david942j/honest

Honest: Are your installed packages honest?

Are your installed packages really the same as you saw on GitHub?

Verify the source code before you install it!

Why

All open-source projects can be reviewed on GitHub, BitBucket, GitLab, etc.

But are you sure the packages published to pip/gem are exactly the same as they are in their git repositories?

Imagine this: it all looks good, secure, with many users on GitHub, but who has checked the package pushed to PyPI? What if the developer hid a one-line backdoor in the source code before pushing it? Once you install it, you are owned!

Let's find out whether the packages you installed are Honest!

Installation

$ git clone https://github.com/david942j/honest
$ cd honest
$ ./install.sh /usr/local # you may need sudo before the command
# or you can install somewhere under your home directory, such as:
# $ mkdir ~/local && ./install.sh ~/local && export PATH="$HOME/local/bin:$PATH"

$ honest --version # check that the installation succeeded!

Usage

$ honest github:david942j/one_gadget gem:one_gadget
# [INFO] OK, one_gadget is Honest!

You can specify a version:

$ honest github:bbatsov/rubocop gem:rubocop -v 0.55.0
# [INFO] OK, rubocop is Honest!

Compare with a local directory:

$ honest ./httpie pip:httpie -v 0.9.8
# [INFO] OK, httpie is Honest!

See the help output for more details:

$ honest
# Honest version 1.0.0
# Usage: honest [-h/--help] [--version]
#               <git-url> <package> [-v version[:version]]
#
# Examples:
#        honest --version
#        honest github:david942j/one_gadget gem:one_gadget
#        honest github:david942j/one_gadget gem:one_gadget -v master:1.6.0
#        honest https://github.com/pypa/setuptools pip:setuptools -v 39.0.1
#        honest ~/path_on_my_laptop/seccomp-tools gem:seccomp-tools -v 1.2.0
#
# Options:
#        -h, --help
#               Show this usage.
#        --version
#               Display version information and exit.
#
# Git Url Parameter:
#        <git-url> can be:
#               - A relative/absolute path
#               - An url like https://<git host>/<author>/<project>
#               - <github|bitbucket|gitlab>:<author>/<project>
#        If no branch/commit/tag is specified in the `-v` option, the latest release(tag) will be used.
#        With this behavior we can have the simplest usage of honest: `$ honest github:user/proj pip:proj`.
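The comparison that the Why section motivates and the commands above run, as an added Python sketch that is not honest's own code: it hashes every file in a git checkout and in an unpacked package, skips a few files that normally exist on only one side (the IGNORED set is an assumption), and reports what the package added or changed relative to git. The demo builds two constructed sample trees that differ by a single line.

```python
import hashlib
import tempfile
from pathlib import Path

# Files that legitimately appear on only one side (git vs. packaging metadata).
# Illustrative list, not honest's actual rules.
IGNORED = {".git", ".gitignore", "PKG-INFO", "setup.cfg", "Gemfile.lock"}


def digest_tree(root):
    """Map each relative file path under root to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if not path.is_file() or IGNORED.intersection(rel.split("/")):
            continue
        digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(git_dir, pkg_dir):
    """Report how an unpacked package differs from its git checkout."""
    git, pkg = digest_tree(git_dir), digest_tree(pkg_dir)
    common = set(git) & set(pkg)
    return {
        "only_in_git": sorted(set(git) - set(pkg)),
        "only_in_package": sorted(set(pkg) - set(git)),
        "modified": sorted(p for p in common if git[p] != pkg[p]),
    }


def is_honest(report):
    """Files missing from the package (tests, docs) are common; files the
    package added or changed are what a review on GitHub never saw."""
    return not (report["only_in_package"] or report["modified"])


def demo():
    """Constructed sample: identical project, except the package carries one
    extra line in lib/util.py that the git tree does not have."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir, pkg_dir = Path(tmp, "git"), Path(tmp, "pkg")
        for base in (git_dir, pkg_dir):
            (base / "lib").mkdir(parents=True)
            (base / "lib" / "util.py").write_text("def add(a, b):\n    return a + b\n")
            (base / "README.md").write_text("# demo\n")
        (git_dir / ".gitignore").write_text("*.pyc\n")      # git-only, ignored
        (pkg_dir / "PKG-INFO").write_text("Name: demo\n")   # package-only, ignored
        with (pkg_dir / "lib" / "util.py").open("a") as fh:
            fh.write("import socket  # extra line absent from git\n")
        return compare_trees(git_dir, pkg_dir)
```

Running `demo()` flags `lib/util.py` as modified, which is exactly the kind of difference a GitHub review alone would never reveal.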

Screenshots

honest gem

honest pip

Supported Package Managers

  • RubyGems (Ruby)
  • PyPI (Python)