Skip to content

WIP: Verify the package installed from PyPi is the same as the code on Github

License

Notifications You must be signed in to change notification settings

alichtman/veripypi

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Veripypi

Ensure the package you're installing from PyPi is the same as the source code advertised on GitHub.

Installation and Usage

$ pip3 install veripypi
$ veripypi <PACKAGE_NAME>

Motivation

Open-sourced repositories provide a false sense of security. Since the code is readable, other developers must have read and audited it, right? Someone would surely say something if there were really an issue...

(See the Bystander Effect.)

But, even when the source code has been thoroughly audited, it's trivial to showcase a clean version of the project on GitHub and a distribute a trojaned package on PyPi.

This is a PoC to minimize this attack vector. (Although the real solution to this problem is probably more along the lines of enforcing PGP signed releases, but there's a whole lot of controversy surrounding this that I won't delve into here.)

How it works

First, a source distribution is created from the latest release of a GitHub repository of the package to be verified. This sdist is used as "ground truth." Then, the PyPi version of the package is installed. Both versions are compared, and if they're not identical, a flag is raised.

Interpreting Results

A green flag from veripypi only tells you that the source code being distributed matches the source code that can be viewed on GitHub. It does not imply anything about the safety of the code being installed.

Similarly, a red flag does not necessarily mean that the package is trojaned. One simple explanation for a rejection from this tool is a maintainer pushing an updated release to PyPi and forgetting to push to GitHub.

About

WIP: Verify the package installed from PyPi is the same as the code on Github

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages