Closed nazar-pc closed 8 months ago
It is indeed a good idea to harden the hwloc vendoring feature against supply chain attacks, but I think it's important to consider the full implications before committing to a particular technical choice:
What I'm trying to achieve is simple: when I install X version of the package and have it in lock file, I want to know that every time I install it, I get the same exact code and the same exact result.
The fact that every single time I compile it in CI I get a potentially different version is strictly a bad situation to be in. It may break in an unexpected way, it may contain a backdoor. I don't want to worry about that, I want to know that I install exactly the same stuff every time.
Switching to tarballs is fine, but you need to not forget to implement a hashsum check to make sure the package wasn't swapped with something unexpected.
If the main goal is build reproducibility, then I agree that a checksummed tarball is the right way to do it :)
Supply chain attacks are real, it is always better to download a known good commit hash rather than a moving target.
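The check the thread converges on, pinning an exact release tarball and refusing any download whose bytes differ from the recorded digest, as an added example in Python. This is illustration code, not hwloc's or the project's own build script; the URL, the `PinnedArtifact` record, the `FakeServer` stand-in for the download host and the in-memory tarball are all constructed here so the example runs offline.

```python
"""Pinned, checksum-verified fetch of a vendored source tarball (added example)."""
import hashlib
import hmac
import io
import tarfile
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class PinnedArtifact:
    """Hypothetical pin record: exact release URL plus the digest recorded next to the
    version bump, so a change to either is visible in review and in the lock file."""
    url: str
    size: int
    sha256: str


class VerificationError(RuntimeError):
    """Raised when the downloaded bytes do not match the pin."""


def pin_artifact(url: str, data: bytes) -> PinnedArtifact:
    """What a maintainer does once when bumping the vendored version."""
    return PinnedArtifact(url=url, size=len(data), sha256=hashlib.sha256(data).hexdigest())


def fetch_pinned(pin: PinnedArtifact, fetch: Callable[[str], bytes]) -> bytes:
    """What every build does: download, then refuse anything that differs from the pin."""
    data = fetch(pin.url)
    # Cheap first rejection: a re-tagged or truncated archive almost never keeps its size.
    if len(data) != pin.size:
        raise VerificationError(f"{pin.url}: expected {pin.size} bytes, got {len(data)}")
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest avoids leaking how many leading hex chars matched.
    if not hmac.compare_digest(actual, pin.sha256):
        raise VerificationError(
            f"{pin.url}: sha256 mismatch\n  expected {pin.sha256}\n  actual   {actual}"
        )
    return data


def make_sample_tarball(readme: bytes) -> bytes:
    """Constructed in-memory tarball standing in for a release archive (not real hwloc).
    Uncompressed on purpose: TarInfo defaults (mtime 0, uid/gid 0) make it byte-for-byte
    deterministic, so the same content always pins to the same digest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("hwloc/README")
        info.size = len(readme)
        tar.addfile(info, io.BytesIO(readme))
    return buf.getvalue()


class FakeServer:
    """Stand-in for the download host; swap() simulates a tampered or re-tagged release."""

    def __init__(self, files: Dict[str, bytes]):
        self.files = dict(files)

    def fetch(self, url: str) -> bytes:
        return self.files[url]

    def swap(self, url: str, data: bytes) -> None:
        self.files[url] = data


# Hypothetical pinned release; the URL is a placeholder, not a real download location.
URL = "https://example.invalid/hwloc-2.x.tar"
GOOD = make_sample_tarball(b"hwloc 2.x constructed sample\n")
PIN = pin_artifact(URL, GOOD)


def demo() -> Dict[str, str]:
    """Run the three cases a build can hit: untouched, tampered in place, re-tagged."""
    server = FakeServer({URL: GOOD})
    results: Dict[str, str] = {}
    results["clean"] = "accepted" if fetch_pinned(PIN, server.fetch) == GOOD else "wrong bytes"

    # One byte flipped inside the archive: size check passes, the digest catches it.
    tampered = bytearray(GOOD)
    tampered[GOOD.index(b"sample")] ^= 0x20
    server.swap(URL, bytes(tampered))
    try:
        fetch_pinned(PIN, server.fetch)
        results["tampered_same_size"] = "accepted"
    except VerificationError:
        results["tampered_same_size"] = "rejected"

    # Same URL now serving a different commit (the "moving target" case).
    server.swap(URL, make_sample_tarball(b"hwloc, some newer commit\n"))
    try:
        fetch_pinned(PIN, server.fetch)
        results["retagged"] = "accepted"
    except VerificationError:
        results["retagged"] = "rejected"
    return results


if __name__ == "__main__":
    print(PIN)
    print(demo())
```

The pin is only as good as where it is stored: the digest has to live in the repository alongside the version it pins (so a bump is a reviewed diff), not be fetched from the same host as the tarball.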