I’m deploying a Python application using PyInstaller, but instead of bundling everything normally, I’m embedding a custom Python interpreter and loading several internal packages from a separate folder. The structure looks something like this:
Each of these packages contains Python source files that my embedded interpreter imports at runtime.
My goal
I want to prevent users from accessing the source code inside these packages. Ideally, I’d like to distribute only compiled modules, not the original .py files
Nuitka should compile your Python code. I’ve not looked in to whether it can link in a custom Python interpreter instead of a normal one, but it’s pretty flexible.
Compiling your Python code with the Apache 2.0 option will deter casual snoopers just as much as compiling any other language will.
There is a commercial add on for Nuitka too that adds more security hardening. I’ve not used that, but it looks well thought out, and Kay’s a genuine wizard.
Not sure how well it’ll play with bundling into PyInstaller, but I added DLL packing into my pymsbuild backend for this kind of thing. It precompiles source files to .pyc and then bundles them into a normal looking .pyd/.so, so that you can carry an entire package worth of sources/data as a single file.
I added an encryption option as a proof-of-concept, but it’s really not worth it. The main thing I needed was to minimise disk IO while remaining entire read-only and not using extraction, which is important for a lot of our stuff at work.
We also use it for the Python install manager, which is mostly written in Python, but it’s more about reducing load time than hiding the sources (since it’s an OSS project, that would be a silly thing to do!)