... deploying a Perl script -- which can be read ...

shmem wrote a very high-ranked node on the topic of transforming perl-scripts to .exe-format to prevent them from being read: Uncool Use Of Perl: perl2exe. decompile quick steps. So please be aware of that risk (or rethink your security-approach)

shmem is right about perl2exe. PerlApp is more difficult. You won't find any text strings to display. In older versions, they just XOR'd the script with a fixed string. What they do now is more sophisticated and harder to figure out. But at some level of effort, it is possible to figure out. This is not NSA encryption!

I figure a main question is would be what the OP is trying to protect against? Insertion of malicious code? "Stealing" his software?

In the open source arena, if the program is a good one, it doesn't matter whether or not you have access to the source or not - you won't "crack it". Meaning that even if you know all about how it works, you can't make it misbehave, typically because the O/S permissions won't allow it.

"If you use the recent ActiveState PerlApp tools, it is possible, but not very easy to decode what the application .exe is doing. If you are up to it and want to take on a challenge, /msg me and I'll send you an .exe for you to de-compile. I think this is difficult."

Agreed. The FAQ states it's possible, and advises against relying on perlapp for hiding sensitive data. I'm sure if one where to google seach this topic they'd find, if not a complete solution, a script to start the on the right track to "de-compile" the generated exe.

One thing you can do is split your script into two parts — a client for which you give away the source code and a server which you keep adequately secure (you get to define "adequate") on a machine under your control.

Assuming that server does something sufficiently valuable and sufficiently complex that your users find it easier and/or cheaper to use it than to circumvent your security mechanisms to read and/or hack your script, then you have achieved your stated goal.

Paul

If you want some security with a script, just have it's permissions and ownership set, and maybe do some cryptographic fingerprinting of it.

I would be very suspicious of any binary I was asked to run, unless I compiled it myself.

"I would be very suspicious of any binary I was asked to run, unless I compiled it myself."

Really? I guess you must be running Gentoo then, and even then bootstrapped your own compiler from hand-written assembler in order to get the initial gcc working from code you trust.

There are times when you just have to trust a binary whether you like it or not. Reflections on Trusting Trust has a valuable take on the issue.

Paul

I agree, but there are certain tradeoffs in trust. I do keep a watch over the software than comes in precompiled form.

I make a distinction in trust levels.

I would be more likely to trust a binary that comes from a prebuilt distribution, like Ubuntu; than from some perl hacker who claims he/she dosn't want me to see what the script does. There is just an obvious difference there in threat level.

At least the distributions make their source packages available. Will the perl hacker make his uncompiled source script available to me?

---

I'm not really a human, but I play one on earth.
Old Perl Programmer Haiku ................... flash japh

which can be read and maybe hacked