Ask for a tool to protect my .pyc file :)

Steven D'Aprano steve at REMOVETHIScyber.com.au
Sat May 7 10:42:22 EDT 2005


On Sat, 07 May 2005 06:45:32 -0700, Robert Kern wrote:

> Lily Kakm wrote:
>> when I distribute my software, I will give the users .pyc file (maybe I can 
>> use py2exe, but I think there's no essential difference), because I don't 
>> like them to know my source code.
>> 
>> But actually, though a .pyc file is not so direct as a .py file, the user 
>> can also easily guess the detail of the program. Because in the .pyc file, 
>> the names of the variables exist.
>> 
>> I ask you for a tool. Maybe it can hide the name of the variables.
> 
> That's not going to provide you any security. Any competent attacker 
> won't care what you name the variables.
> 
> If you want real security, don't distribute your code. Expose the 
> critical parts as a web service (or similar) instead.
> 
> If you want pretend security, .pycs or py2exe executables are enough.

Lily, I think the point that Robert is making is that you have to ask,
"Why do I want to keep my code secret?"

If the answer is "My code is very bad and I don't want people to see it
because I am ashamed", then distributing .pyc files is good enough. Or
better, learn to write better code.

If the answer is, "My code is worth a lot of money, and I don't want
people to copy it", then hiding variable names will not protect you. If
your code is worth enough money, then people will spend hundreds of hours
cracking whatever security you use. The more valuable your code, the more
time and effort they will spend.

And using variables like xxxxxxxy won't protect you from competent
programmers. As soon as they read the code and realise that xxxxxxxy is a
node, they will do a Search and Replace of "xxxxxxxy" to "some_node" and
have readable code again.

So why do you want to hide your code? Who do you expect to hide it from?

[snip]
>> xxxxxxxxxx = 100
>> xxxxxxxxxy = 500 - xxxxxxxxxx
>> 
>> It has the same function, but it can not easily be seen by the users.
> 
> Reads just fine to me.

In fairness Robert, would you really want to read 10,000 lines of code
like that? I know I wouldn't -- not even 100 lines. 

Obfuscated code like that is, well, obfuscated. That makes it the
opposite of well-written, easily maintained and understood code. This
isn't an impenetrable barrier to a motivated programmer, but it is hardly
easy to read.


>> Do you know where to download a tool like this?
> 
> You ask an open source software community for a free tool to keep your 
> source proprietary? High expectations.

Again, in fairness, source code obfuscation isn't wrong in and of itself.
For example, Lily might be a teacher running a course on
reverse-engineering, and wants some Python code that can't easily be
understood by just reading the source.

Well, it's possible *wink*

Lily, if you are still reading, I think it is very important that you
think about why you want to keep your source code secret. Then think about
the alternative: publish your code as Open Source software.

There are many companies these days who make money from Open Source
software, including IBM, Red Hat, Apple, Sun, all the way down to small
businesses like the one I work for. (Modesty prevents me mentioning the
name, but if you look at my email address you should be able to work it
out.)

If you aren't selling your software, but just want people to be able to
download it and use it, then think about the advantages of making the code
available. If you can't think what those advantages are, please ask, I'm
sure many people here will be more than happy to discuss it with you.

Finally, if you still decide that you want to keep your code secret, that
Open Source is not for you, then I suggest you do a Google search on
"python obfuscater". If you don't find anything, then you can always write
your own.



Steven.
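
An added example, not part of the original message: it compiles the renamed-variable snippet quoted in the thread, shows that the marshalled code object (the body of a .pyc) still carries every identifier, and then undoes the renaming mechanically, which is the "Search and Replace" step described above. The file name `secret.py` and the replacement names in `MAPPING` are hypothetical.

```python
import ast
import marshal

# Constructed sample: the renamed-variable snippet quoted in the thread.
OBFUSCATED = "xxxxxxxxxx = 100\nxxxxxxxxxy = 500 - xxxxxxxxxx\n"
# Hypothetical names a reader might pick once they see what the values do.
MAPPING = {"xxxxxxxxxx": "used", "xxxxxxxxxy": "remaining"}


def pyc_body(source, filename="secret.py"):
    """Marshal the module code object, as stored in a .pyc after its header."""
    return marshal.dumps(compile(source, filename, "exec"))


def names_in_pyc(body):
    """Load the code object back and return the identifiers it still carries."""
    return list(marshal.loads(body).co_names)


class _Rename(ast.NodeTransformer):
    """Replace every identifier found in the mapping; leave the rest alone."""

    def __init__(self, mapping):
        self.mapping = mapping

    def visit_Name(self, node):
        node.id = self.mapping.get(node.id, node.id)
        return node


def rename(source, mapping):
    """Syntax-aware search and replace: returns source with readable names."""
    return ast.unparse(_Rename(mapping).visit(ast.parse(source)))


def run(source):
    """Execute the source and return the module-level values it defines."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)
    namespace.pop("__builtins__", None)
    return namespace


if __name__ == "__main__":
    print("identifiers in the .pyc body:", names_in_pyc(pyc_body(OBFUSCATED)))
    print(rename(OBFUSCATED, MAPPING))
    print("values:", run(rename(OBFUSCATED, MAPPING)))
```

The renamed source computes the same values as the obfuscated one, so the obfuscation costs a reader one mapping table and nothing more.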






