Description
Right now the makefile blindly downloads and executes the golangci-lint installation script, and then accepts whatever that script downloads as the linter to use. We should pin the expected checksums (SHA-256 digests) of both the install script and the linter binary in the makefile, verify each downloaded file against its pinned digest before using it, and fail the build on a mismatch.
Motivation
An attacker who can tamper with either file, at its origin or in transit, could make whoever builds the SDK run arbitrary code.
Exemplification
N/A
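The following is an added illustration of the proposed fix, not the project's current makefile: a small POSIX sh helper that a Makefile recipe can source to download a file, compare its SHA-256 digest against a pinned value, and only then move it into place or execute it. The URLs, file names, variable names and the Makefile layout in the trailing comment are assumptions; the digests would be recorded in the makefile whenever the pinned linter version is bumped.

```sh
#!/bin/sh
# Added example (not the project's own makefile or script): pin-and-verify
# helpers for downloaded build tooling. File names, URLs and the Makefile
# variables mentioned in the comments are placeholders.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE, using
# whichever tool the build host has (GNU coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# fetch_verified URL DEST EXPECTED: download to a temp file, check the pinned
# digest, and only then move it into place. On mismatch nothing is left behind,
# so a later target cannot accidentally pick up the unverified file.
fetch_verified() {
  url=$1; dest=$2; expected=$3
  tmp=$(mktemp) || return 1
  if ! curl -fsSL "$url" -o "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "checksum mismatch for $url: got $(sha256_of "$tmp"), want $expected" >&2
    rm -f "$tmp"; return 1
  fi
  mv "$tmp" "$dest"
}

# run_verified FILE EXPECTED [ARGS...]: run an already-downloaded install
# script with sh, but only after its digest matches the pinned value.
run_verified() {
  file=$1; expected=$2; shift 2
  verify_sha256 "$file" "$expected" || {
    echo "refusing to run $file: checksum mismatch" >&2
    return 1
  }
  sh "$file" "$@"
}

# Assumed Makefile usage (placeholder variable names; INSTALL_SHA256 and
# BIN_SHA256 hold the digests recorded for the pinned version):
#
#   lint-tools:
#       . ./verify.sh && \
#       fetch_verified $(INSTALL_URL) install.sh $(INSTALL_SHA256) && \
#       run_verified install.sh $(INSTALL_SHA256) -b $(BIN_DIR) $(LINT_VERSION) && \
#       verify_sha256 $(BIN_DIR)/golangci-lint $(BIN_SHA256)
```

The script digest is checked twice on purpose: once when it is fetched and again immediately before it is executed, so a file that was modified on disk between two make invocations is still refused. The binary produced by the installer is verified separately, since the install script itself is only a downloader.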
Benefits
One security vulnerability down, N to go.
Possible Drawbacks
The pinned digests have to be updated whenever the linter version is bumped, and they must be taken from a trusted source (such as the release's published checksums) rather than from a freshly downloaded copy, otherwise the check only detects corruption in transit.