I am working on a product for a customer. He is concerned about
someone buying similar hardware and copying the code.
I know Arduino is all about "open", but I understand his concern.
Anyway to protect the source code?
Don't publish it 
You can also set the relevant FUSE bits to disable machine code download from the chip. If you go that way, it may be wise to get a programmer that can do high-voltage programming, as it is very easy to brick a chip that way. It may also be the case that using a bootloader undermines this security measure.
Yes of course. First of all you never upload any code. You upload compiled executables. So the only concern is to protect the compiled executable. This is achieved by setting the proper fuses in the Atmel processor. This explained in the datasheet.
Especially sections
7.2 In-System Reprogrammable Flash Program Memory
27.1 Program And Data Memory Lock Bits
The only issue is: you do not want to do this with a bootloader, you need an additional ISP like for example the AVR MK II. There are cheaper clones available as well.
Udo
Of course I guess I knew you didn't upload the source code. If someone wanted to duplicate the part they can correct. Blowing the fuses would prevent this?
Yes and no. It will prevent to read the code with simple means. That is the cost to get it back out of the chip will be significant. However the AVRs are not hardened against tampering. So if someone would be willing to spend enough money the code can still be retrieved. However I assume that it might be cheaper to reimplement your application from scratch. Of course it depends on how much you code is actually worth for someone else.
See here how it still could be retrieved and judge yourself if this a valid threat for your customer:
If you think that reverse engineering is not an issue blowing the fuses will be enough. If you use an ISP you will NOT brick the processor by blowing the fuses. You can still use an ISP to erase it completely and then reprogram it. But you can not use a programmer to retrieve the code.
Udo
Oops, now I see you write about protecting the source code. Why would you ship the source code at all?
Udo
Thanks thats clear - disregard post about source code
Thnaks
One addendum regarding the fuses and bricking a chip:
If you blow the 'right' fuses, all is well. But there are some that can get really unfriendly if you happen to touch them (assuming you only have a standard low voltage ISP programmer).
Serial program downloading (SPI) enabled; [SPIEN=0]
Reset Disabled (Enable PC6 as i/o pin); [RSTDISBL=0]
http://www.engbedded.com/fusecalc
http://www.avrfreaks.net/index.php?module=Freaks%20Files&func=viewFile&id=382