by gizmo686
240 days ago
The solution I've seen employed is to prevent the build environment from reaching outside. Set up a mirror of all the repositories you care about, then configure the network so your build system can reach the mirrors but not the general Internet. Of course, once you do this, you eventually create a cron job on the mirrors to blindly update themselves... This setup does at least prevent an old version of a dependency from silently changing, so projects that pin their dependencies can be confident in that. But even in those cases, you end up with a periodic "update all dependencies" ticket that just blindly takes the new version.
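The comment leans on two controls: builds resolve packages only from an approved internal mirror, and projects pin their dependencies so a mirror refresh cannot silently change what a build consumes. The check below is an added example (not the commenter's code or tooling) of how a CI step can enforce both for a pip `requirements.txt`: every `--index-url`/`--extra-index-url` must point at an approved mirror host, and every requirement must be pinned with `==` and carry a `--hash=sha256:` entry. The mirror hostname `mirror.internal.example` and the sample requirements file are constructed for illustration; the `--hash` and `--index-url` syntax is standard pip.

```python
"""Audit a pip requirements file for mirror-only, fully pinned, hash-locked
dependencies. Added example with constructed sample input."""
import re
from urllib.parse import urlsplit

# Constructed sample: a locked file with two deliberate defects mixed in
# (one range spec, one exact pin without a hash).
SAMPLE_REQUIREMENTS = """\
# generated by a locking tool (constructed sample)
--index-url https://mirror.internal.example/simple
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3>=1.26
certifi==2023.7.22
"""

# Assumption: the organisation's internal mirror host(s).
ALLOWED_MIRROR_HOSTS = {"mirror.internal.example"}

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-\[\]]+)==(?P<version>[^\s;]+)")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")


def _logical_lines(text):
    """Yield requirement lines with backslash continuations joined and
    comments/blank lines dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()


def audit_requirements(text, allowed_hosts=ALLOWED_MIRROR_HOSTS):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith(("--index-url", "--extra-index-url")):
            url = line.split(None, 1)[1]
            if urlsplit(url).hostname not in allowed_hosts:
                findings.append(f"index {url!r} is not an approved internal mirror")
            continue
        if line.startswith("-"):
            continue  # other pip options (-e, -r, ...) are out of scope here
        m = PIN_RE.match(line)
        if not m:
            findings.append(f"{line.split()[0]!r} is not pinned with ==")
            continue
        if not HASH_RE.search(line):
            findings.append(f"{m.group('name')}=={m.group('version')} has no sha256 hash")
    return findings


if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print("FAIL:", finding)
```

Run against the constructed sample it reports the unpinned `urllib3` range and the hash-less `certifi` pin; wired into CI as a gate, it turns the "blindly take the new version" ticket the comment describes into an explicit, reviewable change to the lock file rather than a silent drift behind the mirror.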