I have to agree with tachyon here. One of the benefits of compiling your scripts - according to ActiveState - is:

Script Encryption
Protect your intellectual property with the ability to hide your source code.

Yes, the source code is hidden, but the suggestion that this allows one to protect one's intellectual property is flat out wrong. My personal thought is that it is dishonest for a company to suggest that their products offer more than they do.

Incidentally, this is not the only time that ActiveState has decided that security is not that big of a deal. From an email correspondence I had with ActiveState (emphasis mine):

Unfortunately, PerlEx does not currently allow you to use taint checking. However, it is being considered as a feature of the next PerlEx release, which is scheduled to occur in the couple of months.

That email was sent two months ago, as of this writing. As far as I understand, they still do not incorporate taint checking in PerlEx. Security does not appear to be a significant concern to them.

Side note: we are in the process of migrating one of our largest projects from Win2K/IIS to Linux/Apache/mod_perl in part because of ActiveState's lackadaisical attitude regarding security.

Cheers,
Ovid

Vote for paco!

Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.

Script Encryption
Protect your intellectual property with the ability to hide your source code.

In that case, one wonders whether perlmonks.com et. al. are in violation of the DMCA for reverse-engineering a mechanism that "effectively controls access to a copyrighted work". Of course, the word "effective" isn't the first that springs to mind in this particular case :-)

   MeowChow                                   
               s aamecha.s a..a\u$&owag.print

Where are you getting this? Is there a perldoc PerlApp you are looking at?

The ActiveState PDK3.0 docs clearly state the purpose of PerlApp. It Turns your Perl scripts into executables, so that you can run Perl scripts on computers without installing Perl.

Maybe ActiveState stated the security business in previous versions of PerlApp or PDKs. And then again, perhaps they realized the folly of protecting IP. I'm sure they wouldn't want to be liable for someone's IP being compromised using their product.

Please post the relevant documentation so I can understand what you and tachyon are saying. No offense, but I think you guys are getting worked up over a fallacy.

As lemming pointed out, that was caused by my confusing PerlEx and PerlApp. Once I saw that, I started looking at things a bit closer. PerlEx claims to offer the source code protection. However, all PerlEx does is keep a version of Perl memory-resident and compile the first execution of a Perl/CGI script and save that in memory (see this link for details). The source code is still readily available. Why the heck do they claim source code protection when there is absolutely no attempt to protect the source code?

Now regarding PerlApp, there's no apparent claim that source code is protected. However, since you wish to play Devil's Advocate, why, exactly, would one wish to XOR the source code with a string? This merely adds an unnecessary level of complexity. In fact, the only reason that I could come up with is a naive attempt to hide the source code, which brings us back to tachyon's original post. If you have other theories, I'd love to here them.

Cheers,
Ovid

Vote for paco!

Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.

This may be a PerlApp vs. PerlEx issue

I note that the PerlEx page has the encryption quote. Nothing with PerlApp.

I am curious if the copyright notice "encryption" is on their free version of PerlEx and there may be a better version on their licenced version. (Not curious enough to pay money though)

my $0.02 = "Isnt it part of the Perl license that things distributed with Perl source, are distributed under the same license as Perl itself?";

If so, where is the intellectual property?

_14k4 - perlmonks@poorheart.com (www.poorheart.com)