chevah / pythia

Chevah's Python 3 distribution
MIT License

Host upstream packages. #33

Open dumol opened 2 years ago

dumol commented 2 years ago

For the long term, we should make sure we have full control over pythia dependencies.

This means keeping copies of things like libffi on bin.chevah.com and having the chevahbs script download them from bin.chevah.com.

_Originally posted by @adiroiban in https://github.com/chevah/pythia/pull/32#discussion_r857625420_

dumol commented 1 year ago

An interesting thing I've noticed today… While trying to generate a Linux arm64 package for the 3b1a8ba revision of Pythia currently used in our server repo, the build failed because of a checksum error for zlib version 1.2.11.

Turns out that particular version was pulled out from the upstream server because of vulnerabilities, and curl was downloading an HTML file instead.

If it were hosted on our side, we wouldn't have known. I say +1 for still downloading packages from upstream, they know best when something should definitely not be used any longer.

adiroiban commented 1 year ago

Yes... the problem is for legacy versions; we might need even old versions.

In terms of library versions, we should have separate dedicated checks like we have for python.

The thing is that we are in business and customers are paying our salary to make sure we are able to help them with all their needs, including legacy systems.

We have many customers using SFTPPlus over separate leased private fibers and with everything over VPN... so no public access.

I think that it's very important to make sure we have everything on our servers.
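Both comments above come down to the same check: whatever host the archive is fetched from, the build must verify it against a pinned hash and must notice when the "archive" is really an HTML page. The script below is an added example, not chevahbs or any chevah/pythia code. It assumes the caller supplies the pinned SHA-256 and the list of candidate URLs (a private mirror such as bin.chevah.com first, upstream as fallback); the sample files in the demo are constructed, and `curl` is only used by `fetch_verified`, which the demo does not call.

```shell
#!/bin/sh
# Added example (not from chevah/pythia): verify a downloaded dependency
# against a pinned SHA-256 and reject an HTML error page served in place of
# the tarball, then try a list of sources (mirror first) until one verifies.

set -u

# Compute a SHA-256 hex digest with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.* //'
    fi
}

# Return 0 if the file starts with the gzip magic bytes 1f 8b.
looks_like_gzip() {
    magic=$(od -An -N2 -tx1 "$1" | tr -d ' \n')
    [ "$magic" = "1f8b" ]
}

# Return 0 if the first bytes look like HTML (the "404 page saved as archive" case).
looks_like_html() {
    head -c 64 "$1" | tr '[:upper:]' '[:lower:]' | grep -q -e '<!doctype' -e '<html'
}

# verify_download FILE EXPECTED_SHA256
# Returns 0 only for a non-empty gzip file whose digest matches the pin.
verify_download() {
    file=$1
    expected=$2
    if [ ! -s "$file" ]; then
        echo "ERROR: $file is missing or empty" >&2
        return 1
    fi
    if looks_like_html "$file"; then
        echo "ERROR: $file is an HTML page, not an archive (upstream URL likely gone)" >&2
        return 2
    fi
    if ! looks_like_gzip "$file"; then
        echo "ERROR: $file is not a gzip archive" >&2
        return 3
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "ERROR: checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 4
    fi
    return 0
}

# fetch_verified DEST EXPECTED_SHA256 URL...
# Try each URL in order (e.g. private mirror, then upstream) and keep the
# first download that passes verify_download. The pinned hash decides, so a
# mirror copy and an upstream copy are interchangeable only if identical.
fetch_verified() {
    dest=$1; expected_sum=$2; shift 2
    for url in "$@"; do
        echo "Fetching $url" >&2
        # -f makes curl fail on HTTP errors instead of saving the error page.
        if curl -fsSL -o "$dest" "$url" && verify_download "$dest" "$expected_sum"; then
            return 0
        fi
        rm -f "$dest"
    done
    echo "ERROR: no source yielded a verified copy of $dest" >&2
    return 1
}

# Stand-alone demo with constructed files: sh verify.sh --demo
demo() {
    fake=$(mktemp)
    printf '\037\213\010constructed fake archive body\n' > "$fake"
    verify_download "$fake" "$(sha256_of "$fake")" && echo "good archive: OK"
    page=$(mktemp)
    printf '<!DOCTYPE html><html><body>404 Not Found</body></html>\n' > "$page"
    verify_download "$page" "$(sha256_of "$fake")" || echo "HTML page rejected: OK"
    rm -f "$fake" "$page"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

In a build script the pinned digest lives next to the version in the script, so a pulled or replaced upstream file fails loudly on the hash rather than silently on a later unpack step, whether the bytes came from bin.chevah.com or from upstream.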