Re: Pyarmor, guard your python scripts

2015-10-06 Thread Josef Pktd 
On Monday, October 5, 2015 at 11:27:58 PM UTC-4, Ian wrote:
> On Oct 5, 2015 4:27 PM, "Ben Finney"  wrote:
> 
> >
> 
> > Josef Pktd  writes:
> 
> >
> 
> > > related
> 
> >
> 
> > Care to give us a summary of what that is, and describe what you think
> 
> > is the relevant point?
> 
> Following the link reveals it to be the video of a talk on Python exe 
> compilation from PyCon 2014.
> 
> If you're worried about the safety of the link, know that youtu.be is the 
> official URL shortener for YouTube and only leads to YouTube videos.

The talk is by Brandon Rhodes that I found quite refreshing the first time I 
attended Pycon https://us.pycon.org/2014/schedule/presentation/201/
The approach is building an exe file, but the motivation is the same as here.

About the keys:

Consider it as price discrimination between "cheap" hackers and plain users.

When I was a student I wasn't very reluctant to install cracked versions, but 
as far as I remember, I haven't installed a cracked version of a program in 15 
years or so. 
All the application and music on the ipads in my family are legitimate 
versions, either free minimal functionality versions or purchased on apps store 
or through itunes.

The python community in general seems to be a lot in favor of SaaS but not much 
in favor of selling (small) software products. When we got our first ipad, (I'm 
traditionally a Windows user) I was surprised how large the market for small 
and larger programs is and the opportunities that it provides for single 
developers or small groups of developers. In contrast, SaaS requires a much 
larger setup cost and larger scale.

I pretty much share Jondy Zhao's view.


That doesn't mean it's always a good idea. I have been working for many years 
on BSD licensed open source software.

Josef

-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-10-05 Thread sohcahtoa82 
On Thursday, September 17, 2015 at 10:55:19 PM UTC-7, Jondy Zhao wrote:
> On Friday, September 18, 2015 at 11:06:25 AM UTC+8, Ben Finney wrote:
> > Jondy Zhao  writes:
> > 
> > > For example, I develop a game by python. What I want to do is that the
> > > player or the agent could not simply copy the game to others. For the
> > > player or the agent, they needn't research the game.
> > 
> > Deciding for the customer what they may not do, on their own computer,
> > is quite hostile. Please don't enable such restrictions.
> > 
> 
> This is only one possible way to distribute encrypted scripts. As I thought 
> the user of Pyarmor would be the producer of commercial software, so they 
> could bind their license file to netcard, harddisk, cpu, etc.
> 
> > -- 
> >  \   "We must find our way to a time when faith, without evidence, |
> >   `\disgraces anyone who would claim it." --Sam Harris, _The End of |
> > _o__) Faith_, 2004 |
> > Ben Finney

DRM does not prevent piracy.

End of story.

The only thing DRM does is piss off your legitimate users by forcing them to 
jump through hoops if they happen to upgrade or replace their computer.
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-10-05 Thread Ben Finney 
Josef Pktd  writes:

> related

Care to give us a summary of what that is, and describe what you think
is the relevant point?

-- 
 \  “The best way to get information on Usenet is not to ask a |
  `\   question, but to post the wrong information.” —Aahz |
_o__)  |
Ben Finney

-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-10-05 Thread Ian Kelly 
On Oct 5, 2015 4:27 PM, "Ben Finney"  wrote:
>
> Josef Pktd  writes:
>
> > related
>
> Care to give us a summary of what that is, and describe what you think
> is the relevant point?

Following the link reveals it to be the video of a talk on Python exe
compilation from PyCon 2014.

If you're worried about the safety of the link, know that youtu.be is the
official URL shortener for YouTube and only leads to YouTube videos.
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-10-05 Thread Josef Pktd 
related
https://youtu.be/wsczq6j3_bA?t=20m9s

Josef
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-18 Thread Jondy Zhao 
On Friday, September 18, 2015 at 11:06:25 AM UTC+8, Ben Finney wrote:
> Jondy Zhao  writes:
> 
> > For example, I develop a game by python. What I want to do is that the
> > player or the agent could not simply copy the game to others. For the
> > player or the agent, they needn't research the game.
> 
> Deciding for the customer what they may not do, on their own computer,
> is quite hostile. Please don't enable such restrictions.
> 

This is only one possible way to distribute encrypted scripts. As I thought the 
user of Pyarmor would be the producer of commercial software, so they could 
bind their license file to netcard, harddisk, cpu, etc.

> -- 
>  \   "We must find our way to a time when faith, without evidence, |
>   `\disgraces anyone who would claim it." --Sam Harris, _The End of |
> _o__) Faith_, 2004 |
> Ben Finney

-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-18 Thread Chris Angelico 
On Fri, Sep 18, 2015 at 6:05 PM, Jondy Zhao  wrote:
> I know you hate it. But I have purchased some commercial software in this way 
> before, a tool named ERWIN used to create relation database. The license I 
> got from software provider is bind to the network card of my PC. I can't use 
> this tool in any other machine. This is true case.
>
> The world is wide, maybe it's better to be tolerant of all things.

Tolerant, perhaps - but that doesn't mean we encourage it. So, first
and foremost, I *will not* code anything that encourages people to do
this. And secondly, I generally will not buy anything that uses any
form of DRM. (There are a *very* few exceptions.) Frankly, I'd prefer
to pirate something and then make a donation to the author than buy it
with DRM.

So. no. No matter how wide the world is, I *WILL NOT* encourage the
use of this software.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-18 Thread alister 
On Thu, 17 Sep 2015 22:38:32 -0700, Jondy Zhao wrote:

> On Friday, September 18, 2015 at 1:02:09 PM UTC+8, Chris Angelico wrote:
>> On Fri, Sep 18, 2015 at 12:40 PM, Jondy Zhao 
>> wrote:
>> > The loader only can see the compiled scripts as ast nodes, even if
>> > the load some tools could dump the separated ast node to bytecode and
>> > de-compile it, think of one script is divided into thousands of
>> > pieces, it's not easy to assemble them again.
>> >
>> > The final solution is to distribute the loader with encrypted
>> > scripts, only my own loader can run the encrypted scripts.
>> 
>> So anyone who's going to run your program needs your loader. If someone
>> wants to redistribute your code, s/he can simply distribute the loader
>> as well - and you're right back where you started. You have still
>> achieved nothing in terms of preventing redistribution.
>> 
>> Please do not do this. Not only are you not achieving the goal you
>> think you are, you're making a mess for people to have to deal with.
>> 
>> ChrisA
> 
> But the loader and the encrypted scripts could be bind to one fixed
> computer when I distribute them to end users, so the end users can't
> redistribute them to any other machines. Actually this is what some
> commercial software does.

Making life difficult for legitimate users whilst causing Pirates minor 
difficulties at best (crack once distribute many)..

Copyright legislation is what provides you with protection if you need it

Commercial users do not risk running unlicensed software because of the 
damage a piracy case against them would cause to their business, not 
because they cant get it!
 



-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-18 Thread Jondy Zhao 
On Friday, September 18, 2015 at 4:08:57 PM UTC+8, alister wrote:
> On Thu, 17 Sep 2015 22:38:32 -0700, Jondy Zhao wrote:
> 
> > On Friday, September 18, 2015 at 1:02:09 PM UTC+8, Chris Angelico wrote:
> >> On Fri, Sep 18, 2015 at 12:40 PM, Jondy Zhao 
> >> wrote:
> >> > The loader only can see the compiled scripts as ast nodes, even if
> >> > the load some tools could dump the separated ast node to bytecode and
> >> > de-compile it, think of one script is divided into thousands of
> >> > pieces, it's not easy to assemble them again.
> >> >
> >> > The final solution is to distribute the loader with encrypted
> >> > scripts, only my own loader can run the encrypted scripts.
> >> 
> >> So anyone who's going to run your program needs your loader. If someone
> >> wants to redistribute your code, s/he can simply distribute the loader
> >> as well - and you're right back where you started. You have still
> >> achieved nothing in terms of preventing redistribution.
> >> 
> >> Please do not do this. Not only are you not achieving the goal you
> >> think you are, you're making a mess for people to have to deal with.
> >> 
> >> ChrisA
> > 
> > But the loader and the encrypted scripts could be bind to one fixed
> > computer when I distribute them to end users, so the end users can't
> > redistribute them to any other machines. Actually this is what some
> > commercial software does.
> 
> Making life difficult for legitimate users whilst causing Pirates minor 
> difficulties at best (crack once distribute many)..
> 
> Copyright legislation is what provides you with protection if you need it
> 
> Commercial users do not risk running unlicensed software because of the 
> damage a piracy case against them would cause to their business, not 
> because they cant get it!

I agree with you absolutely. Maybe I can show you the purpose of Pyarmor by the 
following case:

When we express a box, we can close this box with a lock, this equals encrypted 
scripts, or we just close the box without a lock. Pyarmor is just as this lock, 
it make the box more security, but it can not protect the box completely.

-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-18 Thread alister 
On Fri, 18 Sep 2015 01:31:50 -0700, Jondy Zhao wrote:

> On Friday, September 18, 2015 at 4:08:57 PM UTC+8, alister wrote:
>> On Thu, 17 Sep 2015 22:38:32 -0700, Jondy Zhao wrote:
>> 
>> > On Friday, September 18, 2015 at 1:02:09 PM UTC+8, Chris Angelico
>> > wrote:
>> >> On Fri, Sep 18, 2015 at 12:40 PM, Jondy Zhao 
>> >> wrote:
>> >> > The loader only can see the compiled scripts as ast nodes, even if
>> >> > the load some tools could dump the separated ast node to bytecode
>> >> > and de-compile it, think of one script is divided into thousands
>> >> > of pieces, it's not easy to assemble them again.
>> >> >
>> >> > The final solution is to distribute the loader with encrypted
>> >> > scripts, only my own loader can run the encrypted scripts.
>> >> 
>> >> So anyone who's going to run your program needs your loader. If
>> >> someone wants to redistribute your code, s/he can simply distribute
>> >> the loader as well - and you're right back where you started. You
>> >> have still achieved nothing in terms of preventing redistribution.
>> >> 
>> >> Please do not do this. Not only are you not achieving the goal you
>> >> think you are, you're making a mess for people to have to deal with.
>> >> 
>> >> ChrisA
>> > 
>> > But the loader and the encrypted scripts could be bind to one fixed
>> > computer when I distribute them to end users, so the end users can't
>> > redistribute them to any other machines. Actually this is what some
>> > commercial software does.
>> 
>> Making life difficult for legitimate users whilst causing Pirates minor
>> difficulties at best (crack once distribute many)..
>> 
>> Copyright legislation is what provides you with protection if you need
>> it
>> 
>> Commercial users do not risk running unlicensed software because of the
>> damage a piracy case against them would cause to their business, not
>> because they cant get it!
> 
> I agree with you absolutely. Maybe I can show you the purpose of Pyarmor
> by the following case:
> 
> When we express a box, we can close this box with a lock, this equals
> encrypted scripts, or we just close the box without a lock. Pyarmor is
> just as this lock, it make the box more security, but it can not protect
> the box completely.

And if the person at the other end looses the key it causes a great deal 
of trouble.

Alternatively the highway man that holds up the delivery truck simply 
takes a pair of bolt cutters to the lock...

yes it stops a casual snooper but that is all




-- 
A statesman is a politician who's been dead 10 or 15 years.
-- Harry S. Truman
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-18 Thread Jondy Zhao 
On Friday, September 18, 2015 at 6:06:51 PM UTC+8, alister wrote:
> On Fri, 18 Sep 2015 01:31:50 -0700, Jondy Zhao wrote:
> 
> > On Friday, September 18, 2015 at 4:08:57 PM UTC+8, alister wrote:
> >> On Thu, 17 Sep 2015 22:38:32 -0700, Jondy Zhao wrote:
> >> 
> >> > On Friday, September 18, 2015 at 1:02:09 PM UTC+8, Chris Angelico
> >> > wrote:
> >> >> On Fri, Sep 18, 2015 at 12:40 PM, Jondy Zhao 
> >> >> wrote:
> >> >> > The loader only can see the compiled scripts as ast nodes, even if
> >> >> > the load some tools could dump the separated ast node to bytecode
> >> >> > and de-compile it, think of one script is divided into thousands
> >> >> > of pieces, it's not easy to assemble them again.
> >> >> >
> >> >> > The final solution is to distribute the loader with encrypted
> >> >> > scripts, only my own loader can run the encrypted scripts.
> >> >> 
> >> >> So anyone who's going to run your program needs your loader. If
> >> >> someone wants to redistribute your code, s/he can simply distribute
> >> >> the loader as well - and you're right back where you started. You
> >> >> have still achieved nothing in terms of preventing redistribution.
> >> >> 
> >> >> Please do not do this. Not only are you not achieving the goal you
> >> >> think you are, you're making a mess for people to have to deal with.
> >> >> 
> >> >> ChrisA
> >> > 
> >> > But the loader and the encrypted scripts could be bind to one fixed
> >> > computer when I distribute them to end users, so the end users can't
> >> > redistribute them to any other machines. Actually this is what some
> >> > commercial software does.
> >> 
> >> Making life difficult for legitimate users whilst causing Pirates minor
> >> difficulties at best (crack once distribute many)..
> >> 
> >> Copyright legislation is what provides you with protection if you need
> >> it
> >> 
> >> Commercial users do not risk running unlicensed software because of the
> >> damage a piracy case against them would cause to their business, not
> >> because they cant get it!
> > 
> > I agree with you absolutely. Maybe I can show you the purpose of Pyarmor
> > by the following case:
> > 
> > When we express a box, we can close this box with a lock, this equals
> > encrypted scripts, or we just close the box without a lock. Pyarmor is
> > just as this lock, it make the box more security, but it can not protect
> > the box completely.
> 
> And if the person at the other end looses the key it causes a great deal 
> of trouble.
> 
> Alternatively the highway man that holds up the delivery truck simply 
> takes a pair of bolt cutters to the lock...
> 
> yes it stops a casual snooper but that is all
> 
> 
In reality, when we leave the house, we lock the door, even the lock could not 
make sure the safe of our property. It's just make it difficult. It's same in 
the software world. Someone need the lock in both of the world. 

And if the highway man need leave the trunk for many days, whether they lock 
the truck or ask someone to take care of it or not.

> 
> 
> -- 
> A statesman is a politician who's been dead 10 or 15 years.
>   -- Harry S. Truman

-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-18 Thread Ben Finney 
Jondy Zhao  writes:

> In reality, when we leave the house, we lock the door, even the lock
> could not make sure the safe of our property. It's just make it
> difficult. It's same in the software world. Someone need the lock in
> both of the world.

Yes, please don't encourage authors to put locks into people's computers
that restrict those people's access to use them.

And we won't come to install a lock that restricts your access to your
house.

In other words: Please don't arrogate to anyone the presumed right to
restrict how people run programs on their own computers.

-- 
 \   “It ain't so much the things we don't know that get us in |
  `\trouble. It's the things we know that ain't so.” —Artemus Ward |
_o__) (1834–1867), U.S. journalist |
Ben Finney

-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-18 Thread Jondy Zhao 
On Friday, September 18, 2015 at 9:08:27 PM UTC+8, Lorenzo Sutton wrote:
> On 18/09/2015 13:41, Jondy Zhao wrote:
> [...]
> > In reality, when we leave the house, we lock the door, even the lock could
> > not make sure the safe of our property. It's just make it difficult.
> > It's same in the software world. Someone need the lock in both of the world.
> 
> I think you meant "in the *proprietary* software world".
> 

Exactly.

> This discussion on the topic, and in particular this answer, on 
> Stackoverflow are quite inspiring:
> 
> http://stackoverflow.com/questions/261638/how-do-i-protect-python-code/261727#261727
> 
> Lorenzo.

-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-18 Thread Lorenzo Sutton 

On 18/09/2015 13:41, Jondy Zhao wrote:
[...]

In reality, when we leave the house, we lock the door, even the lock could
not make sure the safe of our property. It's just make it difficult.
It's same in the software world. Someone need the lock in both of the world.


I think you meant "in the *proprietary* software world".

This discussion on the topic, and in particular this answer, on 
Stackoverflow are quite inspiring:


http://stackoverflow.com/questions/261638/how-do-i-protect-python-code/261727#261727

Lorenzo.

--
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-18 Thread Chris Angelico 
On Fri, Sep 18, 2015 at 3:55 PM, Jondy Zhao  wrote:
> On Friday, September 18, 2015 at 11:06:25 AM UTC+8, Ben Finney wrote:
>> Jondy Zhao  writes:
>>
>> > For example, I develop a game by python. What I want to do is that the
>> > player or the agent could not simply copy the game to others. For the
>> > player or the agent, they needn't research the game.
>>
>> Deciding for the customer what they may not do, on their own computer,
>> is quite hostile. Please don't enable such restrictions.
>>
>
> This is only one possible way to distribute encrypted scripts. As I thought 
> the user of Pyarmor would be the producer of commercial software, so they 
> could bind their license file to netcard, harddisk, cpu, etc.
>

Great. Please put a big warning notice on your application:

ATTENTION ALL USERS
The author of this program believes that he controls your usage of it,
to the extent that a legitimately-purchased copy will refuse to run if
you upgrade your computer's hardware.
It is therefore recommended that you pirate this program as per XKCD 488.
If you don't like this, don't use the program.


At least then you'll be being honest.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-18 Thread Jondy Zhao 
On Friday, September 18, 2015 at 3:27:28 PM UTC+8, Chris Angelico wrote:
> On Fri, Sep 18, 2015 at 3:55 PM, Jondy Zhao  wrote:
> > On Friday, September 18, 2015 at 11:06:25 AM UTC+8, Ben Finney wrote:
> >> Jondy Zhao  writes:
> >>
> >> > For example, I develop a game by python. What I want to do is that the
> >> > player or the agent could not simply copy the game to others. For the
> >> > player or the agent, they needn't research the game.
> >>
> >> Deciding for the customer what they may not do, on their own computer,
> >> is quite hostile. Please don't enable such restrictions.
> >>
> >
> > This is only one possible way to distribute encrypted scripts. As I thought 
> > the user of Pyarmor would be the producer of commercial software, so they 
> > could bind their license file to netcard, harddisk, cpu, etc.
> >
> 
> Great. Please put a big warning notice on your application:
> 
> ATTENTION ALL USERS
> The author of this program believes that he controls your usage of it,
> to the extent that a legitimately-purchased copy will refuse to run if
> you upgrade your computer's hardware.
> It is therefore recommended that you pirate this program as per XKCD 488.
> If you don't like this, don't use the program.
> 
> 
> At least then you'll be being honest.
> 

I know you hate it. But I have purchased some commercial software in this way 
before, a tool named ERWIN used to create relation database. The license I got 
from software provider is bind to the network card of my PC. I can't use this 
tool in any other machine. This is true case.

The world is wide, maybe it's better to be tolerant of all things.

> ChrisA

-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-17 Thread Chris Angelico 
On Fri, Sep 18, 2015 at 11:58 AM, Jondy Zhao  wrote:
> Think that python developer is manufacturer, and he want to sell his product 
> to the customers who don't know anything about programming. He don't hope his 
> customers redistribute his product, that's protected by Pyarmor.
>

The trouble with that thinking is that they _can_ redistribute his
product. In fact, PyArmor isn't going to do anything about that. It
might make it harder for them to reverse engineer that product, but it
does nothing whatsoever for redistribution.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-17 Thread Ben Finney 
Jondy Zhao  writes:

> Think that python developer is manufacturer, and he want to sell his
> product to the customers who don't know anything about programming.

Are you also assuming those customers have no-one they can talk with who
knows programming?

> He don't hope his customers redistribute his product, that's protected
> by Pyarmor.

Pyarmor is not going to stop them redistributing anything. If they're
motivated to redistribute the code, this won't stop them. If they're
motivated to examine what the code does, this will increase the effort
but not stop them.

At best, it will annoy customers who want to get someone's help in
debugging the product. That sounds like an anti-feature.

-- 
 \ “This world in arms is not spending money alone. It is spending |
  `\  the sweat of its laborers, the genius of its scientists, the |
_o__)   hopes of its children.” —Dwight Eisenhower, 1953-04-16 |
Ben Finney

-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-17 Thread Jondy Zhao 
On Tuesday, September 15, 2015 at 5:36:52 PM UTC+8, Ben Finney wrote:
> Jondy Zhao  writes:
> 
> > Pyarmor is a simple to use tool which is capable of importing or
> > running encrypted Python script files. Moreover, it can apply encoding
> > algorithms to your Python scripts, in order to help you protect them
> > before you can distribute them. You may also generate license files
> > with custom validity conditions.
> 
> Protect them from whom? What is the threat model against which Pyarmor
> is claimed to protect? Who is the attacker, who is being protected?
> 
> > The program allows you to encrypt files, but to also open and run them
> > as if no protection was applied. Moreover, it can run or import
> > encrypted Python scripts in any target machine, only in specified
> > machines or before a specified date. This aspect can be controlled by
> > the creation of the license files: bound to a hard disk serial number
> > or by an expiration date.
> 
> So a Python file encrypted this way will be arbitrarily restricted in
> how it can be inspected for debugging, performance monitoring, and
> testing?
> 
> This seems to explicitly treat the user of the Python software as a
> hostile attacker. That is not a friendly or respectful position, and I
> hope I misunderstand Pyarmor's operation.
> 
> -- 
>  \   "Any fool can write code that a computer can understand. Good |
>   `\   programmers write code that humans can understand." --Martin |
> _o__)  Fowler, _Refactoring_, 2000 |
> Ben Finney

Think that python developer is manufacturer, and he want to sell his product to 
the customers who don't know anything about programming. He don't hope his 
customers redistribute his product, that's protected by Pyarmor.



-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-17 Thread Jondy Zhao 
On Tuesday, September 15, 2015 at 5:49:15 PM UTC+8, Chris Angelico wrote:
> On Tue, Sep 15, 2015 at 7:21 PM, Jondy Zhao  wrote:
> > Pyarmor is dedicated to users who create their applications, components, 
> > scripts or any file with the help of the Python programming language. You 
> > may use this application to encrypt the files, in order to protect their 
> > content and your intellectual property, by encoding the scripts.
> >
> >
> > The program allows you to encrypt files, but to also open and run them as 
> > if no protection was applied.
> 
> If they can be run as if no protection had been applied, that
> presumably means the loader is capable of decrypting them, right? So
> what's to stop anyone from reading the loader, using it to decrypt the
> actual code, and running it?
> 
> ChrisA

The loader only can see the compiled scripts as ast nodes, even if the load 
some tools could dump the separated ast node to bytecode and de-compile it, 
think of one script is divided into thousands of pieces, it's not easy to 
assemble them again.

The final solution is to distribute the loader with encrypted scripts, only my 
own loader can run the encrypted scripts.
Besides,
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-17 Thread Jondy Zhao 
On Friday, September 18, 2015 at 10:06:30 AM UTC+8, Chris Angelico wrote:
> On Fri, Sep 18, 2015 at 11:58 AM, Jondy Zhao  wrote:
> > Think that python developer is manufacturer, and he want to sell his 
> > product to the customers who don't know anything about programming. He 
> > don't hope his customers redistribute his product, that's protected by 
> > Pyarmor.
> >
> 
> The trouble with that thinking is that they _can_ redistribute his
> product. In fact, PyArmor isn't going to do anything about that. It
> might make it harder for them to reverse engineer that product, but it
> does nothing whatsoever for redistribution.
> 
> ChrisA

The encrypted scripts could be distributed to bind to hard disk of computer, so 
the customers could not simplely copy them to somewhere else. Except they could 
reverse all the bytecodes, and pyarmor does make it harder to reverse bytecode 
to source. 
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-17 Thread Jondy Zhao 
On Friday, September 18, 2015 at 10:27:35 AM UTC+8, Ben Finney wrote:
> Jondy Zhao  writes:
> 
> > Think that python developer is manufacturer, and he want to sell his
> > product to the customers who don't know anything about programming.
> 
> Are you also assuming those customers have no-one they can talk with who
> knows programming?
> 
> > He don't hope his customers redistribute his product, that's protected
> > by Pyarmor.
> 
> Pyarmor is not going to stop them redistributing anything. If they're
> motivated to redistribute the code, this won't stop them. If they're
> motivated to examine what the code does, this will increase the effort
> but not stop them.
> 
> At best, it will annoy customers who want to get someone's help in
> debugging the product. That sounds like an anti-feature.
> 
> -- 
>  \ "This world in arms is not spending money alone. It is spending |
>   `\  the sweat of its laborers, the genius of its scientists, the |
> _o__)   hopes of its children." --Dwight Eisenhower, 1953-04-16 |
> Ben Finney

For example, I develop a game by python. What I want to do is that the player 
or the agent could not simply copy the game to others. For the player or the 
agent, they needn't research the game. That's cases concerned by PyArmor.
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-17 Thread Ben Finney 
Jondy Zhao  writes:

> For example, I develop a game by python. What I want to do is that the
> player or the agent could not simply copy the game to others. For the
> player or the agent, they needn't research the game.

Deciding for the customer what they may not do, on their own computer,
is quite hostile. Please don't enable such restrictions.

-- 
 \   “We must find our way to a time when faith, without evidence, |
  `\disgraces anyone who would claim it.” —Sam Harris, _The End of |
_o__) Faith_, 2004 |
Ben Finney

-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-17 Thread Chris Angelico 
On Fri, Sep 18, 2015 at 12:40 PM, Jondy Zhao  wrote:
> The loader only can see the compiled scripts as ast nodes, even if the load 
> some tools could dump the separated ast node to bytecode and de-compile it, 
> think of one script is divided into thousands of pieces, it's not easy to 
> assemble them again.
>
> The final solution is to distribute the loader with encrypted scripts, only 
> my own loader can run the encrypted scripts.

So anyone who's going to run your program needs your loader. If
someone wants to redistribute your code, s/he can simply distribute
the loader as well - and you're right back where you started. You have
still achieved nothing in terms of preventing redistribution.

Please do not do this. Not only are you not achieving the goal you
think you are, you're making a mess for people to have to deal with.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-17 Thread Jondy Zhao 
On Friday, September 18, 2015 at 1:02:09 PM UTC+8, Chris Angelico wrote:
> On Fri, Sep 18, 2015 at 12:40 PM, Jondy Zhao  wrote:
> > The loader only can see the compiled scripts as ast nodes, even if the load 
> > some tools could dump the separated ast node to bytecode and de-compile it, 
> > think of one script is divided into thousands of pieces, it's not easy to 
> > assemble them again.
> >
> > The final solution is to distribute the loader with encrypted scripts, only 
> > my own loader can run the encrypted scripts.
> 
> So anyone who's going to run your program needs your loader. If
> someone wants to redistribute your code, s/he can simply distribute
> the loader as well - and you're right back where you started. You have
> still achieved nothing in terms of preventing redistribution.
> 
> Please do not do this. Not only are you not achieving the goal you
> think you are, you're making a mess for people to have to deal with.
> 
> ChrisA

But the loader and the encrypted scripts could be bind to one fixed computer 
when I distribute them to end users, so the end users can't redistribute them 
to any other machines. Actually this is what some commercial software does.
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-15 Thread Chris Angelico 
On Tue, Sep 15, 2015 at 7:21 PM, Jondy Zhao  wrote:
> Pyarmor is dedicated to users who create their applications, components, 
> scripts or any file with the help of the Python programming language. You may 
> use this application to encrypt the files, in order to protect their content 
> and your intellectual property, by encoding the scripts.
>
>
> The program allows you to encrypt files, but to also open and run them as if 
> no protection was applied.

If they can be run as if no protection had been applied, that
presumably means the loader is capable of decrypting them, right? So
what's to stop anyone from reading the loader, using it to decrypt the
actual code, and running it?

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-15 Thread Ben Finney 
Jondy Zhao  writes:

> Pyarmor is a simple to use tool which is capable of importing or
> running encrypted Python script files. Moreover, it can apply encoding
> algorithms to your Python scripts, in order to help you protect them
> before you can distribute them. You may also generate license files
> with custom validity conditions.

Protect them from whom? What is the threat model against which Pyarmor
is claimed to protect? Who is the attacker, who is being protected?

> The program allows you to encrypt files, but to also open and run them
> as if no protection was applied. Moreover, it can run or import
> encrypted Python scripts in any target machine, only in specified
> machines or before a specified date. This aspect can be controlled by
> the creation of the license files: bound to a hard disk serial number
> or by an expiration date.

So a Python file encrypted this way will be arbitrarily restricted in
how it can be inspected for debugging, performance monitoring, and
testing?

This seems to explicitly treat the user of the Python software as a
hostile attacker. That is not a friendly or respectful position, and I
hope I misunderstand Pyarmor's operation.

-- 
 \   “Any fool can write code that a computer can understand. Good |
  `\   programmers write code that humans can understand.” —Martin |
_o__)  Fowler, _Refactoring_, 2000 |
Ben Finney

-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-15 Thread Chris Angelico 
On Wed, Sep 16, 2015 at 2:20 AM, Grant Edwards  wrote:
> On 2015-09-15, Chris Angelico  wrote:
>> On Tue, Sep 15, 2015 at 11:16 PM, Grant Edwards  
>> wrote:
>>> On 2015-09-15, Chris Angelico  wrote:
 If they can be run as if no protection had been applied, that
 presumably means the loader is capable of decrypting them, right? So
 what's to stop anyone from reading the loader, using it to decrypt
 the actual code, and running it?
>>>
>>> I rather expect the answer to that questions is "laziness".
>>>
>>> It's like the lock on my front door.  It's not going to stop anybody
>>> who really wants to get in, but it will prevent the idle curious from
>>> wandering in and messing about with my stuff.
>>
>> Maybe. It seems more like having a lock on your front door, with the
>> key permanently inside it. But maybe that's just me.
>
> I you may be underestimating the laziness and overestimating the
> cleverness of most people. ;)

Heh :) But in that case, you can probably get away with just
zipimport. Deflation sure isn't encryption, but the code is pretty
thoroughly concealed anyway.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-15 Thread Grant Edwards 
On 2015-09-15, Chris Angelico  wrote:
>
>> I you may be underestimating the laziness and overestimating the
>> cleverness of most people. ;)
>
> Heh :) But in that case, you can probably get away with just
> zipimport. Deflation sure isn't encryption, but the code is pretty
> thoroughly concealed anyway.

I agree completely.  There are three categories of protection:

  1) The program never leaves your computer.

  2) Obfuscation to deter the idle curious from mucking about.

  3) Put the source code on the interwebs.

In category 2 you find the single-file/directory-app bundlers[1]
(which IIRC mostly use something like zipimport) and various other
"encryption" wrappers.  They all provide pretty much the same minimal
"protection".

[1] Most of which are intended to provide ease of distribution and
installation -- the obfuscation is mostly a side-effect.

-- 
Grant Edwards   grant.b.edwardsYow! I love ROCK 'N ROLL!
  at   I memorized the all WORDS
  gmail.comto "WIPE-OUT" in 1965!!
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-15 Thread Grant Edwards 
On 2015-09-15, Chris Angelico  wrote:
> On Tue, Sep 15, 2015 at 11:16 PM, Grant Edwards  
> wrote:
>> On 2015-09-15, Chris Angelico  wrote:
>>> On Tue, Sep 15, 2015 at 7:21 PM, Jondy Zhao  wrote:
 Pyarmor is dedicated to users who create their applications, components, 
 scripts or any file with the help of the Python programming language. You 
 may use this application to encrypt the files, in order to protect their 
 content and your intellectual property, by encoding the scripts.

 The program allows you to encrypt files, but to also open and run
 them as if no protection was applied.
>>>
>>> If they can be run as if no protection had been applied, that
>>> presumably means the loader is capable of decrypting them, right? So
>>> what's to stop anyone from reading the loader, using it to decrypt
>>> the actual code, and running it?
>>
>> I rather expect the answer to that questions is "laziness".
>>
>> It's like the lock on my front door.  It's not going to stop anybody
>> who really wants to get in, but it will prevent the idle curious from
>> wandering in and messing about with my stuff.
>
> Maybe. It seems more like having a lock on your front door, with the
> key permanently inside it. But maybe that's just me.

I you may be underestimating the laziness and overestimating the
cleverness of most people. ;)

-- 
Grant Edwards   grant.b.edwardsYow! Is this sexual
  at   intercourse yet??  Is it,
  gmail.comhuh, is it??
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-15 Thread Chris Angelico 
On Wed, Sep 16, 2015 at 2:40 AM, Grant Edwards  wrote:
> On 2015-09-15, Chris Angelico  wrote:
>>
>>> I you may be underestimating the laziness and overestimating the
>>> cleverness of most people. ;)
>>
>> Heh :) But in that case, you can probably get away with just
>> zipimport. Deflation sure isn't encryption, but the code is pretty
>> thoroughly concealed anyway.
>
> I agree completely.  There are three categories of protection:
>
>   1) The program never leaves your computer.
>
>   2) Obfuscation to deter the idle curious from mucking about.
>
>   3) Put the source code on the interwebs.

Agreed. #3 is the protection that I use for most of my code, and it's
protected me several times from a threat that's far more serious (in
my mind) than someone ripping off my code: it's kept my code safe from
hard drive failures. Yeah, nothing like seeing errors spewing off a
drive that's suddenly died to make you appreciate distributed source
control! (Oh look, my private key is no longer accessible. How
terrible... I have to go to GitHub and register a new public key
before I can continue development. That's gonna set me back... five
whole minutes!)

#1 wasn't really viable until the always-on internet connection became
a normal thing, but today, it's actually pretty easy. Shove your
application up onto cheap hosting somewhere, and make it accessible
via the web... anyone can do it, and your code needs no obfuscation to
be truly secure.

> In category 2 you find the single-file/directory-app bundlers[1]
> (which IIRC mostly use something like zipimport) and various other
> "encryption" wrappers.  They all provide pretty much the same minimal
> "protection".
>
> [1] Most of which are intended to provide ease of distribution and
> installation -- the obfuscation is mostly a side-effect.

Right. Anyone who thinks zipapp is good for security is wrong, but it
sure can be handy for packaging up a one-click "here, download and run
this" Windows .exe file. Any obfuscation should be seen as a freebie,
on par with the toy you get in a fast-food meal.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-15 Thread Grant Edwards 
On 2015-09-15, Chris Angelico  wrote:
> On Tue, Sep 15, 2015 at 7:21 PM, Jondy Zhao  wrote:
>> Pyarmor is dedicated to users who create their applications, components, 
>> scripts or any file with the help of the Python programming language. You 
>> may use this application to encrypt the files, in order to protect their 
>> content and your intellectual property, by encoding the scripts.
>>
>> The program allows you to encrypt files, but to also open and run
>> them as if no protection was applied.
>
> If they can be run as if no protection had been applied, that
> presumably means the loader is capable of decrypting them, right? So
> what's to stop anyone from reading the loader, using it to decrypt
> the actual code, and running it?

I rather expect the answer to that questions is "laziness".

It's like the lock on my front door.  It's not going to stop anybody
who really wants to get in, but it will prevent the idle curious from
wandering in and messing about with my stuff.

-- 
Grant Edwards   grant.b.edwardsYow! Are we on STRIKE yet?
  at   
  gmail.com
-- 
https://mail.python.org/mailman/listinfo/python-list

Re: Pyarmor, guard your python scripts

2015-09-15 Thread Chris Angelico 
On Tue, Sep 15, 2015 at 11:16 PM, Grant Edwards  wrote:
> On 2015-09-15, Chris Angelico  wrote:
>> On Tue, Sep 15, 2015 at 7:21 PM, Jondy Zhao  wrote:
>>> Pyarmor is dedicated to users who create their applications, components, 
>>> scripts or any file with the help of the Python programming language. You 
>>> may use this application to encrypt the files, in order to protect their 
>>> content and your intellectual property, by encoding the scripts.
>>>
>>> The program allows you to encrypt files, but to also open and run
>>> them as if no protection was applied.
>>
>> If they can be run as if no protection had been applied, that
>> presumably means the loader is capable of decrypting them, right? So
>> what's to stop anyone from reading the loader, using it to decrypt
>> the actual code, and running it?
>
> I rather expect the answer to that questions is "laziness".
>
> It's like the lock on my front door.  It's not going to stop anybody
> who really wants to get in, but it will prevent the idle curious from
> wandering in and messing about with my stuff.

Maybe. It seems more like having a lock on your front door, with the
key permanently inside it. But maybe that's just me.

In any case, this needs to be clear about how much security it's
actually offering.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list