py2src: Towards the Automatic (and Reliable) Identification of Sources for PyPI Package
Selecting which libraries (‘dependencies’ or ‘packages’ in the industry’s jargon) to adopt in a project is an essential task in software development. The quality of the corresponding source code is a key factor behind this selection (from security to timeliness). Yet, how easy is it to find the ‘actual’ source? How reliable is this information? To address this problem, I developed an approach called py2src to automatically identify GitHub source code repositories corresponding to packages in PyPI and automatically provide an indicator of the reliability of such information. I also report a preliminary empirical evaluation.
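As an added illustration (not py2src's own code or method), the Python below shows one way to derive such a reliability indicator from the PyPI JSON API `info` object: collect GitHub repository URLs from `home_page`, `project_urls` and the long description, and report what share of the URL-bearing fields agree on the top candidate. The metadata dict is constructed sample data, not a real package.

```python
import re

# Constructed sample of a PyPI JSON API "info" object (not a real package).
SAMPLE_INFO = {
    "name": "examplepkg",
    "home_page": "https://github.com/example-org/examplepkg",
    "project_urls": {
        "Homepage": "https://github.com/example-org/examplepkg",
        "Source": "https://github.com/example-org/examplepkg",
        "Bug Tracker": "https://github.com/example-org/examplepkg/issues",
    },
    # Long descriptions often link unrelated repos (forks, docs), which is
    # exactly why a single URL is not a reliable answer on its own.
    "description": "See https://github.com/other-org/examplepkg-fork for docs.",
}

GITHUB_RE = re.compile(r"https?://github\.com/([\w.-]+)/([\w.-]+)", re.I)


def github_repos(text):
    """Return normalised owner/repo slugs mentioned in a string."""
    return {f"{o.lower()}/{r.lower().removesuffix('.git')}"
            for o, r in GITHUB_RE.findall(text or "")}


def candidate_sources(info):
    """Map each metadata field to the set of GitHub repos it mentions."""
    fields = {"home_page": info.get("home_page") or ""}
    for key, url in (info.get("project_urls") or {}).items():
        fields[f"project_urls.{key}"] = url or ""
    fields["description"] = info.get("description") or ""
    return {field: github_repos(value) for field, value in fields.items()}


def rank_sources(info):
    """Pick the repo named by most fields; the reliability indicator is the
    fraction of URL-bearing fields that agree with it (1.0 = unanimous)."""
    per_field = candidate_sources(info)
    votes = {}
    for repos in per_field.values():
        for repo in repos:
            votes[repo] = votes.get(repo, 0) + 1
    if not votes:
        return None, 0.0, {}
    best = max(votes, key=votes.get)
    fields_with_urls = sum(1 for repos in per_field.values() if repos)
    return best, votes[best] / fields_with_urls, votes


if __name__ == "__main__":
    best, reliability, votes = rank_sources(SAMPLE_INFO)
    print(best, round(reliability, 2), votes)
```

A low indicator (for example, fields pointing at different repositories, or no URL at all) is the signal to verify the source manually before trusting the package.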
I am a Ph.D. student at the University of Trento. My research interests are software supply chain security and malware detection.
Tue 16 Nov (displayed time zone: Hobart)

18:30 - 20:15
- 18:30, 20 min, Talk: A Program Synthesis Approach for Adding Architectural Tactics to An Existing Code Base. Student Research Competition. Ali Shokri, Rochester Institute of Technology. Pre-print available.
- 18:50, 20 min, Talk: Program Synthesis with Algorithm Pseudocode Guidance. Student Research Competition. Zihui Wang, National University of Defense Technology.
- 19:10, 20 min, Talk: py2src: Towards the Automatic (and Reliable) Identification of Sources for PyPI Package. Student Research Competition. Duc Ly Vu, University of Trento, Italy. Pre-print available.
- 19:30, 45 min, Panel: Judging and awards. Student Research Competition.