thirty bees forum

PrestaShop Will Enforce Encrypted Modules Soon


dprophitjr


If I understood the idea correctly, then I believe this could be very beneficial for the entire community (if done right).

What is the problem?

Paid module licensing.

At the moment it's very hard for paid module developers to stop their customers from misusing their product (illegal distributing / copying / sharing / multi installation etc.). This could really cut their profits. You know, it's quite easy to find most paid modules on warez sites, free to download by anyone.

If a developer wanted to fight this, it's a lot of work - if you are lucky and the warez site is located in the US you can use a DMCA takedown notice, but more often these are offshore servers in countries with limited digital rights legislation. Your options are very limited. In the end, this is the cost of business.

You could, of course, implement some sort of licensing mechanism inside your module. But then you will have a hard time selling it on official marketplaces.

Solution

One solution is to have a built-in licensing mechanism inside prestashop core that would ensure merchants have the rights to use the module (of course, you can always modify the prestashop core and disable this licensing mechanism, but that's not something that a regular user will do).

We all know such a mechanism is very easy to implement. Why hasn't prestashop done it already? Because it's hard to make this open-source friendly. Nobody wants a single centralized license server that is controlled by one company (Prestashop). That would really hurt the PR.

The blockchain is an ideal solution - it's decentralized, open and very secure.

How does it work?

When you buy a module on marketplace, they will generate a license key(s) and put them into a shared ledger as a transaction. When you use the license key in your prestashop installation, your prestashop will consume the key - it will create a new transaction in shared ledger marking the key as used. These transactions are verified, and protected by proof-of-work concept in the same way it's used by cryptocurrencies. Basically, after a few minutes it's not possible to change old entries in shared ledger. Not unless you own the most powerful supercomputer in the world.

Benefits

This will benefit two parties: the module developers and the marketplaces - they will see a nice bump in sales. Also, they will not have to worry about pirated copies of their work, since nobody could use them (on vanilla prestashop anyway).

Merchants, on the other hand, will not see any benefit - the only bonus for them is the proof of license purchase. But the important part is that this will not hurt them in any way. Not unless they are scumbags that want to use paid modules for free. Also, merchants can still install and use modules from other sources (free modules, etc...)

This mechanism can really attract more developers to the platform. I personally would love it.

If prestashop rolls out a system like this, it would be really nice to back-port into 30bz.

A few things to consider

Open system

I believe for this to succeed it's important to keep this system open. This shared ledger has to work with multiple marketplaces, not only prestashop marketplace, so the developer can sell his module over different channels. And, of course, it must be possible for the developer himself to generate and sell licenses. But all this is very easily possible.

Who will pay for cpu

The blockchain technology requires an enormous amount of cpu cycles to be spent. And that costs money. Cryptocurrencies solved this problem by mining - the miners do the heavy lifting, but they will get a reward in the form of bitcoins - every 10 minutes a few new bitcoins are generated and awarded to one lucky miner (or more probably to a cluster of miners).

How to motivate miners in prestatrust? There could be a fee associated with every transaction that will be awarded to miners. Or maybe miners can get a license for some module in exchange for their work, and they can later resell them to marketplaces / customers, or use them as they will. There are many possibilities.

We really don't know yet

At the moment we really don't know how this will turn out. Meanwhile, please, don't look at this initiative with prejudice. It may be very nice functionality.

But of course, execution is the king. They may very easily kill this idea.


@datakick said in PrestaShop Will Enforce Encrypted Modules Soon:

I believe for this to succeed it's important to keep this system open. This shared ledger has to work with multiple marketplaces, not only prestashop marketplace, so the developer can sell his module over different channels. And, of course, it must be possible for the developer himself to generate and sell licenses. But all this is very easily possible.

@datakick Thanks for this plausible explanation. I think as soon as you allow developers to generate and sell licenses themselves you open the door for piracy since there will be a loophole in the system (with regard to piracy). What do you think is the main purpose? Fighting piracy or binding customers to the addon marketplace? Personally I think the latter is perhaps the main goal.

Regarding piracy ... using modules and other stuff from warez sites is not without risk. Especially in the ecommerce sector more serious merchants won't even consider using modules from such sites and on the other side, if a module cannot be copied this doesn't mean that warez users will buy it but they would most likely use something else instead. I think the damage caused by warez sites is a bit overrated. There will always be users who are honest and would never use modules from shady sources, and there will always be users who don't want to spend money and use everything as long as it is free. Those people however won't turn into paying customers if there is a licensing system, in most cases they would use something else instead. Considering those human factors it is questionable if it is worth the effort. But we will see. I am curious how things will develop.


@datakick Thanks for this plausible explanation. I think as soon as you allow developers to generate and sell licenses themselves you open the door for piracy since there will be a loophole in the system (with regard to piracy).

Not really, the developer will register the module into the shared ledger using his own private key, and licenses will be generated using the same key. There's no way anyone could submit a forged license key into the system without the private key.

What do you think is the main purpose? Fighting piracy or binding customers to the addon marketplace? Personally I think the latter is perhaps the main goal.

Yes, this is my concern also. That's why I pointed to this issue in the "A few things to consider" section. But I hope prestashop will be smart about this. If they aren't, this system doesn't stand a chance.

Another thing to remember is that it's really hard to control these distributed systems. They are actually designed to prevent tampering. You can't impose any rules on the system without a majority of nodes agreeing with them (well, a majority of computer power, actually).

Basically, the decision whether the transaction is valid is based on network consensus. When a new transaction is submitted to the system, it will be part of some block. Every node in the system will receive this block, but they will append it to their version of the blockchain only if all transactions in this block are valid. So, if a majority of nodes in the ecosystem decides that licenses generated by Envato are valid, there's nothing Prestashop marketplace can do about it. These transactions will be a valid part of the blockchain forever. Unless Prestashop can harvest more than 50% of all computing power in the system and use it to kill the transaction.

Regarding piracy ... using modules and other stuff from warez sites is not without risk. Especially in the ecommerce sector more serious merchants won't even consider using modules from such sites and on the other side, if a module cannot be copied users from warez sites in most cases won't consider buying the module but would use something else instead. I think the damage caused by warez sites is a bit overrated. There will always be users who are honest and would never use modules from shady sources, and there will always be users who don't want to spend money and use everything as long as it is free. Those people however won't turn into paying customers if there is a licensing system, in most cases they would use something else instead. Considering those human factors it is questionable if it is worth the effort. But we will see. I am curious how things will develop.

I totally agree serious merchants will not use modules from these warez sites. But they might be tempted to use the module multiple times (for example on their development site). Or they could simply forget they have purchased it, and send it via email to their friend. Or they could hire some third-party developer to prepare the shop for them, and this developer could install some paid module to their system without their knowledge... These could stack up.

I'm saying that this system, if implemented right, will not harm honest merchants in any way. It's just a way to protect developers.
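
The ledger rules described in the two posts above (a module registered under the developer's key, licenses issued with that same key, each license key consumed once, old entries not silently editable), as an added example that is not part of the thread or of any PrestaShop code. It is a single-node toy in Node.js: Ed25519 stands in for the unspecified signature scheme, proof-of-work and network consensus are left out, and every name and sample value (`Ledger`, `signTx`, `samplemodule`, the license key) is hypothetical.

```javascript
// Added example (not from the thread): toy single-node license ledger. All names and
// sample values are hypothetical; proof-of-work and networking are left out.
const nodeCrypto = require('crypto');
const GENESIS = '0'.repeat(64);
const sha256 = (s) => nodeCrypto.createHash('sha256').update(String(s)).digest('hex');
// Fixed field order so signer and verifier process identical bytes.
const canon = (tx) => Buffer.from(JSON.stringify([tx.type, tx.module, tx.keyHash || '', tx.pubkey || '']));
const signTx = (tx, privateKey) =>
  ({ ...tx, sig: nodeCrypto.sign(null, canon(tx), privateKey).toString('base64') });
function verifyTx(tx, pubkeyPem) {
  try {
    return nodeCrypto.verify(null, canon(tx), pubkeyPem, Buffer.from(tx.sig || '', 'base64'));
  } catch { return false; } // malformed key or signature
}
class Ledger {
  constructor() {
    this.chain = [];           // accepted entries: { tx, prev, hash }
    this.modules = new Map();  // module name -> developer public key (PEM)
    this.licenses = new Map(); // sha256(license key) -> { module, usedBy }
  }
  // Returns null if tx is valid against the current state, else the reason.
  reject(tx) {
    if (tx.type === 'register') {
      if (this.modules.has(tx.module)) return 'module already registered';
      return verifyTx(tx, tx.pubkey) ? null : 'bad signature';
    }
    const devKey = this.modules.get(tx.module);
    if (!devKey) return 'unknown module';
    if (tx.type === 'issue') {
      if (this.licenses.has(tx.keyHash)) return 'duplicate license';
      return verifyTx(tx, devKey) ? null : 'bad signature';
    }
    if (tx.type !== 'consume') return 'unknown transaction type';
    const lic = this.licenses.get(sha256(tx.key));
    if (!lic || lic.module !== tx.module) return 'unknown license';
    return lic.usedBy === null ? null : 'license already used';
  }
  append(tx) {
    const why = this.reject(tx);
    if (why) return why;
    if (tx.type === 'register') this.modules.set(tx.module, tx.pubkey);
    if (tx.type === 'issue') this.licenses.set(tx.keyHash, { module: tx.module, usedBy: null });
    if (tx.type === 'consume') this.licenses.get(sha256(tx.key)).usedBy = String(tx.domain);
    const prev = this.chain.length ? this.chain[this.chain.length - 1].hash : GENESIS;
    this.chain.push({ tx, prev, hash: sha256(prev + JSON.stringify(tx)) });
    return 'ok';
  }
  // Recompute every link; an edited old entry no longer matches its stored hash.
  intact() {
    return this.chain.every((e, i) =>
      e.prev === (i ? this.chain[i - 1].hash : GENESIS) &&
      e.hash === sha256(e.prev + JSON.stringify(e.tx)));
  }
}

// Constructed scenario: one developer, one outsider, one license key, two shops.
function demo() {
  const dev = nodeCrypto.generateKeyPairSync('ed25519');
  const outsider = nodeCrypto.generateKeyPairSync('ed25519');
  const pubkey = dev.publicKey.export({ type: 'spki', format: 'pem' });
  const ledger = new Ledger();
  const key = 'SAMPLE-LICENSE-KEY-0001';
  // The third entry is signed with the wrong key; the fifth reuses a consumed license.
  const results = [
    ledger.append(signTx({ type: 'register', module: 'samplemodule', pubkey }, dev.privateKey)),
    ledger.append(signTx({ type: 'issue', module: 'samplemodule', keyHash: sha256(key) }, dev.privateKey)),
    ledger.append(signTx({ type: 'issue', module: 'samplemodule', keyHash: sha256('FORGED') }, outsider.privateKey)),
    ledger.append({ type: 'consume', module: 'samplemodule', key, domain: 'shop-a.example' }),
    ledger.append({ type: 'consume', module: 'samplemodule', key, domain: 'shop-b.example' }),
  ];
  const before = ledger.intact();
  ledger.chain[1].tx.keyHash = sha256('FORGED'); // rewrite an old entry in place
  return { results, before, after: ledger.intact() };
}
```

In this model the only thing that authorizes a consume is knowledge of the license key, so the key has to stay secret until it is used; the dev-site and multi-shop cases raised later in the thread would need an extra license type on top of the single-use rule shown here.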


@Havouza said in PrestaShop Will Enforce Encrypted Modules Soon:

A simple question. I buy a protected module and use it. But that shop is not successful so I close it and open another one. With a fresh shop install. Now I still own one module license and want to use it in my new shop. But can I?

That probably depends on the license agreement. I can imagine there will be multiple types of licenses in the system - single user + single domain, single user + multiple domains, multiple user + multiple domains (for development agencies)

So, if you purchase single user + single domain, and you have already used the license key on domain A, then you will not be able to use it on domain B. If you have bought single user + multiple domain license, then sure, why not.

You see - this is exactly the case when even an honest merchant can inadvertently infringe on developer's rights.


@datakick said in PrestaShop Will Enforce Encrypted Modules Soon:

I totally agree serious merchants will not use modules from these warez sites. But they might be tempted to use the module multiple times (for example on their development site). Or they could simply forget they have purchased it, and send it via email to their friend. Or they could hire some third-party developer to prepare the shop for them, and this developer could install some paid module to their system without their knowledge... These could stack up.

If somebody buys a module it should be allowed to test it on a development site first, shouldn't it? If I had to buy two licenses in order to be able to use it on a development site I would avoid it. If using (and testing) a module becomes too complicated it could harm the sales too. The module may be protected from unlawful distribution but it may also become unpopular since it is too restrictive to use. But we will see ...


@marci123 said in PrestaShop Will Enforce Encrypted Modules Soon:

If somebody buys a module it should be allowed to test it on a development site first, shouldn’t it?

Definitely agree it should be allowed to test it. And I hope it will be possible within this new system somehow.

I was just pointing out that it's quite easy to inadvertently infringe on someone's rights. And I wasn't really talking about the new system - this is the current situation. Even today, many paid modules have a single domain clause in their license agreement. (I actually never read the official addon's license agreement, but I wouldn't be surprised if they had such a clause in it as well). And if you install such a module on your development site, you are violating the license agreement, and you could get sued. You will probably not, but it could very easily happen.


@datakick said in PrestaShop Will Enforce Encrypted Modules Soon:

I was just pointing out that it's quite easy to inadvertently infringe on someone's rights.

Sure but I think this is something that has to be taken into account if you are a successful developer. Personally I would never even think of using a module from a warez site but as soon as a commercial product becomes too complicated to use due to protection measures I would probably look for another module that is easier to use. Unless it is a very exceptional module there is in most times an alternative solution at another market place with easier conditions (think of themeforest or codecanyon). This should be taken into account if thinking about protection measures.


@datakick That is absolutely insane. If I buy one license of a software I can use it wherever I want. If I buy one license of Windows, I can use it for many computers in a row, because I own the license. Luckily I have left PS for good and I really hope TB will not implement it as long as I use it


My humble opinion is that a developer should brand their module. Establish trust and awareness of who they are online. There will always be thieves. Branding is a feeling. I trust XYZ developer. It's up to us as a community to write about and talk about pirated, commercial open source pitfalls. Hidden or malicious code blocks inserted to serve botnets for example.

I believe you only copyright the images, stylesheet and documentation. Even possibly, unique function names. What is everyone's opinion on opening up the core of your module to github for others to fork and contribute? You could install Gitlab CE? Gitlab Enterprise is open sourced. But, if you want all the bells and whistles, you pay for it. But, people who are fans of Gitlab, regularly contribute code to the enterprise version. Corporations have a vested interest in seeing the whole product improve.

Is Gitlab a great example of commercial open source?

There is great power in the wisdom of crowds. If you remember a game show on US television entitled, "Who Wants To be a Millionaire", the contestant was allowed to ask the audience or phone a friend. Astoundingly, their friend got the answer correct 63% of the time. But, this will blow your mind. Answers from the (crowd) audience gave a correct answer 92% of the time.


@Occam

And I guess it wouldn’t be easy to encrypt simple interpreter languages like php.

One can obfuscate it, like changing variable names to random strings, like inserting a wild mix of Gotos, or similar things. This makes changing the code not impossible, but a lot more work. And there are encryption systems which are said to work, like http://www.ioncube.com/. AFAIK, these require installing a PHP module for doing the decryption.

So, something can be done. But all these make things for situations mentioned by @lesley, merchants fixing modules themselves, harder as well, of course.

@marci123, @lesley, there's probably no doubt I love to be open source, too. Giving users access, so they can help themselves. If you google for "Traumflug", you'll find myriads of contributions to open source. All of them done happily, no regret.

But experience with all these years of open source is, that users as well as competitors happily cheat if it's made too easy. Or in other words: open source and asking for money doesn't mix. Yes, there are companies working on open source commercially out there, but most, if not all, make their money not with open source directly, but with work adjacent to this. Like installation and maintenance services, like writing custom code, like delivering the required hardware.

Another experience is that open source tends to prohibit larger steps in development. That's not much of a problem with matured projects like the Linux kernel or thirty bees' shop core, because these evolve just fine in small steps.

But consider spending a year into writing some revolutionary module. Not cheap, still you offer it unencrypted, you sell a couple of copies. And then, two weeks later, another module developer offers a very similar module, just a bit shinier. 95% of your code plus some polish. Merchants will of course run for this shinier module, often just because it's newer, or because it's cheaper, and sales for the person who did all the hard work pretty much stop. Such scenarios happen regularly, which is why developers writing open source don't even start with large amounts of hard work.

What I want to say is that there are very valid reasons to not hand out source code. And selling modules unencrypted is almost like open sourcing them.

A good way out of the dilemma described here appears to be establishing mild protection mechanisms. They should make pirating software a substantial amount of work, so users prefer to pay some price instead of doing it. They should make very clear that this or that module is not open source. Selected merchants adjusting modules themselves can get copies of the code. For some module maker business models that's necessary, we all need food on the table :-)

OMG. Can't believe I speak out for closing source code here :-}


@Havouza said in PrestaShop Will Enforce Encrypted Modules Soon:

If I buy one license of a software I can use it wherever I want.

No, you can't. You can use the module only to the extent of the license agreement. And if the license states that you can use it for one domain only, you can legally use it on one domain only.

This has nothing to do with the platform, it's just common law. By purchasing a module, and it really doesn't matter if it's for 30bz or prestashop, you have established a binding contract.

So, basically, it's up to the module developer to choose licensing options. And then it's up to you to decide. If you don't want to buy a module that has license for single domain only then don't buy it. Go with the module from the competitor. But if you decide to buy it, then please respect the license contract.


@Traumflug said in PrestaShop Will Enforce Encrypted Modules Soon:

But consider spending a year into writing some revolutionary module. Not cheap, still you offer it unencrypted, you sell a couple of copies. And then, two weeks later, another module developer offers a very similar module, just a bit shinier. 95% of your code plus some polish. Merchants will of course run for this shinier module, often just because it's newer, or because it's cheaper, and sales for the person who did all the hard work pretty much stop. Such scenarios happen regularly, which is why developers writing open source don't even start with large amounts of hard work.

Yes I understand this problem. Still I am not sure if encryption (or similar) would be the best solution. When I think of WordPress .. there were a number of premium themes using ioncube and similar until Matt Mullenweg the founder decided all WordPress products - be it a theme or a plugin - have to be GPL https://wordpress.org/news/2009/07/themes-are-gpl-too/ .

Some people joked this was ridiculous and now you could share all premium themes and so on. Studiopress is one very successful premium theme seller offering a theme framework and they were one of the first shifting to GPL. Now they are one of the biggest in the market. http://www.wpthemedetector.com/top-theme-providers/ The studiopress theme framework is very sophisticated. However, nobody has copied it yet (as product). The market is growing and if you look at the envato wall of fame with more than 1 mio dollar sales there are many wordpress theme sellers among them. http://elite.envato.com/wall-of-fame/ I think this proves that the open source model must not be feared.


This discussion brings up a major point and I think a few flaws in the system as well.

We have several clients with multiple sites. These are things you do with larger clients that have larger budgets. We generally have the array setup like this Dev Site -> Staging Site -> Production site. So 3 sites. The reason being is that the product stays synced with the live site, unless we are pushing a change to the production site. This allows us to have a dev site that we can test things on that will never make it to the staging site. Think about it as failed tests, things that might have seemed like a good idea, but did not pan out for whatever reason.

It's going to be hard to use a restrictive licensing server in an instance like above. I get that a developer might not have licensed his modules to be used in an instance like that, but at the same time I think addons or any store needs to have the licenses more open, they are impossible to work under really. For instance, even with a setup like I have mentioned, I have cloned a site locally to work on while traveling in an airport or elsewhere. Now I am talking about 4 instances of the same module, if my employees want to do the same we could be talking about 8 instances. Are we going to have to have 8 licenses now? I don't think most developers are going to want to pay several thousand dollars in modules just to set up a development site that they can work on locally.

At the same time, maybe some developers know, but most merchants do not know. If you run multi-shop you are supposed to purchase a module license for each shop. This is something that I have always disagreed with. This is going to make the ownership of multi-shop out of reach for a lot of merchants, but at the same time I cannot understand how it is going to be enforced without a lot of changes to the module api either.


@marci123

I think this proves that the open source model must not be feared.

Yes, I'm aware of such success stories. And I can give you dozens of counter examples. Especially in the open source hardware market, where I was before joining thirty bees. With open source hardware, cheap cloners typically share about 95% of the market, while original developers get just those few customers caring about loyalty or not caring about money. Accordingly these vendors have to survive from these remaining 5% (which is certainly possible in a > $10 mio market). And their R&D is on a hobbyist level at best to deal with this.

http://www.wpthemedetector.com/top-theme-providers/

They count installations, not sales. 9 of 10 such counts could be pirated copies :-)

When people ask me about open source, I usually answer "it's a shark basin".


@Traumflug said in PrestaShop Will Enforce Encrypted Modules Soon:

@marci123 Yes, I'm aware of such success stories. And I can give you dozens of counter examples. Especially in the open source hardware market, where I was before joining thirty bees.

ok, but hardware is another subject.

They count installations, not sales. 9 of 10 such counts could be pirated copies :-)

I have no doubt that there are a number of pirated copies among them and theme owners may use the themes on as many domains as they want to. But nevertheless studiopress is one of the most successful sellers. The founder says about himself that he is living a dream .. https://briangardner.com/about/

Maybe pirated copies aren't only bad. They can be cheap advertising as well. Somebody mentioned photoshop earlier in this thread. There have been a lot of pirated photoshop software copies prior to the subscription model and I am pretty sure that these copies may have helped to make photoshop so popular. There are always two sides of the coin. I would always take care that protection measures won't hurt the positive potential.


@lesley this topic is very interesting as I mentioned something awhile back on the module store and licensing for multiple shops. For our company we run 3 ecommerce sites and we've had some modules we had to buy for each one, such as the SagePay where we had to pay 3 lots of £150ish! Due to this issue we've only bought modules for the store that really needed it and not the others.

I've previously suggested it would be nice to buy a license pack offering up to 5 installations (or more for larger companies) where you don't pay 5x the cost of 1 license but maybe 40% extra (or some other value). When you buy the license you could register with the company the websites you'll be using it on.

I'm also personally in favour of the module connecting to the developer site to say 'here I am' and the developer site responding with 'yes I've got you registered'. I used an Amazon module on Magento that did this and that method worked well. I also told him what my dev site was so he could exclude it from registering a false license.
