z/OS

IBM z/OS is a widely-used mainframe operating system designed for a stable, secure and highly available environment for running mission-critical applications.


Can Python be byte code only executable?

  • 1.  Can Python be byte code only executable?

    Posted Mon March 31, 2025 09:03 AM
    Edited by Lorraine Rizzuto Wed April 09, 2025 09:12 AM

    A standard two-step deployment procedure for executables secures the production machines by preventing execution of human-readable text source code on the production machines. The first step is to write the source code, convert the human-readable text source code to an executable object or binary module (such as byte code or a load module) with a compiler, and then test on the development machine. The second step is to deploy the binary executable to the production machine. The requisite compiler is not needed and not installed, or at least not authorized to be executed, on the production machine. Similarly, the source code is not needed and not installed, or at least not authorized to be read, on the production machine. Java v8 featured this two-step deployment procedure that secures production. IBM REXX can also enforce this secure two-step deployment procedure with a compiler via load modules. The REXX source code interpreter and source code are then not needed and can be removed or unauthorized on the production machines. While Cython similarly converts Python to C/C++ so it can be deployed as a load module, the Cython web site indicates that it requires Linux, which may not be installed.

    When the UNIX file system is shared across machines, and I was told such sharing is needed for GPDS, the same UNIX user home directories are available from both the development and production machines. Unfortunately, starting with Java v11, and now also with Python, the interpreter automatically compiles and executes source code, thereby undercutting the ability to properly secure the production machine by making it easy for people with production machine accounts that include a UNIX user home directory to edit, save, and execute the source code on the production machine, thus bypassing the two-step-based software change management security controls where the first step needs to be completed on the development machine.

    Is it possible to deploy Python and/or Java programs to production machines that have been configured so that it is not possible for people with production machine accounts to execute uncompiled Python or Java source code scripts on the production machines from their UNIX home directories? How could that be done?


    ------------------------------
    Mathew Goldstein
    ------------------------------
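
The two-step procedure described in the post, applied to Python with the standard library's `compileall` module. This is an added example, not part of the original post or any IBM tooling; the sample tree (`app/job.py`, `main.py`) and the function names are constructed for illustration.

```python
import compileall
import pathlib
import shutil
import subprocess
import sys
import tempfile


def build_bytecode_only(src_dir, deploy_dir):
    """Development-machine step: compile src_dir, copy only the .pyc files."""
    src_dir, deploy_dir = pathlib.Path(src_dir), pathlib.Path(deploy_dir)
    # legacy=True writes name.pyc beside name.py instead of into __pycache__;
    # only that layout can be imported when the .py source is absent.
    if not compileall.compile_dir(str(src_dir), legacy=True, force=True, quiet=1):
        raise RuntimeError("compilation failed; nothing deployed")
    deployed = []
    for pyc in src_dir.rglob("*.pyc"):
        rel = pyc.relative_to(src_dir)
        if "__pycache__" in rel.parts:
            continue  # cache files from earlier imports are not deployable
        target = deploy_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(pyc, target)
        deployed.append(rel.as_posix())
    return sorted(deployed)


def demo():
    """Build a constructed sample tree, deploy it, run it without any source."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dep = pathlib.Path(tmp, "src"), pathlib.Path(tmp, "deploy")
        (src / "app").mkdir(parents=True)
        (src / "app" / "__init__.py").write_text("")
        (src / "app" / "job.py").write_text("def run():\n    return 'ran from bytecode'\n")
        (src / "main.py").write_text("from app.job import run\nprint(run())\n")
        files = build_bytecode_only(src, dep)
        leftover = [p.name for p in dep.rglob("*.py")]  # must stay empty
        # Production-machine step: the interpreter runs main.pyc directly and
        # resolves the imports from the sibling .pyc files.
        out = subprocess.run([sys.executable, "main.pyc"], cwd=dep,
                             capture_output=True, text=True, check=True)
        return files, leftover, out.stdout.strip()


if __name__ == "__main__":
    print(demo())
```

A `.pyc` file is tied to the interpreter release that produced it, so the production machine must run the same Python version as the build. This covers only the deployment half: the interpreter will still accept a `.py` file it is handed, so restricting who may execute source remains a separate control.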