Suspicious data sources during build

[EnSec4Git]

Hi, While performing the "Extracting vendor files for Nexus and Pixel devices" step during build, in particular in the vendor/android-prepare-vendor/execute-all.sh -d $DEVICE -b $GSBUILD_ID -o vendor/android-prepare-vendor, the script downloads the oatdump tool from pretty weird URLs, including (for me at least):

• https://onedrive.live.com/download?cid=D1FAC8CC6BE2C2B0&resid=D1FAC8CC6BE2C2B0!557&authkey=AG47qhXu164sYwc
• https://v1ogfw.bn1304.livefilestore.com/y4mOuT6vrRQ5gZ_RD7WtspaH70qAJWw65M9YzynjNxZ1Hjbl-SkFk_Fqa2zdmjnnrXSyBzOeIQNBH0jssDYwM32-1-adDAoZO2plLtOD0O4rrlrz6h09LPTMe8wCPlurikoJXxFYTDILMGkgdHVINHacDKT-Unc6PzoW58PGQKxfGIa_57elC1l9FQNu0XcwXvCTnxfZdE5Tsl85CULZzeUNQ/Linux_oatdump_bin_deps.zip?download&psid=1

Both of these appear to be outside of Copperhead's control. Can you clarify are there any legal reasons for not hosting the required files in GitHub or somewhere else?

[thestinger]

android-prepare-vendor isn't Copperhead software:

https://github.com/anestisb/android-prepare-vendor

The sha256sum of the oatdump download is verified so I don't see this as an issue.