 Dave Smith - 2015-11-12 23:56:46
Using Nick Daniel's GhostCrypt version 2, it is now possible to easily generate obfuscated class files.
I reviewed the package submission policy, and there is no mention that I could find which requires open source. So my question is... are obfuscated packages allowed?
Dave
 Manuel Lemos - 2015-11-13 02:48:34 - In reply to message 1 from Dave Smith
Well, it is not the first class that generates obfuscated or encrypted code.
There is nothing in the submission rules about obfuscated code because nobody sent obfuscated packages, except once when one user sent code with eval base64_decode, but it had bad repercussions because it made it hard for people to understand what it does.
Many users do not really use packages but rather take a look at the code to pick ideas. I also need to be able to read the code to understand what it really does, in order to elaborate a good description to approve the package.
In that case it was really not hard to decode the class code, so I approved it as is. But after the bad repercussions, I decided to talk with any authors that do it again to provide code that everybody can understand.
I just did not update the site rules because it only happened once, with one author submitting obfuscated code. But now that you asked, if an author submits packages with obfuscated code, I will politely ask them to provide a version that anybody can understand.
Actually even when the code is readable, sometimes package approval is delayed because I need to ask the authors how the packages work or I need to spend more time understanding the code by myself.
Anyway, why would you want to submit obfuscated code? Just let me know, maybe we can think of a different solution for the problem you want to solve.
 Dave Smith - 2015-11-13 17:40:55 - In reply to message 2 from Manuel Lemos
Well, my thinking on this is fairly drawn out, but I will attempt to keep from straying too far into left field :)
The package has changed a bit since you approved it, so that it now also provides a way to truly protect the code if the file is stolen. However, to share the code willingly it has to be obfuscated using the less secure method, which anyone who understands the process can easily decrypt.
It currently uses a pseudo public/private key scheme for the secure method and the next logical step is to use a true public/private key which would make publicly shared code nearly impossible to read and easy to share.
A practical example would be if a developer had discovered an undocumented API to a very useful service. He may have spent months testing different endpoints and would prefer to make it so that other developers would actually need to put in some effort of their own, instead of just cutting and pasting his work into their own packages.
So, that got me wondering if phpClasses was only part of the open source PHP community, or if you allowed obfuscated code. Obviously, it defeats the purpose to obfuscate if you are also required to provide the source.
Anyway, that is why I asked.
Dave