Protect Python Source
Alex Martelli
aleax at aleax.it
Fri Nov 1 03:57:35 EST 2002
hope wrote:
> Hi,
>
> If i am to develop a full fledge commercial application using Python :
>
> a. Can i compile my python source into binary ? I have read about py2exe
> for windows. Is there one for Linux ?
Yes, you can use McMillan's "installer" for both Windows and Linux, see:
http://www.mcmillan-inc.com/install1.html
> b. Can I distribute the bytecode only (.pyo, .pyd) and not the source
Yes, except that .pyd is not an extension used for bytecode but rather
for dynamically lodaed libraries used as Python extensions on Windows
(you may be thinking of .pyc, which IS the extension used for bytecode
that is not optimized, while .pyo indicates bytecode that IS optimized).
> (.py) ? Can the bytecode be 'de-compiled' to source ?
Of course! It's even easier than "dis-assembling" machine code back
into readable symbolic assembly languages, which is something that
'crackers' do for fun -- visit any 'warez' site to see how abundant
are the `cracks` available for all sorts of machine-coded commercial
programs.
Module dis in the Python standard library lets you disassemble
bytecode back to readable form. Recovering actual Python sources
is harder (just as it is if, say, you code in C, to recover actual
C sources rather than disassembled machine code) -- have a look
at decompyle, which you can find with Google, but it's not in
"production" state nor, I think usable with the latest releases
of Python.
> Please advice.
It is conceptually impossible to stop a halfway-competent 'cracker'
from disassembling any compiled form of your program if they have
any interest at all in it (or even if they don't: they DO do it just
for fun even for programs they have no earthly use for), as long as
you distribute your program in a fully executable form for general
purpose computers. If the GP computer can get at your program, as
it must to be able to execute it, so can the cracker. In some cases
you may be able to achieve a measure of protection if your program
can only execute when connected to some Internet site: in that kind
of scenario, you may be able to check that connections only come
from validly registered sites. But in general, you should rely on
the law to protect your programs against unauthorized use, not on
illusory "protection". "Security through obscurity isn't".
Alex
More information about the Python-list
mailing list