encrypting python modules

Paul Sijben paul.sijben at xs4all.nl
Mon Jan 14 10:01:14 CET 2008


Mike,

thanks for the constructive feedback.Indeed i probably need to patch
import in some way. Looks like there is no standard way to get this
done. So I guess I have do it myself...

In the famous last words department: how hard can that be? ;-)

Paul



Mike Meyer wrote:
> On Sat, 12 Jan 2008 09:47:26 +1100 Ben Finney <bignose+hates-spam at benfinney.id.au> wrote:
> 
>> Paul Sijben <paul.sijben at xs4all.nl> writes:
>>> I know that I can not stop a dedicated hacker deconstructing my code.
>> A direct consequence of this is that you can not stop *anyone* from
>> deconstructing your code if it's in their possession. It takes only
>> one dedicated, skilled person to crack your obfuscation system and
>> distribute an automated process for doing so to anyone interested.
> 
> Except that's not what he's trying to do.
> 
>>> However I can not imagine that I would be the first one planning to
>>> do this. So is there a solution like this available somewhere?
>> Trying to make bits uncopyable and unmodifiable is like trying to make
>> water not wet.
> 
> And again, that's not what he's trying to do. He wants to arrange
> things so that he doesn't have to support unmodified versions of his
> code, by making it impossible to import modified modules. While that's
> still impossible, once you decide how difficult you want to make it
> for people to do that, you can *probably* make it that difficult - but
> the process gets progressively more difficult and expensive as you
> make it harder.
> 
> I think he's contemplating only the simplest, least expensive step:
> adding an import hook that only allows imports of digitally signed
> modules. If planning to deploy on Windows, where he has to bundle a
> python with his application, he may well implement the hook in the
> interpreter instead of in python, so it's harder to find.
> 
> If you wanted to go to the expense, you could probably arrange things
> so that the digital signatures are the more vulnerable attack vectors,
> but I'd expect to spend millions of dollars doing so.
> 
>        <mike



More information about the Python-list mailing list