Building trust for downloaded packages
17 views
Skip to first unread message
Marcin Prączko
Sep 25, 2017, 6:13:00 PM9/25/17
to virtualenv
Hi,
I would like to ask a few questions about build trust for downloading packages via PIP.
Recently I am developing and using python more and more - however I am also starting having some challenges in terms of building trust.
During my research I read about '--hash' option for pip, also about signed packages however I must admit that is still not clear for me how to build trust.
I am mostly working with python virtual environments per project (not using virtual environment wrapper).
So most of my projects are having file: requirements.txt
For example:
Doing this I am getting compressed files, now I can check hash with 'pip hash' command.
Question - how I can confirm that hash match some commit in SCM (for example):
I am asking that recently I read article that some packages has been uploaded to PIP which had some malicious code.
For me is important to start building trust at least for the packages which I am using the most. And I am aware that Git repository also can have some code attached, however on this case I am interested verification process.
I look forward to hearing from you.
Thank you for help
I would like to ask a few questions about build trust for downloading packages via PIP.
Recently I am developing and using python more and more - however I am also starting having some challenges in terms of building trust.
During my research I read about '--hash' option for pip, also about signed packages however I must admit that is still not clear for me how to build trust.
I am mostly working with python virtual environments per project (not using virtual environment wrapper).
So most of my projects are having file: requirements.txt
For example:
- I would like to start new project in virtualenv in project
- After creating folder I am running command (virtualenv venv) - virtualenv has been installed from system packages (RPM in my case).
- So lets say that some trust is on this package.then I am running commands: source venv/bin/active
- Now I would like to start using pip install command - with trust and so far this is not clear for me.
Doing this I am getting compressed files, now I can check hash with 'pip hash' command.
Question - how I can confirm that hash match some commit in SCM (for example):
- 'pkg1' is hosted on GitHub and is showing that version 1.5 match to SHA1 commit XYZ
- How after downloading 'pkg1' package via PIP I can verify that hash is matching commit XYZ in GitHub
How to be sure that this version 1.5 is really matching right commit and not modified?
I am asking that recently I read article that some packages has been uploaded to PIP which had some malicious code.
For me is important to start building trust at least for the packages which I am using the most. And I am aware that Git repository also can have some code attached, however on this case I am interested verification process.
I look forward to hearing from you.
Thank you for help
Reply all
Reply to author
Forward
0 new messages