by dataflow
241 days ago
> I think the whole idea that a build system just fetches resources from outside of the build environment is fundamentally broken

I think your phrasing is a bit overbroad. There's nothing fundamentally broken with the build system fetching resources; what's broken is not verifying what it's fetching. Audit the package beforehand and have your build system verify its integrity after downloading, and you're fine.
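The "audit beforehand, verify after download" step from the comment above, as an added example (not dataflow's code, and not from any real build system): the digest is recorded in a lockfile at audit time, and the build later refuses any artifact that is either not pinned or does not match its pin. The lockfile contents, the artifact name and the fetcher are constructed for illustration.

```python
import hashlib
import hmac

# Constructed lockfile: artifact name -> digest pinned when the package was audited.
# The digest is computed here only so the example is self-contained; a real lockfile
# would hold the hex value recorded at audit time.
AUDITED_CONTENTS = b"audited libfoo 1.2.3 contents"
LOCKFILE = {
    "libfoo-1.2.3.tar.gz": "sha256:" + hashlib.sha256(AUDITED_CONTENTS).hexdigest(),
}


def verify_artifact(name, data, lockfile=LOCKFILE):
    """Return True only if `name` is pinned and `data` matches the pinned sha256.

    Unpinned artifacts are rejected outright: a fetch the build did not expect
    is itself a finding, not something to hash and accept.
    """
    pin = lockfile.get(name)
    if pin is None:
        return False
    algo, _, expected = pin.partition(":")
    if algo != "sha256" or len(expected) != 64:
        return False  # malformed or unsupported pin: fail closed
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def fetch_and_verify(name, fetcher, lockfile=LOCKFILE):
    """Fetch `name` via `fetcher(name) -> bytes` and return its bytes only if verified.

    Raises ValueError on any mismatch so a build step cannot silently continue
    with tampered or unexpected content.
    """
    data = fetcher(name)
    if not verify_artifact(name, data, lockfile):
        raise ValueError(f"integrity check failed for {name}")
    return data


def fetch_ok(name):
    # Hypothetical fetcher returning exactly what was audited.
    return AUDITED_CONTENTS


def fetch_tampered(name):
    # Hypothetical fetcher returning content altered after the audit.
    return AUDITED_CONTENTS + b"\n# injected post-install hook"


def build_step_outcome(fetcher, name="libfoo-1.2.3.tar.gz"):
    """Helper for the two scenarios: 'ok' if the fetch verifies, 'rejected' otherwise."""
    try:
        fetch_and_verify(name, fetcher)
        return "ok"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("clean fetch:", build_step_outcome(fetch_ok))
    print("tampered fetch:", build_step_outcome(fetch_tampered))
```

The pin only protects against changes after the audit; it says nothing about whether the audited version was safe, which is why the two steps in the comment go together.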
Nobody verifies all packages that are automatically downloaded, all the time, unless there is a problem. We got lucky that time.