Strategies for Distributing Python Programs Securely

Hello all,

I’m looking to develop a commercial program using a slicer. However, I’ve discovered that when I package and distribute this custom program, the source code remains exposed in the scripted model folder.

After searching the community, I found a solution suggesting converting .py files to .pyc files for distribution.
https://discourse.slicer.org/t/how-to-hide-the-code-of-the-script-module/26135/16

Considering the time that has passed, is this still a viable option? Furthermore, I’m planning to encrypt .py files using tools like pyarmor before converting them to .pyc. Is this plan reasonable?

If anyone has experience distributing programs with Python code, I’d appreciate some advice. Any insight would be valuable to me.


I tried the chatbot on this question and I think the answer is a good summary (do others agree?).

Hi @pieper ,

Thank you for your reply!

Regarding this issue, we would like to test whether we can put our script module on the server and have it readable without downloading it (due to security concerns in the code).

After examining the slicer application, it seems that extension modules are defined and read in slicer.org/slicer-####.ini (in my case, 32438) under AdditionalPaths. However, it was difficult to find out how and in what manner they are read. Can we gain insight into this?

In particular, it would be helpful to know how the modules in AdditionalPaths are loaded into slicer and in what order, and how access is possible from slicer.module (for example, slicer.modules.mymodule).

Hi @park -

Those AdditionalPaths describe places where the application searches for code to load and they all must be on the client machine as things currently exist. If the code matches what Slicer expects, the code is loaded as a module. The details are a bit complex but the idea is simple.

In the end if you have code running on a client computer it will need to be read and loaded, even if the code is fetched from the server at run time. If they are .pyc files they will be hard to understand, but in theory someone could decompile or even just call your functions themselves.

You could put in a wrapper that downloads the actual code at runtime and then deletes it after using it, but this seems a bit fragile and wouldn’t stop a really dedicated adversary.

I think the best way to truly isolate your code would be to never put it on the client machine, but instead use it via a web API with encryption and a license key so you know exactly who is calling it.
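
An added example (not part of the original posts, and not Slicer code) illustrating the point above that .pyc files can still be inspected and called: it compiles a constructed sample module to a .pyc, deletes the source, then recovers names and string literals from the bytecode and calls a function from it. The module name `mymodule`, its functions and the salt value are all constructed for this demonstration.

```python
import importlib.machinery
import importlib.util
import marshal
import py_compile
import tempfile
import types
from pathlib import Path

# Constructed stand-in for a proprietary scripted module (not real Slicer code).
SAMPLE_SOURCE = '''
LICENSE_SALT = "constructed-salt-123"
def check_license(key):
    return key == "DEMO-" + LICENSE_SALT
def segment(volume, threshold=0.42):
    return [v > threshold for v in volume]
'''

def exposed_symbols(pyc_path):
    """Return (names, string constants) recoverable from the .pyc alone."""
    # Skip the 16-byte header (magic, flags, mtime/hash, size) used since Python 3.7.
    code = marshal.loads(Path(pyc_path).read_bytes()[16:])
    names, strings, stack = set(), set(), [code]
    while stack:
        co = stack.pop()
        names.update(co.co_names)
        for const in co.co_consts:
            if isinstance(const, types.CodeType):
                names.add(const.co_name)
                stack.append(const)
            elif isinstance(const, str):
                strings.add(const)
    return names, strings

def call_without_source(pyc_path):
    """Load the bytecode-only module and call its check with a recovered constant."""
    loader = importlib.machinery.SourcelessFileLoader("mymodule", str(pyc_path))
    spec = importlib.util.spec_from_loader("mymodule", loader)
    module = importlib.util.module_from_spec(spec)
    loader.exec_module(module)
    return module.check_license("DEMO-" + module.LICENSE_SALT)

def run_demo():
    with tempfile.TemporaryDirectory() as workdir:
        src, pyc = Path(workdir, "mymodule.py"), Path(workdir, "mymodule.pyc")
        src.write_text(SAMPLE_SOURCE)
        py_compile.compile(str(src), cfile=str(pyc), doraise=True)
        src.unlink()  # ship only the .pyc, as the thread proposes
        names, strings = exposed_symbols(pyc)
        return names, strings, call_without_source(pyc)
```

Anything the module needs at run time, including names and literals, ships with it; only logic kept behind the server-side API suggested above stays off the client.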

@pieper Thank you for the advice.

I would like to repost the article regarding this matter for more specific implementation.

Thank you for always responding kindly.