{"id":16209443,"url":"https://github.com/alichtman/veripypi","last_synced_at":"2025-03-19T08:31:04.263Z","repository":{"id":57477434,"uuid":"162420337","full_name":"alichtman/veripypi","owner":"alichtman","description":"WIP: Verify the package installed from PyPi is the same as the code on Github","archived":false,"fork":false,"pushed_at":"2019-12-10T15:09:31.000Z","size":8,"stargazers_count":3,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-17T05:11:30.750Z","etag":null,"topics":["pip","pypi","python-security","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alichtman.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-12-19T10:18:21.000Z","updated_at":"2019-01-24T03:27:30.000Z","dependencies_parsed_at":"2022-08-30T14:10:28.663Z","dependency_job_id":null,"html_url":"https://github.com/alichtman/veripypi","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alichtman%2Fveripypi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alichtman%2Fveripypi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alichtman%2Fveripypi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alichtman%2Fveripypi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alichtman","download_url":"https://codeload.github.com/alichtman/veripypi/tar.gz/refs/heads/master","host":{"name":"GitHub"
,"url":"https://github.com","kind":"github","repositories_count":244389818,"owners_count":20445006,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["pip","pypi","python-security","security"],"created_at":"2024-10-10T10:29:38.035Z","updated_at":"2025-03-19T08:31:04.009Z","avatar_url":"https://github.com/alichtman.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"### Veripypi\n\nEnsure the package you're installing from `PyPi` is the same as the source code advertised on GitHub.\n\n#### Installation and Usage\n\n```bash\n$ pip3 install veripypi\n$ veripypi \u003cPACKAGE_NAME\u003e\n```\n\n#### Motivation\n\nOpen-sourced repositories provide a false sense of security. Since the code *is readable*, other developers *must have* read and audited it, right? Someone would surely say something if there were really an issue...\n\n*(See [the Bystander Effect](https://en.wikipedia.org/wiki/Bystander_effect).)* \n\nBut, even when the source code has been thoroughly audited, it's trivial to showcase a clean version of the project on GitHub and distribute a trojaned package on `PyPi`.\n\nThis is a PoC to minimize this attack vector. (The real solution to this problem is probably more along the lines of enforcing PGP-signed releases, but there's a whole lot of controversy surrounding this that I won't delve into here.)\n\n#### How it works\n\nFirst, a source distribution is created from the latest release of the GitHub repository of the package to be verified. 
This `sdist` is used as \"ground truth.\" Then, the PyPi version of the package is installed. Both versions are compared, and if they're not identical, a flag is raised. \n\n#### Interpreting Results\n\nA green flag from `veripypi` only tells you that the source code being distributed matches the source code that can be viewed on GitHub. It **does not** imply anything about the safety of the code being installed. \n\nSimilarly, a red flag does not necessarily mean that the package is trojaned. One simple explanation for a rejection from this tool is a maintainer pushing an updated release to `PyPi` and forgetting to push to GitHub. \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falichtman%2Fveripypi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falichtman%2Fveripypi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falichtman%2Fveripypi/lists"}