Shipping Executables

Steven D'Aprano steven at REMOVE.THIS.cybersource.com.au
Tue Feb 16 21:11:15 EST 2010


On Tue, 16 Feb 2010 13:41:21 -0800, rodmc wrote:

> Hi,
> 
> I have been merrily programming away in Python now for a few years and
> have a couple of applications I would like to possibly publish at some
> point - with the exception of certain libraries they are more or less
> 100% Python. However I have read elsewhere online that Python due to
> its architecture is not so good for this, especially as it is easier
> for people to hack into the code.

Looks like you are looking to apply the philosophy "No user serviceable 
parts inside".



> Also where software requires some
> security aspects I guess it would also not be much use, is this correct?

Absolutely 100% wrong. It is a fundamental principle of security that 
you must not assume that the enemy is ignorant of your procedures. 
"Security by obscurity" is not security at all.

See, for example:

http://en.wikipedia.org/wiki/Kerckhoffs'_Principle

If you are trusting that your software will be secure because people 
cannot read the source code, you have already failed. Hackers break into 
computer systems without the source code as a matter of course: allowing 
the source to be available generally makes so little difference as to be 
no difference. Worse, keeping the source code secret *as a security 
measure* lulls people into a false sense of security, letting them use 
weak security confident that since nobody knows how weak it is, it will 
be strong. That's not how it works.

If you have other reasons for wanting to keep the source code secret, 
that's one thing. But doing it because it is more secure is foolish: 
software simply isn't more secure when supplied as a binary instead of 
source code.


> Anyway I would appreciate any views or tips that people have?

Don't worry about it. If your application is secure, it will be secure 
even if everybody knows how it works. If it's not secure, then the bad 
guys will learn how it works even without the source code.



-- 
Steven
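Steven's point in code, as an added example that is not part of the original thread or of any project: the first check's only secret is a string literal in the source, so it is defeated by anyone who reads the shipped code, while the second keeps no secret in the code at all (only the algorithm), so publishing the source costs it nothing. The sample passwords and the iteration count are constructed values chosen for the demonstration.

```python
"""Kerckhoffs' principle in miniature: two password gates, both fully readable."""
import hashlib
import hmac
import os

# --- Design 1: security by obscurity -------------------------------------
# The "secret" is the literal itself. Reading the source (or the strings in
# a compiled .pyc) reveals it, and the check is then worthless.
_HARDCODED_PASSWORD = "hunter2"  # constructed sample value


def obscurity_check(password: str) -> bool:
    """Passes only if the caller already knows the literal baked into the code."""
    return password == _HARDCODED_PASSWORD


# --- Design 2: a keyed design that survives disclosure of the code --------
# The code states the algorithm openly (PBKDF2-HMAC-SHA256, random 16-byte
# salt). The only secret is the password, which is never stored; the record
# holds just salt, iteration count and derived key.
_ITERATIONS = 200_000  # constructed choice; tune for your deployment


def make_record(password: str) -> dict:
    """Build a storable verifier for `password` that does not contain it."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return {"salt": salt.hex(), "iterations": _ITERATIONS, "key": key.hex()}


def keyed_check(password: str, record: dict) -> bool:
    """Re-derive the key from the candidate password and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              record["iterations"])
    return hmac.compare_digest(key, bytes.fromhex(record["key"]))


if __name__ == "__main__":
    record = make_record("correct horse battery staple")
    # Everything above is public; only the password decides the outcome.
    print(keyed_check("correct horse battery staple", record))  # True
    print(keyed_check("hunter2", record))                       # False
```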


