Hello,
on the filesystem we see files ending with .py and with .pyc - what's happening inside the ZODB? If I want to sell a Zope Product, can I safely delete all sources (.py)?
How to shut the backdoor inside the ZODB? Can we somehow remove the ZMI (the sources or better all the functionality of the Zope Management Interface)?
--
Best Regards, Marc Roland AICAT CA Technologies GmbH Dipl.-Ing.(FH) System Consultant Friedrich-Karl-Str. 101-103 Fon:+49/(0)221/971445-0 Fax:-5 Germany-50735 Koeln (Niehl)
Marc Roland wrote:
Hello,
on the filesystem we see files ending with .py and with .pyc - what's happening inside the ZODB? If I want to sell a Zope Product, can I safely delete all sources (.py)?
Yes. But be aware that the pyc files can be relatively easily decompiled.
How to shut the backdoor inside the ZODB? Can we somehow remove the ZMI (the sources or better all the functionality of the Zope Management Interface)?
It all depends on the situation. In that case you would probably want to add a new user. A sub-manager that could then visit the management interfaces he was allowed to. Or you could write custom interfaces for your app.
--
hilsen/regards Max M Rasmussen, Denmark
http://www.futureport.dk/
The future, science, skepticism and transhumanism
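What a .pyc still carries once the .py is deleted, as an added example that is not part of the original thread: the sample module, its names and the `recoverable_from_pyc` helper are constructed for illustration, and the 16-byte header offset assumes Python 3.7 or later.

```python
import marshal
import py_compile
import tempfile
import types
from pathlib import Path

# Constructed stand-in for a product module; not code from the thread.
SAMPLE_SOURCE = '''
LICENSE_SALT = "constructed-example-salt"

def check_license(key):
    expected = sum(ord(c) for c in LICENSE_SALT) % 9973
    return int(key) == expected
'''


def compile_without_source(source: str) -> bytes:
    """Compile source to a .pyc, delete the .py, and return the .pyc bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        py = Path(tmp) / "product.py"
        pyc = Path(tmp) / "product.pyc"
        py.write_text(source)
        py_compile.compile(str(py), cfile=str(pyc), doraise=True)
        py.unlink()  # only the compiled file is "shipped"
        return pyc.read_bytes()


def recoverable_from_pyc(pyc_bytes: bytes) -> dict:
    """List function names, identifiers and string constants in the bytecode."""
    # Skip the header (magic, flags, mtime or hash, size): 16 bytes on 3.7+.
    module_code = marshal.loads(pyc_bytes[16:])
    found = {"functions": [], "names": set(), "strings": set()}
    stack = [module_code]
    while stack:
        co = stack.pop()
        found["names"].update(co.co_names)     # globals, attributes, builtins
        found["names"].update(co.co_varnames)  # arguments and locals
        for const in co.co_consts:
            if isinstance(const, str):
                found["strings"].add(const)
            elif isinstance(const, types.CodeType):
                found["functions"].append(const.co_name)
                stack.append(const)            # descend into nested code
    return found
```

Running `recoverable_from_pyc(compile_without_source(SAMPLE_SOURCE))` returns the function name, its argument and local names, and the embedded string, all without the source file.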
Max M wrote:
Yes. But be aware that the pyc files can be relatively easily decompiled.
How to shut the backdoor inside the ZODB? Can we somehow remove the ZMI (the sources or better all the functionality of the Zope Management Interface)?
It all depends on the situation. In that case you would probably want to add a new user. A sub-manager that could then visit the management interfaces he was allowed to. Or you could write custom interfaces for your app.
What I think is that inside the ZODB there are also two 'kinds of files'. Perhaps uncompiled and precompiled PythonScript? And source of all DTML -Methods and -Documents. With the ZMI you can look into the content of the ZODB.
I want to create a CD-ROM with an autostarting ZServer. But my intention is to prevent the sources. At least a little bit. On the CD-ROM there is no need for a working ZMI any more, because the application should now be static (frozen version).
So. How can we hide the sources from curious people?
--
Best Regards, Marc Roland AICAT CA Technologies GmbH Dipl.-Ing.(FH) System Consultant Friedrich-Karl-Str. 101-103 Fon:+49/(0)221/971445-0 Fax:-5 Germany-50735 Koeln (Niehl)
On Tue, Jan 28, 2003 at 04:00:17PM +0100, Marc Roland wrote:
So. How can we hide the sources from curious people?
depending on their curiosity, a short answer may be : YOU CAN'T
hth
Jerome Alet
--
(c) 1928-???? The letters U, S, and A and the U.S.A. flag are the copyrighted property of Disney Enterprises Inc. Any infringement will be punished with the death penalty. Details : http://yro.slashdot.org/article.pl?sid=03/01/15/1528253&tid=123
From: "Marc Roland" <mroland@aicat.de>
So. How can we hide the sources from curious people?
There's exactly one way to do this well: maintain control of the file system. He who has root owns Zope and all that comes with it. That includes any code done in Python and all data saved in ZODB.
Where I've felt any particular proprietary interest in my code, I've arranged to structure the payment as an ongoing service contract, not as a one-time contract programming purchase. I do application hosting mostly, but in one case, I have a client who is using *my* hardware on their LAN. I don't worry about obscuring my code or protecting against client "improvements" because I'm the only person who can get at it.
This is a good arrangement for the client, as it makes the cost of entry lower and pretty much everyone knows what a pain it is to use software that lacks service and support. Hosted apps aren't usually what customers think they want, but it's not that hard a sell if you provide some kind of code/password escrow to protect the customer against your untimely demise and/or bankruptcy.
You may also find that the value of your code is enhanced by opening it up. But that's another discussion... :-)
HTH,
Dylan
Marc Roland wrote at 2003-1-28 09:51 +0100:
on the filesystem we see files ending with .py and with .pyc -
You can look at tools that combine Python modules and packages into a big binary. "Freeze", "McMillan Installer" and something from eGenix are examples.
When you look at the source of these tools, you can even encrypt the content (of course, the binary contains the decryption key; thus an expert will be able to get at the content...).
what's happening inside the ZODB?
It stores objects as pickles. Customizing the storage, you can again use encryption.
Of course, again, the binary contains the decryption key....
... How to shut the backdoor inside the ZODB? Can we somehow remove the ZMI (the sources or better all the functionality of the Zope Management Interface)?
The management functions are protected by permissions.
You can set up a permission mapping such that only the "Emergency User" would be able to use them. Changing the Zope Code, you can prevent the definition of an "Emergency User". But beware, this may hit you, too. It would probably be better to change the way the emergency user is defined.
I would not go this difficult route but bind the customer by an appropriate agreement (such that he does not sell your work) and by excellent support (such that he lets you do extensions rather than do it himself or a different contractor).
Dieter
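Why objects stored as pickles stay readable to anyone holding the storage file, as an added example that is not part of the original thread: the record below is constructed, and its layout (a class-reference pickle followed by a state pickle) and attribute names are assumptions made for illustration, not a dump from a real Data.fs.

```python
import io
import pickle
import pickletools


def make_record(class_ref: tuple, state: dict) -> bytes:
    """Build a constructed record: class-reference pickle, then state pickle."""
    return pickle.dumps(class_ref, protocol=2) + pickle.dumps(state, protocol=2)


def readable_strings(record: bytes) -> list:
    """Collect the text held in every pickle of the record, opcode by opcode.

    pickletools.genops only decodes the stream; it never imports classes or
    calls reducers, so unlike pickle.loads it is safe on untrusted bytes.
    """
    stream = io.BytesIO(record)
    found = []
    # genops stops after each STOP opcode, so loop until the buffer is spent.
    while stream.tell() < len(record):
        for _opcode, arg, _pos in pickletools.genops(stream):
            if isinstance(arg, str):
                found.append(arg)
            elif isinstance(arg, bytes):
                found.append(arg.decode("latin-1"))
    return found


# Constructed sample: a template object whose source text is plain state.
SAMPLE_RECORD = make_record(
    ("OFS.DTMLMethod", "DTMLMethod"),
    {"__name__": "index_html", "raw": "<dtml-var standard_html_header>..."},
)
```

`readable_strings(SAMPLE_RECORD)` returns the class reference, the attribute names and the template source in order, which is the exposure that a customized, encrypting storage only moves to wherever its key is kept.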
participants (6)
- Dieter Maurer
- Dylan Reinhardt
- Jerome Alet
- Lennart Regebro
- Marc Roland
- Max M