This question is related with copyrights. The copyright is granted by default to the author of some code, however this requires to prove that some person is the “first” author of some piece of code. Consider the following example:
- Andy writes some code in 2010 and stores it in a not secure enough place.
- Brian copies that code in 2011 and registers this code in some service to associate it with some timestamp, to prove he had it written in 2011.
- Andy decides he should be able to prove he is the author of the yet not published code and gets proceeds as Brian in 2012.
- Carol has to judge who is the original author of that code in 2013 and all the evidence is in favor of Brian.
I think such a service is important and if I’m not mistaken there are some services like that which provide this for a price. At the same time nowadays there are quite a few git based services like Github, Bitbucket, Assembla, etc. that provide a version control system and store all the different versions made available for some code through time. They are free and offer really nice features. In some of them it is possible to define a repository as private and then switch it as public when the code is ready to be released.
The problem with the git based services is that they trust and believe the client on the dates for the commits. This means that if Brian commits in 2011 some code and publishes (pushes) it then David could manipulate the date in his computer to pretend he committed that code in 2009, beating Brian and Andy (the real author of the code).
So basically I would like to know if there is some kind of service like these that:
- handles timestamps in a trustworthy way
- allows publishing the code
- allows publishing the different versions and diffs
- allows private repositories that can be made public if shit happens
- is free
So far, the most reasonable approach I found is sending something through mail. Even though the MIME headers can be manipulated the SMTP servers in the route should not be reasonably trustworthy and they set the timestamp for the time the mail goes through them.
This is a whole mess when compared with bitbucket, for instance, you cannot read my e-mails (I truly hope). Bitbucket allows private repos, repos can be made public with all the previous versions and diffs, etc. The only problem: the timestamps an be manipulated and thus they are not trustworthy.
So the question is: do you know about any service like this?
PD: Emails should be as valid as regular mail or escrows, even though they may raise more eyebrows among lawyers. But even if a tarball in an email is something simple to produce and do, it’s much more natural to simply use some CVS, which should be used anyway. They do even have the timestamps already and I guess that should work in centralized systems like subversion, where the timestamp is set by the server. So maybe services that allow subversion repositories (SourceForge, Assembla, Google Code, etc.) could be enough? Would they be enough? Do you know about other (possibly better) alternatives? Assembla seems to be the only one fulfilling all the requisites.
Thank you.
3
The Bitcoin cryptocurrency can provide this service as a side effect of the currency bookkeeping method (the blockchain; a P2P shared ledger that’s cryptographically signed).
Take a hash of your code at a given point in time (use some sort of version-control software to ensure you can get back to that point), and use a utility like BitcoinTimestamp to embed that hash in the blockchain (which automatically gives it a timestamp).
The popular Bitcoin dice game SatoshiDice uses that method to publicly verify that it hasn’t changed its secret numbers since the time the hash was calculated.
This service can keep that timestamp around as long as some P2P node continues to broadcast the blockchain files. If the cryptocurrency fails, the P2P network may dissolve and you’d lose the ability to verify your timestamp, but that’s true of any escrow service, and this system at least doesn’t have a single point of failure (being a P2P network).
2
There are escrow services, you can put your code in escrow for a fee. I’m not a lawyer, but I guess that would be enough to prove copyright? The other option is the standard Post Office copyright, put your code on a usb stick, in a tamperproof envelope, and mail it to yourself. Then when question of copyright comes up, you have your code available to you.
1