Is it possible to protect python source code by compiling it to .pyc or .pyo?

[Sam]

I would like to protect my python source code. It need not be foolproof as long as it adds inconvenience to pirates.

Is it possible to protect python source code by compiling it to .pyc or .pyo? Does .pyo offer better protection?

[Ned Batchelder]

On 1/16/14 7:58 PM, Sam wrote:
> I would like to protect my python source code. It need not be foolproof as long as it adds inconvenience to pirates.
>
> Is it possible to protect python source code by compiling it to .pyc or .pyo? Does .pyo offer better protection?
>

First, .pyc and .pyo are nearly identical: they are bytecode. The only
difference is that .pyo has been "optimized", which in this case simply
means that the docstrings and asserts are gone. It is not difficult to
see what a Python program does by looking at the bytecode, and the
standard library includes the dis module for disassembling it.

How to protect your code depends an awful lot on what kinds of secrets
are in the code, and how valuable those secrets are, and therefore how
hard someone will work to get at them.

--
Ned Batchelder, http://nedbatchelder.com

[Ben Finney]

Sam <light...@gmail.com> writes:

> I would like to protect my python source code.

Protect it from what? If there's some specific activity you want to
prevent or restrict, please say what it is, since “protect” is a rather
loaded term.

> It need not be foolproof as long as it adds inconvenience to pirates.

I doubt your software will be at risk from pirates, which are raiders on
the high seas.

If you mean something more specific, please explain, because “pirate” is
an even more loaded term that doesn't explain.

--
\ “Instead of a trap door, what about a trap window? The guy |
`\ looks out it, and if he leans too far, he falls out. Wait. I |
_o__) guess that's like a regular window.” —Jack Handey |
Ben Finney

[Chris Angelico]

On Fri, Jan 17, 2014 at 11:58 AM, Sam <light...@gmail.com> wrote:
> I would like to protect my python source code. It need not be foolproof as long as it adds inconvenience to pirates.
>
> Is it possible to protect python source code by compiling it to .pyc or .pyo? Does .pyo offer better protection?
>

The only difference between pyo and pyc is that the former is with
optimization done. And neither of them offers any real security.

Even if you compiled it down to machine code, you wouldn't do much to
deter pirates. All you'd do is make it so they have to take your code
as a whole instead of piece-meal.

Fighting against piracy using technology is pretty much guaranteed to
be a losing battle. How much time and effort can you put in, versus
the whole rest of the world? And how much harassment will you permit
on your legitimate users in order to slow down a few who want to rip
you off? I've seen some programs - usually games - that put lots and
lots of checks in (checksumming the program periodically and crashing
if it's wrong, "calling home" and making sure the cryptographic hash
of the binary matches what's on the server, etc, etc)... and they
still get cracked within the first day. And then legitimate purchasers
like me have to deal with the stupidities (single-player games calling
home??), to the extent that it's actually more convenient to buy the
game and then install a cracked version from a torrent, than to
install the version you bought. And there's one particular game where
I've done exactly that. It's just way too much fiddliness to try to
make the legit version work.

Distribute your code with a copyright notice, accept that a few people
will rip you off, and have done with it.

ChrisA

[Ethan Furman]

On 01/16/2014 05:09 PM, Chris Angelico wrote:
> On Fri, Jan 17, 2014 at 11:58 AM, Sam <light...@gmail.com> wrote:

>> I would like to protect my python source code. It need not be foolproof as long as it adds inconvenience to pirates.
>>
>> Is it possible to protect python source code by compiling it to .pyc or .pyo? Does .pyo offer better protection?

No and no.

> Distribute your code with a copyright notice, accept that a few people
> will rip you off, and have done with it.

Yes. One of the nice things about Python is being able to fix bugs myself [1].

--
~Ethan~


[1] Yes, I file upstream bug reports. :)

[Steven D'Aprano]

On Thu, 16 Jan 2014 16:58:48 -0800, Sam wrote:

> I would like to protect my python source code. It need not be foolproof
> as long as it adds inconvenience to pirates.

What makes you think that "pirates" will be the least bit interested in
your code? No offence intended, I'm sure you worked really, really hard
to write it, but the internet has hundreds of gigabytes of free and open
source software which is easily and legally available, not to mention
easily available (legally or not) non-free software at a relatively cheap
price. Chances are that your biggest problem will not be piracy, but
getting anyone to care or even notice that your program exists.

> Is it possible to protect python source code by compiling it to .pyc or
> .pyo? Does .pyo offer better protection?

Compiling to .pyc or .pyo will not give any protection from software
piracy, since they can just copy the .pyc or .pyo file. It will give a
tiny bit of protection from people reading your code, but any competent
Python programmer ought to be able to use the dis module to read the byte
code.

Perhaps if you explain what your program is, and why you think it needs
protection, we can give you some concrete advice.



--
Steven

[Joshua Landau]

On 17 January 2014 00:58, Sam <light...@gmail.com> wrote:
> I would like to protect my python source code. It need not be foolproof as long as it adds inconvenience to pirates.
>
> Is it possible to protect python source code by compiling it to .pyc or .pyo? Does .pyo offer better protection?

If you're worried about something akin to corporate espionage or
some-such, I don't know of a better way than ShedSkin or Cython. Both
of those will be far harder to snatch the source of. Cython will be
particularly easy to use as it is largely compatible with Python
codebases.

I offer no opinions, however, on whether this is a task worth doing. I
only suggest you consider the disadvantages and how they apply to your
individual case.

[Tim Delaney]

On 18 January 2014 08:31, Joshua Landau <jos...@landau.ws> wrote:

On 17 January 2014 00:58, Sam <light...@gmail.com> wrote:

> I would like to protect my python source code. It need not be foolproof as long as it adds inconvenience to pirates.
>
> Is it possible to protect python source code by compiling it to .pyc or .pyo? Does .pyo offer better protection?

If you're worried about something akin to corporate espionage or
some-such, I don't know of a better way than ShedSkin or Cython. Both
of those will be far harder to snatch the source of. Cython will be
particularly easy to use as it is largely compatible with Python
codebases.

Indeed - I've only had one time someone absolutely insisted that this be done (for trade secret reasons - there needed to be a good-faith attempt to prevent others from trivially getting the source). I pointed them at Pyrex (this was before Cython, or at least before it was dominant). They fully understood that it wouldn't stop a determined attacker - this was a place where a large number of the developers were used to working on bare metal.

If you're going to do this, I strongly suggest only using Cython on code that needs to be obscured (and if applicable, performance-critical sections). I'm currently working with a system which works this way - edge scripts in uncompiled .py files, and inner code as compiled extensions. The .py files have been really useful for interoperability purposes e.g. I was able to verify yesterday that one of the scripts had a bug in its command-line parsing and I wasn't going insane after all.

Also, remember that any extension can be imported and poked at (e.g. in the interactive interpreter). You'd be surprised just how much information you can get that way just using help, dir, print and some experimentation. The output I was parsing from one of the scripts was ambiguous, and it was one where most of the work was done in an extension. I was able to poke around using the interactive interpreter understand what it was doing and obtain the data in an unambiguous manner to verify against my parser.

The only way to truly protect code is to not ship any version of it (compiled or otherwise), but have the important parts hosted remotely under your control (and do your best to ensure it doesn't become compromised).

Tim Delaney