Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/alichtman/veripypi

WIP: Verify the package installed from PyPi is the same as the code on Github
https://github.com/alichtman/veripypi

pip pypi python-security security

Last synced: 16 days ago
JSON representation

WIP: Verify the package installed from PyPi is the same as the code on Github

Host: GitHub
URL: https://github.com/alichtman/veripypi
Owner: alichtman
License: mit
Created: 2018-12-19T10:18:21.000Z (almost 6 years ago)
Default Branch: master
Last Pushed: 2019-12-10T15:09:31.000Z (almost 5 years ago)
Last Synced: 2024-10-11T10:29:36.141Z (about 1 month ago)
Topics: pip, pypi, python-security, security
Language: Python
Homepage:
Size: 7.81 KB
Stars: 3
Watchers: 3
Forks: 1
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        ### Veripypi

Ensure the package you're installing from `PyPi` is the same as the source code advertised on GitHub.

#### Installation and Usage

```bash

$ pip3 install veripypi

$ veripypi 

```

#### Motivation

Open-sourced repositories provide a false sense of security. Since the code *is readable*, other developers *must have* read and audited it, right? Someone would surely say something if there were really an issue...

*(See [the Bystander Effect](https://en.wikipedia.org/wiki/Bystander_effect).)* 

But, even when the source code has been thoroughly audited, it's trivial to showcase a clean version of the project on GitHub and a distribute a trojaned package on `PyPi`.

This is a PoC to minimize this attack vector. (Although the real solution to this problem is probably more along the lines of enforcing PGP signed releases, but there's a whole lot of controversy surrounding this that I won't delve into here.)

#### How it works

First, a source distribution is created from the latest release of a GitHub repository of the package to be verified. This `sdist` is used as "ground truth." Then, the PyPi version of the package is installed. Both versions are compared, and if they're not identical, a flag is raised. 

#### Interpreting Results

A green flag from `veripypi` only tells you that the source code being distributed matches the source code that can be viewed on GitHub. It **does not** imply anything about the safety of the code being installed. 

Similarly, a red flag does not necessarily mean that the package is trojaned. One simple explanation for a rejection from this tool is a maintainer pushing an updated release to `PyPi` and forgetting to push to GitHub.