P is for PHP
Right about now I imagine all those folks who downloaded the promotional free versions of ExpressionEngine given out over the weekend are finding something out: not all PHP is ‘open’. PHP source code can be encrypted so that the source code cannot be viewed, much less edited or copied. From the bit of open code within the EE files, it would seem that pMachine, Inc. (parent company for EE) is using Source Guardian’s encryption technology to protect their code. Encryption adds an extra step of security, but more than that, protects a company’s proprietary technology.
Which *blushes, kicks dirt, looks sheepish* I should have remembered before making the statement about EE.
My apologies for being wrong about ExpressionEngine’s use of encryption. Now, who has a copy that they’ll allow me access to so I can peek at the code? I am intrigued by the module architecture associated with the tool.
These source code protection systems are rather ingenious. How they work is that they provide client side applications that encrypt the PHP files and generate matched decoder files that are then included as part of the install of the source code. The call to load these decryptor files is in ‘plain view’ so that the PHP installation can run this part of the code without any additional software. Once the encryption functionality been loaded, it acts as a filter, providing the processing necessary to decrypt the code and allow it be to processed. You can see these files in a subdirectory included with ExpressionEngine labeled ‘ixed’.
Of course, for this type of system to be successful for webloggers, it must run in most environments without having to make any administrative changes on the server, and this depends on how secure the PHP installation is. For instance, if the server is running PHP in what is known as PHP safe mode, and has disabled dynamic module loading (the ability to load new PHP modules in at run time, which is what Source Guardian needs), then the application will fail and the only way for it to run would be for the system administrator’s to either disable that aspect of PHP safe mode or, what is more likely, to add an entry to the PHP configuration to allow this application to run.
(Note for Hosting Matters users: Hosting Matters servers are not running safe mode. Why? Safe mode is a pain in the butt, and breaks most of the really great open source PHP applications. As the PHP developers themselves have said, security should reside in the server management and operating system, not in the language tools. )
I think the fact that PHP can be encrypted is a surprise for some people because it’s such a major component of the whole open source movement. Myths aside, yes, you can use LAMP technologies, including PHP, to create closed source, proprietary, protected, copyrighted, encrypted applications. Contrary to any expectations you might have because of my strong, verbal support for open source technologies, I don’t believe there’s anything wrong with proprietary software–not as long as good faith is maintained between the company publishing the software and the customers using it.
Is there a risk that if the company folds, the customer is stuck with something that is no longer supported? Sure, but the same can be said of open source projects that never inspire any new community effort; Source Forge is littered with these.
I prefer using open source products as much as possible for my own site and home use because as I’ve said before, I’m a tweaker. I like to tweak the code, and I like to make the tweaks available for others to use. But I see nothing wrong with people using closed source applications. If I felt that all closed source applications were wrong, I’d have to give up my beloved Adobe Photoshop. I’ll sacrifice my two laptops out the window before I let you take Photoshop from either one of them.
(Fly, TiBook! Fly!)
And you couldn’t hold a gun to my head to get me to have anything to do with C code, again, open source or not. No, I take it back. You couldn’t hold a gun to my cat’s head, and get to me to work with C code, again.
This isn’t to say you can’t tweak in ExpressionEngine. It provides a ‘plugin’ environment, just as Movable Type, WordPress, and Textpattern do. The only difference with these applications is you can’t hack the internal code in ExpressionEngine even if you wanted to; you can with Movable Type but you shouldn’t because of license and future compatibility; and you’re welcome to with Textpattern and WordPress, and can distribute the hacks legally–as long as you and the other users of your hacks are aware that your code may be overwritten in future versions of these products, so you’re better off trying to work within the plugin environment as much as possible.
Speaking of WordPress, hacking, and plugins, back to work…