Source code protection for potential on premise commercial use

Hi,
I have developed an application for commercial use using Python code and libs. My client wants me to install/deploy the server components on his local server managed by his IT guy and not in the cloud! I am wary of doing that as I understand it is “reasonably easy” to reverse engineer the Python code. I am really concerned about losing my IP!

Questions:
a) Is reverse engineering possible by the user? If yes,
b) How can I secure my code through preventing access to source and/or controlled in a manner that it cannot be surreptitiously “reverse-engineered” by my client? (exclude legal options advice for me as the developer to chase :wink: )
c) Can I compile the Python code to turn it into a binary?

Any help/advice is greatly appreciated!

Thanks in advance.
Tc

The fact that Python is commonly distributed as source code does
make it somewhat easier to see how it works, but your concern stands
no matter what language you write the application in. If you provide
software to someone so that they can run it, that software can
always be reverse-engineered, decompiled, disassembled, et cetera.

There are a variety of application packaging toolchains that can
compile your Python to some other executable format, but at best
you’re merely obscuring it. This is no roadblock to a determined
adversary who is already willing to violate your license and risk
being sued for doing so.

The only real “protection” for your intellectual property is legal
protection. Software you write is protected by international
copyright law. Talk to your lawyer about it.

1 Like

a) Yes
b) Not really worth the hassle
c) No.

Ultimately, if someone gets access to the code, they can use it. This is true no matter how much you obfuscate it. And for the record, tools that “compile” Python code tend not to do any sort of obfuscation (their main purpose is not to hide code, it’s to make a single-file runtime).

But no matter how much your client reads through the code, they won’t know it as well as you do. Take advantage of that. Offer a reasonable rate on continued support, so that it’s cheaper to hire you to make changes than to pay someone in-house to try to leaf through all of your code and figure out what it’s doing. (Trust me: I’ve been in the “leaf through someone else’s code” position enough times to know that it’s a HUGE job.) That, plus legal restrictions (giving them a license to use the code but not to modify it), should be sufficient.

3 Likes
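The point made in the reply above, that tools which "compile" Python do not hide the code, can be checked directly. This is an added example, not code from any poster in the thread: it compiles a constructed sample module to the marshalled bytecode that a .pyc file carries and lists the identifiers and literals that stay readable. `SAMPLE_SOURCE`, `pyc_payload` and `recoverable_artifacts` are names assumed for illustration.

```python
import marshal
import types

# Constructed sample standing in for a proprietary module (not from the thread).
SAMPLE_SOURCE = '''
LICENSE_SALT = "constructed-salt-value"

def price_quote(units, tier):
    discount = 0.15 if tier == "gold" else 0.0
    return round(units * 42.5 * (1 - discount), 2)
'''


def pyc_payload(source, filename="pricing.py"):
    """Compile source and return the marshalled code object.

    A .pyc file is a short header followed by exactly this payload.
    """
    return marshal.dumps(compile(source, filename, "exec"))


def recoverable_artifacts(payload):
    """Collect identifiers and literal constants readable from the bytecode."""
    names, strings, numbers = set(), set(), set()
    pending = [marshal.loads(payload)]
    while pending:
        code = pending.pop()
        names.add(code.co_name)
        names.update(code.co_names)     # globals, attributes, imports
        names.update(code.co_varnames)  # arguments and local variables
        for const in code.co_consts:
            if isinstance(const, types.CodeType):
                pending.append(const)   # nested function or class body
            elif isinstance(const, str):
                strings.add(const)
            elif isinstance(const, float):
                numbers.add(const)
    return {"names": names, "strings": strings, "numbers": numbers}


if __name__ == "__main__":
    found = recoverable_artifacts(pyc_payload(SAMPLE_SOURCE))
    for kind in ("names", "strings", "numbers"):
        print(kind, sorted(found[kind]))
```

Running the same audit over your own modules before delivery shows which names, strings and numeric constants an on-premise customer would be able to read.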

talking about a commercial program, so I’m not going to participate.
I suddenly thought that I often saw stories of obfuscation in Lua.

I looked up XXTEA obfuscated compilation in Lua, but I didn’t understand it in the end.
Obfuscation article by old Lua compile option in my country
(【Cocos2d-x】Luaスクリプトを簡単に暗号化 [Easily encrypting Lua scripts] - Qiita)
I’m reading this topic, wondering if I would replace some of them with a language with such support (I’m a beginner).
I will post it in the hope that it will be of some help.

It may be just an easy barrier for those who “intend to steal”, as everyone says.

If you want to “secure” the code more, you could consider compiling everything in Cython and distributing only the .so or .dll file together with a simple driver script in pure Python? This is simple, and should make it quite a bit harder for others to modify the code. So, it could give you more leverage when negotiating a support contract. Compiling pure Python code in Cython also tends to speed things up a bit, so it’s kind of a win-win :slight_smile:

I am really concerned about losing my IP!

If you distribute your code with a clear license you could openly discuss this with your client. The copyright remains yours, unless you explicitly give it up, but the license could also stipulate whether or not modification, further distribution, patent development, etc. are allowed. Ultimately you should consult a lawyer. (Your contract should clearly state who owns the IP, I would think?)

1 Like

Obfuscation techniques exist in all languages. But fundamentally, they don’t do anything to stop someone from taking your code and reusing it, and all they do is make it a bit harder to comprehend what’s going on.

Better to use other methods.

Good news and bad news. If you’ve signed a contract for your client, or if they’ve paid you, the bad news is normally they would own the IP, not you. The good news is, securing their IP is their concern, and you are ideally placed to carry out further development for them e.g. as a contract extension or follow up work package. Otherwise, just don’t worry about securing Python code.

If you’ve independently developed a product, while not under contract to anyone else, then you do own the IP. Again, just don’t worry about securing Python code. Piracy will happen. It’s seldom worth worrying about. Deal with it commercially under an EULA. In this situation, it’s all just business. It’s completely up to you what price to sell a license for, and what terms you put in that license. Negotiate the price you want for whatever rights the customer is asking. You’re perfectly within your rights to supply your service via the cloud that reduces your risk and protects your IP, for one price. Yet also at your discretion, under a suitable contract, let a customer run it on prem under a different license for a different price.

3 Likes

In my case, I was researching how to use it for text-based game programs
Maybe that’s a little useful. :slight_smile:

Thank you James!

1 Like