merlyn
  merlyn@stonehenge.com
http://www.stonehenge.com/merlyn/
Journal of merlyn (47)

Sunday February 23, 2003
04:13 PM

perl2exe - no more secrets

[ #10743 ]
perl2exe is no way to hide your source code. Never was. Please recommend PAR instead.
  • I don't think any knowledgeable individual ever recommended perl2exe (or perlapp) as obfuscation. For that matter, PAR does not adequately satisfy the requirements which led many to the aforementioned "compilers". Specifically, it does not create a single distributable executable. It comes close, but it requires a pre-existing perl environment.
    --
    Were that I say, pancakes?
    • Re:Umm (Score:4, Insightful)

      by Ovid (2709) on 2003.02.23 17:11 (#17414) Homepage Journal

      What is extremely aggravating about this is that the author credits Simon Cozens as being the source of information about the vulnerability. I was shocked. Simon Cozens should know better!

      Of course he knows better. In his email to bugtraq [simon-cozens.org], Simon very plainly states:

      The problem is not Perl2Exe itself, which does what it's supposed to do and does it well. The problem is people's expectations of it; they think that once it's in a "executable format", their source code can't be read. They're wrong.

      In my opinion, the author of the "vulnerability" warning should have made this clear. Instead, a reader with no knowledge of what is going on will be led to believe that a vulnerability in the software has been discovered when, in fact, it's merely users not understanding their tools (gah! I should be a Microsoft flack :). Further, there is a suggestion that the vendor may have been negligent as the author writes "Vendor has been notifyed a year ago..."

      I think that this information should be disseminated, but it should not be spread in such a way as to give a misleading impression, which is certainly what is happening here.

    • PAR does not require a pre-existing perl environment -- all it needs is a libperl.so or Perl5x.dll, if your Perl is compiled dynamically.
  • Please recommend PAR instead.

    PAR is not a way to hide your source code, either. Please disabuse users of the notion that they can "hide their source code" and still run it through the Perl interpreter.

    PAR is a distribution mechanism to simplify application deployment, no more no less. (It's actually quite ingenious, but that's a side issue.) There may be plans to add cryptographic signatures or even encryption to PAR at some point in the future. Neither of these options are available now, and nei
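The point made in the post and in the last comment, that a packed Perl program still has to hand its plain source to the interpreter, can be seen directly with PAR: a .par file is an ordinary zip archive, and a pp-built executable is a native launcher with that archive appended to it. The following is an added example written for this page (it is not code from merlyn, the commenters, or the PAR project); the sample script, module, and the launcher stub are constructed stand-ins, and the script/ and lib/ layout is the one PAR uses for programs and modules.

```python
import io
import zipfile

# Constructed sample "application": one program and one module, laid out the
# way a PAR archive organises them (script/ for programs, lib/ for modules).
# These files are written for this example only.
SAMPLE_FILES = {
    "script/main.pl": (
        "#!/usr/bin/perl\n"
        "use strict;\n"
        "use Secret::Key;\n"
        'print Secret::Key::key(), "\\n";\n'
    ),
    "lib/Secret/Key.pm": (
        "package Secret::Key;\n"
        'sub key { "hunter2" }   # the "hidden" secret\n'
        "1;\n"
    ),
}

# Assumed stub: a pp-built binary is a native launcher with the zip appended
# after it. A few bytes of filler stand in for the real launcher here.
STUB = b"\x7fELF-stand-in launcher (constructed, not a real executable)\n" * 4


def build_par_archive(files=SAMPLE_FILES):
    """Return the bytes of a zip archive laid out like a .par file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()


def build_packed_executable(files=SAMPLE_FILES):
    """Launcher stub followed by the archive: the shape of a pp output file."""
    return STUB + build_par_archive(files)


def recover_sources(blob):
    """Pull every Perl source file back out of a packed executable.

    zipfile finds the central directory by scanning from the end of the data
    and corrects for the launcher bytes in front of it, so no knowledge of
    the stub's size is needed.
    """
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {
            info.filename: zf.read(info).decode()
            for info in zf.infolist()
            if info.filename.endswith((".pl", ".pm"))
        }


if __name__ == "__main__":
    exe = build_packed_executable()
    for name, text in recover_sources(exe).items():
        print(f"==== {name} ====")
        print(text)
```

On a real pp-built binary the same recovery is a one-liner, `unzip -l app.exe`, because unzip likewise tolerates data in front of the archive. Nothing about this is a flaw in PAR or perl2exe: whatever packaging or encryption wraps the script, the decrypted text must reach the interpreter on the user's machine, and anything the interpreter can read, the user can read.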