Hi everyone, is there a way to distribute a Racket library without publishing its source code? There is load function to load a rkt file, and load/use-compiled function is used for loading .zo file?
Yes it is possible to distribute a library as binary only, but there are a few things to be aware of: binary code is specific to a Racket version, so you will need to supply binaries for each Racket version you want your library to be used with. Also, if your library uses any extra packages from http://pkgs.racket-lang.org\|pkgs.racket-lang.org, you will need to pin down the versions of the packages you depend on by creating a catalog, since http://pkgs.racket-lang.org\|pkgs.racket-lang.org will only supply the latest version of a package.
Dumb question but how can you call a function given only .zo and .dep files?
The .zo file contains the name of the function and the “machinecode” to evaluate when the function is called.
I am not 100% sure how they work using the new Chez Scheme backend. In the old BC backend the zo-files contained bytecode. The bytecode were instructions for a virtual machine that had operations like “create new function”. Allocate new datum. Etc.
One q: why do this? From a security perspective, I have to imagine it’s possible to reasonably decompile things…
It’s pretty low-level so it would take considerable effort. Just like going from real machine code to source code.
Sure, but people have disassembled/decompiled retro games and all kinds of other things. I’m just arguing that, with enough dedication, it could be done, so you’re still at risk of exposing some source. Which doesn’t matter if you’re not doing this for security. But if you are… this isn’t really what I would call “secure,” but it depends on your threat model I suppose.
With Racket CS, the code is machine code, so you’d need different versions per architecture/OS
You can also distribute zo files with machine-independent byte code (basically fully expanded s-exps)
The machine code would be relatively tricky to decompile, the Racket BC bytecode much less so, and the machine independent bytecode even easier
From the initial question I had assumed that this was for “intellectual property” reasons, not for security. I agree with @ben.knoble that relying on obfuscation by having machine code wouldn’t be effective. So if security comes into play here, the obfuscation could only be an additional obstacle, not the basis for a (not) secure software.
Even for IP, probably not a great solution, but I’ll get off my soapbox :slightly_smiling_face:
@simonec has joined the channel
For Racket 8.1 can anyone tell me if dynamic-require would be much slower than an equivalent require?
require is done at compile-time, but dynamic-require is done at run-time, so they are not really comparable