Re: Perl 'executable'
by marto (Cardinal) on Oct 22, 2010 at 01:41 UTC
|
You can package scripts using pp or similar, but you can't hide the source code. See perlfaq3.
| [reply] |
Re: Perl 'executable'
by Ratazong (Monsignor) on Oct 22, 2010 at 07:38 UTC
|
... deploying a Perl script -- which can be read ...
shmem wrote a very high-ranked node on the topic of transforming perl-scripts to .exe-format to prevent them from being read: Uncool Use Of Perl: perl2exe. decompile quick steps. So please be aware of that risk (or rethink your security-approach).
HTH, Rata
| [reply] |
Re: Perl 'executable'
by aquarium (Curate) on Oct 22, 2010 at 04:11 UTC
|
| [reply] |
Re: Perl 'executable'
by Marshall (Canon) on Oct 22, 2010 at 04:45 UTC
|
If you use the recent ActiveState PerlApp tools, it is possible, but not very easy to decode what the application .exe is doing. If you are up to it and want to take on a challenge, /msg me and I'll send you an .exe for you to de-compile. I think this is difficult.
In the open source arena, if the program is a good one, it doesn't matter whether or not you have access to the source or not - you won't "crack it". Meaning that even if you know all about how it works, you can't make it misbehave, typically because the O/S permissions won't allow it.
| [reply] |
|
"If you use the recent ActiveState PerlApp tools, it is possible, but not very easy to decode what the application .exe is doing. If you are up to it and want to take on a challenge, /msg me and I'll send you an .exe for you to de-compile. I think this is difficult."
Agreed. The FAQ states it's possible, and advises against relying on perlapp for hiding sensitive data. I'm sure if one were to Google search this topic they'd find, if not a complete solution, a script to start them on the right track to "de-compile" the generated exe.
| [reply] |
Re: Perl 'executable'
by Xilman (Hermit) on Oct 22, 2010 at 13:38 UTC
|
One thing you can do is split your script into two parts — a client for which you give away the source code and a server which you keep adequately secure (you get to define "adequate") on a machine under your control.
Assuming that server does something sufficiently valuable and sufficiently complex that your users find it easier and/or cheaper to use it than to circumvent your security mechanisms to read and/or hack your script, then you have achieved your stated goal.
Paul
| [reply] |
Re: Perl 'executable'
by zentara (Archbishop) on Oct 22, 2010 at 12:40 UTC
|
You could look at it the other way. When it's deployed as a binary, no one really can be sure what it is doing, without extensive effort. Whereas a conventional script can be easily scanned, to see what it is doing. If you want some security with a script, just have its permissions and ownership set, and maybe do some cryptographic fingerprinting of it. I would be very suspicious of any binary I was asked to run, unless I compiled it myself.
| [reply] |
|
"I would be very suspicious of any binary I was asked to run, unless I compiled it myself."
Really? I guess you must be running Gentoo then, and even then bootstrapped your own compiler from hand-written assembler in order to get the initial gcc working from code you trust.
There are times when you just have to trust a binary whether you like it or not. Reflections on Trusting Trust has a valuable take on the issue.
Paul
| [reply] |
|
I agree, but there are certain tradeoffs in trust. I do keep a watch over the software that comes in precompiled form.
I make a distinction in trust levels.
I would be more likely to trust a binary that comes from a prebuilt distribution, like Ubuntu, than from some perl hacker who claims he/she doesn't want me to see what the script does. There is just an obvious difference there in threat level. At least the distributions make their source packages available. Will the perl hacker make his uncompiled source script available to me?
| [reply] |
Re: Perl 'executable'
by bart (Canon) on Oct 24, 2010 at 08:59 UTC
|
which can be read and maybe hacked
You know, a pre-built .exe file doesn't have to be hacked, as it can just be replaced by any drop-in replacement program... And generally, nobody will know it has been replaced, without running it.
| [reply] [d/l] |
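The ownership, permission and fingerprint checks suggested in the thread, which also catch the silent drop-in replacement raised in the last reply, can be done in a few lines of Perl. This is an added example and not code from any poster; `verify_script`, the temporary file and the pinned digest are constructed for illustration, and it assumes a POSIX system where uid and mode bits are meaningful.

```perl
#!/usr/bin/perl
# Added example: refuse to run a deployed script unless its owner, mode and
# SHA-256 digest match values recorded at install time.
use strict;
use warnings;
use Digest::SHA;
use Fcntl qw(:mode);
use File::Temp qw(tempfile);

# Returns a list of problems; an empty list means the file passed every check.
sub verify_script {
    my ($path, $want_uid, $want_sha256) = @_;
    my @problems;

    open(my $fh, '<', $path) or return ("cannot open $path: $!");
    binmode($fh);
    # stat the open handle, so the checks and the hash cover the same file
    my @st = stat($fh) or return ("cannot stat $path: $!");
    my ($mode, $uid) = @st[2, 4];

    push @problems, 'not a regular file' unless S_ISREG($mode);
    push @problems, "owner uid is $uid, expected $want_uid" unless $uid == $want_uid;
    push @problems, 'writable by group or others' if $mode & (S_IWGRP | S_IWOTH);

    my $got = Digest::SHA->new(256)->addfile($fh)->hexdigest;
    push @problems, "sha256 is $got, expected $want_sha256" unless lc($want_sha256) eq $got;
    close($fh);
    return @problems;
}

# Constructed demo: a throwaway file stands in for the deployed script.
my ($tmp, $script) = tempfile(UNLINK => 1);
print {$tmp} "#!/usr/bin/perl\nprint qq{hello\\n};\n";
close($tmp);
chmod 0755, $script;

# Digest recorded at install time; in practice keep it where the account
# running the script cannot write (assumption of this example).
my $pinned = Digest::SHA->new(256)->addfile($script, 'b')->hexdigest;
my @before = verify_script($script, $>, $pinned);
print 'as installed: ', (@before ? join('; ', @before) : 'ok'), "\n";

# Simulate a drop-in replacement and a loosened mode.
open(my $out, '>', $script) or die "cannot rewrite $script: $!";
print {$out} "#!/usr/bin/perl\nprint qq{replaced\\n};\n";
close($out);
chmod 0777, $script;
my @after = verify_script($script, $>, $pinned);
print "after replacement: $_\n" for @after;
```

The check only helps if the verifier and the pinned digest are themselves out of reach of whoever could replace the script, for example owned by a different account or stored on read-only media.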