Double check sdist/bdist on pypi
Project description
Honesty
There's a long tail of people doing interesting/sketchy things to packages on pypi. Most aren't malicious, but this project gives you an easy way to check for some of the obvious ways that packages might be tampered with.
Usage
honesty list <package name>
honesty check <package name>[==version|==*] [--verbose]
honesty download <package name>[==version|==*] [--dest=some-path/]
honesty extract <package name>[==version|==*] [--dest=some-path/]
honesty license <package name>[==version|==*]
(provisional)
honesty ispep517 <package name>[==version|==*]
honesty native <package name>[==version|==*]
honesty age <package name>[==version|==*]
honesty deps [--flat|--pick] <package name>[==version|==*]
It will store a package cache, using the normal appdirs package to pick a
location (on Linux, this defaults to ~/.cache/honesty/pypi but, you can
override with XDG_CACHE_HOME or HONESTY_CACHE environment variables).
If you have a local bandersnatch, specify HONESTY_INDEX_URL to your /simple/
url. It also must support /pypi/<package>/json or pass --nouse-json to the
commands that support it.
Exit Status of 'check'
These are bit flags to make sense when there are multiple problems. If you pass
* for version, they are or'd together.
0 if only sdist or everything matches
1 if only bdist
2 (reserved for future "extraction error")
4 some .py from bdist not in sdist
8 some .py files present with same name but different hash in sdist (common
when using versioneer or 2to3)
API
The user-facing API is intended to be used to analyze metadata and download sdists. It is somewhat provisional, in that the exceptions raised are not well-defined.
from honesty.cache import Cache
from honesty.releases import async_parse_index
from honesty.api import async_download_one
async def foo(pkgname, pkgversion):
with Cache() as c:
pkg = await async_parse_index(pkgname, c, use_json=True)
path = async_download_one(pkg, pkgversion, cache=c)
License
Honesty is copyright Tim Hatch, and licensed under
the MIT license. I am providing code in this repository to you under an open
source license. This is my personal repository; the license you receive to
my code is from me and not from my employer. See the LICENSE file for details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file honesty-0.3.0a4.tar.gz.
File metadata
- Download URL: honesty-0.3.0a4.tar.gz
- Upload date:
- Size: 39.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.10.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | b9f81af7e84d12617e51872ba16cd6391e5519ba7661c9e1b5251becf40e12dc |
|
| MD5 | 79ba7496abd986b1d505e2ee4218415c |
|
| BLAKE2b-256 | 39b39c2b8791cf52ba2eb8effabe3afe67c29ebc7f923876912fdc4d5f1a31c0 |
File details
Details for the file honesty-0.3.0a4-py3-none-any.whl.
File metadata
- Download URL: honesty-0.3.0a4-py3-none-any.whl
- Upload date:
- Size: 41.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.10.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 6dba8feb92aa6a2903ff30bdf0c4e172106a91cfe62559b6b608fba9ef951c2c |
|
| MD5 | dcb253bbdf95282ebc955b059c9e1df0 |
|
| BLAKE2b-256 | d56b0e929ac1b8308bd1aac8c7193805807760e7a652020ef189c71d9caf671e |
