Is it possible to protect python source code by compiling it to .pyc or .pyo?

Tim Delaney timothy.c.delaney at gmail.com
Fri Jan 17 17:02:42 EST 2014


On 18 January 2014 08:31, Joshua Landau <joshua at landau.ws> wrote:

> On 17 January 2014 00:58, Sam <lightaiyee at gmail.com> wrote:
> > I would like to protect my python source code. It need not be foolproof
> > as long as it adds inconvenience to pirates.
> >
> > Is it possible to protect python source code by compiling it to .pyc or
> > .pyo? Does .pyo offer better protection?
>
> If you're worried about something akin to corporate espionage or
> some-such, I don't know of a better way than ShedSkin or Cython. Both
> of those will be far harder to snatch the source of. Cython will be
> particularly easy to use as it is largely compatible with Python
> codebases.
>

Indeed - I've only had one time someone absolutely insisted that this be
done (for trade secret reasons - there needed to be a good-faith attempt to
prevent others from trivially getting the source). I pointed them at Pyrex
(this was before Cython, or at least before it was dominant). They fully
understood that it wouldn't stop a determined attacker - this was a place
where a large number of the developers were used to working on bare metal.

If you're going to do this, I strongly suggest only using Cython on code
that needs to be obscured (and if applicable, performance-critical
sections). I'm currently working with a system which works this way - edge
scripts in uncompiled .py files, and inner code as compiled extensions. The
.py files have been really useful for interoperability purposes e.g. I was
able to verify yesterday that one of the scripts had a bug in its
command-line parsing and I wasn't going insane after all.

Also, remember that any extension can be imported and poked at (e.g. in the
interactive interpreter). You'd be surprised just how much information you
can get that way just using help, dir, print and some experimentation. The
output I was parsing from one of the scripts was ambiguous, and it was one
where most of the work was done in an extension. I was able to poke around
using the interactive interpreter to understand what it was doing and obtain
the data in an unambiguous manner to verify against my parser.

The only way to truly protect code is to not ship any version of it
(compiled or otherwise), but have the important parts hosted remotely under
your control (and do your best to ensure it doesn't become compromised).

Tim Delaney
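
Added example, not part of the original message: a small audit of what a shipped artifact still exposes, both from the marshalled bytecode a .pyc stores and from `dir()` and `__doc__` after import, as described above. The sample module, its names and the salt string are constructed for illustration, and a pure-Python module stands in for a compiled extension.

```python
import marshal
import types

# Constructed sample module standing in for code someone wants to hide.
SAMPLE_SOURCE = '''
"""Licence checks for the billing engine."""
_SALT = "constructed-sample-salt"

def check_licence(key, customer_id):
    """Return True when key matches the customer's licence."""
    expected = _SALT + str(customer_id)
    return key == expected[::-1]
'''

def to_pyc_payload(source, name="sample_mod"):
    """Compile and marshal: this is what a .pyc stores after its header."""
    return marshal.dumps(compile(source, name + ".py", "exec"))

def walk_code(code):
    """Yield a code object and every code object nested in its constants."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)

def exposed_by_bytecode(payload):
    """Names and string constants readable from the marshalled code alone."""
    names, strings = set(), set()
    for code in walk_code(marshal.loads(payload)):
        names.update(code.co_names, code.co_varnames)
        names.add(code.co_name)
        strings.update(c for c in code.co_consts if isinstance(c, str))
    return names, strings

def exposed_by_import(payload, name="sample_mod"):
    """What dir() and __doc__ show once the module is loaded, as in the REPL."""
    module = types.ModuleType(name)
    exec(marshal.loads(payload), module.__dict__)
    public = {n: getattr(module, n) for n in dir(module) if not n.startswith("__")}
    docs = {n: v.__doc__ for n, v in public.items() if callable(v)}
    return public, docs

if __name__ == "__main__":
    payload = to_pyc_payload(SAMPLE_SOURCE)
    print(exposed_by_bytecode(payload))
    print(exposed_by_import(payload))
```

Running the same audit against your own build before release shows which identifiers, literals and docstrings a recipient gets regardless of whether the .py files are shipped.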