archlinux / arch-security-tracker

Arch Linux Security Tracker
https://security.archlinux.org
MIT License

Option to disable network activity in fakeroot while building packages #218

Closed ghost closed 1 year ago

ghost commented 1 year ago

Hello! PKGBUILDs, as far as I understand, have a mechanism to check source checksums, which is great for safety, but the procedure of package building might not require an internet connection. Say you have a situation where some library or package written in JavaScript has some source files, and they do not specify concrete versions of packages. Then, during the build process for this package, some additional data will be loaded, but the dependency package sources might have been changed. It would be great to have an option to execute only 'safe builds' for packages, and completely disable network activity in fakeroot while building packages, so that untrusted data does not affect the final build. Thank you!

jelly commented 1 year ago

This question is not really related to the security tracker but more a tooling question. You are basically asking for devtools to have an option to build offline, which is a great idea in my opinion, as we already build in nspawn.

However, if you have a package.json without a lock file, you should really just add a lockfile.

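The lockfile point made in the reply above can be turned into a pre-build check. The script below is an added example written for this thread, not code from arch-security-tracker, devtools or npm: it reads a package.json and its package-lock.json (assuming the lockfileVersion 2/3 layout, where a top-level "packages" map is keyed by "node_modules/<name>") and reports every declared dependency that nothing pins to an exact version plus an integrity hash, which is exactly the data a build-time fetch could otherwise silently change. The sample manifests are constructed for the demonstration.

```python
"""Report package.json dependencies that a lockfile does not fully pin.

Hypothetical helper written for this discussion; it is not part of
arch-security-tracker, devtools or npm. It assumes the lockfileVersion 2/3
layout (top-level "packages" keyed by "node_modules/<name>").
"""
import json
import re

# Exact pin such as "1.2.3" (optionally with prerelease/build metadata).
# Ranges ("^1.3.0", "~2.0"), tags ("latest") and URLs can resolve to
# different content at build time.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def declared_dependencies(pkg):
    """Merge dependencies and devDependencies from a parsed package.json."""
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(pkg.get(section, {}))
    return deps


def locked_packages(lock):
    """Map direct dependency name -> lock entry.

    Skips the root entry ("") and nested copies such as
    "node_modules/a/node_modules/b"; scoped names ("node_modules/@s/x") keep
    a single "node_modules/" prefix and are included.
    """
    locked = {}
    for path, entry in lock.get("packages", {}).items():
        if path.startswith("node_modules/") and path.count("node_modules/") == 1:
            locked[path[len("node_modules/"):]] = entry
    return locked


def audit(package_json, lockfile_json=None):
    """Return {dependency: [problem codes]} for everything not fully pinned.

    Codes:
      "no-lockfile"  - no lockfile at all, so nothing records what was fetched
      "range"        - declared as a range or tag rather than an exact version
                       (only reported when there is no lockfile to resolve it)
      "not-locked"   - declared but missing from the lockfile
      "no-integrity" - locked, but without an integrity hash, so a changed
                       tarball at the same URL would go unnoticed
    An empty dict means every dependency is pinned with an integrity hash.
    """
    deps = declared_dependencies(json.loads(package_json))
    problems = {}
    if lockfile_json is None:
        for name, spec in deps.items():
            issues = ["no-lockfile"]
            if not EXACT_VERSION.match(spec):
                issues.append("range")
            problems[name] = issues
        return problems
    locked = locked_packages(json.loads(lockfile_json))
    for name in deps:
        entry = locked.get(name)
        if entry is None:
            problems[name] = ["not-locked"]
        elif not entry.get("integrity"):
            problems[name] = ["no-integrity"]
    return problems


# Constructed sample inputs for the demonstration (not from a real project).
SAMPLE_DEPS = {"example-lib": "^1.3.0", "@acme/util": "2.0.1", "tiny-helper": "latest"}
SAMPLE_PACKAGE_JSON = json.dumps({"name": "example-app", "dependencies": SAMPLE_DEPS})
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": SAMPLE_DEPS},
        "node_modules/example-lib": {
            "version": "1.3.0",
            "resolved": "https://registry.example.invalid/example-lib-1.3.0.tgz",
            "integrity": "sha512-constructedSampleHashNotReal==",
        },
        # Locked, but no integrity hash: content at that URL could change.
        "node_modules/@acme/util": {
            "version": "2.0.1",
            "resolved": "https://registry.example.invalid/util-2.0.1.tgz",
        },
        # "tiny-helper" is deliberately absent from the lockfile.
    },
})

if __name__ == "__main__":
    print("without lockfile:", audit(SAMPLE_PACKAGE_JSON))
    print("with lockfile:   ", audit(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE))
```

Run against a real checkout, a non-empty result from `audit()` is a reason not to trust an offline build of that package to be reproducible, regardless of whether the build sandbox has network access.
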
ghost commented 1 year ago

Thank you very much for the quick response 🤩🤩🤩!!