Pyarmor, guard your python scripts

Chris Angelico rosuav at gmail.com
Tue Sep 15 18:59:36 CEST 2015


On Wed, Sep 16, 2015 at 2:40 AM, Grant Edwards <invalid at invalid.invalid> wrote:
> On 2015-09-15, Chris Angelico <rosuav at gmail.com> wrote:
>>
>>> I you may be underestimating the laziness and overestimating the
>>> cleverness of most people. ;)
>>
>> Heh :) But in that case, you can probably get away with just
>> zipimport. Deflation sure isn't encryption, but the code is pretty
>> thoroughly concealed anyway.
>
> I agree completely.  There are three categories of protection:
>
>   1) The program never leaves your computer.
>
>   2) Obfuscation to deter the idle curious from mucking about.
>
>   3) Put the source code on the interwebs.

Agreed. #3 is the protection that I use for most of my code, and it's
protected me several times from a threat that's far more serious (in
my mind) than someone ripping off my code: it's kept my code safe from
hard drive failures. Yeah, nothing like seeing errors spewing off a
drive that's suddenly died to make you appreciate distributed source
control! (Oh look, my private key is no longer accessible. How
terrible... I have to go to GitHub and register a new public key
before I can continue development. That's gonna set me back... five
whole minutes!)

#1 wasn't really viable until the always-on internet connection became
a normal thing, but today, it's actually pretty easy. Shove your
application up onto cheap hosting somewhere, and make it accessible
via the web... anyone can do it, and your code needs no obfuscation to
be truly secure.

> In category 2 you find the single-file/directory-app bundlers[1]
> (which IIRC mostly use something like zipimport) and various other
> "encryption" wrappers.  They all provide pretty much the same minimal
> "protection".
>
> [1] Most of which are intended to provide ease of distribution and
>     installation -- the obfuscation is mostly a side-effect.

Right. Anyone who thinks zipapp is good for security is wrong, but it
sure can be handy for packaging up a one-click "here, download and run
this" Windows .exe file. Any obfuscation should be seen as a freebie,
on par with the toy you get in a fast-food meal.

ChrisA
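
The point about deflation versus encryption, as an added example that is not part of the original post: a constructed one-file app is bundled with the standard-library `zipapp` module, a marker string in it is shown to be absent from the raw archive bytes, and the full source is then read back with `zipfile`. `MARKER`, `SOURCE` and the helper function names are assumptions made up for this illustration.

```python
import io
import tempfile
import zipapp
import zipfile
from pathlib import Path

# Constructed sample "application" source; MARKER stands in for any string
# an author might hope stays hidden inside a bundled app.
MARKER = b"constructed-demo-marker-0915"
SOURCE = (
    b"# demo app (constructed sample)\n"
    b"TOKEN = '" + MARKER + b"'\n"
    b"def main():\n"
    b"    print('hello from the bundle')\n"
    b"if __name__ == '__main__':\n"
    b"    main()\n"
)


def build_bundle(source: bytes) -> bytes:
    """Package source as a deflated zipapp archive and return its bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp) / "app"
        app_dir.mkdir()
        (app_dir / "__main__.py").write_bytes(source)
        out = io.BytesIO()
        zipapp.create_archive(app_dir, target=out, compressed=True)
        return out.getvalue()


def visible_to_grep(bundle: bytes, needle: bytes) -> bool:
    """What a casual look (strings/grep over the raw file) would find."""
    return needle in bundle


def recover_sources(bundle: bytes) -> dict:
    """What anyone with a zip reader gets: every member, byte for byte."""
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == "__main__":
    bundle = build_bundle(SOURCE)
    print("marker visible in raw bytes:", visible_to_grep(bundle, MARKER))
    recovered = recover_sources(bundle)
    print("recovered identical source:", recovered["__main__.py"] == SOURCE)
```

Anything that must stay confidential therefore belongs in category 1, on a machine you control, not inside the bundle.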

