I have a temperature measuring device for industrial purposes with a TCP/IP interface. This device speaks a proprietary protocol which is not published from the manufacturer of the device.
I am thinking of writing a Node-RED node to get data out of this device. I'd like to partly refund the software development efforts by licensing the node (e.g. 20-50 US$ per node).
My idea is to make a licence-key input field in the node configuration. Without licence-key basic operations can be performed but to unlock all features, a licence-key is required.
For requesting a licence-key, the MAC- or TCP/IP-address are shown in a dialog box and then the licence-key is generated depending on that address. I don't want the node to make internet-calls to check the validity of the licence-key. Everything should work offline.
Does this idea sound crazy from a technical point of view?
Are there experiences of how this can be done?
Hi, before I get to any technical part, you need to assure yourself that whatever licensing model you apply to your code is compatible with Node-RED's. You will need to add that license to your module & you may well still need to reference Node-RED's license as well. I'm not an expert in this area so if in doubt, you should check with a suitable professional.
I think that you would have to also check in With @knolleary if you were considering publishing the node module to npm with the node-red tag on it. To make sure that it was OK for it to appear in the flows library.
Technically there are a couple of issues you need to deal with:
How will you protect your code? As a node is simple a collection of HTML and JavaScript, what's to stop someone simply copying it and taking out the license-key processing?
You wouldn't be able to use an IP address in your license-key calculations since that is set locally by the local network and will change if the device is moved and will be the same if a client uses a non-Internet routable address space (as they should generally do).
MAC address isn't so bad but make sure that your devices can't have their MAC address changed (as some devices can).
At the end of the day, any responses given here come with the caveat that they are not professional advice. If you aren't sure how/whether this would work and how to protect yourself and others from professional/commercial mistakes then you might want to get paid help.
My plan was, to make a limitied feature set available for free and - with a valid licence key - the user gets additional features unlocked. To publish the node in the Node-RED flows library is required so any user can install it via the Node-RED pallette feature.
I hope this complies with the Node-RED licence. Any valuable input is welcome here.
The code protection is tough indeed. Maybe obfuscation or kind of code compilation can help here? Full protection very hard to achieve, lighter protection is acceptable. But how to avoid that the licence-key processing can be remove and the node gets republished?
The license of Node-RED itself (Apache 2) does not place any requirements on how a node author chooses to license and distribute their own node.
That is a hard problem to solve. There is absolutely nothing to stop someone republishing your node, other than the risk of you discovering they have done so and then taking enforcement action over their breaking the terms of the license.
I believe most of the business logic needs to placed in such sw, like a dll or service developed in C++. I also believe that in that part the actual communication with the device has to be "running" and controlled, you also need some mechanism in there that checks (eventually online?) that there is a valid license present. As @TotallyInformation already explained, the code used to build the node can't be protected. Once in a software project we generated customer licenses based on the cpu serial number since that was considered relative stable whereas basing anything on mac addresses was abandoned, if the customer is changing NIC, he would need a new license. Most common and, to my knowledge, best way to license protect a sw is to use a dongle but that will be too expensive in your case. You would also have to provide a service where your customers send in some data to you, you calculate the key and return it to the customer that would want a nice way to enter it
EDIT: Is the device that unique and frequently used so you believe it is worth the effort, is the demand huge for such a thing?
The device is not used very often and the demand is not huge. I don't want to put much effort in this licencing thing. As I see there are several levels of licence protection and no perfect solution. Probably I will go for a solution that fits my needs:
user can install the node via Node-RED pallette
the node can be used out-of-the-box with basic features
there is a licence key input field and an alert box "request licence key" which shows the ip-address of the Node-RED instance currently running
the node will be updated frequently (bug fixes/new features) in order to make cloning of the node unattractive and keeping it updated high effort
or
shifting the non-free bussines logic to a cloud service that depends on a valid login
Are there Node-RED nodes known that do such kind of licensing?
Many of us will not let our devices talk to the big bad outside world once installed in a production environment. The key code would have to work one time connecting to your server or check against already stored value / hash / or code generated by users hardware that produces one side of the key you can validate one time to another via email or something.
The Idea behind opensource projects like node-red and its nodes is to charge for a / your service / hosting / updates and not the product(code).
Total honesty. You may not like this. Rather you know before you do all the hard work.
If a company had the temp devices your writing a node for and wanted me to connect them up I would look at your code as a base to see how you talk to the device write down all the communication information you slaved over figuring out (as its their device and communication protocol they did not release .... not yours...theirs) and then remove all copies of your work and write up my own code in a clean environment to talk to the temp sensors.
@TotallyInformation: a support plan for a Node-RED node? I don't think that the Flow-Designer oders a paid support plan when installing a node from the pallette.
But if he/she can unlock a feature for some onetime bucks this is far easier than committing to a recurring payment. either in a (large) organisation or for a smart home maker.
If the device has a unique & fixed serial number, you might tie the license to that if the api supports that you can retrieve it. If so, you could consider to become a re-seller of the device. Your USP would be that you include node sw and license as a package with the device
Nothing personal, but I think you're crazy.
The effort required to generate cash may well be more than the work to sniff and decode the protocol.
Plus the number of users will be low, but the chance of them demanding support is high if they pay for the node.
And then how do you morally justify being the only person seeking payment in an open source ecosystem ? So much work has been done by so many others to get the platform to where it is, all for free.
Exactly what sensor is it ?
How do people currently 'talk' to these sensors ?
Why choose a sensor with a closed protocol if you then want to communicate with it ?
@GeneCode@effgee Don't agree. How should software engineers make money in the Node-RED ecosystem? I don't want to teach someone, teaching doesn't scale and writing nodes should be directly awarded. Writing nodes is not my first job either. Open Source is great but not everybody has funded research projects or generous sponsors for writing great software and donating it to the public.
There are ecosystems where making money works very well. For example the Wordpress plugin ecosystem is somewhat similar to Node-RED and there are tons of plugins with a "pro" version. Unfortunately I have no clue about how licensing works there. But the developer community is far more attracted when they can make money.
Perhaps this thread is a good start to think about "protected IP" node. It would be a container node with node-red flows inside, but which contents would be encrypted by the password, or distributed as compiled/obfuscated Javascript code, not suitable for reverse-engineering, but still suitable for flow copy-paste node-red function. E.g. users could share it freely, but noone would be able to see what's inside without a password or permission from author. I think I would be interested in such node as well.
I have seen such scheme for example in Excel VB scripts - they are executable, but code is protected.
Back to your original point about how to protect your IP - you are right that the Wordpress plugin ecosystem is one to learn from. They have all the same issues around how to manage a paid-for version of their code - being php, just as copy and pastable as a Node-RED node. Yet as you point out - they have a very successful ecosystem.
And for the record - the Node-RED project has absolutely no issue with developers wanting to commercialise their nodes.
I would suggest that, before you spend any time on this with a hope to commercialize it, you consult an attorney versed in Intellectual Property rights. If you start advertising that you have broken another entities proprietary protocol and are selling nodes with it, you may find yourself a defendant in a legal action by the manufacturer of the temp nodes. If they are a large corporation, your chances of prevailing are likely small, and defending yourself could be far more costly than your licensing fees. Hacking as a maker exposes you to far less risk than advertising to the world that you have hacked a Siemens or Rockwell proprietary protocol.
@daviddohm Thank you. Before I start I will ask the device manufacturer for permission first. I really don't want to have any legal issues concerning disclosing company secrets.
