Open johnkord opened 5 years ago
i can jump onto this one
@johnkord @elemanhillary I could easily be wrong, but I think this is not a problem any more, because the current provision script seems to rely on apt repos only: https://github.com/microsoft/oe-engine/blob/2736bb8cfe11eacdc7dbb7d8761d131b90f04d76/parts/provision.sh
@achamayou then the issue should be closed
@elemanhillary I tend agree, but:
There are some files that are downloaded during provisioning. Those files should be hash verified with their pre-computed (and statically checked in) hashes. If a file needs to be updated to a new version, the person who updates that file to the new version should update the hash accordingly.