canadaduane
commented
2 years ago I assume this would require some kind of hashing function or signing to prevent approved/accepted binaries being swapped for malware etc.?
Open guybedford opened 2 years ago
canadaduane
commented
2 years ago I assume this would require some kind of hashing function or signing to prevent approved/accepted binaries being swapped for malware etc.?
guybedford
commented
2 years ago Adding support for hashes would definitely be a needed follow-up feature, and would be pretty trivial, the main thing is how to make it usable.
We currently support extensions from any URL, which are cached in the global cache and downloaded once.
If we extended this concept to arbitrary binaries for tasks, which could be cached and then executed (assuming they have no dynamic linkage requirements), then that would be a nice way around pathing issues for CLI things.
The concept would be to have an architecture matrix that downloads the right URL then associates it with an environment variable in the global cache to reference in a task. This could be pretty cool.