[Python-ideas] I have an encrypted python module format: .pye

Guido van Rossum guido at python.org
Mon May 14 19:46:29 CEST 2012


On Mon, May 14, 2012 at 10:35 AM, Mike Graham <mikegraham at gmail.com> wrote:
>  On Fri, May 11, 2012 at 6:27 PM, li wang <charlesw123456 at gmail.com> wrote:
>>
>> I want to use python in my product because I like and am familiar with
>> python for many years, but I won't let the customer read and modify
>> my code. So the best way is to encrypt my module .py to .pye.
>
> The scheme you describe only provides a false sense of security. That
> would be very bad.

You seem to be assuming security by obscurity is worse than no
security. I disagree (although I am not defending it as the sole form
of security). Many security professionals are not happy unless
multiple levels of security are in place, some of which can only be
described as obscurity.

> The only ways to protect your code are a) legally, which is the main
> one,

If you look into legal ways of protecting physical property you'll
find that having locks, fences etc. is often necessary for legal
protection to apply. That's why so often you'll find "no trespassing"
signs (in Holland these even have a specific reference to the law on
them).

> and b) by not giving it to anyone (and making them access things
> by a remote interface).
>
> A very strong -1 from me. Do not provide wrong-headed, insecure
> features like this.

I am -1 on including any support for encrypting bytecode in the
standard library, for the same reasons that we *removed* Bastion and
rexec -- since it cannot be made perfect, we'd be forever open to
criticism and possible liability if someone misunderstood the level of
security provided. But I am defending the right of users to implement
a level of obscurity that they are comfortable with. At the same time
it is good to point out the limits of such schemes.

-- 
--Guido van Rossum (python.org/~guido)


