Best practice using PackageCompiler.jl (or something else!) for code obfuscation and extensibility

I want to use Julia for a new, proprietary, software package being developed at work, however, a couple of requirements are that the package be deliverable to customers without visible source code and be extensible to allow custom types/functions/objects.

I was able to achieve this by using PackageCompiler.jl to build a relocatable sysimage (as a .dll), which allowed me to access my package’s structs/functions on another machine without being able to view the source.

I’m a noob when it comes to the pre-compilation stuff (and Julia generally), and just want to know if this is best practice? Right now I have to specify the sysimage at startup via the following and I’d like it if I could provide simple instructions to other users to be able to load up this sysimage into their chosen IDE (i.e. VSCode/Pluto/Jupyter)

$ julia --sysimage MyPackageSysimage.dll

julia> using .MyPackage

Thanks!

2 Likes

As for the “obfuscation” part, the following paragraph from the PackageCompiler documentation comes to mind:

https://julialang.github.io/PackageCompiler.jl/dev/apps.html#Reverse-engineering-the-compiled-app

However, IIUC part of the above might be alleviated by new 1.8 features (but I’m not sure exactly how these are meant to be used…)

2 Likes

Thanks for the response! Regarding the reverse engineering of PackageCompiler compiled apps, I’m not worried about the user seeing the build machine paths or the function/type names. Python is also being considered, and it looks like it may have similar reverse engineering issues. The lowered code is more concerning, but if it would require significant effort to recreate the whole package source from the delivered sysimage/app, then that meets our requirements. Do you know if it would be straightforward for someone to use Julia’s metaprogramming (or other) capabilities to back out the source from the metadata available from macros like @code_lowered and @code_warntype? Am I understanding correctly that the --strip-ir and --strip-metadata remove this capability from the julia sysimage compiled with those options?

Thanks for the links to the --strip-ir and --strip-metadata options. I think that’ll address some concerns. Looks like I can pass those arguments to PackageCompiler.jl via the sysimage_build_args option. I found this comment in another thread helpful as well.