Hacker News
by pabs3 588 days ago
> Download a package from the original creators

Don't download packages from PyPI; go upstream to the actual source code on GitHub, audit that, build locally, verify your build is the same as the PyPI one, check the audits people have posted using crev, decide if you trust any of them, and upload your audit to crev too.

https://reproducible-builds.org/
https://github.com/crev-dev/
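The "verify your build is the same as the PyPI one" step from the comment above, as an added example that is not part of the original post, of pip, or of any project the comment links. It compares two wheels member by member, ignoring zip-level metadata such as timestamps (the usual source of non-reproducibility), and cross-checks each member against the `*.dist-info/RECORD` manifest. The `make_wheel` and `replace_member` helpers, the package name `pkg`, and every file content are constructed test data so the script runs offline.

```python
"""Reproducibility check for Python wheels: does a local build match the
published artifact in content, and is the published RECORD consistent?"""
import base64
import csv
import hashlib
import io
import zipfile


def record_hash(content: bytes) -> str:
    """Hash in the form wheel RECORD files use: sha256, urlsafe base64, no '=' padding."""
    digest = hashlib.sha256(content).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def members(wheel: bytes) -> dict[str, bytes]:
    """Path -> bytes for every file in the wheel. Zip metadata (mtime,
    compression, member order) is deliberately not part of the comparison."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}


def compare_wheels(local: bytes, published: bytes) -> dict[str, list[str]]:
    """Report members present on only one side and members whose bytes differ."""
    a, b = members(local), members(published)
    return {
        "only_local": sorted(set(a) - set(b)),
        "only_published": sorted(set(b) - set(a)),
        "differ": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }


def is_reproduced(local: bytes, published: bytes) -> bool:
    """True when both wheels contain exactly the same files with the same bytes."""
    return not any(compare_wheels(local, published).values())


def check_record(wheel: bytes) -> list[str]:
    """Paths whose bytes disagree with the hash/size listed in *.dist-info/RECORD,
    plus members RECORD does not list. A consistent RECORD proves nothing on its
    own (whoever rewrites the wheel rewrites RECORD too); an inconsistent one
    means the archive was edited after packaging."""
    files = members(wheel)
    record_paths = [p for p in files if p.endswith(".dist-info/RECORD")]
    if len(record_paths) != 1:
        return ["<expected exactly one RECORD file>"]
    record_path = record_paths[0]
    rows = csv.reader(io.StringIO(files[record_path].decode()))
    listed = {row[0]: (row[1], row[2]) for row in rows if len(row) == 3}
    bad = []
    for path, content in files.items():
        if path == record_path:
            continue  # RECORD carries no hash for itself
        if path not in listed:
            bad.append(path)
        elif listed[path] != (record_hash(content), str(len(content))):
            bad.append(path)
    return sorted(bad)


# --- constructed test data below; not real PyPI artifacts ---------------------

def make_wheel(modules: dict[str, bytes], date_time: tuple) -> bytes:
    """Build a minimal wheel-like zip for a hypothetical package 'pkg' 1.0 in
    memory, with a correct RECORD and the given mtime on every member."""
    dist = "pkg-1.0.dist-info"
    files = dict(modules)
    files[f"{dist}/METADATA"] = b"Metadata-Version: 2.1\nName: pkg\nVersion: 1.0\n"
    rows = [f"{p},{record_hash(c)},{len(c)}" for p, c in files.items()]
    rows.append(f"{dist}/RECORD,,")
    files[f"{dist}/RECORD"] = ("\n".join(rows) + "\n").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time), content)
    return buf.getvalue()


def replace_member(wheel: bytes, path: str, content: bytes) -> bytes:
    """Rewrite one member without updating RECORD, to simulate post-build editing."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(wheel)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = content if info.filename == path else src.read(info)
            dst.writestr(zipfile.ZipInfo(info.filename, info.date_time), data)
    return out.getvalue()


if __name__ == "__main__":
    src = {"pkg/__init__.py": b"VERSION = '1.0'\n"}
    local = make_wheel(src, (2024, 1, 1, 0, 0, 0))
    published = make_wheel(src, (2023, 6, 30, 12, 0, 0))  # same content, older mtimes
    print("archives byte-identical:", local == published)            # False: timestamps differ
    print("content reproduced:     ", is_reproduced(local, published))  # True
    changed = make_wheel({"pkg/__init__.py": b"VERSION = '1.0.1'\n"}, (2023, 6, 30, 12, 0, 0))
    print("differing members:      ", compare_wheels(local, changed)["differ"])
    edited = replace_member(published, "pkg/__init__.py", b"VERSION = '9'\n")
    print("RECORD mismatches:      ", check_record(edited))
```

Against real artifacts, read the wheel you built from source (for example with `python -m build`) and the one fetched with `pip download <pkg>==<version> --no-deps --only-binary=:all:`, and pass both to `compare_wheels`. An empty report means the PyPI upload corresponds to the source you audited; a non-empty `differ` list names exactly which files to diff by hand. Timestamp and other zip-level differences are what reproducible-builds work aims to eliminate, so the comparison looks past them on purpose rather than treating them as a finding.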