-
-
Notifications
You must be signed in to change notification settings - Fork 375
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a packaging option to minify or otherwise obfuscate the python code in the distribution package #1865
Comments
My experience has been that while some developers are very keen about code obfuscation, the tools are (a) not actually necessary for novice developers, and (b) not actually protection against a determined attacker. Ultimately, code (especially something like Python code) needs to be executed; if you want someone to use your code, you have to give it to them. I've seen first hand code that was written in C, and was distributed as an obfuscated binary, and it was still a relatively minor exercise to reverse engineer the "interesting" part of the code (in this case, the code that implemented license validation 😄). Code obfuscation is also somewhat opposed to the fundamental philosophy of FLOSS movements in general. This is especially important when you consider that this is a feature that is most likely to be requested by commercial users of Briefcase - so we'd be adding and maintaining a feature that is mostly useful for commercial users, with no particular benefit to the volunteers that maintain the (open source) code for the project. However, I'm also aware that not all software developers share my pessimism about the usefulness of obfuscation, and I don't want to render Briefcase inappropriate for those users that have a requirement to use obfuscation of some kind. So - my inclination is that this is the sort of feature we should support by an extension API. If we were to add a "build plugin" API, users could define steps that they want to be executed as part of the build process, including (but not limited to) obfuscation techniques. The "dogfood" use for this interface could be the current This would allow us to prove the plugin interface works; it would then be up to third-party developers to contribute other "post processing" steps - this could be:
or anything else someone might need to do. |
Good idea, anything update on this topic? @freakboy3742 |
@Jzhenli This isn't on my personal roadmap at present, and it seems unlikely it will be added any time soon. I'll happily review a PR if someone wants to implement it. |
What is the problem or limitation you are having?
Applications built by briefcase store all the python code (both for the app and included packages) in cleartext in (almost) the same hierarchy you see when you're the developer of the application. That both makes the packaged application bigger on disk than it needs to be and also makes it trivial for any user of the app to just browse the folder of the app they installed and see all the code. It would be nice if there were some options to allow obfuscation of that code so this weren't quite so easy.
Describe the solution you'd like
There could be an option in
pyproject.toml
called somethingobfuscation_level
that could specify which approach to use when packagin up the app. There's three different options I can think of from the jump:Python-Minifier
)zlib
or do some other obfuscatory thingpyarmor
which has a whole host of options that range up to the truly extreme attempts to make life hellish even for highly skilled reverse engineersDescribe alternatives you've considered
If you develop most of the logic in your briefcase app as a package such that briefcase imports the vast majority of the functionality via
pip install
from a private pypi or git repo you can apply these tools to the code, commit or release that obfuscated/minified version, and then have briefcase install it just as it would any other package.edit: i have actually gotten this approach to work successfully (with
pyarmor
as the obfuscation tool) for my own briefcase app.Additional context
Obviously there are some restrictions here around open source licenses. For instance if your briefcase app relies on a package licensed under the GPL then you are supposed to release the source code and so obfuscation of the code in the final application should not be allowed.
The text was updated successfully, but these errors were encountered: