Open response to Simon Stuart

As you may be aware, Simon Stuart is building what could basically be described as an App Store for Delphi packages.  I really like this idea.  But he’s apparently got some very strange ideas about how it should be set up, and on a couple of points downright harmful ones.  When one of the commenters asked, “Hi. Will this RADStore be somehow similar to nuget? Is it open source/can we help?” he responded with:

It cannot be open source due to the need to handle payment information (making such a system open source would be a MAJOR security risk)… but suggestions and feedback are (as always) greatly appreciated, and EVERYTHING is considered (no matter how crazy it may at first appear).

I couldn’t believe my eyes when I read that.  Claiming that revealing the workings of a payment system would be a security risk goes against everything we know about effective security.  It is security by obscurity, an approach that has been shown over and over again not to be secure at all.  The correct way to handle security, and the only correct way, is to heed Kerckhoffs’s principle: a system should remain secure even if everything about it except the cryptographic key(s) is public knowledge.  (Kerckhoffs stated it for ciphers; Shannon’s restatement, “the enemy knows the system,” is the form that applies to a whole design, including the server code and protocols wrapped around the crypto.)  Stating that publishing the details of your system would be a security risk is tantamount to admitting that the system already has security holes and you don’t want anyone to see what they are.  This does not inspire confidence in me as a potential user of the system!
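To make the principle concrete, here is an added example (my own illustration, not code from the original post or from RADStore).  It tags a purchase order two ways: a hypothetical “proprietary” scheme whose only secret is a constant baked into the source, and HMAC-SHA256, a published algorithm whose security rests on the key alone.  The pepper, key and order strings are all constructed for the demonstration; once the source is public, only one of the two schemes still holds.

```python
"""Kerckhoffs's principle, illustrated (added example, not the post's own code).

  * obscure_tag(): hypothetical keyless scheme; its only protection is that
    nobody has read this file.
  * keyed_tag():   HMAC-SHA256; the algorithm is public, the key is not.

Everything below (pepper, key, orders) is constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# --- Scheme 1: security by obscurity -----------------------------------------
# The "secret" is a constant in the source.  Publishing the source publishes
# the secret; so does decompiling the shipped binary.
_HIDDEN_PEPPER = b"radstore-secret-sauce-v1"   # constructed, hypothetical


def obscure_tag(order: bytes) -> str:
    return hashlib.sha256(_HIDDEN_PEPPER + order).hexdigest()


def obscure_verify(order: bytes, tag: str) -> bool:
    return hmac.compare_digest(obscure_tag(order), tag)


def forge_obscure(order: bytes) -> str:
    """What an attacker who has read the code does: run the same code."""
    return hashlib.sha256(b"radstore-secret-sauce-v1" + order).hexdigest()


# --- Scheme 2: security by key -----------------------------------------------
# The algorithm is public (RFC 2104 HMAC with SHA-256); only `key` is secret.
def keyed_tag(key: bytes, order: bytes) -> str:
    return hmac.new(key, order, hashlib.sha256).hexdigest()


def keyed_verify(key: bytes, order: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the tag through timing differences.
    return hmac.compare_digest(keyed_tag(key, order), tag)


def forge_keyed(order: bytes, guessed_key: bytes) -> str:
    """Attacker knows the algorithm but not the key: all they can do is guess."""
    return keyed_tag(guessed_key, order)


def demo(server_key: Optional[bytes] = None) -> dict:
    """Return which tags each scheme accepts once the source is public."""
    if server_key is None:
        server_key = secrets.token_bytes(32)   # generated at deployment, never in source
    order = b"order=42;amount=9.99;currency=EUR"      # constructed sample
    tampered = b"order=42;amount=0.01;currency=EUR"   # the attacker's edit
    return {
        # Legitimate tags verify under both schemes.
        "obscure_legit_accepted": obscure_verify(order, obscure_tag(order)),
        "keyed_legit_accepted": keyed_verify(server_key, order, keyed_tag(server_key, order)),
        # With the source in hand, the obscure scheme is forgeable at will...
        "obscure_forgery_accepted": obscure_verify(tampered, forge_obscure(tampered)),
        # ...while the keyed scheme is not, because the source held no secret.
        "keyed_forgery_accepted": keyed_verify(
            server_key, tampered, forge_keyed(tampered, b"guess")
        ),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The point of the comparison is not that the first scheme uses a weak hash (it is the same SHA-256), but that everything it relies on is recoverable from the code.  The second scheme can be read, reviewed and copied by anyone and loses nothing, which is exactly what Kerckhoffs’s principle asks for.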

When I tried to point that out in a comment of my own, instead of reasonable discussion he replied with an angry rant that not only completely missed the point of what I was trying to say, but also was very confusing coming from Simon specifically, because it demonstrated a profound ignorance of several things that a coder who has done what he has done for our community should be expected to understand.  It also shows that despite using “security” as his original reason, that doesn’t seem to be what he’s really afraid of here at all:

You seem to be under the impression that I will be making and using my own cryptographic systems. I’ve no intention of doing so! The bottom line is that open-sourcing this would enable others to take my work, rebrand it as their own, set up their own server-side back-end architecture, and run a competing store. This would be bad for everyone! It’d fracture distribution (when I’m explicitly building this to unify), and of course would destroy my potential for generating revenue via the store.

There is absolutely no reason to make this open source! PayPal isn’t open source, do you think that makes them less secure? No, because they use industry-standard cryptographic and security systems… I will be doing likewise!

The only reason I can see anyone wanting this to be open source is to steal the work and make a profit on it. Given how much I already give away (and others are already making money with), why should I give this away too? That’s like asking a car manufacturer to give away their latest model for free…. never going to happen!

I posted a reply, but he’s got automatic comment moderation on his blog, and it’s been a couple weeks and my response still hasn’t shown up.  I do think that this is an important discussion to have, though, and for the community to be able to understand and weigh in on, so I’m responding here.  This won’t be identical to my original response, but I’ll be making most of the same points, plus a few new ones.

You seem to be under the impression that I will be making and using my own cryptographic systems. I’ve no intention of doing so!

Not in the sense of “roll your own crypto,” no, I was never under that impression.  But the entire payment system is a cryptographically-secured system, and it all stands or falls on Kerckhoffs’s principle.  It does no one any good if the crypto is 100% perfect but a buffer overflow, a SQL injection vulnerability, or any one of a number of other errors in the code around it lets someone in through the back door.  In practice the library doing the crypto is the most-reviewed part of such a system; the application code that calls it is where the mistakes usually end up.  (Just look at Sony!)
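As an added example of that “back door” (my own illustration, not code from the original post or from RADStore), here is a hypothetical licence-lookup query from a store backend, written once by string formatting and once with a bound parameter, run against a constructed in-memory SQLite table.  No key and no cipher are involved; the payload is the oldest trick in the book and it empties the table either way the crypto is configured.

```python
"""SQL injection beside its fix (added example, not the post's own code).

The table, package names and licence keys are constructed sample data.
"""
import sqlite3


def make_store_db() -> sqlite3.Connection:
    """Constructed sample data: which buyer holds which licence key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE licences (package TEXT, buyer TEXT, licence_key TEXT)")
    conn.executemany(
        "INSERT INTO licences VALUES (?, ?, ?)",
        [
            ("ExamplePkgA", "alice", "EPA-0001-SAMPLE"),
            ("ExamplePkgB", "bob", "EPB-0002-SAMPLE"),
            ("ExamplePkgC", "carol", "EPC-0003-SAMPLE"),
        ],
    )
    return conn


def licences_for_buyer_vulnerable(conn: sqlite3.Connection, buyer: str) -> list:
    # BUG: the buyer name (attacker-controlled, e.g. from a login form) is
    # pasted straight into the SQL text, so quotes in it become SQL syntax.
    sql = "SELECT package, licence_key FROM licences WHERE buyer = '%s'" % buyer
    return conn.execute(sql).fetchall()


def licences_for_buyer_safe(conn: sqlite3.Connection, buyer: str) -> list:
    # FIX: a bound parameter is always data, never SQL, whatever it contains.
    sql = "SELECT package, licence_key FROM licences WHERE buyer = ?"
    return conn.execute(sql, (buyer,)).fetchall()


def demo() -> dict:
    """Run the same tautology payload through both versions of the query."""
    conn = make_store_db()
    # Closes the quoted literal and ORs in an always-true comparison:
    #   WHERE buyer = 'nobody' OR '1'='1'
    payload = "nobody' OR '1'='1"
    return {
        "vulnerable_rows": len(licences_for_buyer_vulnerable(conn, payload)),
        "safe_rows": len(licences_for_buyer_safe(conn, payload)),
        "alice_rows": len(licences_for_buyer_safe(conn, "alice")),
    }


if __name__ == "__main__":
    conn = make_store_db()
    print("leaked:", licences_for_buyer_vulnerable(conn, "nobody' OR '1'='1"))
    print("safe:  ", licences_for_buyer_safe(conn, "nobody' OR '1'='1"))
```

The vulnerable query returns every licence key in the table for a buyer who does not exist; the parameterised one returns nothing for the same input and still returns alice’s single row for a real name.  This is the kind of defect a second pair of eyes catches in minutes and that no amount of “industry-standard” crypto underneath it will prevent.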

The bottom line is that open-sourcing this would enable others to take my work, rebrand it as their own, set up their own server-side back-end architecture, and run a competing store. This would be bad for everyone! It’d fracture distribution (when I’m explicitly building this to unify), and of course would destroy my potential for generating revenue via the store.

…and selling me a car would enable me to run you down with it, but that’s no good reason not to do so unless you actually believe I would use the car in such a way.  Ability does not imply intent.  And the Delphi market is relatively small and highly specialized, and of course not every Delphi user is going to get this product.  There’s not that much of a pie to cut up, and being first to market is a significant advantage in its own right.

Potential competitors would have to take that into account.  To make it worthwhile, someone would have to not only copy the service, but make it significantly better, better enough that people would have a compelling reason to choose the new service over the already-established one.  And they would also need to copy not only his code, but his entire ecommerce infrastructure, which could be a non-trivial investment.

Plus, if the source were published under a copyleft license such as the MPL, they would be required to publish their changes to the covered files (under the GPL, the whole derived work), so Simon could copy their improvements in return.  So all in all there’s not much incentive for anyone to try and set up a competing system, and to be blunt, if someone does anyway and Simon truly couldn’t out-compete our hypothetical copier with the deck stacked in his favor like that, then his service deserves to fail.  You should never trust a businessman who’s afraid of competition.

There is absolutely no reason to make this open source! PayPal isn’t open source, do you think that makes them less secure? No, because they use industry-standard cryptographic and security systems

Wrong.  PayPal is secure because they have a small army of developers and security staff, on a budget most companies can only dream of, reviewing their code and making sure it’s solid.  Without a similar budget, which Simon does not have, there’s only one affordable way to obtain a comparable scope of code review: publishing the code.  Every single user in Simon’s target market is by definition a programmer with a personal interest in making sure that the service works well.  There’s no reason (aside from paranoia) not to take advantage of that!

The only reason I can see anyone wanting this to be open source is to steal the work and make a profit on it. Given how much I already give away (and others are already making money with), why should I give this away too? That’s like asking a car manufacturer to give away their latest model for free…. never going to happen!

*facepalm* There are so many things wrong there!  First off, it makes me cringe to see the S-word brought into this context.  No one will, or can, “steal the work”.  Theft involves loss.  If I steal a car manufacturer’s latest model, they no longer have that car to sell.  But this service is essentially an idea, and stealing ideas is quite impossible outside of science fiction and fantasy.  I’m sorry if this comes across as pedantic, but it’s an important point to make, since the concept of stealing ideas is being used far too frequently these days by people with a vested interest in retarding the progress of culture and science, particularly on the Internet.  It’s completely incorrect, which is obvious enough that even a child can understand it.  Plus, we’re programmers, for heaven’s sake.  Precise terminology is very important.  So when you use words that are not only wrong but loaded with associations with an agenda that is openly at war with a good percentage of your audience, it makes it very difficult for people to take you seriously.  Just something to consider.

OK, now that that’s off my chest, the first sentence seems really strange in light of the second one.  Simon has produced a lot of “work I already give away (and others are already making money with).”  It’s what he’s known for in the Delphi community, stuff like Lua4Delphi and his Kinect and Twitter libraries.  How can it be that a library writer does not understand the value to the community of having libraries available?

If Simon can’t see any reason for anyone wanting this to be open-source other than “to copy the work and make a profit on it (implied: to his detriment)” it can only be because he’s willfully not looking.  I can think of a handful of good reasons just off the top of my head:

  1. To review the code and ensure that it’s free from security holes and other bugs
  2. To contribute new features, which is why the person who started this conversation wanted it
  3. To extract the principles involved and use them to set up a similar service in a non-competing area.

Point 3 is more significant than you might think.  Right now, between Indy, DWS, and Smart, we have everything we need to create really powerful, useful, and cool sites entirely in Object Pascal code… except for one thing: a way to monetize it.  There is no Delphi library that I’m aware of that makes it simple to accept and handle payments over the Internet.

If Simon were to even just put that part of the system up on Google Code and work with the community to establish a standard Delphi-based payment processing system, it would be the last piece of the puzzle.  This would prove a great benefit to our community, and IMO would gain him a lot more respect and “cred” than, say, an interface to a gimmicky, proprietary input device that hardly anyone is using anyway because you need a living room approximately the size of an aircraft hangar for it to work effectively.

Also, since what Simon seems to be most worried about with this whole thing is a loss of revenue due to competition, it’s worth considering that leading a project like this would raise his profile, and would draw attention to RADStore specifically, which would bring more users, thereby increasing revenue.


What do the rest of you think?  As always, any feedback is welcome.

38 Comments

  1. A. Bouchez says:

    All your statements make perfect sense to me.

    Open Sourcing a project, and using proven algorithms is the best way of ensuring good enough security for a small project.
    I’ve had a lot of feedback about some of my projects over the years, and most of it was very valuable. And changes were made to the source trunk, for the benefit of everyone!

    Of course, if the project has only a few reviewers, opening the source may be a risk. The only one looking at the code could have bad intent!

    For an IDE plugin, I’m quite confident that Embarcadero will provide one, sooner or later. That was my first thought when I read Simon’s proposal. How can a single man assure 24/7 support, package review and customer follow-up? Then I was a bit confused by the fact that he wanted to earn money from such a project, which IMHO should be free, or Embarcadero sponsored. An IDE is not an iPhone: this is a hacker’s tool, not a geek gadget.

    Then, the remarks about Open Source did show a big ignorance about what Open Source is, and what Open Source licenses are meant for. With the appropriate licence, no one could “steal” your code then make money from it! You are not forced to publish under the MPL or BSD license.

    About payments over the Internet, it is pretty easy to implement the PayPal API. A few lines of code are enough, if you know how to parse HTML and send an HTTP request to a server.

    Thanks for your article. It raises some interesting points.

  2. Warren Postma says:

    Delphi itself is not open source. And we’re not accusing them of trying to do anything wrong by having a commercial business, are we? So why are we giving Simon a hard time if he wants to? If anyone could be crabby about him doing a closed-source implementation of a Delphi Component “App Store”, it should be Embarcadero, who is a few years late with bringing the idea to market themselves. No, I’m not talking about AppWave, which is about delivering actual complete runnable Apps (like Angry Birds or ER/Studio) to your computer in a fast and convenient “no install” fashion, I’m talking about a hypothetical inside-RAD-Studio-IDE component store.

    The store exists for a closed-source product (Delphi) and will be SELLING closed source products (Delphi components). Why anyone thinks that this store should be open-source when all the other pieces of the puzzle are closed, is beyond me.

    There’s no reason that a web browser based in-app purchase system needs to be mistrusted as an attempt at “security by obscurity”. Not only is Simon going to use SSL, if he has any brains, which I know he has, he’s also not going to be silly enough to write his own payment processing system, when putting a web browser in a window, and letting some existing internet payment system do its job will be faster and easier and more trustworthy.

    Seriously. Relax. The world is not ending. It’s a good idea, and I wish Simon luck.

    Warren

  3. As Warren has already said: Delphi isn’t open source, Windows isn’t open source… very little is open source and I will not be making RADStore open source.
    If you have a problem with that, don’t use it! I am not obligated to open source every single thing I make so that anyone can steal it to make profit.

    I am using recognized and commercially accepted methods of data protection (as I am legally required to do so and as must be legally certified here in my country).

    This post is nothing more than a bully-tactic intended to force my hand, and it will not work! I give enough away for free as it is, and I will NOT be giving RADStore’s source code away, PERIOD!

    • Mason Wheeler says:

      “Bullying” and attempting to “force your hand” were never my intentions, and the fact that you immediately accuse me of doing so says more about your thought processes than about mine. What I wanted to do here was attempt to reason with you and present a perspective that you apparently failed to consider.

      The fact that you refuse again to even attempt to reason back, and instead again resort to screaming and ranting and ridiculous talk about “stealing”–even after I demonstrated first that the premise is false and second that what you really mean is highly unlikely anyway–and offer not a single fact, example or demonstration as a counter-argument, shows that you unfortunately have no intention of being even the least bit reasonable. Apparently “everything is considered, no matter how crazy it may appear,” but things that make perfect sense are too crazy to even be considered at all.

      But honestly, the only crazy thing I see here is someone attempting to claim, with a perfectly straight face, that it’s possible to not only steal an idea, but to steal an idea whose originator has chosen to make it freely available. Under that logic, are the people using your open-source projects and making money off them thieves?

      • First of all: I had no idea who posted this article. Your name isn’t listed anywhere in here. It’s impossible to have meaningful debate with someone when you don’t even know who they are (from my perspective, this article is just text on a screen which could as easily have been posted by a 12 year old… how would I know?)

        I still disagree with you, though! I won’t be writing my own security, the security I use must be examined and verified by an oversight body before I’m legally allowed to launch the store, and the code will be peer-reviewed at that time.
        Let’s not forget that the security methods I’ll be employing are themselves already open source or at least open-infrastructure. Why should I make the entire system open source when your “concerns” are irrelevant as the focus of them is ALREADY open for all to see?

        I never said anyone was trying to steal the idea! I’m saying people want to STEAL THE ACTUAL WORK! It’s happened to me before, no reason to believe it wouldn’t happen again.

        Sorry but I’m not open sourcing… and nothing anyone says will convince me it’s a “good” thing to do!

        • Mason Wheeler says:

          Sorry about that. I’ve changed the tagline at the top of the blog to make it more clear who’s writing this.

          But again, stealing involves loss. Are you saying that open-sourcing this would allow some unscrupulous Delphi coder to take RADStore away from you? Because what it looks like you’re saying is that it would allow someone to copy the system and set up a competing service. That’s not stealing, and it doesn’t involve the entirety of your work anyway, only the code. In order to compete with you, they would still need to come up with both the infrastructure and the customer base, and no amount of your code would help them with that. That’s “ACTUAL WORK” that can neither be stolen nor trivially copied the way source code can, and it constitutes a large proportion of the value of your service.

          I’m sorry to hear that you’ve apparently been burned before in similar matters. But that doesn’t mean that everyone out there is like whoever did whatever it was they did to you in the past. The Delphi community is a community, and part of what that means is looking out for each other. Heck, if you did this and I saw someone trying to take advantage of it and screw you over, I’d be the first to raise a stink about it, and everyone on DelphiFeeds would know what was going on and have a good reason to not want to do business with them.

          The part I’m really interested in is point #3 from the end of my article. Having the missing piece to an end-to-end Object Pascal website stack available as a standardized library would mean that people could build sites like that without having to… you know, reinvent the wheel. 😉 I could use something like that myself, actually. (Can’t really talk about it yet, but it will in no way be in competition with RADStore or anything like it.)

          • Oswaldo says:

            I wonder. If you are so really interested in using his code for the “missing part” of whatever you think is missing (#3), why don’t you offer him some money to purchase the code (or better said, purchase the work he has done on it so far)? Wouldn’t it be worth it for you? Couldn’t you pay for the effort? Why try to convince him to give it away for free?
            I really don’t get this “open source” idea. In theory it is beautiful, but in practice everyone just wants things for free and no one contributes. I’m pretty sure if this RADStore is successful and gives Simon money, he will improve the library much, much more than hundreds of “contributors” would if it’s made open source.

            • Not sure what practice you’ve had experience with, but in practice, yes, I do contribute code back to improve projects I find useful. Ask Alex Ciobanu or Eric Grange, or Sam Lantinga, the guy who runs the SDL project.

              Heck, ask Barry Kelly or Allen Bauer; I’ve left fingerprints all over the VCL and RTL in the last few years, and there are plenty of other Delphi users who have contributed more than I have. And the Delphi standard libraries aren’t even open-source, but they make the code available, and the community contributes fixes and features to it. In practice, sure, there are a lot of people who don’t contribute anything back, who just use the code as free code, but there are also enough users who do to make it worth it. You don’t need everyone to contribute to make it successful.

              And as for trying to license the code as you suggest, it wouldn’t do the community any good if I were to purchase a license from the author under proprietary terms that preclude my ability to share it with the community, which certainly seems like the most likely outcome assuming he was even willing to license it in the first place.

  4. Also A. Bouchez is an idiot if he thinks that running an online store should be done “for free”. I have to pay for the servers, the bandwidth, the storage… and I work my arse off. Am I supposed to be your slave, Mr. Bouchez? Is that the way the world works? I make, manage and maintain everything… hire staff at my own expense… then just GIVE everyone a COMPLETELY FREE in-IDE store from which to sell their components (from which they make their profit)?

    OR am I supposed to go a step further and force everyone to provide their components for free too? How much “free” is enough for you, hmmm?

    Clearly you fail to understand reality… and I’m done wasting my time with this “article”!

    • Mason Wheeler says:

      For the record, I agree with you there. It’s unreasonable to expect someone to run a store and not make any money off it, especially if it’s a third party doing it and not Embarcadero providing the service as a loss leader. I still think you’re stuck in a too-narrow perspective and missing out on a worthwhile opportunity, though.

    • A. Bouchez says:

      The idiot salutes you!

      If you did read my comment, you would have found out that I did not write about an “Online Store”, but a “project”.
      In my mind, this “plug-in” could be just a platform to work with, proposing third-party services for payment: get the sources for Open Source project, get the .dcu and a link to Paypal (or other store) to get the source or the fully functional .dcu.
      Of course, it does not mean that everything on this platform should be Open Source.
      I was thinking of an “embedded Torry.net”, as a plug-in, with easy installation and sample code compilation.
      It may benefit everyone.

      Money would come from support, or dedicated project using your tools.
      I can write it easily, since I’m maintaining and releasing a lot of Delphi source code – much more than you, if you take a look at http://synopse.info. And it can be proudly compared (being even better sometimes) to components costing a lot of money.
      And I even don’t ask money for support.

      Of course, I do not have enough money to buy a huge car or a villa with sea view.
      (By the way, I’ve an amazing sea view at Beaulieu sur Mer, France, but I do rent my small place)
      I’m happy with sharing and my employer enjoys my skills and being able to use my Open Source projects in its own software.
      I do feel more like “Neo” in the classic movie – happy to see the matrix in my IDE – than a new “B. Gates”.
      My reality is not your reality. But your money-driven reality is not mine. Period.
      This does not mean that my reality is better than yours, of course.
      There is nothing wrong with earning money from your work, but I’m still convinced the market is not big enough for a plug-in as you described. Perhaps for Visual Studio (or it does already exist, I do not know).
      I would rather search in torry.net or on sourceforge/github/googlecode for inspiring projects. If I’m not able to install those, I would have to do something else than programming.

  5. LDS says:

    There’s a basic mistake here. Open source is not more secure or better just because its code is open. It could be *if and only if* enough competent people take the time and the effort to inspect the code and report/fix bugs. That’s not guaranteed, and while some high profile projects may achieve it, there are a lot that don’t, and there’s really no difference whether their code is open or not; everything is just up to the coders’ skills.
    And there are many just getting code from open source projects and using it completely ignoring the license with which it comes, effectively “stealing” it. Many in the so-called “Delphi community” just think about os projects as “free stuff I can reuse at will”. Sometimes it is easy to release a “better” product if you don’t have to start from scratch and then you just release compiled code without giving your changes back.
    Open source is just one mode to distribute software and it’s not by definition “better” than others (whatever Stallman may think). Stuart has all rights to choose the distribution model he finds better for him, and telling him he’s wrong just because he didn’t open source it is plainly wrong.

    • A. Bouchez says:

      I think that was never said here.

      The best distribution mode is the one chosen by the author, if it helps the project.
      Simon can do whatever he wants, of course.

      The point of this article was that he made close-minded assumptions about open source.

      • LDS says:

        It was said here, and there are a lot of close-minded assumptions about closed source. Everything began with “*Not* making such a system open source is a major security risk”. This is false and close-minded. Open source is not automagically more secure, as many open source zealots assert. There is no warranty that someone with the right skills will inspect your code and report issues to you just because the code is open. While some closed source projects may undergo a full skilled peer review even if you don’t know.
        I can bring plenty of examples of insecure open source projects simply because no one competent enough inspects their code continuously. OpenX was a few days ago compromised and used to inject malware (also using Java – another open source project – exploits) through ads displayed on perfectly legitimate sites – I got AV alerts while opening avsim.net, one of the major flight simulator user sites. OpenX is an open source project with a long history of exploited vulnerabilities – and a very closed attitude when it comes to disclosure about the issues.

        • David Heffernan says:

          Neither one of open source or closed source is better than the other. Code built both ways has vulnerabilities, as can readily be seen from the major OSs of the day.

          What Mason actually said was not that open sourcing it would make it secure. Rather, Mason contradicted Simon’s statement that open sourcing would make it less secure. There’s a huge difference in those statements.

          • Mason Wheeler says:

            Exactly. It’s not the open source per se that makes the code more secure; it’s having a solid code review system in place. Linus’s Law applies here, specific individual examples of highly dysfunctional projects notwithstanding. What I was trying to point out is that making the code open-source is the simplest (and least expensive!) way to obtain that level of review, that it was unlikely to have the downsides that Simon feared it would bring, and that it would bring benefits to him personally and to the community as a whole.

            • LDS says:

              Actually there are academic papers about how closed source code can *add* a level of security because the skills to reverse compiled code are harder to obtain than simply reading it – and you have to grab the compiled code, something which may not be that easy if it is running on a remote server you don’t have access to. Of course that’s not enough, but it is an added layer.
              IMHO for a small project the benefit of maybe obtaining a deep review by chance from a competent developer is more or less equal to the risk of someone spotting a vulnerability and exploiting it before it gets fixed – especially if money is involved. And being Delphi code, I believe Stuart is right about the other disadvantages. IMHO most of those advocating a “free” version of Delphi capable of professional development are the same people who reap as much “free” code as they can put their hands on, no matter what the license is, for their closed, commercial applications.

  6. David Heffernan says:

    Mason and Arnaud are talking lots of sense here. Simon’s manner and downright rudeness and aggression are distasteful. You don’t have to agree here, but calling Arnaud an idiot speaks about Simon rather than Arnaud. One can disagree with another and still maintain civility and respect.

    • Iztok Kacin says:

      I agree, while both have some points I agree with, I think Mason put up a valid article with valid questions. He was civil and well-articulated the whole time. I also find Simon’s attitude very wrong any way you look at it. Even if he 100% disagrees he can state that in a civil manner without having to call names and insult people.

      I cannot take him seriously with such an approach.

      • Chris Nillissen says:

        Talking in a civil and well-articulated manner does not imply the best intentions. I am sure you are aware of the term “A wolf in sheep’s clothing”. Don’t get me wrong, I am not trying to judge Mason’s intentions, I just hate it when people point fingers based on how each side is speaking/writing. I can understand that it’s human nature when pushed into a corner and provoked that he might get upset and start taking things personally. And what do people do when they get upset? They may say irrational things.

    Personally I would prefer that the App store was open source for many of the reasons that Mason has indicated. Simon is a one-man band and it will be a great challenge to write bug-free secure code (after all, large corporations don’t seem to be able to do it). Simon might just be interfacing with the PayPal APIs, avoiding much of the hard stuff – which I would probably be OK with purchasing through. I would be very hesitant to type my credit card into something when I have no idea about how my details are being transferred or stored (which is the case most of the time).

    I don’t have any huge issues with installing components, most of my issues are about compatibility with different Delphi versions (especially for components that are no longer maintained) and when the components rely on each other (actually it’s more of a nightmare). I wish Simon the best of luck with his endeavour, although I suspect that Embarcadero are probably going to offer something similar based on their AppWave product.

  8. Colin Johnsun says:

    Not wanting to get into the argument of whether RADStore should be open-sourced or not – that is up to Simon.

    What I personally would like to see is a common package manager for Delphi – something like Nuget for the .NET framework. It would provide the APIs that allow Delphi component vendors or Delphi project maintainers the ability to have a common way to install their software and make it available to the Delphi IDE seamlessly. It should be something that could handle versioning and library dependencies as well.

    The great thing about this is that it would provide a common reference point for all developers with regards to how to commonly handle version and library dependencies. That is, if you want to use the package manager then you need to make your libraries and component conform to the standards set out by the package manager.

    Naturally as an end-user, you should be able to configure the package manager to set the location of the base directories to where you’d like to place your libraries and components and maybe any other configurable options but from the point of view of the library/component provider you are installing your stuff into virtual directories.

    You only need to look over the fence in the .NET backyard to see how successful Nuget has taken off within the .NET community.

    Having a Delphi package manager also opens a window to developers to a “market-place” of Delphi components and libraries that they may not have been aware of and (hopefully) a frictionless way to install 3rd-party code into Delphi.

    Embarcadero really should be looking at this (not primarily) as a money-making venture but as a way to re-invigorate Delphi development. Having Embarcadero’s backing will also give it some legitimacy.

  9. Baoquan Zuo says:

    I was very confused about what Simon thought and how he acted.

    Personally, I think such a thing is very interesting and it is a BIG challenge for everyone as he needs enough wisdom and courage.

    If I decided to do it, my motivation, which is also the essentials, would be to provide a portal to serve the community and simplify the lives of both vendors (open source/commercial) and end users. I did not take this as a big cake or even a business chance, so I would make it as simple as possible and enjoy the efforts. I would also pay some attention to learning how to get some help to keep it running. At least, I am happy :^)

  10. Jon Robertson says:

    I’ve been very impressed with Simon’s work and community contributions over the years. I can only wish I could juggle as many open projects as he does and get anything productive done.

    That said, I’m very disappointed with the tone and sentiment in his posts regarding RADStore. Simon made the choice to make contributions to the community and many of us are thankful and appreciative of his contributions. Yet I can’t help the feeling that Simon feels he has been wronged in some way.

    When contributing to the community, it is just that: a contribution. Give it the license you want to protect it the way you want it protected. But we all take contributions we find and gain from them in some way, whether it be monetary, educational, the pursuit of hacking, or half a dozen other possible gains.

    I agree with Colin. I would love to see something like NuGet, open sourced, and ideally backed by both Embarcadero and their Technology Partners. It has been discussed off and on through the years. But with limited resources, it never gained any traction.

  11. Bunny says:

    Don’t get me wrong. It’s Simon’s code, it’s his(their) store and finally a decision he has to live with. I am pretty sure he will know why he has chosen this path.

    Off Topic:
    Sharing – Open Source – Offering Help. Sharing is about offering to others something that does exist already. Of course it does not mean, to jump in and say, ‘Hello, I have a good idea, can we help to evolve your offering into the direction we think.’ – Invading – despite the best intentions the communication ends up this way – http://anyduck.blogspot.co.at/2012/07/no-comment.html. Dependent on the background (competitive/cooperative) you can decide who is the panda and who is the rabbit. What does not change, is the result. It does not make sense to offer unwanted help. Just a thought.

  12. Christoph says:

    As Colin said, everybody is free to go closed source or open source and commercial or not with his applications. A simple response to the commenter’s question like “Sorry, the application is designed to be commercial and closed source, not open source.” would have been sufficient; no need to defend that in any way.

    Accusing the person asking for open source of stealing the software is not only insulting the poor guy asking, it is insulting everyone doing open source – whether commercial or for free (and calling people idiots does not help either).
    This is especially irritating if done by someone running a web-site “Proudly powered by WordPress”, probably on a LAMP stack, doing business with Android (partly OpenSource), Lua etc. and having a statement as follows “If you enjoy my Open Source projects, particularly if you are using them in commercial applications, as well as in-keeping with the spirit of Open Source, you’re encouraged (though by no means obligated)[…]” on the web-site under “Your support”.

    • LDS says:

      I guess he’s not insulting Wheeler for asking for open source. I believe he knows open source code is often “stolen” and resold as closed source even if the license forbids it. I’ve encountered that situation often. I’ve seen many Delphi (and non-Delphi) developers wholly ignoring license requirements, especially those who began programming before the open source movement became part of everyday programming, and think about open source as “free code” only. People steal closed source code and applications, why shouldn’t they steal open source ones? And if one believes it is better to protect his code, why shouldn’t he do so?
      If he uses WordPress or whatever else respecting the license he’s perfectly right. He released a lot of code using an open source model and it’s his right to ask for a contribution. Attacking him when he decides to release something else under a different model as if he made a big mistake (using the usual stupid arguments about security, community, etc. etc.) *is* an insult to those doing software – open or closed.

  13. Daniel Luyo says:

    I see all this discussion as absolutely pointless.
    This RADstore is a private effort from Simon Stuart, and he is asking for ideas, not for permission.
    He could roll out the project the way he wants, maybe in Java, or C# or Lua or whatever, hosted in his own house or China or Ireland.
    He will decide the business model by himself and how much the fee will be.

    It’s up to the customers to buy or not, to trust or not.

    Maybe Embarcadero comes up with its own solution to compete, or someone else like Amazon or myself.

  14. Jasper Bongertz says:

    I don’t know how many of you have ever implemented code to talk to a payment system using Delphi. Well, I have, and it included talking to PayPal, Mobile Payment, and WorldPay. And let me tell you this: there isn’t much that can be done wrong on the Delphi side, and the few things that you can do wrong are going to hurt the store, not the customers. The reason for that is that the payment systems will NEVER tell you any credit card details or other sensitive payment information of the customers. You don’t get the credit card numbers, you don’t get account details (at least at the payment systems I used).

    Here’s a typical procedure of how a payment happens:
    The store calls a URL with some parameters that include a price, a customer number, a cart id, and an MD5 hash of all parameters salted with a pre-shared secret that you know and the payment system knows (to prevent manipulation). And then the payment system will tell your store in the resulting page or via a callback URL what the payment result was. If it was a success, you sold the item. You don’t see any credit card number, account number etc., just whether the payment went through or not (and an error code if something went wrong, like “Card denied” or “Card outdated” etc.). The customer ID and cart ID are used to identify which result matches which call. Simple as that.

    So as I said: if a programmer writing code for a store does something stupid it will most likely only lead to bad guys pulling stuff for free out of the store. It will not compromise payment details of other customers, so there is no need for talking about Kerckhoff’s principle in regard to the store code to protect payment details. That is, if the payment systems used are like the ones I used.

    Just my 2 cents (and trying to cool down the situation, if a little late maybe) 😉

    • A. Bouchez says:

      You are right.
      I’ve the same experiment here. See my comment above (before being told to be an idiot) 😉
      > About payments over the Internet, it is pretty easy to implement PayPal API. A few lines of code is enough, if you know how to parse HTML and send a HTTP request on a server.

      No need to use cryptography or whatever for a payment store: you never get the credit card number, as you say.
      Governmental rules should only ask you to keep safe the customer information (name, address…), and allow them to review what you store in your registers in regard to them.
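    The request/callback flow Jasper describes above, as an added example that is not part of the original post or of any commenter's code. It is written in Python rather than Delphi so the protocol logic stands on its own; the secret, ids and prices are constructed values, and where the comment describes a salted MD5 over the parameters this example uses HMAC-SHA256 for the same step.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed example secret, shared out-of-band between store and payment provider.
SHARED_SECRET = b"example-shared-secret-not-real"


def sign(params, secret=SHARED_SECRET):
    """Keyed hash over every parameter except the signature itself, serialised in
    a fixed (sorted) order so both sides hash identical bytes. The comment above
    describes a salted MD5; HMAC-SHA256 stands in for it here."""
    unsigned = sorted((k, v) for k, v in params.items() if k != "sig")
    return hmac.new(secret, urlencode(unsigned).encode(), hashlib.sha256).hexdigest()


def build_payment_request(price, customer_id, cart_id):
    """Store side: the parameters the store sends to the provider's payment URL."""
    params = {"price": price, "customer": customer_id, "cart": cart_id}
    params["sig"] = sign(params)
    return params


def provider_callback(request, result, error=None):
    """Simulated provider side: echo the ids back with the outcome, signed with the
    same secret. No card or account data ever appears in this message."""
    cb = {"customer": request["customer"], "cart": request["cart"], "result": result}
    if error:
        cb["error"] = error
    cb["sig"] = sign(cb)
    return cb


def verify_signature(message, secret=SHARED_SECRET):
    """Constant-time comparison so the check itself does not leak the expected value."""
    return hmac.compare_digest(message.get("sig", ""), sign(message, secret))


def settle_order(callback, pending_orders):
    """Mark a cart paid only when the callback verifies, matches a pending cart and
    customer, and reports success; anything else is rejected or recorded as failed."""
    if not verify_signature(callback):
        return "rejected: bad signature"
    order = pending_orders.get(callback.get("cart"))
    if order is None or order["customer"] != callback.get("customer"):
        return "rejected: unknown cart"
    if callback.get("result") != "OK":
        return "failed: " + callback.get("error", "unknown")
    order["paid"] = True
    return "paid"
```

    Changing the price after signing, or flipping a failed result to "OK" in the callback, breaks the signature, which is exactly the manipulation the shared secret is there to prevent; what the store never receives it cannot leak.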

  15. First, there are a number of different components to integrate Delphi with payment systems, like PayPal (http://www.nsoftware.com/ibiz/paypal/) and others, just google and you will find.

    Like anyone here we have been following Simon and his numerous OPEN SOURCE projects, which he did for free. If you see the number of people that use vs the number of people that donate something, you won’t see that much. Maybe Simon will create some mechanism to integrate other sites with his store; also he is already doing a lot allowing other developers to integrate.

    This idea to point others to release code as Open Source just doesn’t work. I just ask those who support this idea: did you release your software as Open Source? Or at least a significant part of it? Probably not.

    Releasing the code as Open Source will not make it more secure than anything.

  16. Chris Nillissen says:

    What do I think? Unfortunately I can only see this article (regardless of your principal intent) as a pointless attack. He was basically asked if it was open source and the summary of his answer is that it’s not. End of story! What his reason for this is (right or wrong) is no one’s business but Simon’s.

    If your intentions are not “bullying” or “forcing his hand” then why is this not just a discussion between him and you personally? Why are you making a public spectacle with this article? The only thing I can assume is that he doesn’t want it to be open source and you’re not happy with that, so this is just another way to push him on it. Otherwise what is your point in talking about this publicly, and pointing out his “flawed” logic/thinking?

    Do I think that open sourcing a project like this (one to help support the community) is a good idea? Yes.
    Do I respect his decision to not do that? Yes.
    Why? Because it’s his idea and ultimately his decision.

    Our community is rather small, so let’s support our fellow Delphi programmers/community members, and let’s do it in a manner that is positive and constructive. There’s nothing wrong with making suggestions even if that includes trying to convince people that they might be wrong, but let’s respect their final decisions and not be negative or destructive about it.

    • I actually covered this at the very start of the article. I tried to talk about it on his side, in a more private venue, and the comment was effectively censored by being held indefinitely for moderation. That’s no way to have a conversation with somebody.
