Hello!
This tool can download esbuild, tailwind, etc. This is awesome, but the checksums of these executables are not verified. This means that there's nothing to protect Lustre users from malicious code execution in the event of a man-in-the-middle attack, the remote storage getting compromised, etc.
I think it would be wise to keep the checksums for the binaries in the dev-tools source, and check the binaries prior to making them executable.
Thanks, Louis
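The check proposed in this issue, as an added example that is not part of the original post or of the dev-tools code: a Python sketch (not the project's own language) that hashes the downloaded bytes against a checksum pinned in source and only then writes the file and sets the executable bit. The names `PINNED_SHA256`, `install_verified` and `ChecksumMismatch`, the tool key and the sample bytes are all constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for a downloaded release binary.
SAMPLE_BINARY = b"constructed sample binary"

# Pin table kept in the tool's own source: (tool, version, platform) -> SHA-256 hex.
# The digest here is derived from the constructed sample; real entries would be
# literal hex strings committed alongside each version bump.
PINNED_SHA256 = {
    ("example-tool", "1.0.0", "linux-x64"): hashlib.sha256(SAMPLE_BINARY).hexdigest(),
}


class ChecksumMismatch(Exception):
    """Raised when a download has no pin or does not match its pin."""


def install_verified(data, key, dest, pins=PINNED_SHA256):
    """Install `data` at `dest` as an executable only if its SHA-256 matches the pin."""
    expected = pins.get(key)
    if expected is None:
        # Fail closed: an unpinned tool/version/platform is never installed.
        raise ChecksumMismatch(f"no pinned checksum for {key}")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected.lower()):
        raise ChecksumMismatch(f"{key}: expected {expected}, got {actual}")
    # The bytes that were hashed are the bytes written, so nothing can change
    # between the check and the chmod. mkstemp creates the file non-executable
    # (mode 0600); the rename makes the finished file appear at dest atomically.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)))
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.chmod(tmp, 0o755)
        os.replace(tmp, dest)
    except BaseException:
        os.unlink(tmp)
        raise
    return actual
```

A mismatch or a missing pin raises before anything is written, so a tampered download never reaches the destination path.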