1. We are planning scheduled maintenance on this website on Friday 5 March (tomorrow) at 4:00 am UTC. It is estimated that this maintenance will last 15 minutes. You can view this time in your local timezone here. Thanks.
    Dismiss Notice

Is obfuscation acceptable?

Discussion in 'Spigot Discussion' started by buildblox, Mar 17, 2017.


Is Obfuscation Acceptable?

Poll closed Mar 31, 2017.
  1. Yes, because...

    32 vote(s)
  2. No, because...

    20 vote(s)
Thread Status:
Not open for further replies.
  1. EDIT: This thread has been summarized and released as an article here: https://craftbuzz.net/2017/04/11/the-price-to-pay-is-obfuscation-acceptable/

    I want your thoughts: do you think obfuscation in plugins/programs is acceptable? If so, or if not, why?
    @MiniDigger ;)

    Disclaimer: this information is being collected for an upcoming article of mine. We will always ask for your permission prior to quoting you or your post.
    #1 buildblox, Mar 17, 2017
    Last edited: Apr 12, 2017
  2. Everything is still readable... People waste a lot of time and money on obfuscating stuff but it is still shit.
    • Agree Agree x 1
  3. MiniDigger


    - it can decrease performance
    - it makes debugging in prod harder
    - it wastes time to configure it
    - it wastes money on buying software
    - it doesn't fully protect your software anyways
    - it makes your software harder to maintain if you chose to abandon it
    - it makes it harder to add my own modifications

    I prolly forget a couple, but those are the point I can give you ontop of my head.

    for everyone replying here, PLEASE:
    - stay on topic
    - stay rational
    - provide actual arguments

    see you on page 10
    • Like Like x 3
    • Agree Agree x 1
  4. Hey, the more content provided, the better ;)
  5. *cough* *cough* @Shahar_hn...
  6. By the way, some obfuscators are really shit, like ALLATORI.... You can still read the methods etc...
  7. Strahan


    While I agree with you overall, the "makes debugging hard" and "harder to maintain" part aren't really valid because the author would have the original, non-obfuscated project to work with.
  8. Choco


    And when someone reports a stacktrace for the method a.a.a.b.aBDc(), will you know where to look? Most likely not...

    Also, @OP:
    • Agree Agree x 2
    • Like Like x 1
  9. Strahan


    Ah, good point lol. I was thinking of local debugging.
  10. All modern obfuscators generate mapping, and can deobfuscate a stacktrace with it.
    • Like Like x 1
    • Agree Agree x 1
  11. Hence the ;)
    • Like Like x 1
  12. MiniDigger


    you will have to save every mapping version of every plugin version you ever distributed and then need to search for the right version. that's certainly harder than just looking at it.
  13. MiniDigger


    it's for his blog, that's kinda OK ^^
    • Like Like x 2
  14. Acceptable yes, useful no.
    • Agree Agree x 2
  15. JustisR


    I'm still very much interested in hearing other people's positions on this, not being particularly convinced either way, however, I feel that I naturally lean towards a few points regarding the subject.

    Free projects should never be obfuscated and should be open-source, unless the code could be used to break it's functionality. Such as with anti-cheats; because otherwise, there's no reason not to collaborate with the rest of the development community in an open-source way.

    The authors of paid projects, assuming my previous position on what projects should and shouldn't be paid; that being those which are meant as rare and unique luxury items as opposed to those meant for the general public where competition is already there, should feel free to obfuscate their projects given their own best judgement. Are they willing to deal with the disadvantages in order to keep their original source to themselves? Is the code provided in their plugin worth going to the effort of ensuring it isn't recycled into the plugins of those who would have otherwise copied/skidded it?
    Most of the time, that's probably going to be a "No".
    Most of the time, it's much more advantageous to the author and the users of the plugin if the source is kept readable, especially when concerning the majority of spigot plugins, where their development time averages under a couple months at most.
    However, sometimes it's worth it to the author in the long run to keep the original source to themselves. Sometimes, not often, but sometimes the luxury item is something worth copying/skidding, and the author may feel the need to obfuscate it to protect the item's intended rarity which makes it special, and of course, it's always up to the author what they do with their work.
    Plugins that get plenty of downloads despite their price being upwards of $30USD probably meet that criteria, and of course, once again, I do believe the download count gives us a pretty good idea of when the author has made the overall right decisions concerning the development life cycle of their project. However, only they can truly say what's satisfactory. Only the author knows the project's intended aim.

    Hopefully, even when we disagree, we can all choose to respect each author's decision on the subject of their source. Obfuscated or not.

    Looking forward to everyone else's input.
    • Like Like x 1
  16. MiniDigger


    well, if somebody is plainly copy pasting your code and reuploading it, ppl will report it and it will be taken down.
    if somebody takes a look at your code and copies a nice hack you found to do something nice, you can't stop ppl from that using obfuscation.
    generally, the more complex your resource is, the more unlikely it is that ppl will copy it. it would be way to obvious.

    another point I want to throw in: licencing. (sorry if that is too offtopic)

    bukkit is licensed under the GNU General Public Licence, GPL in short. (https://hub.spigotmc.org/stash/projects/SPIGOT/repos/bukkit/browse/LICENCE.txt). The GPL has some special parts, which aims to benefit the project. The parts I am talking about here are that you Cannot Sublicense a project licenced unter the gpl. this includes derivative work. one could consider bukkit plugins as derivative work. that would mean that every plugin needs to be gpl too. that would be that you have to disclose the source if asked and that you can't sell it. that could be an issue for some ;)
    this problem was made clear to the lead back when the licence was originally announced, 6 years ago.
    EvilSeph, one of the projects lead ppl back then, said this:
    those considerations lead to nothing. (see https://bukkit.org/threads/what-license-is-the-bukkit-project-under.154/ for the full thread)
    note that IANAL, I have no idea if an actual lawyer would follow my argumentation. could be kinda interesting to find out tho.

    but yeah, if you follow that argumentation obfuscation is not acceptable because you could break bukkits licence.
  17. J0U


    OBF is good & bad at the same time... Yes : it wil use more performance but if u want that nobody can read your code it's okay. For example : I'm programming a Plugin and someone is always uploadind the code, then I would obfuscate it as fuck for stealing his/her time :)
  18. Note that I've never used an obfuscator before.

    I don't see why it shouldn't be acceptable. Obfuscation is used to decrease the readabilty of the code and doesn't affect the behaviour of the resource (well, it shouldn't). If you need to see the source code you can always ask the author for it (although there was probably a very good reason for obfuscating it, you can always try asking).

    While I prefer plugins being open source (and thus there is no reason to obfuscate it), I don't see any reason why it shouldn't be allowed. I think the choice of obfuscating the code should be up to the developer and shouldn't be prevented by any sort of rule or something like that.

    Also concerning API issues for projects, I think obfuscators have an option to disable the obfuscated naming for certain classes (never used an obfuscator, but there are probably ways to do this) which would fix that issue.

    (@OP you may use this in your article if you want to)
  19. J0U


    I'm obfuscating my plugins, because nobody hast to know my license servers ip. One buyer has deompiled the plugin and has attacked this server! Stringobfuscating is a right step against this.
    • Agree Agree x 1
  20. MiniDigger


    if you have the license server ip in your code, everybody can still read it, it's not securely stored...
    string encryption can be easily reversed, either automatically with tools if it's a common algorithm or by hand. remember, the jvm has to read it so the code the decrypt it is in your plugin. I can search for that and decrypt all your strings.
    • Like Like x 1
Thread Status:
Not open for further replies.