's a good way to generate a license key with different information embedded in it such as license expiration date, MAC address, and different software restrictions?
I've used both FLEXlm from Macrovision (formerly Globetrotter) and the newer RLM from Reprise Software (as I understand, written by FLEXlm's original authors). Both can key off either the MAC address or a physical dongle, and can be either node-locked (tied to one machine only) or "floating" (any authorized machine on the network can get a license doled out by a central license server, up to a maximum number of simultaneously checked-out copies determined by how much they've paid for). There are a variety of flexible ways to set it up, including expiration dates, individual sub-licensed features, etc. Integration into an application is not very difficult. These are just the two I've used; I'm sure there are others that do the job just as well.
These programs are easily cracked, meaning that there are known exploits that let people bypass the security of your application that uses them, either by cutting their own licenses to spoof the license server, or by merely patching your binary to bypass the license check (essentially replacing the subroutine call to their library with code that just says "return 'true'"). It's more complicated than that, but that's what it mostly boils down to. You'll see cracked versions of your product posted to various warez sites. It can be very frustrating and demoralizing, all the more so because they're often interested in cracking for cracking's sake, and don't even have any use for your product or knowledge of what to do with it. (This is obvious if you have a sufficiently specialized program.)
Because of this, some people will say you should write your own, maybe even change the encryption scheme frequently. But I disagree. It's true that rolling your own means that known exploits against FLEXlm or RLM won't instantly work for your application. However, unless you are a total expert on this kind of security (which clearly you aren't or you wouldn't be asking the question), it's highly likely that in your inexperience you will end up writing a much less secure and more crackable scheme than the market leaders (weak as they may be).
The other reason not to roll your own is simply that it's an endless cat and mouse game. It's better for your customers and your sales to put minimal effort into license security and spend that time debugging or adding features. You need to come to grips with the licensing scheme as merely "keeping honest people honest", but not preventing determined cracking. Accept that the crackers wouldn't have paid for the software anyway.
Not everybody can take this kind of zen attitude. Some people can't sleep at night knowing that somebody somewhere is getting something for nothing. But try to learn to deal with it. You can't stop the pirates, but you can balance your time/effort/expense trying to stop all piracy versus making your product better for users. Remember, sometimes the most pirated applications are also the most popular and profitable. Good luck and sleep well.
I'd suggest you take the pieces of information you want in the key, and hash it with md5, and then just take the first X characters (where X is a key length you think is manageable).
Cryptographically, it's far from perfect, but this is the sort of area where you want to put in the minimum amount of effort which will stop a casual attacker - anything more quickly becomes a black hole.
Oh, I should also point out that you will want to provide the expiration date (and any other information you might want to read out yourself) in plain text (or slightly obfuscated) as part of the key as well if you go down this path. The md5 is just to stop the end user from changing the expiration date to extend the license.
The easiest thing would be a key file like this...
# License key for XYZZY
expiry-date=2009-01-01
other-info=blah
key=[md5 hash of MAC address, expiry date, other-info]
We've used the following algorithm at my company for years without a single incident.
Decide the fields you want in the code. Bit-pack as much as possible. For example, dates could be "number of days since 2007," and then you can get away with 16-bits.
Add an extra "checksum" field. (You'll see why in a second.) The value of this field is a checksum of the packed bytes from the other fields. We use "first 32 bits from MD5."
Encrypt everything using TEA. For the key, use something that identifies the customer (e.g. company name + personal email address), that way if someone wants to post a key on the interweb they have to include their own contact info in plain text.
Convert hex to a string in some sensible way. You can do straight hex digits but some people like to pick a different set of 16 characters to make it less obvious. Also include dashes or something regularly so it's easier to read it over the phone.
To decrypt, convert hex to string and decrypt with TEA. But then there's this extra step: Compute your own checksum of the fields (ignoring the checksum field) and compare to the given checksum. This is the step that ensures no one tampered with the key.
The reason is that TEA mixes the bits completely, so if even one bit is changed, all other bits are equally likely to change during TEA decryption, therefore the checksum will not pass.
Is this hackable? Of course! Almost everything is, but this is tight enough and simple to implement.
If tying to contact information is not sufficient, then include a field for "Node ID" and lock it to MAC address or somesuch as you suggest.
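An added example (not the answer author's code) of the scheme just described, in Python: bit-packed fields, a 32-bit MD5 checksum, TEA encryption under a key tied to the customer's contact string, and dash-separated hex output; the same MD5-over-the-fields check is what the earlier key-file answer relies on. The field layout, deriving the TEA key as MD5 of the contact string, and the hex alphabet are my assumptions.

```python
import hashlib
import struct
from datetime import date, timedelta
DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF
EPOCH = date(2007, 1, 1)   # dates are stored as "days since 2007" in 16 bits
FIELDS = ">HHHHI"          # expiry days, feature bits, seats, serial, node id = 12 bytes

def _tea_block(v0, v1, k, encrypt):
    # Standard 32-round TEA on one 64-bit block held as two uint32 words.
    s = 0 if encrypt else (DELTA * 32) & MASK
    for _ in range(32):
        if encrypt:
            s = (s + DELTA) & MASK
            v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
            v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        else:
            v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
            v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
            s = (s - DELTA) & MASK
    return v0, v1

def _tea(data, key, encrypt):
    # ECB over 8-byte blocks; len(data) must be a multiple of 8.
    k = struct.unpack(">4I", key)
    return b"".join(struct.pack(">2I", *_tea_block(*struct.unpack(">2I", data[i:i + 8]), k, encrypt))
                    for i in range(0, len(data), 8))

def customer_key(customer):
    # Assumption: the TEA key is MD5 of the customer's contact string, which ships in clear beside the key.
    return hashlib.md5(customer.encode()).digest()

def make_key(customer, expiry_iso, features, seats, serial, node_id):
    packed = struct.pack(FIELDS, (date.fromisoformat(expiry_iso) - EPOCH).days, features, seats, serial, node_id)
    checksum = hashlib.md5(packed).digest()[:4]      # "first 32 bits from MD5"
    ct = _tea(packed + checksum, customer_key(customer), True).hex().upper()
    return "-".join(ct[i:i + 4] for i in range(0, 32, 4))   # dashes make it easier to read out

def check_key(customer, key, today_iso):
    # Returns (expiry, features, seats, serial, node_id), or None on a bad format, a checksum
    # mismatch (tampered key or wrong customer) or an expired licence.
    hexstr = key.replace("-", "").upper()
    if len(hexstr) != 32 or any(c not in "0123456789ABCDEF" for c in hexstr):
        return None
    pt = _tea(bytes.fromhex(hexstr), customer_key(customer), False)
    if hashlib.md5(pt[:12]).digest()[:4] != pt[12:]:
        return None
    days, features, seats, serial, node_id = struct.unpack(FIELDS, pt[:12])
    expiry = EPOCH + timedelta(days=days)
    return None if date.fromisoformat(today_iso) > expiry else (expiry.isoformat(), features, seats, serial, node_id)
```

Flipping a single hex digit of a generated key, or checking it under another customer's contact string, makes the recomputed checksum disagree with the decrypted one, which is exactly the tamper check the answer describes.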
Don't use MAC addresses. On some hardware we've tested - in particular some IBM Thinkpads - the MAC address can change on a restart. We didn't bother investigating why this was, but we learned quite early during our research not to rely on it.
Obligatory disclaimer & plug: the company I co-founded produces the OffByZero Cobalt licensing solution. So it probably won't surprise you to hear that I recommend outsourcing your licensing, & focusing on your core competencies.
Seriously, this stuff is quite tricky to get right, & the consequences of getting it wrong could be quite bad. If you're low-volume high-price a few pirated copies could seriously dent your revenue, & if you're high-volume low-price then there's incentive for warez d00dz to crack your software for fun & reputation.
One thing to bear in mind is that there is no such thing as truly crack-proof licensing; once someone has your byte-code on their hardware, you have given away the ability to completely control what they do with it.
What a good licensing system does is raise the bar sufficiently high that purchasing your software is a better option - especially with the rise in malware-infected pirated software. We recommend you take a number of measures towards securing your application:
get a good third-party licensing system
pepper your code with scope-contained checks (e.g. no one global variable like fIsLicensed, don't check the status of a feature near the code that implements the feature)
employ serious obfuscation in the case of .NET or Java code
The company I worked for actually used a USB dongle. This was handy because:
Our software was also installed on that USB Stick
The program would only run if it found the (unique) hardware key (any standard USB key has that, so you don't have to buy something special, any stick will do)
it was not restricted to a computer, but could be installed on another system if desired
I know most people don't like dongles, but in this case it was quite handy, as it was actually used for a special-purpose media player that we also delivered. The USB keys could thus be used as a demo on any PC, but also, without any modifications, be used in the real application (i.e. the real players) once the client was satisfied.
We keep it simple: store all the license data in an XML file (easy to read and manage), create a hash of the whole XML and then encrypt it with a utility (also our own, and simple).
This is also far from perfect, but it can hold for some time.
Almost every commercial license system has been cracked; we have used many over the years and all eventually get cracked. The general rule is: write your own, change it every release, and once you're happy, try to crack it yourself.
Nothing is really secure. Ultimately, look at the big players (Microsoft etc.): they go with the model that honest people will pay and others will copy, so don't put too much effort into it.
If your application is worth paying money for, people will.
I've used a number of different products that do the license generation and have created my own solution but it comes down to what will give you the most flexibility now and down the road.
Topics that you should focus on for generating your own license keys are...
Hex formatting, elliptic curve cryptography, and any of the algorithms for encryption such as AES/Rijndael, DES, Blowfish, etc. These are great for creating license keys.
Of course it isn't enough to have a key you also need to associate it to a product and program the application to lock down based on a key system you've created.
I have messed around with creating my own solution but in the end when it came down to making money with the software I had to cave and get a commercial solution that would save me time in generating keys and managing my product line...
My favorite so far has been License Vault from SpearmanTech but I've also tried FlexNet (costly), XHEO (way too much programming required), and SeriousBit Ellipter.
I chose the License Vault product in the end because I would get it for much cheaper than the others and it simply had more to offer me as we do most of our work in .NET 3.5.
It is difficult to provide a good answer without knowing anything about your product and customers. For enterprise software sold to technical people you can use a fairly complex licensing system and they'll figure it out. For consumer software sold to the barely computer-literate, you need a much simpler system.
In general, I've adopted the practice of making a very simple system that keeps the honest people honest. Anyone who really wants to steal your software will find a way around any DRM system.
In the past I've used Armadillo (now Software Passport) for C++ projects. I'm currently using XHEO for C# projects.
If your product requires the use of the internet, then you can generate a unique id for the machine and use that to check with a license web service.
If it does not, I think going with a commercial product is the way to go. Yes, they can be hacked, but for the person who is absolutely determined to hack it, it is unlikely they ever would have paid.
We have used: http://www.aspack.com/asprotect.aspx
We also use a function call in their SDK product that gives us a unique id for a machine.
Good company although clearly not native English speakers since their first product was called "AsPack".

Resources