November 25, 2021
SaaS Compliance Caveats
view page source ain’t what it used to be
I read Heather Meeker’s blog and highly recommend it. Her recent piece on open source compliance for SaaS vendors is another good one, with two big caveats:
Transpiling, Bundling, and Minification
It’s perfectly normal to see three types of build tools in recent front-end build chains.
Finally, minifiers like Terser and Uglify not only remove insignificant whitespace, but strip out comments, scrunch variable names, refactor control structures, and perform all manner of other tricks to minimize file size and facilitate compression. These tools rarely advertise themselves as “obfuscators”, but they get halfway there by optimizing without a care for readability. Any front-end dev who actually wrote and committed minified-looking code like this would be banished from teamwork immediately.
Along this chain, many tools also produce “source maps” showing what parts of their code inputs correspond to what parts of their code outputs. Taken together, those source maps allow web browsers to trace a path back from an error in the final client-side code bundle to a line and character position in a specific file of original source code. Debug versions of SaaS apps serve these source maps for developers. But companies rarely serve source maps—or the original source files they refer to—in production. Customers get only bundles of transpiled, minified code, which load much faster.
prototype remain. These will be handled well by the compression algorithms browsers and servers use, since they repeat so often. Note also that nearly all visible variable names—the names following var keywords—are but one or two letters. The programmers didn’t name their variables that way. The minifier renamed them.
If you asked me to add a feature or fix a bug in this code, it wouldn’t be a maintenance project. It would be a reverse-engineering project. If I found that this code was originally GPL licensed, demanded “Corresponding Source” from Google, and got told I already have it—just click “View Source”—I’d call it a license violation.
WebAssembly, a standard kind of binary code for web browsers, isn’t so widely adopted as transpiling, bundling, and minifying. But some large and technically progressive firms are already using it in production apps. Rising-star programming languages, like Rust, already rely on it as a compilation target for the Web.
Copyleft as Usual
All of that means more core functionality—the work SaaS companies tend to keep proprietary—gets “distributed” to the client side. It’s no longer safe to say that the “technology” is all on the server, with the client code merely adding sprinkles. A license compliance problem on the front end could be a real business problem.
For all those folks slinging front-end code in the SaaS business: Get yourself a license checker in CI and be grateful for good metadata. If they don’t exist for your language, get on that. A little prevention can save a lot of hassle.
Your thoughts and feedback are always welcome by e-mail.