Just looking into python from a .net background.
Is python compiled like .net? If yes, can it be obfuscated and is it more or less secure than .net compiled code that is obfuscated?
does pretty much every web host (unix) support django and python?
Asked
Active
Viewed 8,281 times
3
-
I don't understand why do you need to obfuscate if it can be compiled? – grigy Sep 27 '09 at 15:31
-
1If your code really needs to be protected (it probably doesn't) then obfuscation doesn't help. – Lennart Regebro Sep 27 '09 at 16:48
7 Answers
11
There are many implementations of the Python language; the three that are certainly solid, mature and complete enough for production use are CPython, IronPython, and Jython. All of them are typically compiled to some form of bytecode, also known as intermediate code. The compilation from source to bytecode may take place as and when needed, but you can also do it in advance if you prefer; however Google App Engine, which lets you run small Python web apps, including Django, for free, as one of its limitations requires you to upload source and not compiled code (I know of no other host imposing the same limitation, but then I know of none giving you so many resources for free in exchange;-).
You might be most at home with IronPython, which is a Microsoft product (albeit, I believe, the first Microsoft product to be entirely open-source): in that case you can be certain that it is "compiled like .net", because it is (part of) .net (more precisely, .net and silverlight). Therefore it cannot be neither more nor less obfuscated and/or secure than .net (meaning, any other .net language).
Jython works on JVM, the Java Virtual Machine, much like IronPython works on Microsoft's Common Language Runtime, aka CLR. CPython has its own dedicated virtual machine.
For completeness, other implementations (not yet recommended for production use) include pypy, a highly flexible implementation that supports many possible back-ends (including but not limited to .net); unladen swallow, focused on evolving CPython to make it faster; pynie, a Python compiler to the Parrot virtual machine; wpython, a reimplementation based on "wordcode" instead of "bytecode"; and no doubt many, many others.
CPython, IronPython, Jython and pypy can all run Django (other implementations might also be complete enough for that, but I'm not certain).
Alex Martelli
- 854,459
- 170
- 1,222
- 1,395
-
Hello Alex, I need your input and experience regarding this question: http://stackoverflow.com/questions/14997414/obfuscating-python-code-through-interpreter-mutation/14997695 .Thanks! – securecurve Feb 22 '13 at 12:16
-
@Alex Martelli.. How it is possible to run Django using CPython? – Rodriguez David Oct 18 '17 at 13:45
2
I don't know about the security part but.
- Python is interpreted. Like PHP. (It's turned into bytecode which CPython reads)
- Django is just a framework on top of Python.
- Python can be compiled.
- And no not all hosts support python + django.
Ólafur Waage
- 68,817
- 22
- 142
- 198
-
Python (at least in the case of CPython) *is* compiled – the parser produces bytecode before executing it on the VM. It just happens to be a portable VM rather than the x86 instruction set in case of C or a .net VM in case of C#. – ilya n. Sep 27 '09 at 16:41
2
You shouldn't have to worry about obfuscating your code, specially since it's going to run on your server.
You are not supposed to put your code in a public directory anyway. The right thing to do with django (as oposed to PHP) is to make the code accessible by the webserver, but not by the public.
And if your server's security has been breached, then you have other things to worry about...
Flávio Amieiro
- 41,644
- 8
- 32
- 24
-
Some web-based products are meant to be hosted by the customer. Meaning that they have access to the server an all its content. – Nagev Nov 02 '17 at 16:47
1
Obfuscation is false security. And the only thing worse than no security is false security. Why would you obfuscate a web app anyways?
Python is compiled to bytecode and run on a virtual machine, but usually distributed as source code.
Unless you really plan to run your webapp on "pretty much every web host" that question doesn't matter. There are many good hosts that support python and django.
Jochen Ritzel
- 104,512
- 31
- 200
- 194
-
I just don't it to be too easy to get the source that's all, that's why I asked about obfuscation. – user179764 Sep 27 '09 at 15:07
0
Code obfuscation in .NET are mostly a question of changing variable names to make it harder to understand the disassembled code. Yes, you can do those techniques with CPython too.
Now, why ever you would want to is another question completely. It doesn't actually provide you with any security, and does not prevent anybody from stealing your software.
Lennart Regebro
- 167,292
- 41
- 224
- 251
0
The web server app python code does not need to be hosted to public view, nor does it need to be obfuscated. The only time that a programmer might wish to use obfuscation would be a forward facing API that divulges private IP/hostnames or other secure properties publicly in the form of viewing the page source in a browser. If the app does not do that, then you don't need to use any obfuscation at all. Examples of using that: Javascript that are public, html cgi variables that can be compromized in XSS attack, etc.
Jason Munro Graham
- 21
- 2
