comp.lang.python

Shipping Executables

rodmc

2/16/2010 9:41:00 PM

Hi,

I have been merrily programming away in Python now for a few years and
have a couple of applications I would like to possibly publish at some
point - with the exception of certain libraries they are more or less
100% Python. However I have read elsewhere online that Python due to
its architecture is not so good for this, especially as it is easier
for people to hack into the code. Also where software requires some
security aspects I guess it would also not be much use, is this
correct?

Anyway I would appreciate any views or tips that people have?

Kind regards,

rod
9 Answers

geremy condra

2/16/2010 10:26:00 PM

0

On Tue, Feb 16, 2010 at 4:41 PM, rodmc <userprogoogle-139@yahoo.co.uk> wrote:
> Hi,
>
> I have been merrily programming away in Python now for a few years and
> have a couple of applications I would like to possibly publish at some
> point - with the exception of certain libraries they are more or less
> 100% Python. However I have read elsewhere online that Python due to
> its architecture is not so good for this, especially as it is easier
> for people to hack into the code.

If you mean that it is difficult to stop people from modifying the
source code, then you're correct. If you mean that python
programs are more likely to have security problems than, say,
C, I think it's safe to assume that you're not correct about that.

> Also where software requires some
> security aspects I guess it would also not be much use, is this
> correct?

I've never had any reason to feel more concerned about the
code that I write in python, and I use it for crypto research.

> Anyway I would appreciate any views or tips that people have?

I'd worry about developing a product worth stealing before I
worried about people stealing it ;)

Geremy Condra

Philip Semanchuk

2/17/2010 12:23:00 AM

0


On Feb 16, 2010, at 4:41 PM, rodmc wrote:

> Hi,
>
> I have been merrily programming away in Python now for a few years and
> have a couple of applications I would like to possibly publish at some
> point - with the exception of certain libraries they are more or less
> 100% Python. However I have read elsewhere online that Python due to
> its architecture is not so good for this, especially as it is easier
> for people to hack into the code. Also where software requires some
> security aspects I guess it would also not be much use, is this
> correct?


Hi Rod,
The user's ability to hack into the code is usually considered one of
the strengths of Python & open source software in general. Since most
Python software that's distributed is open source, you're doing
something different than most. It'd help if you explain how you want
your software to differ from a typical open source distribution. Do
you not want people to change the code? Are you worried about your
code & ideas being stolen?



bye
Philip

Steven D'Aprano

2/17/2010 2:11:00 AM

0

On Tue, 16 Feb 2010 13:41:21 -0800, rodmc wrote:

> Hi,
>
> I have been merrily programming away in Python now for a few years and
> have a couple of applications I would like to possibly publish at some
> point - with the exception of certain libraries they are more or less
> 100% Python. However I have read elsewhere online that Python due to
> it's architecture is not so good for this, especially as it is easier
> for people to hack into the code.

Looks like you are looking to apply the philosophy "No user serviceable
parts inside".



> Also where software requires some
> security aspects I guess it would also not be much use, is this correct?

Absolutely 100% wrong. It is a fundamental principle of security that
you must not assume that the enemy is ignorant of your procedures.
"Security by obscurity" is not security at all.

See, for example:

http://en.wikipedia.org/wiki/Kerckhoffs'...

If you are trusting that your software will be secure because people
cannot read the source code, you have already failed. Hackers break into
computer systems without the source code as a matter of course: allowing
the source to be available generally makes so little difference as to be
no difference. Worse, keeping the source code secret *as a security
measure* lulls people into a false sense of security, letting them use
weak security confident that since nobody knows how weak it is, it will
be strong. That's not how it works.

If you have other reasons for wanting to keep the source code secret,
that's one thing. But doing it because it is more secure is foolish:
software simply isn't more secure when supplied as a binary instead of
source code.


> Anyway I would appreciate any views or tips that people have?

Don't worry about it. If your application is secure, it will be secure
even if everybody knows how it works. If it's not secure, then the bad
guys will learn how it works even without the source code.



--
Steven

geremy condra

2/17/2010 7:01:00 AM

0

On Wed, Feb 17, 2010 at 1:10 AM, Banibrata Dutta
<banibrata.dutta@gmail.com> wrote:
>
>
> On Wed, Feb 17, 2010 at 7:41 AM, Steven D'Aprano
> <steven@remove.this.cybersource.com.au> wrote:
>>
>> > security aspects I guess it would also not be much use, is this correct?
>> Absolutely 100% wrong. It is a fundamental principle of security that
>> you must not assume that the enemy is ignorant of your procedures.
>> "Security by obscurity" is not security at all.
>>
>> See, for example:
>>
>> http://en.wikipedia.org/wiki/Kerckhoffs'...
>>
> I believe the use of the word 'security' wasn't the best choice to describe the
> need, if I understand the original poster's intentions. The intentions of
> original poster were "intellectual property protection",

Which has little to do with the language in question.

> where-in they have
> indeed created something worth stealing, and would like to put it under
> lock-n-key. For that purpose, I do not think Python is the right choice.

Why?

> BTW for people who are non-believers in something being worth stealing
> needing protection, need to read about the Skype client.

Most of the people I know who were interested in REing skype were
a lot more interested in either interoperating with the protocol or ensuring
that skype wasn't deliberately including malware or a backdoor. In any
event I don't see this having anything to do with Python.

Geremy Condra

Steven D'Aprano

2/17/2010 7:36:00 AM

0

On Wed, 17 Feb 2010 02:00:59 -0500, geremy condra quoted Banibrata Dutta
<banibrata.dutta@gmail.com>:

>> BTW for people who are non-believers in something being worth stealing
>> needing protection, need to read about the Skype client.

Pardon me for breaking threading, but the original post has not come
through to my provider, only the reply from Geremy.

Many things are worth stealing and therefore need protection.

In any case, reverse engineering software is not theft. And even if it
were, keeping the source code secret is no barrier to a competent,
determined attacker or investigator. Skype is a good example: despite the
lack of source code and the secret protocol, analysts were able to
discover that TOM-Skype sends personally identifiable information,
encryption keys and private messages back to central servers.

In my personal opinion, releasing closed source software is prima facie
evidence that the software is or does something bad: leaking personal
information, infringing somebody else's copyright or patent, or just
being badly written. I'm not saying that every piece of closed source
software is like that, but when you hide the source, the burden of proof
is on you to prove that you're not hiding something unpleasant.



--
Steven

Steve Holden

2/17/2010 7:39:00 AM

0

geremy condra wrote:
[...]
> I'd worry about developing a product worth stealing before I
> worried about people stealing it ;)
>
> Geremy Condra

+1 FAQ entry!

regards
Steve
--
Steve Holden +1 571 484 6266 +1 800 494 3119
PyCon is coming! Atlanta, Feb 2010 http://us....
Holden Web LLC http://www.hold...
UPCOMING EVENTS: http://holdenweb.event...

Steve Holden

2/17/2010 7:40:00 AM

0

Philip Semanchuk wrote:
>
> On Feb 16, 2010, at 4:41 PM, rodmc wrote:
>
>> Hi,
>>
>> I have been merrily programming away in Python now for a few years and
>> have a couple of applications I would like to possibly publish at some
>> point - with the exception of certain libraries they are more or less
>> 100% Python. However I have read elsewhere online that Python due to
>> its architecture is not so good for this, especially as it is easier
>> for people to hack into the code. Also where software requires some
>> security aspects I guess it would also not be much use, is this
>> correct?
>
>
> Hi Rod,
> The user's ability to hack into the code is usually considered one of
> the strengths of Python & open source software in general. Since most
> Python software that's distributed is open source, you're doing
> something different than most. It'd help if you explain how you want
> your software to differ from a typical open source distribution. Do you
> not want people to change the code? Are you worried about your code &
> ideas being stolen?
>
Do remember, though, that the Python license absolutely allows you to
create both open source and proprietary products as you choose.

regards
Steve
--
Steve Holden +1 571 484 6266 +1 800 494 3119
PyCon is coming! Atlanta, Feb 2010 http://us....
Holden Web LLC http://www.hold...
UPCOMING EVENTS: http://holdenweb.event...

rodmc

2/17/2010 1:54:00 PM

0


> > Hi Rod,
> > The user's ability to hack into the code is usually considered one of
> > the strengths of Python & open source software in general. Since most
> > Python software that's distributed  is open source, you're doing
> > something different than most. It'd help if you explain how you want
> > your software to differ from a typical open source distribution. Do you
> > not want people to change the code? Are you worried about your code &
> > ideas being stolen?

Thanks to everyone for their replies.

Normally I have no problem with adopting an open source model, indeed
I usually encourage it. However the main problem was related to end-user
licensing, e.g. via some form of registration key. The other
problem was related to end-user private data and sending this via a
secure Internet connection. While I am ok with the secure Internet
connection side of it, I was concerned that with the source code being
available to others the security may in some way be reduced; however I
note one reply which says this is not the case.


Kind regards,

rod
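The registration-key concern above is a good place to see the Kerckhoffs point from earlier in the thread in code. The example below is added here and is not from any poster: it contrasts a key check whose only "secret" is the algorithm shipped inside the client (so anyone who reads the source can issue keys) with one whose secret is a vendor-side HMAC key that never ships, so publishing the client source gives away nothing. The secret and customer names are constructed values.

```python
import hashlib
import hmac

# Design 1: the validity rule lives entirely in the shipped client.
# This is security by obscurity: decompiling the client reveals weak_issue,
# so anyone can mint a key for any name. Reading the source breaks it.
def weak_issue(customer: str) -> str:
    digest = hashlib.sha256(customer.encode()).hexdigest()[:8]
    return f"{customer}-{digest}"

def weak_check(key: str) -> bool:
    customer, _, digest = key.rpartition("-")
    return hashlib.sha256(customer.encode()).hexdigest()[:8] == digest

# Design 2: the mechanism is public, the secret is a key held only by the
# vendor's issuing/activation service. The shipped client contains no
# secret and merely forwards the key, so open source costs nothing here.
def vendor_issue(secret: bytes, customer: str) -> str:
    tag = hmac.new(secret, customer.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{customer}-{tag}"

def vendor_activate(secret: bytes, key: str) -> bool:
    customer, _, tag = key.rpartition("-")
    expected = hmac.new(secret, customer.encode(), hashlib.sha256).hexdigest()[:16]
    # constant-time comparison avoids leaking how many characters matched
    return hmac.compare_digest(expected, tag)

def demo() -> dict:
    """Show what full knowledge of the code buys in each design (constructed data)."""
    vendor_secret = b"constructed-vendor-secret-not-in-client"
    # Someone who read the source knows the algorithm but not the vendor secret;
    # the best they can do is run the public algorithm with a guessed key.
    guessed_secret = b"guess"
    return {
        # design 1: knowing the code is enough to produce an accepted key
        "weak_accepts_self_issued": weak_check(weak_issue("mallory")),
        # design 2: a legitimately issued key activates ...
        "vendor_accepts_issued": vendor_activate(
            vendor_secret, vendor_issue(vendor_secret, "alice")),
        # ... but a key built with the public algorithm and a wrong secret does not
        "vendor_accepts_guessed": vendor_activate(
            vendor_secret, vendor_issue(guessed_secret, "mallory")),
    }

if __name__ == "__main__":
    print(demo())
```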

Gib Bogle

2/21/2010 7:13:00 AM

0

Steven D'Aprano wrote:
> On Wed, 17 Feb 2010 02:00:59 -0500, geremy condra quoted Banibrata Dutta
> <banibrata.dutta@gmail.com>:
>
>>> BTW for people who are non-believers in something being worth stealing
>>> needing protection, need to read about the Skype client.
>
> Pardon me for breaking threading, but the original post has not come
> through to my provider, only the reply from Geremy.
>
> Many things are worth stealing and therefore need protection.
>
> In any case, reverse engineering software is not theft. And even if it
> were, keeping the source code secret is no barrier to a competent,
> determined attacker or investigator. Skype is a good example: despite the
> lack of source code and the secret protocol, analysts were able to
> discover that TOM-Skype sends personally identifiable information,
> encryption keys and private messages back to central servers.
>
> In my personal opinion, releasing closed source software is prima facie
> evidence that the software is or does something bad: leaking personal
> information, infringing somebody else's copyright or patent, or just
> being badly written. I'm not saying that every piece of closed source
> software is like that, but when you hide the source, the burden of proof
> is on you to prove that you're not hiding something unpleasant.

You are assuming that everyone who might be interested in copying your code is
able to reverse-engineer it. That might be true for software with a high
commercial value, but it is by no means true for all software. And in saying
"when you hide the source, the burden of proof is on you to prove that you're
not hiding something unpleasant" you are tacitly assuming that the users of the
software care about having such a thing proven. I submit that most users do not
have this "guilty until proven innocent" attitude.

To give a personal example: I plan soon to distribute (free) to anyone
interested some scientific software. For various reasons I do not intend to
distribute the source code at this stage. I'm quite confident that the users
(biologists) will have neither the desire nor the ability to reverse-engineer
it. Of course I'd be tremendously flattered if they did want to. I'm also
confident that they will not suspect me of "hiding something unpleasant". In
the worst case they might think the program is useless.