Mitigations against supply-chain attacks

[mosteo]

This is likely a long-term wish, but so it not gets entirely forgotten.

See https://go.dev/blog/supply-chain

Some ideas:

• We could add also transitive dependencies to the manifest to make them explicit (under [[depends-on.transitively]]?)
  • Or an autogenerated section in the manifest ([solution]?) might list all versions in use. So it would be a change in control versioning that would get reviewed.
• Our solver already can act "conservatively" preferring older dependencies rather than newer ones. This is not easy to use though and automatic updates will override it. A configuration option or better control over it could be implemented.
• We already tried checksumming sources but softlinks/line endings made us abandon the idea. We could investigate how Go does it.

[JeremyGrosser]

The OpenSSF organization has some good guidelines around supply chain security documented here: https://github.com/ossf/wg-best-practices-os-developers