[Python-ideas] I have an encrypted python module format: .pye

Mike Meyer mwm at mired.org
Sun May 13 20:26:19 CEST 2012


On Sun, 13 May 2012 19:36:52 +1000
Steven D'Aprano <steve at pearwood.info> wrote:
> Mike Meyer wrote:
> > If it's not clear by now, a fancy encryption scheme won't protect your
> > sources from someone who really wants to read them. On the other hand,
> > shipping just the .pyc/.pyo files will stop casual browsing. The only
> > real difference here is how much effort it takes to get the source. To
> > carry Guido's analogy further, both lock your front door, one just
> > uses a better lock. Neither will stop a determined burglar.
> I think Guido's analogy is bogus and wrongly suggests that encrypting 
> applications just might work if you try hard enough. If we can lock the door 
> and keep strangers from peeking inside, why can't we encrypt apps and stop 
> people from peeking at the code?

But locking the door *won't* keep strangers from peeking inside. Not
if they really want to. It'll keep people from casually opening the
door, but it won't stop someone who really wants to see the insides
because they can:

> But the analogy doesn't follow. In the front 
> door example, untrusted people don't have a key and are forced to pick or 
> break the lock to get it.

Exactly. You can easily get tools to do all these things, as well as
others, to get past the lock.

> In the encryption example, untrusted people are given the key (as an
> environment variable), then trusted not to use it to read the source
> code!

This is pretty much required in any form of DRM. You have to give the
end user the keys in order for them to use what you gave them. Trying
to prevent them from then doing *other* things is done by obfuscating
how you get from the cyphertext to the plaintext. That it can't work
is why the US container companies got laws passed making doing so
illegal.

> (Possibly on the assumption that they don't realise they have the key, or that 
> using it manually is too difficult for them.)

The difficulty level is immaterial. With the proper training and
tools, none of these things (picking locks, breaking down doors,
reverse engineering code obfuscation) is difficult. On the other hand,
you can raise the difficulty level of any of them by investing more in
whatever obstacles you're putting in the way.

They both do the same thing. That's why the analogy works.

	<mike
-- 
Mike Meyer <mwm at mired.org>		http://www.mired.org/
Independent Software developer/SCM consultant, email for more information.

O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
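
Added example, not part of the original message or of any .pye code: a defender's check of what a shipped .pyc still carries, illustrating the "stops casual browsing" point in the thread. The sample module, its token and license strings, and the function names `compile_to_pyc_body`, `exposed_symbols` and `audit` are constructed for illustration.

```python
import marshal
import types

# Constructed sample module: stands in for source a vendor compiles and ships.
SAMPLE_SOURCE = '''
API_TOKEN = "constructed-token-123"

def check_license(key):
    """Return True when the key matches."""
    return key == "constructed-license-key"
'''


def compile_to_pyc_body(source, filename="sample.py"):
    """Compile source and marshal the code object, as a .pyc stores it after its header."""
    return marshal.dumps(compile(source, filename, "exec"))


def exposed_symbols(pyc_body):
    """Walk the unmarshalled code object; collect the strings and names it carries.

    Only call this on bytecode you produced yourself: marshal is not safe
    against maliciously constructed input.
    """
    strings, names = set(), set()
    stack = [marshal.loads(pyc_body)]
    while stack:
        code = stack.pop()
        names.update(code.co_names)      # globals and attributes referenced
        names.update(code.co_varnames)   # arguments and local variables
        names.add(code.co_name)          # function name, or '<module>'
        for const in code.co_consts:
            if isinstance(const, types.CodeType):
                stack.append(const)      # nested function or class body
            elif isinstance(const, str):
                strings.add(const)       # string literals survive compilation
    return strings, names


def audit(source):
    """Report what a reader of the compiled form can list without the source."""
    strings, names = exposed_symbols(compile_to_pyc_body(source))
    return {"strings": sorted(strings), "names": sorted(names)}


if __name__ == "__main__":
    report = audit(SAMPLE_SOURCE)
    print("string constants:", report["strings"])
    print("identifiers:", report["names"])
```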


