[Zope] Obfuscating Python script

Dylan Reinhardt zope@dylanreinhardt.com
Tue, 21 Jan 2003 17:28:24 -0800


At 03:23 PM 1/21/2003, Satheesh Babu wrote:
>I need to make an app running off of an Access DB pretty quickly.

This sentence and "hey y'all, watch this" may well be the two things most 
commonly said right before a disaster. :-)

>My thinking is to implement logic using Python scripts. Is there any way
>one can obfuscate the script?

You can *uglify* it for sure.  You might slow down an experienced developer 
for a couple minutes.

But the larger answer to your question is no and if you're interested there 
are about 100 pieces of conventional wisdom on why this would be a bad idea 
anyway.

Also, there's really no such thing as "secret" data in an Access DB.  You 
know that already, right?

>May be write it as an ExternalMethod and only put in .pyc in Extensions?

You might as well just name the file secret_validation_code since the main 
thing protecting it will be your file system.

>Another way to do this would be to implement validation only in
>Javascript which can be pretty easily obfuscated.

Javascript is obfuscated out of the box, isn't it?  :-)

Javascript is a *very* bad choice for any important validation for at least 
2 reasons:
1. It's easily bypassed.
2. It's certain to work differently across platforms.

Worst of all (from your standpoint), you'd be pushing your highly sensitive 
algorithms to the client in plaintext.  Yikes!

If your algorithm is actually that sensitive, I'd write it as a library in 
C.  If it isn't worth doing that way, just use your file system to restrict 
access.

My $.02

Dylan