I know the answer to this really, but just in case …
A customer of mine wants my Anvil software installed locally. The problem with that is once the code is out there, any “secret sauce” I have is gone and the chances of me being cut out of the loop are high. Maybe not straight away, but the time will come when they will get some Fiverr.com person to “just have a look” when I’m on a rare holiday. It’s always a risk for a one man band. That and the fear I may go under a bus, metaphorically or otherwise.
So is there any way I can effectively “lock up” the distributed software, putting the “key” in escrow? Of course the customer will clearly have root access to the server itself.
As far as I can tell, the open-source server runs apps from plain-text config files (for forms, server code, etc.), so these could, I assume, easily be imported into a new Anvil account and worked on from there.
Any points of view or insight would be gratefully received.
There’s very little you can do to stop a bad actor. However…
Who owns the Intellectual Property (the code) ?
Do they pay you for the provision of a service which is based on them using your app or, do they pay for your time to write code?
If it’s the former, they are now asking for a licence to use your code, so put one in place and charge for that. You will find it tricky to stop them stealing it, but it will be much clearer that that is in fact what they’re doing.
If it’s the latter, they probably own the IPR anyway and you don’t really have any right to stop them in the first place.
I will agree with @owen.campbell here. Licensing is a simple and easy way to stop them from stealing. Plus, your backend will always be safe.
But just in case you want to do something really crazy, you can try
Step 1: Do all your Anvil work on a hidden app
Step 2: Maintain a published version of the app. This will have the same forms and modules as your hidden app, but keep the code for all forms and modules blank for now.
Step 3: Choose one of the trillions of methods to encode code for all forms and modules.
Step 4: Now fill in the blank forms in your hidden app. First, decode the code for the respective form or module, and then call exec on that decoded string.
This method will make your development more difficult and can have effects on your performance too… Even I find this absurd. But I don’t think there is any other way to hide your client code.
Actually, I realized: what am I doing? If the client side can decode your code, anyone can do it too. This method will just stop the code from being visible too easily.
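The four steps above, worked through as an added example (this is not code from the thread, from Anvil, or from any poster). The encoding is zlib + base64, chosen only to stand in for "one of the trillions of methods"; the `price_with_tax` function is a constructed placeholder for a form's code. It is run here on ordinary CPython; whether `exec` behaves the same in Anvil's in-browser Python is not something this thread establishes. The last function makes the point of the follow-up post: the decoder ships with the client, so recovering the source is the same one-liner the client itself uses.

```python
import base64
import zlib

# Constructed sample: the source of one form/module as it would live in the
# hidden app. Illustrative only; not code from the thread or from Anvil.
FORM_SOURCE = '''
def price_with_tax(net, rate=0.2):
    """The 'secret sauce' a competitor would want to read."""
    return round(net * (1 + rate), 2)
'''


def encode_module_source(src: str) -> str:
    """Step 3: encode the form's code. zlib + base64 is reversible by design;
    it hides the text from a casual glance and from nothing else."""
    return base64.b64encode(zlib.compress(src.encode("utf-8"))).decode("ascii")


def decode_module_source(blob: str) -> str:
    """Inverse of encode_module_source; this function must ship with the app."""
    return zlib.decompress(base64.b64decode(blob)).decode("utf-8")


def load_obfuscated(blob: str) -> dict:
    """Step 4: the published (blank) module decodes the blob and exec()s it,
    returning the namespace so callers can reach the defined functions."""
    namespace: dict = {}
    exec(decode_module_source(blob), namespace)
    return namespace


def recover_source(blob: str) -> str:
    """What anyone holding the published app can do: the same decoder the
    client runs gives the original source back verbatim."""
    return decode_module_source(blob)


def demo():
    """Round trip: obfuscate, load via exec, call the hidden function, then
    show the 'attacker' view recovers the exact source text."""
    blob = encode_module_source(FORM_SOURCE)
    ns = load_obfuscated(blob)
    return ns["price_with_tax"](100.0), recover_source(blob) == FORM_SOURCE


if __name__ == "__main__":
    print(demo())
```

Swapping zlib + base64 for any other client-side reversible transform changes nothing about the last function: whatever key or algorithm `decode_module_source` needs is, by construction, present on the machine running it.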
is the best case I can think of as well. I usually host all my services for precisely this reason. I think my recent personal Covid outage spooked some of them …
Actually I think there is a great way of setting things up when you are on holiday.
What if you took some of the server functions and moved them to a virtual machine that you control? You can call them just the same, but the code won't be accessible to anyone using Anvil, especially a Fiverr quick-hire. In the situation you are talking about, you could set things up like this when you go on holiday so that your work is “protected”.
Currently, if you are using Python 3.9 and above, the compiled bytecode .pyc files themselves are very hard to decompile back to human-readable form. It is possible, but beyond most thresholds for effort vs. reward.
This will not last forever, so you would have to recompile everything, probably sooner or later, to whatever was next in line for “hard to do right now”.
But you could always build a “to .pyc compiler” written in python, if all you are trying to secure is your own code/methods/maintenance.
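A minimal "to .pyc compiler written in Python", as an added example (not code from the thread, from Anvil, or from any poster): it compiles a module to bytecode with the standard library's `py_compile`, deletes the `.py`, and imports the result with `SourcelessFileLoader`. The `pricing` module and its `SECRET_MARGIN` constant are constructed placeholders. The third function shows the caveat a practitioner should weigh against the "hard to decompile" claim: no decompiler is needed to read the function names, global names and constants out of the bytecode, because `marshal` hands back the code object directly. The 16-byte header skipped there is the CPython 3.7+ layout (magic, flags, source mtime or hash, size).

```python
import importlib.machinery
import importlib.util
import marshal
import os
import py_compile
import tempfile

# Constructed sample module. Illustrative only; not code from the thread or Anvil.
MODULE_SOURCE = '''
SECRET_MARGIN = 0.35

def quote(cost):
    return round(cost * (1 + SECRET_MARGIN), 2)
'''


def compile_to_pyc(source: str, module_name: str, out_dir: str) -> str:
    """Write the source to disk, compile it to a .pyc, remove the .py.
    Returns the path of the bytecode file that would actually be shipped."""
    src_path = os.path.join(out_dir, module_name + ".py")
    pyc_path = os.path.join(out_dir, module_name + ".pyc")
    with open(src_path, "w", encoding="utf-8") as f:
        f.write(source)
    py_compile.compile(src_path, cfile=pyc_path, doraise=True)
    os.remove(src_path)  # ship only the bytecode
    return pyc_path


def load_pyc(pyc_path: str, module_name: str):
    """Import a source-less module straight from its .pyc file."""
    loader = importlib.machinery.SourcelessFileLoader(module_name, pyc_path)
    spec = importlib.util.spec_from_loader(module_name, loader)
    module = importlib.util.module_from_spec(spec)
    loader.exec_module(module)
    return module


def names_visible_in_pyc(pyc_path: str) -> set:
    """What leaks without any decompiler: unmarshal the code object and
    collect every global name referenced by the module and its functions."""
    with open(pyc_path, "rb") as f:
        f.read(16)  # CPython 3.7+ pyc header
        code = marshal.loads(f.read())
    names = set(code.co_names)
    for const in code.co_consts:
        if hasattr(const, "co_names"):  # nested code object (a function body)
            names.update(const.co_names)
    return names


def demo():
    """Compile, import from bytecode only, call the function, and list the
    names an inspector can read back out of the .pyc."""
    with tempfile.TemporaryDirectory() as tmp:
        pyc = compile_to_pyc(MODULE_SOURCE, "pricing", tmp)
        mod = load_pyc(pyc, "pricing")
        return mod.quote(100.0), names_visible_in_pyc(pyc)


if __name__ == "__main__":
    print(demo())
```

The bytecode is tied to the interpreter's magic number, which is the recompile-on-every-version cost the post mentions; and since the names, constants and `dis` output survive intact, it raises the effort of reading the logic without removing the ability to do so.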