On Sat, 07 May 2005 06:45:32 -0700, Robert Kern wrote:

> Lily Kakm wrote:
>> when I distribute my software, I will give the users .pyc file (maybe I can
>> use py2exe, but I think there's no essential difference), because I don't
>> like them to know my source code.
>>
>> But actually, through .pyc file is not so directly as .py file, but the user
>> can also easily guess the detail of the program. Because in the .pyc file,
>> the name of the variables are exist.
>>
>> I ask you for a tool. Maybe it can hide the name of the variables.
>
> That's not going to provide you any security. Any competent attacker
> won't care what you name the variables.
>
> If you want real security, don't distribute your code. Expose the
> critical parts as a web service (or similar) instead.
>
> If you want pretend security, .pycs or py2exe executables are enough.

Lily, I think the point that Robert is making is that you have to ask,
"Why do I want to keep my code secret?"

If the answer is "My code is very bad and I don't want people to see it
because I am ashamed", then distributing .pyc files is good enough. Or
better, learn to write better code.

If the answer is, "My code is worth a lot of money, and I don't want
people to copy it", then hiding variable names will not protect you. If
your code is worth enough money, then people will spend hundreds of hours
cracking whatever security you use. The more valuable your code, the more
time and effort they will spend.

And using variables like xxxxxxxy won't protect you from competent
programmers. As soon as they read the code and realise that xxxxxxxy is a
node, they will do a Search and Replace of "xxxxxxxy" to "some_node" and
have readable code again.

So why do you want to hide your code? Who do you expect to hide it from?

[snip]

>> xxxxxxxxxx = 100
>> xxxxxxxxxy = 500 - xxxxxxxxxx
>>
>> It has the same function, but it can not easily be seen by the users.
>
> Reads just fine to me.

In fairness Robert, would you really want to read 10,000 lines of code
like that? I know I wouldn't -- not even 100 lines. Obfuscated code like
that is, well, obfuscated. That makes it the opposite of well-written,
easily maintained and understood code. This isn't an impenetrable barrier
to a motivated programmer, but it is hardly easy to read.

>> Do you know where to download a tool like this.
>
> You ask an open source software community for a free tool to keep your
> source proprietary? High expectations.

Again, in fairness, source code obfuscation isn't wrong in and of itself.
For example, Lily might be a teacher running a course on
reverse-engineering, and wants some Python code that can't easily be
understood by just reading the source. Well, it's possible *wink*

Lily, if you are still reading, I think it is very important that you
think about why you want to keep your source code secret.
Then think about the alternative: publish your code as Open Source
software. There are many companies these days who make money from Open
Source software, including IBM, Red Hat, Apple, Sun, all the way down to
small businesses like the one I work for. (Modesty prevents me mentioning
the name, but if you look at my email address you should be able to work
it out.)

If you aren't selling your software, but just want people to be able to
download it and use it, then think about the advantages of making the code
available. If you can't think what those advantages are, please ask, I'm
sure many people here will be more than happy to discuss it with you.

Finally, if you still decide that you want to keep your code secret, that
Open Source is not for you, then I suggest you do a Google search on
"python obfuscater". If you don't find anything, then you can always write
your own.

Steven.

-- 
http://mail.python.org/mailman/listinfo/python-list
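
What the thread describes, as an added example that is not part of the original posts: reading a .pyc back into a code object shows the identifiers it stores, and comparing the renamed snippet quoted above with a readable version shows that renaming leaves the instructions and constants unchanged. The readable names (`width`, `margin`) are constructed for illustration, and the 16-byte header size assumes CPython 3.7 or later.

```python
import dis
import marshal
import os
import py_compile
import tempfile

# Constructed sample: the renamed form is the snippet quoted in the thread;
# the readable names are an assumption made for this example.
READABLE = "width = 100\nmargin = 500 - width\n"
RENAMED = "xxxxxxxxxx = 100\nxxxxxxxxxy = 500 - xxxxxxxxxx\n"

PYC_HEADER_SIZE = 16  # magic, flags, mtime-or-hash, size (CPython 3.7+, PEP 552)


def load_code_from_pyc(source):
    """Compile source to a real .pyc file, then read the code object back
    from the bytes alone, as a recipient of the .pyc could."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "mod.py")
        pyc = os.path.join(tmp, "mod.pyc")
        with open(src, "w") as fh:
            fh.write(source)
        py_compile.compile(src, cfile=pyc, doraise=True)
        with open(pyc, "rb") as fh:
            data = fh.read()
    return marshal.loads(data[PYC_HEADER_SIZE:])


def shape(code):
    """Instruction stream with each name replaced by its first-seen position:
    what is left of the logic once identifiers are ignored."""
    seen = {}
    out = []
    for ins in dis.get_instructions(code):
        arg = ins.argval
        if ins.opname in ("LOAD_NAME", "STORE_NAME"):
            arg = seen.setdefault(arg, len(seen))
        out.append((ins.opname, arg))
    return out


if __name__ == "__main__":
    readable = load_code_from_pyc(READABLE)
    renamed = load_code_from_pyc(RENAMED)
    print("names in readable .pyc:", readable.co_names)
    print("names in renamed .pyc: ", renamed.co_names)
    print("same instructions and constants:", shape(readable) == shape(renamed))
    dis.dis(renamed)
```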