“Only use models from verifiable sources and use third-party model integrity checks with signing and file hashes to compensate for the lack of strong model provenance.”
This is the direct answer to Part 2's core trick. torchtriton (Slide 9), the fake-OpenAI repo (Slide 14), and namespace reuse all rely on you trusting a name. A pinned hash or signature checks the actual bytes — an imposter with the same name produces a different hash and fails.
→ Pin models, adapters, and packages to a specific version and a known-good hash/commit — never “latest” by name
→ Verify signatures where the publisher provides them; reject unsigned artifacts in critical paths
→ Prefer non-executable formats (safetensors) so that even a file which passes verification cannot execute code when it is loaded
Swap a pinned hash for a wrong one and run your pipeline. If the download still succeeds, you are verifying nothing.
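The three bullets and the "swap the pin" check, carried through in code. This is an added example, not code from the original slides: the artifact bytes, the imposter, the lockfile and the function names (`load_artifact`, `bad_pin_check`, `is_safetensors`) are all constructed here. The safetensors format check relies only on the documented layout (an 8-byte little-endian header length, a JSON header, then raw tensor bytes); a pickle blob fails it because its first bytes do not decode to a plausible length followed by JSON.

```python
import hashlib
import hmac
import json
import pickle
import struct
from typing import Callable


class IntegrityError(Exception):
    """Raised when a fetched artifact fails hash or format verification."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pinned(data: bytes, expected_sha256: str) -> bool:
    """Compare the digest of the actual bytes to the pinned one (constant time)."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def is_safetensors(data: bytes) -> bool:
    """Structural check for the safetensors layout: u64 LE header length,
    UTF-8 JSON dict, then tensor bytes. No tensor is deserialised here."""
    if len(data) < 8:
        return False
    (header_len,) = struct.unpack("<Q", data[:8])
    if header_len == 0 or 8 + header_len > len(data):
        return False
    try:
        header = json.loads(data[8:8 + header_len].decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return isinstance(header, dict)


def make_safetensors(tensor_name: str, values: list) -> bytes:
    """Build a minimal single-tensor F32 safetensors file (constructed demo data)."""
    payload = struct.pack(f"<{len(values)}f", *values)
    header = {tensor_name: {"dtype": "F32", "shape": [len(values)],
                            "data_offsets": [0, len(payload)]}}
    header_bytes = json.dumps(header).encode("utf-8")
    header_bytes += b" " * (-len(header_bytes) % 8)  # pad to 8 as the spec does
    return struct.pack("<Q", len(header_bytes)) + header_bytes + payload


# Constructed known-good artifact, and an "imposter" with the same tensor
# name but shipped as a pickle (the executable format the slide warns about).
GOOD_ARTIFACT = make_safetensors("w", [0.5, -1.25, 3.0, 0.0])
IMPOSTER_ARTIFACT = pickle.dumps({"w": [0.5, -1.25, 3.0, 0.0]})

# In a real pipeline the pin is stored out of band (a lockfile in git); here
# it is computed once from the constructed good bytes so the demo runs offline.
LOCKFILE = {"demo-model/v1.0.0": sha256_hex(GOOD_ARTIFACT)}


def load_artifact(fetch: Callable[[], bytes], name: str,
                  require_safetensors: bool = True) -> bytes:
    """Fetch by name, but only hand the bytes back if they match the pin
    (and, by default, are in a non-executable format)."""
    pin = LOCKFILE[name]  # KeyError on purpose: nothing unpinned gets loaded
    data = fetch()
    if not verify_pinned(data, pin):
        raise IntegrityError(f"{name}: sha256 {sha256_hex(data)} != pinned {pin}")
    if require_safetensors and not is_safetensors(data):
        raise IntegrityError(f"{name}: not a safetensors file, refusing to load")
    return data


def bad_pin_check(name: str = "demo-model/v1.0.0") -> bool:
    """The slide's self-test: corrupt the pin and confirm the load fails.
    Returns True only if the pipeline actually rejects the artifact."""
    saved = LOCKFILE[name]
    LOCKFILE[name] = saved[::-1]  # a wrong hash of the same length
    try:
        load_artifact(lambda: GOOD_ARTIFACT, name)
        return False  # load "succeeded": the check is not wired in
    except IntegrityError:
        return True
    finally:
        LOCKFILE[name] = saved


if __name__ == "__main__":
    good = load_artifact(lambda: GOOD_ARTIFACT, "demo-model/v1.0.0")
    print("known-good artifact loaded:", len(good), "bytes")
    for label, blob in (("tampered", GOOD_ARTIFACT + b"\x00"),
                        ("imposter", IMPOSTER_ARTIFACT)):
        try:
            load_artifact(lambda: blob, "demo-model/v1.0.0")
        except IntegrityError as err:
            print(f"{label} rejected: {err}")
    print("bad-pin check passes:", bad_pin_check())
```

The point of `bad_pin_check` is that it exercises the same `load_artifact` path production uses; a check that lives in a separate script can pass while the real loader never consults the lockfile.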