I would like to ask a few questions about building trust for packages downloaded via pip.
Recently I have been developing with and using Python more and more; however, I am also starting to have some challenges in terms of building trust.
During my research I read about the '--hash' option for pip, and also about signed packages; however, I must admit that it is still not clear to me how to build trust.
I am mostly working with a Python virtual environment per project (not using virtualenvwrapper).
So most of my projects have a requirements.txt file. For example:
- I would like to start a new project in a virtualenv inside the project folder.
- After creating the folder I run the command (virtualenv venv). virtualenv has been installed from system packages (an RPM in my case).
- So let's say that some trust is placed in this package. Then I run the command: source venv/bin/activate
- Now I would like to start using the pip install command with trust, and so far this is not clear to me.
First, what I read is that I need to download the package with the pip download command (pip download pkg_name).
Doing this I get compressed files, and now I can check the hash with the 'pip hash' command.
Question: how can I confirm that the hash matches some commit in SCM? For example:
- 'pkg1' is hosted on GitHub and shows that version 1.5 matches SHA1 commit XYZ.
- After downloading the 'pkg1' package via pip, how can I verify that the hash matches commit XYZ in GitHub?
How can I be sure that this version 1.5 really matches the right commit and has not been modified?
Could you point me in the right direction please?
I am asking because I recently read an article that some packages had been uploaded to pip which contained malicious code.
For me it is important to start building trust at least for the packages which I use the most. I am aware that the Git repository can also have some code attached; however, in this case I am interested in the verification process.
I look forward to hearing from you.
Thank you for your help.
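As an added example (not from the asker, and not pip's own code): pip's hash-checking mode pins the digest of each downloaded artifact, and this script reproduces that check offline on constructed bytes. It generates `--hash=sha256:` lines in the format `pip hash` prints and verifies a set of downloaded files against them; the file names, file contents, the name/version regex and the simplified requirements parsing (one requirement per line) are assumptions.

```python
from __future__ import annotations
import hashlib
import re

# Constructed sample "downloads": in practice these are the files written by
# `pip download`, read from disk. Inline bytes keep the example offline.
SAMPLE_FILES: dict[str, bytes] = {
    "pkg1-1.5.tar.gz": b"constructed sdist bytes for pkg1 1.5",
    "pkg2-0.3-py3-none-any.whl": b"constructed wheel bytes for pkg2 0.3",
}
# sdist/wheel names start with <name>-<version>; this regex is an assumption
# covering the common cases, not a full file-name parser.
_NAME_VERSION = re.compile(r"^([A-Za-z0-9_.]+?)-(\d+(?:\.\d+)*)")
HASH_OPT = "--hash=sha256:"

def pin_line(filename: str, data: bytes) -> str:
    """Requirements line in the form `pip hash` prints: `pkg1==1.5 --hash=sha256:<hex>`."""
    m = _NAME_VERSION.match(filename)
    if not m:
        raise ValueError(f"cannot parse name/version from {filename!r}")
    return f"{m.group(1)}=={m.group(2)} {HASH_OPT}{hashlib.sha256(data).hexdigest()}"

def parse_pins(requirements_text: str) -> dict[str, set[str]]:
    """Map 'name==version' -> allowed sha256 digests. pip accepts several --hash
    options per requirement (sdist plus each wheel). Assumes one requirement per
    line, no backslash continuations."""
    pins: dict[str, set[str]] = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        req, *opts = line.split()
        pins.setdefault(req, set()).update(
            o[len(HASH_OPT):] for o in opts if o.startswith(HASH_OPT))
    return pins

def verify_downloads(requirements_text: str, files: dict[str, bytes]) -> dict[str, bool]:
    """Per file: is its sha256 among the digests pinned for that name==version?
    This is the check `pip install --require-hashes` makes before installing;
    a False means pip would refuse that artifact."""
    pins = parse_pins(requirements_text)
    results = {}
    for filename, data in files.items():
        req = pin_line(filename, data).split()[0]
        results[filename] = hashlib.sha256(data).hexdigest() in pins.get(req, set())
    return results

# Pin the artifacts once after downloading; a later altered wheel is then caught.
PINNED = "\n".join(pin_line(f, d) for f, d in SAMPLE_FILES.items())
TAMPERED = {**SAMPLE_FILES, "pkg2-0.3-py3-none-any.whl": b"constructed wheel bytes, altered"}
```

The digest identifies the artifact you downloaded, not a git commit: a match shows only that the file is the same one you pinned, so review the artifact before recording its pin.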