https://michaeljaylissner.com/2010-02-24T17:15:54-08:002010-02-24T17:15:54-08:00Mike Lissnertag:michaeljaylissner.com,2010-02-24:posts/2010/02/24/using-revision-control-on-a-django-project-without-revealing-your-passwords/

<p>Just a quick post today, since this took me way too long to figure out. If you have a django project that you want to share without sharing the private bits of settings.py, there is an easy way to do&nbsp;this. </p> <p>I tried for a while to to set up mercurial hooks that would strip out my passwords before each commit, and then place them back after each commit, thus avoiding uploading them publicly. This does not work however because all of the mercurial hooks happen after snapshots of the modified files have been made. So you can edit the files using a hook, but your edits will only go into effect upon the <strong><em>next</em></strong> check in. Clearly, this will not&nbsp;do.</p> <p>Another solution that I tried was the mercurial <a href="http://mercurial.selenic.com/wiki/KeywordExtension">keyword extension</a>. This could work, but ultimately it does not because you have to remember to run it before and after each commit &mdash; something I know I&#8217;d forget sooner or&nbsp;later.</p> <p>The solution that <strong><em>does</em></strong> work is to split up your settings.py file into multiple pieces such that there is a private file and a public file. I followed the instructions <a href="http://code.djangoproject.com/wiki/SplitSettings#UsingalistofconffilesTransifex">here</a>, with the resulting code looking being checked in <a href="https://github.com/freelawproject/courtlistener/blob/master/alert/settings.py">here</a> and <a href="https://github.com/freelawproject/courtlistener/blob/master/alert/settings/10-public.py">here</a>. There is also a file called &#8220;20-private.py&#8221; which is not uploaded publicly, and which contains all the private bits of code that would normally be found in settings.py. Thus, all of my settings can be found my django, but I do not have to share my private&nbsp;ones.</p>

2010-01-15T10:27:18-08:00Mike Lissnertag:michaeljaylissner.com,2010-01-15:posts/2010/01/15/how-to-protect-your-open-source-code-from-theft-and-a-mercurial-hook-to-help/

<p><strong>Updated, 2010-01-24:</strong> Some edits regarding the Affero license (thanks to Brian at <a href="http://cyberlawcases.com/">http://cyberlawcases.com</a> for the&nbsp;corrections).</p> <p>I&#8217;ve finally begun doing some of the actual coding for <a href="http://www.ischool.berkeley.edu/programs/masters/projects/2010/judicialnlp">my final project</a> so the time has come to set up <a href="https://github.com/freelawproject/courtlistener">a mercurial repository</a> to hold the&nbsp;code.</p> <p>Once we complete our project, we will have built a free product that competes with some of the core functionality of both LexisNexis and Westlaw, so something we wanted to do was make sure they couldn&#8217;t steal our code, enhance their product and thus moot&nbsp;ours.</p> <p>To achieve this, we&#8217;re using the <a href="http://www.gnu.org/licenses/agpl.html"><span class="caps">GNU</span> Affero General Public License v3</a>, which allows people to take our code for free, but requires that they publicly share any modifications that they make to the code. The normal <span class="caps">GNU</span> General Public License allows the code to be used at no cost, but only requires that changes to the code be shared with the public if one distributes the changed version to the public. With a server-based project, like ours, one could operate modified versions of the code without ever having a need to distribute any of the software to the public. This loophole is closed by the Affero&nbsp;license.</p> <p>In order to license our work, we must be its copyright holder. This is easy enough, since we get copyright instantly in the U.S., but, as has been demonstrated in <a href="http://en.wikipedia.org/wiki/Jacobsen_v._Katzer">Jacobsen v. Katzer</a>, in order to seek remedies for copyright violations, we would have to register everything we made with the copyright office. This <a href="http://www.copyright.gov/docs/fees.html">costs $35</a> per registration, and with open source software, it&#8217;s not clear whether each and every version needs to be registered or just major releases, or&nbsp;what. </p> <p>Since this is too onerous to be practical, an additional approach to protecting our works is useful, and in the <span class="caps">DMCA</span> (<a href="http://www.copyright.gov/title17/92chap5.html#506">17 <span class="caps">U.S.C.</span>§ 506(d)</a>), remedies are provided for the &#8220;fraudulent removal of copyright notice.&#8221; Although these do not (in any way) match the protections provided by normal copyright registration, they are a useful place to begin. Thus, if we place a copyright notice into each file of our code, those using our code must either risk violating the <span class="caps">DMCA</span> by removing these notices, or leave our copyright information intact. (Placing such notices in each file is also <a href="http://www.fsf.org/licensing/licenses/gpl-howto.html">the recommendation</a> of the Free Software&nbsp;Foundation.)</p> <p>To place our information into each and every file of code that we upload publicly, I wrote <a href="https://michaeljaylissner.com/archive/checklicense.py">a short mercurial hook</a> that adds copyright and licensing information it to the top of every file that is modified or added to the repository. To use the script, simply make it executable, place it in the .hg directory of your project, and add the following lines to&nbsp;.hg/hgrc:</p> <div class="highlight"><pre>[hooks] pretxncommit = .hg/checklicense.py </pre></div> <p>A couple of things I should note about this script is that it currently only checks for java and python files, and that it requires files called java_license.txt and python_license.txt to be in the root of your repository. It should be fairly easy to modify though to fit your own&nbsp;needs.</p>