0

In my setup, py2exe bundles all the dependency modules into a zip, and I can see them (*.pyo) on the deployed machine.

My script windows_app.py is specified in setup.py as setup(windows=["windows_app.py"]). However, I do not see windows_app.pyo on the deployed box anywhere (is this correct?). I do see "windows_app.exe" though, which is expected.

My question here is: can I keep my private password in windows_app.py (which goes into windows_app.exe) and assume it is a better place, as the .pyo files are easily decompilable?

Vink
  • 1
    If someone really wants it, they will get your password if it is stored anywhere in the local package ... exes are also easily decompiled (especially when it's just a thin wrapper around Python) – Joran Beasley May 20 '14 at 23:51
  • 3
    You definitely shouldn't keep any sensitive data inside the executable. – Jwosty May 20 '14 at 23:58
  • Well, I can scramble my password or distribute it in my code etc. I had an opinion that it is not easy to decompile an exe. Also, how is the executable generated by py2exe different from the one generated by MSVS or gcc (considering optimization etc.)? – Vink May 21 '14 at 00:14
  • Why are you storing a password in the EXE? Also, presume anything you give to someone else they can find out, so don't give them a secret. Give them a hash or not at all. –  May 21 '14 at 01:26
  • I am not putting a plain-text password etc.; it is a hash and a salt. How do I protect them? – Vink May 21 '14 at 06:16

1 Answer

1

An exe compiled by py2exe isn't compiled in the same sense as a C/C++ application is. When you run py2exe's setup command, it collects your dependencies and packages them together. Depending on the options supplied, it can create an archive file that contains the .py[odc] files that comprise your app, but they are still on the user's system. They can be accessed, decompiled, inspected, or modified. What a user does with your code once they have it is out of your hands. You should not deploy sensitive information, passwords, private keys, or anything else that might cause damage in the "wrong" hands.

g.d.d.c
  • Thanks, I am deploying a constant hash and a salt on the user's box. Yes, I see that py2exe generates an archive, but it also generates an executable from the script provided in the setup ( windows[] ) section. I cannot find this <script-name>.pyo in the generated archive or anywhere after installation. I assume all the code goes into the .exe. Is that a correct assumption? – Vink May 21 '14 at 06:26
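
As an added example (not code from the question or the answer), here is a pre-release check that illustrates the answer's point: string constants such as a hash and a salt stay readable in bundled bytecode. The archive contents, the constant values and the `SECRET_LIKE` rule are constructed for illustration, and the 16-byte header length assumes a Python 3.7+ interpreter.

```python
import io
import marshal
import re
import zipfile
from importlib.util import MAGIC_NUMBER

PYC_HEADER_LEN = 16  # assumption: Python 3.7+ layout (Python 2 .pyo used 8 bytes)
SECRET_LIKE = re.compile(r"[0-9a-fA-F]{32,}")  # hypothetical rule: long hex runs


def build_sample_bundle():
    """Constructed stand-in for a bundled library archive (not real py2exe output)."""
    source = (
        "SALT = 'c0ffee00c0ffee00c0ffee00c0ffee00'\n"
        "def check(pw):\n"
        "    expected = 'deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef'\n"
        "    return pw == expected\n"
    )
    code = compile(source, "windows_app.py", "exec")
    pyc = MAGIC_NUMBER + b"\x00" * 12 + marshal.dumps(code)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("windows_app.pyc", pyc)
    return buf.getvalue()


def iter_strings(code):
    """Yield every string constant, descending into nested code objects."""
    for const in code.co_consts:
        if isinstance(const, str):
            yield const
        elif hasattr(const, "co_consts"):
            yield from iter_strings(const)


def audit_bundle(zip_bytes):
    """Return sorted (member, constant) pairs whose constant looks like a secret."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if not name.endswith((".pyc", ".pyo")) or data[:4] != MAGIC_NUMBER:
                continue  # not bytecode, or built by another interpreter version
            code = marshal.loads(data[PYC_HEADER_LEN:])
            findings += [(name, s) for s in iter_strings(code) if SECRET_LIKE.fullmatch(s)]
    return sorted(findings)


if __name__ == "__main__":
    print(audit_bundle(build_sample_bundle()))
```

Any finding from a check like this on a real build means the value should be treated as public; secrets that must stay private belong on a server the user authenticates to, not in the shipped package.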