Secure package management for Python
In attempting to develop software in Python that provides security to its users, I have hit the software assurance roadblock that pip and easy_install offer no security beyond HTTPS transport to some repositories.
This project is a step toward a more effective tool, and toward making the import hell caused by vendoring complex packages more tolerable.
The current software provides two capabilities:
- Add a package to a content addressed cache
- Allow you to import the content addressed package
To install a package, run install_module.py:
>sudo python3 install_module.py ./path/to/module
Package Name is:
QmWB2g5rxTjpNyk2GU2pdjkVwWWczLySbJcHMSd8VEymJw
And later use the module with:
import pysec #this adds the default cache to your import path
import QmWB2g5rxTjpNyk2GU2pdjkVwWWczLySbJcHMSd8VEymJw as modulename
The hash is a Merkle tree root; the details of the tree are recorded in the "certfile" created and stored alongside each package. Anyone holding the package can recompute the root and compare it with the package name, so a cached package whose content has been altered no longer matches the name it was installed under. Note that the hash binds the content only: it says nothing about who produced the package.
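The following is an added example of the content-addressing scheme described above, written for this page; it is not pysec's own code. It assumes a leaf/node construction, a JSON certfile layout and hex naming of the cache directory that are illustrative choices (pysec names packages with base58 multihash-style identifiers and writes its own certfile format), and it builds a small throwaway package in a temporary directory as constructed input. It installs the package into a cache under its Merkle root, imports it only after re-verifying the root, then tampers with one file and shows the import being refused.

```python
import hashlib
import importlib.util
import json
import shutil
import sys
import tempfile
from pathlib import Path

# Assumed layout (not pysec's actual format): <cache>/<root-hex>/ holds the package,
# <cache>/<root-hex>.certfile.json lists every file's leaf hash plus the root.
LEAF_PREFIX = b"\x00"   # domain separation: leaf vs internal node
NODE_PREFIX = b"\x01"


def leaf_hash(relpath: str, data: bytes) -> bytes:
    # Bind the path into the leaf so renaming or swapping two files changes the root.
    return hashlib.sha256(LEAF_PREFIX + relpath.encode() + b"\x00" + data).digest()


def merkle_root(leaves: list[bytes]) -> bytes:
    # Pairwise hash each level; an unpaired node is promoted unchanged.
    if not leaves:
        return hashlib.sha256(NODE_PREFIX).digest()
    level = leaves
    while len(level) > 1:
        nxt = [hashlib.sha256(NODE_PREFIX + level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0]


def hash_tree(pkg_dir: Path) -> tuple[str, list[dict]]:
    # Deterministic order: sorted POSIX-style relative paths; bytecode caches are skipped.
    files = [p for p in pkg_dir.rglob("*") if p.is_file() and "__pycache__" not in p.parts]
    entries = []
    for p in sorted(files, key=lambda f: f.relative_to(pkg_dir).as_posix()):
        rel = p.relative_to(pkg_dir).as_posix()
        entries.append({"path": rel, "sha256": leaf_hash(rel, p.read_bytes()).hex()})
    root = merkle_root([bytes.fromhex(e["sha256"]) for e in entries])
    return root.hex(), entries


def install(src_dir: Path, cache_dir: Path) -> str:
    """Copy src_dir into the cache under its Merkle root and write the certfile."""
    root, entries = hash_tree(src_dir)
    dest = cache_dir / root
    if not dest.exists():
        shutil.copytree(src_dir, dest)
        (cache_dir / f"{root}.certfile.json").write_text(
            json.dumps({"root": root, "files": entries}, indent=1))
    return root


def verify(cache_dir: Path, root: str) -> bool:
    """Recompute the tree and check it against both the certfile and the name."""
    cert_path = cache_dir / f"{root}.certfile.json"
    if not cert_path.exists():
        return False
    cert = json.loads(cert_path.read_text())
    actual_root, actual_entries = hash_tree(cache_dir / root)
    return actual_root == root == cert["root"] and actual_entries == cert["files"]


def import_verified(cache_dir: Path, root: str):
    """Import the cached package only if its content still matches its name."""
    if not verify(cache_dir, root):
        raise ImportError(f"content of {root} does not match its hash")
    init = cache_dir / root / "__init__.py"
    spec = importlib.util.spec_from_file_location(
        "pkg_" + root, init, submodule_search_locations=[str(init.parent)])
    mod = importlib.util.module_from_spec(spec)
    sys.modules[spec.name] = mod
    spec.loader.exec_module(mod)
    return mod


def demo() -> dict:
    """Constructed sample package: install, verified import, tamper, re-verify."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        src = tmp / "demo_pkg"
        (src / "sub").mkdir(parents=True)
        (src / "__init__.py").write_text("from .sub.util import answer\n")
        (src / "sub" / "__init__.py").write_text("")
        (src / "sub" / "util.py").write_text("def answer():\n    return 42\n")
        cache = tmp / "cache"
        cache.mkdir()
        root = install(src, cache)
        mod = import_verified(cache, root)
        ok_before, answer = verify(cache, root), mod.answer()
        # Tamper with one file in the cache: the name no longer matches the content.
        (cache / root / "sub" / "util.py").write_text("def answer():\n    return 1337\n")
        ok_after = verify(cache, root)
        try:
            import_verified(cache, root)
            blocked = False
        except ImportError:
            blocked = True
        return {"root": root, "ok_before": ok_before, "answer": answer,
                "ok_after": ok_after, "import_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The path is hashed into each leaf rather than only the file bytes, so a package with the same files in different positions gets a different root; the check on import compares the recomputed root against both the certfile and the directory name, so neither a modified certfile nor a modified file passes on its own.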
pysec is small enough for manual inspection for malicious behaviour, and reasonable to vendor and use as part of an install process.
The content-addressing part of pysec will allow you to completely remove relative imports of sub-modules from your project if you wish.