Protecting Python source

Alex Martelli aleaxit at yahoo.com
Sat Nov 27 02:14:22 EST 2004


Alan Sheehan <adsheehan at eircom.net> wrote:

> Hi pythonistas,
> 
> I am looking for methods of deploying applications with end users so
> that the Python code is tamper proof. What are my options?

Like for any other language, the code you distribute _can_ be
decompiled, analyzed, studied, and modified, by any attacker determined
enough to bypass the technical and legal barriers.  If your code is
worth protecting, then it's worth attacking.

Like for any other language, a solid solution is to put crucial parts of
your application on a server that is entirely under your control,
accessed by the rest of the application (the part that you distribute)
via any distributed processing technology -- CORBA, XML-RPC, Pyro,
whatever.  The pluses and minuses are obvious: your application will run
only with network access (which is more and more widely available but
not yet universal); OTOH, you can exert fine control on who and when can
access the crucial parts (by subscription, pay per use, whatever
business model you fancy).  It's the only approach that can be made as
solid as the server you use, which is _very_ solid.  Even burning some
algorithms into a dedicated chip is less robust, since chips _do_ get
reverse engineered / decompiled too.

If all you want is to make the barriers as high as reasonably feasible,
crypted archives with a dedicated Pyrex-coded module to decrypt and make
them accessible to the main program is one way.  Legal barriers however
tend to work better than technical ones, which may be perceived as
interesting challenges and stimulate attacks.  Note that just about any
piece of software that's widespread, whatever language and protection
scheme it may have used, is available in cracked form in the `warez'
circuits.  Go server-side as much as you can, and rely on the awesome
coercive powers of the state for the rest -- "go legal, young man".


Alex
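
[Added example, not part of the original post: a sketch of the server-side approach described above, using XML-RPC from the Python standard library with a per-token quota standing in for "pay per use". The token names, the quota table, the `price_quote` method and its formula are hypothetical; the demo uses plain HTTP on loopback, where a real deployment would sit behind TLS with real authentication.]

```python
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer

# Constructed sample data: token -> remaining paid calls (hypothetical scheme).
QUOTA = {"tok-alice": 2}
_lock = threading.Lock()

def _charge(token):
    """Server-side access check: reject unknown tokens and exhausted quotas."""
    with _lock:
        if QUOTA.get(token, 0) <= 0:
            raise xmlrpc.client.Fault(403, "no valid subscription or quota used up")
        QUOTA[token] -= 1

def price_quote(token, units):
    """The 'crucial part': this logic lives only on the server, never in the client."""
    if not isinstance(units, int) or not 0 < units <= 10_000:
        raise xmlrpc.client.Fault(400, "units out of range")
    _charge(token)
    return round(units * 1.37 + 12.5, 2)  # placeholder for the protected algorithm

def start_server():
    """Bind to loopback on an ephemeral port; returns (server, url)."""
    srv = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    srv.register_function(price_quote)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/" % srv.server_address[1]

def demo():
    """Distributed-side code: it knows only the URL, a token and the method name."""
    srv, url = start_server()
    results = []
    try:
        proxy = xmlrpc.client.ServerProxy(url)
        for token in ("tok-alice", "tok-alice", "tok-alice", "tok-mallory"):
            try:
                results.append(proxy.price_quote(token, 100))
            except xmlrpc.client.Fault as fault:
                results.append("fault %d" % fault.faultCode)
    finally:
        srv.shutdown()
        srv.server_close()
    return results

if __name__ == "__main__":
    print(demo())
```

[The client that ships to end users contains nothing worth decompiling beyond a method name and a URL; access decisions and the algorithm itself stay on the server.]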


