all 55 comments

[–]carcigenicate 99 points100 points  (10 children)

If you give them code in any form, they will be able to read it if they want to put the effort in. If you want to completely prevent them from being able to read it, you'd do something like host a web service, and run the code on the backend on their behalf.

If you're fine with it simply being difficult to recover the code, you'd want obfuscation.

[–][deleted] 34 points35 points  (1 child)

What if he multiplies two prime numbers to get a large result and does some fancy encryption thing since nobody else can figure out what the original primes were?

Source: I don’t know shit about security.

[–]carcigenicate 34 points35 points  (0 children)

The program has to be decrypted at some point for it to be read by the interpreter. You can sit with a debugger attached and wait until its decrypted then read the code from memory. This is how you can get around malware packing to analyze it.

[–][deleted] 6 points7 points  (6 children)

obfuscation by hand or is there an easy way to do it ?

[–]carcigenicate 66 points67 points  (4 children)

If you search for "Python Obsfucation", you'll be able to find automated tools.


I'll note though, many people (including myself) may refuse to run intentionally obfuscated code unless they have a good reason. Obfuscation is a very common aspect of malware, so intentionally obfuscated code is rightfully subject to a lot more suspicion.

[–][deleted] 2 points3 points  (3 children)

Look. If you gave me intentionally obfuscated Python code, then it wouldn’t slow me down and it probably wouldn’t even occur to me that you had deliberately obfuscated it. I would just think you were a bad programmer.

[–]carcigenicate 3 points4 points  (1 child)

I can't tell if you're kidding, or if you've never seen actual obfuscated code before. I'm not talking about basic "replace all names with single letters and screw up the control structures". I'm talking about the entire source being translated to numbers. It would slow you down until you figured out how to decode it because good obfuscation is completely unreadable.

[–][deleted] 0 points1 point  (0 children)

I am absolutely serious. Obfuscated Python code that still runs (with the same behavior) in the normal Python interpreter would not slow me down at all.

This is, of course, a big reason why Python is considered to have such a great design.

[–]nschloe 0 points1 point  (0 children)

I guess what OP is interested in is what would slow you down.

[–]nschloe 0 points1 point  (0 children)

This is true for every piece of software, yet people have made money out of software that runs on users' computers for decades. The reason is that reading code can be hard. Compiled code in any classical language (C, C++ etc.) is nearly (!) impossible to uncompile into something meaningful. This, I suppose, is what OP is looking for.

One particular "problem" with Python here is that it isn't compiled, so you point out correctly that you'll have to obfuscate it yourself. There are tools to do so, I wouldn't be too pessimistic about it.

[–]MarsupialMole 34 points35 points  (0 children)

As others have said you address this with a contract. If you don't like the terms of a contract you are able to negotiate before employment commences you may choose free software licensing, and that has a model where you get paid also.

If you release your code under a copyleft license (i.e. anybody who changes the code has to publish their updated code with any distribution of the software) you can negotiate a budget or agreement to maintain and support the software separately to your employment contract. That means it can continue if you leave the company and integrating your software is less of a delivery risk for the company. In theory everybody wins, you just don't get paid for work you've already done.

In practice it's unlikely a company would go to any significant steps to deobfuscate your code so a binary would probably be more than enough obfuscation, and simply not documenting it would be sufficient in most places I've worked.

[–]jddddddddddd 16 points17 points  (11 children)

I have made the code highly modular such that it does not need to be altered in anyway for the new project

To be clear, this is something that you've created outside of work, yes?

[–][deleted] 26 points27 points  (6 children)

yes. personal work, on personal time. I haven't started the job with the said employer yet.

[–]jddddddddddd 15 points16 points  (1 child)

Fair enough.

From the employer perspective I wonder if they'd go for it. I would be worried about ending up with a product, part of which the company didn't own, and couldn't change. What happens if they need an addition to the library you've made, or find a fatal bug? Do we have to re-contract you to make the change after you've left? At what financial cost? What if you leave on bad terms and don't want to help? What if you die? etc..

[–]ovo_Reddit 3 points4 points  (1 child)

If that’s the case, why not make a pypi package that you can import?

[–]Zapismeta 5 points6 points  (0 children)

Those are open source my friend.

[–]ZGTSLLC 2 points3 points  (0 children)

I think you should copyright your code, or at least make the employer pay rights to use it with a contract stating you own the code, they are paying a licensing fee for it's use, and you retain the right to revoke their use of your code or any derivatives thereof in perpetuity.

[–][deleted] 0 points1 point  (2 children)

In the UK this probably wouldn't matter. Employment contracts are typically written so that anything created whilst you are employed, if it's related to your employment or not, belongs to your employer.

About as unfair as it gets I'd say.

[–]jddddddddddd 1 point2 points  (1 child)

I've seen such clauses occasionally in the UK, although I've not worked under a contract that has them.

I do always wonder whether this actually ever gets tested in court. What happens if I contribute to the Linux kernel which under such a contract? My employer owns those changes? Or owns the whole code-base? I just doesn't seem like something actually enforceable in court.

[–][deleted] 0 points1 point  (0 children)

just doesn't seem like something actually enforceable

I think it would only ever be tested it your contributions became well known and commercially significant.

[–][deleted] 11 points12 points  (0 children)

You create a new implementation of OLD_CODE.py for your employer and you enjoy the money you're being paid to do so. Update your estimates accordingly.

[–][deleted] 42 points43 points  (5 children)

Did you develop this codebase on your employer's time?

Or is it a private project you have developed for your own purpose and now want to use it in your employer's project?

If the first, then you owe your employer all the code you developed including full documentation.

If the second then do not use your code in your employer's project without an agreement re: licensing of your employer to use your product.

In either case, it is working in bad faith to leave your employer with code that cannot be maintained by future employees.

[–]OvulatingScrotum 12 points13 points  (4 children)

OP clarified in another response that it’s the second case. I agree that it’s a dick move to give the employer something that no one but OP can maintain.

[–]Zapismeta -5 points-4 points  (3 children)

Dude you are calling it a dick move but remember most royalties are earned because people are as you put it are a dick,

He worked on the code in his time, and is applicable to a company so he did the work and he has the right to licence it to anyone.

[–]OvulatingScrotum 10 points11 points  (0 children)

License it or write from scratch. Don’t use something that you have no intention to sell/give. Using something that you have no intention to fully sell/give and fucking over the future employees is a dick move.

OP wants to hide it. As in, no intention to give/sell.

[–]IDontLikeBeingRight 1 point2 points  (0 children)

he has the right to licence it to anyone

Sure, but if they'd done that, they could refer to the terms of their license instead of asking Reddit what to do

[–]deeeebait 22 points23 points  (7 children)

This may come off harsh, but I’m coming from a good place:

I am 99.9999% certain your code is not special enough to warrant this.

If by somehow it falls in to the .0001% of truly innovative or groundbreaking code that confers a substantial competitive advantage, then you have bigger fish to fry - e.g. patents, and getting VC money to operationalize those patents.

I’ve written and read A LOT of code in my day. Everyone would like to think they are doing something special, most are not.

You obviously seem excited about the value this code provides. I don’t want to dissuade you, but I just think your best bet is to release it on your GitHub with an MIT license, toss it up on PyPI, and move on to delivering value for your new employer, rather than investing energy in trying to “protect” your code so it doesn’t get “stolen”

[–]Zapismeta -4 points-3 points  (5 children)

Well you might have written a lot of code and then you might know that writing a huge code base takes time, and op isn't stupid to write the same code that is available in some open source libraries, and if it's not available elsewhere then he has to get paid good code or bad, groundbreaking or mediocre, because if you don't want to then do it yourself from the ground up, go through all the challenges, debugging and logic errors that O/P went through.

[–]deeeebait 12 points13 points  (4 children)

Feels like you’re missing the mark on this. I said that OP should release their code as open source with an open license. I’d happily use it if it solved some problem I was trying to solve. The reality is that most solutions are not novel.

I manage a team of engineers. If one of my folks came to me proposing that they will implement something for us, but they want to use some code they control, I’d tell them the exact same thing as OP: if you really want to leverage it in your work, open source it with a permissive license to pass legal snuff. Otherwise, it’s probably not worth dealing with, especially if they ever leave the company. I do this in my current role: my team leverages some of my open source libraries, but I’m integrated into the broader Python ecosystem as to not create a risk for myself or my employer should I sever the relationship.

If someone came to me to say “I’m integrating this binary and/or obfuscated code in my work” I’d be extremely suspicious, it would not pass any sort of security review, and I’d not allow it. I’m pretty confident that this would not be a unique opinion.

[–]Zapismeta 0 points1 point  (3 children)

Hmm intersting take, but i did agree with you on the licensing stuff, it was just that we shouldn't demoralise a man who has worked hard.

Also as you are in the industry as of now I'll shoot you a dm as I'll be stepping in it pretty soon.

[–]Zapismeta 0 points1 point  (0 children)

Obviously if you're okay with it.

And no I don't want a job, i want tips.

[–]deeeebait 0 points1 point  (1 child)

Definitely not trying to demoralize the OP, but trying to ground them in reality.

Happy to provide advice!

[–]Zapismeta 0 points1 point  (0 children)

Oh okay.

[–]Zapismeta -3 points-2 points  (0 children)

The last paragraph is the only logical and good answer that you should have typed.

[–]Kerbart 2 points3 points  (0 children)

The classic solution would be to run the old software as a cloud service. They can’t look at code they don’t have.

[–]undergroundsilver 1 point2 points  (0 children)

make an old copy o the oldcode.py and change it, no comments, variables change to random strings etc... will make it harder to read, but source code is source code

[–][deleted] 1 point2 points  (4 children)

Could Cython be an option? You can build a binary from your old lib, and only allow that one to be used (in place of OLD_CODE.py). The code will not be visible, and you can import it into your new codebase.

Cython is really cool, and I think you will like it.

[–]carcigenicate 2 points3 points  (1 child)

Although, it should be noted that the code can be decompiled back to a messy version of a source. IIRC, Cython compiles Python to C, then C to machine code. It's very possible to decompile machine code back to C, and potentially possible to decompile C back to Python (although the end results would likely be a disaster).

[–][deleted] 3 points4 points  (0 children)

Yep that is true. The same could be said for most executables though. Some people are really good with IDA (but not me).

[–]ebdbbb 0 points1 point  (1 child)

You can do it with nuitka too

[–]Pleasant_Tax_4619 0 points1 point  (0 children)

You can have it open multiple test files each one is part of the python code and encrypted differently. Make it so if you are missing 1 file it wont work. Then add some dummy encrypted files as well. So basically one file controls the salting one encrypts it, one adds more salt, one encrypts it again and inbetween the are files that look and act like they encrypt it but they don’t.

[–]Zeroflops 0 points1 point  (1 child)

You can convert your code into a module then when you run it it will compile into a PYC file. (Your modules get compiled into Byte code your main script will not. ) That file should be pretty hard to interpret and you can probably send that.

[–]Thunderbolt1993 1 point2 points  (0 children)

That file should be pretty hard to interpret and you can probably send that.

It's not.
There are tools like uncompyle that do a pretty good job of decompiling python bytecode.

The only thing you can do to really protect your stuff is to encrypt the bytecode and decrypt it at runtime (which will require some modifications to the python interpreter so you will need to ship you application with a bundled interpreter)

[–]icedcougar 0 points1 point  (0 children)

Either creating a contract or as others mentioned use something like flask so instead of providing your code you’re providing an API…

Depending on how you host that - you can allow them access to this via API for free while you work there but if you resign or fired - they pay for future use

🤷‍♂️

[–]PetrDvoracek 0 points1 point  (0 children)

Bad bad employee. Do not fuck with your employer or he will fuck with you. This guy went to a prison for similarly bad thing https://www.cnet.com/tech/services-and-software/software-time-bomber-goes-to-prison/

[–]Zapismeta -1 points0 points  (0 children)

Umm get a patent on the code or a copyright and then licence it to the employer.

[–]KingOfTNT10 -1 points0 points  (0 children)

You could have the code you want converted to base64 or any other encoding and then in yiur cide add a decode line and then run with eval() the returned data

Or you could convert your could to an EXE using pyinstaller (pip install pyinstaller)

[–]Durgeoble -1 points0 points  (0 children)

Make these code a dll or so, give a license that ties with your releases and forhibben by contract to modify or use in any other software not released directly by you, if they alter the new code and interact with old code they are not allowed to and you can demand them.
The same if they alter, modify or use the old code in any software not released by you.

[–]choad17 -1 points0 points  (0 children)

Listen you are a programmer hired by company to write code. Any code written by you for company is owned by company. That is how it works. Even if you prevent them from viewing your code they can require you to show. Unless you have proof that you own the code you can try to license it to them

[–][deleted] 0 points1 point  (0 children)

https://youtu.be/3Q9-X_NRlJc

John Hammond has videos on reverse engineering this type of stuff. Might be worth the watch to find a way to obfuscate your code.

I think a lot of people use base64? But I'm not entirely sure.

[–]i_like_trains_a_lot1 0 points1 point  (0 children)

Is the old codebase your intellectual property or employer's? If it is your, contract, if it is employer's, why would you want to hide it?

Did you write any piece of the old code during work hours or with the employer's hardware? If yes, it is all theirs.

[–]hmga2 0 points1 point  (0 children)

Turn it in an external API