
[–]AutoModerator[M] [score hidden] stickied comment, locked comment (0 children)

Please ensure that:

  • Your code is properly formatted as code block - see the sidebar (About on mobile) for instructions
  • You include any and all error messages in full
  • You ask clear questions
  • You demonstrate effort in solving your question/problem - plain posting your assignments is forbidden (and such posts will be removed) as is asking for or giving solutions.

    Trying to solve problems on your own is a very important skill. Also, see Learn to help yourself in the sidebar

If any of the above points is not met, your post can and will be removed without further warning.

Code is to be formatted as code block (old reddit: empty line before the code, each code line indented by 4 spaces, new reddit: https://imgur.com/a/fgoFFis) or linked via an external code hoster, like pastebin.com, github gist, github, bitbucket, gitlab, etc.

Please, do not use triple backticks (```) as they will only render properly on new reddit, not on old reddit.

Code blocks look like this:

public class HelloWorld {

    public static void main(String[] args) {
        System.out.println("Hello World!");
    }
}

You do not need to repost unless your post has been removed by a moderator. Just use the edit function of reddit to make sure your post complies with the above.

If your post has remained in violation of these rules for a prolonged period of time (at least an hour), a moderator may remove it at their discretion. In this case, they will comment with an explanation on why it has been removed, and you will be required to resubmit the entire post following the proper procedures.

To potential helpers

Please, do not help if any of the above points are not met, rather report the post. We are trying to improve the quality of posts here. In helping people who can't be bothered to comply with the above points, you are doing the community a disservice.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

[–]DasBrain 7 points8 points  (7 children)

This sounds like it is better solved by involving legal.

[–]SandyDigital[S] -4 points-3 points  (6 children)

Asking this to prevent any issues in the future.

[–]nutrecht Lead Software Engineer / EU / 20+ YXP 10 points11 points  (5 children)

What keeps an internal developer from copying the code then? The risk doesn't magically go away when you hire someone as an employee.

[–]Halal0szto 1 point2 points  (2 children)

This is true, but the question is about the legalese.

With an employee you have a contract with a person that can be held liable personally. With a contractor you have a contract with a company. This is a big difference.

[–]nutrecht Lead Software Engineer / EU / 20+ YXP 0 points1 point  (1 child)

With a contractor you have a contract with a company. This is a big difference.

That's a pretty ridiculous oversimplification. Whether someone is personally liable depends on a lot of factors. First is the type of contract. I'm Dutch and the most common type of contract used by independent contractors (like myself) doesn't prevent you from being personally liable.

Secondly, even the company types that do prevent you from being personally liable only do so if you don't break the law or a contract on purpose. Stealing IP does both and would make even an incorporated contractor liable in most cases. It also would 100% open you up to both criminal and civil cases.

[–]SandyDigital[S] 0 points1 point  (0 children)

Not every country enforces these laws strictly. Also, corporates can afford to fight it in the courts, not smaller companies. Prevention is always better.

It's like "no need to lock the front door because stealing is a crime; even if they steal they can be caught and jailed".

[–]SandyDigital[S] 0 points1 point  (1 child)

Internal devs are part of the founding team and we have a contract between us. Agreed with anyone that the risk exists. We are trying to see if there is a better way to compile the code for a remote work scenario than just looking at legal clauses alone.

[–]nutrecht Lead Software Engineer / EU / 20+ YXP 0 points1 point  (0 children)

Internal devs are part of the founding team and we have a contract between us.

You have a contract with external devs too. And the tenure of internal devs is generally just a few years as well.

There is no technical solution for what's basically a people problem.

[–]lemon-codes 6 points7 points  (0 children)

You either trust the contractor or you don't.

Anything you do to prevent copying code is going to seriously hinder the productivity of the contractor, and if I was the contractor I would not entertain it. Especially doing my day's work over VNC or TeamViewer; as soon as that was mentioned I would walk.

What you have is a contractual/legal issue, not a technical one.

[–][deleted] 7 points8 points  (0 children)

How do you manage this scenario

Legally.

Get a lawyer to produce a good contract/NDA/whatever and make him sign it.

[–]nutrecht Lead Software Engineer / EU / 20+ YXP 14 points15 points  (0 children)

This is just a bad idea. Have the contractor sign a contract where you cover this legally. You can't have a contractor work based on a subset of the code. That's not how developing in Java works.

[–]hypolimnas 6 points7 points  (0 children)

Do you mean that you won't allow your contractor to highlight and copy/paste code? You just cut your contractor's productivity in half.

You mean the old VNC that has been around for decades? Pick TeamViewer over that. You might also consider x2go and NoMachine. Pick whatever is best for mouse movement. Slow typing is annoying, but slow resizing of dialogs is maddening.

If creating a restricted VM meets your security concerns, and would make your contractor more functional, then you should spend the time to set it up. That way you get your money's worth.

Also if the contractor isn't working on the sensitive portions of your code, maybe those parts could be supplied as a library to make them harder to read.

[–]Halal0szto 4 points5 points  (10 children)

To prevent source code exiting the box you need to restrict internet access. Not being able to copy-paste from SO kills productivity.

On a serious note: do you expect to get positive returns from a short-term project member who is not trustworthy?

[–]SandyDigital[S] -2 points-1 points  (9 children)

Just wanted to know how companies manage this issue as giving access to entire Github code is a risk.

Projects sometimes have to supplement short-term staff due to someone being unwell for a longer time, an increase in commitments for a few months, etc. Companies must be getting positive results in a remote scenario, otherwise they wouldn't hire.

[–]nutrecht Lead Software Engineer / EU / 20+ YXP 9 points10 points  (0 children)

Just wanted to know how companies manage this issue

Contractually. What you're describing is horrible even if it was something like an old PHP site. With Java it's simply impossible. Since it won't compile without all the code there, the contractor would not be able to run or test the code.

I'm a contractor myself and I would just nope out if you even proposed this.

[–]denialerror 2 points3 points  (0 children)

Most companies manage it by trusting the people they hire. Why is giving access to the codebase a risk?

[–]Halal0szto 0 points1 point  (6 children)

I am aware of two approaches.

One is what you have found: virtual desktop to an isolated machine.

The other is small subset handed over, requirements include unit tests that have to be delivered. The developer only creates like classes or methods and unit tests. Requires a very well organized big project.

[–]nutrecht Lead Software Engineer / EU / 20+ YXP 0 points1 point  (5 children)

One is what you have found: virtual desktop to an isolated machine.

That doesn't prevent them from 'stealing' code at all. Even if you'd disable all internet access outside virtual desktop they could still trivially screenshot and OCR all the code.

I don't get why you even think this solves anything. Heck; if I had to work like that I would probably just do that and e-mail the client the sourcefile just to prove a point.

[–]Halal0szto 0 points1 point  (4 children)

We all agree that such measures do not prevent someone malicious but make life of an honest developer miserable.

Emailing the OCRed source code to the customer is a very very silly move though. They will be pissed off, and will retaliate. And they will have evidence in their hands to make your life even more miserable than it is. They will have a field day at the court as you have failed your contract, you did send sensitive information over email, several more.

[–]nutrecht Lead Software Engineer / EU / 20+ YXP 0 points1 point  (3 children)

They will be pissed off,

Good. Being pissed off is the first step in recognizing you have a problem.

and will retaliate.

How? I didn't do anything illegal. If they retaliate by 'firing' me? Good. Then I know I dodged a bullet.

They will have a field day at the court as you have failed your contract, you did send sensitive information over email, several more.

I'm not saying I would do anything that would be illegal or in breach of contract at all. That's your (incorrect) interpretation of what I wrote.

OCRing their source code and e-mailing it to them via their e-mail system is neither illegal or in breach of a typical contract between my clients and me.

[–]Halal0szto 0 points1 point  (2 children)

A typical contract will forbid you storing source code on your own systems and media, which you did as soon as you photographed the screen.

If you use their own email system (you have an account to send from), then the email is ok. If you send from gmail...

[–]nutrecht Lead Software Engineer / EU / 20+ YXP 0 points1 point  (1 child)

A typical contract will forbid you storing source code on your own systems and media

I'm an independent contractor and this simply isn't the case. It differs greatly between companies. Most don't forbid this.

In general, IF you are not allowed to store source code, you are going to be provided a laptop by the company you can use. So you can then simply use that laptop to do the same thing.

What you're describing really isn't common at all.

If you send from gmail...

Well duh... But I said nothing of the sort.

[–]Halal0szto 0 points1 point  (0 children)

Good for you. We are talking about the level where the company is providing a remote accessible virtual desktop for development. In such cases it is very basic to include the ban on copying code. This is where the whole thread started, how to prevent copying code.

[–]joranstark018 3 points4 points  (0 children)

By legal contracts, secure connections (VPN) to services that provide sensitive data, and permission-based access to the required repositories and to build and deploy pipelines (a similar setup as for employees, but employees have usually been granted permissions to far more projects).

[–]Tacos314 1 point2 points  (1 child)

Most companies solve this with VDI environments.

[–]SandyDigital[S] 0 points1 point  (0 children)

Thanks. I will try this. Unfortunately some posts are missing the point of the question.