[SECURITY] Audit the opentelemetry-cpp repository for supply chain attacks

[marcalff]

In light of the xz attack:

• https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

audit the opentelemetry-cpp repository for possible attack vectors.

Full list of checks to be determined.

To start with:

• review executable permissions on files
• audit and remove all binary files from the repository (not aware of any)
• enforce CI to forbid binary files
• audit binary downloads used during the build process
• enforce checksums when appropriate
• cutoff unnecessary dependencies when practical
• prefer installing dependencies from the OS distribution, when practical

Subtasks:

• [X] #2627
• [ ] CI to forbid binary files

[marcalff]

Upstream unnecessary permission found, seen with github submodules:

• https://github.com/open-telemetry/opentelemetry-proto/issues/540

[github-actions[bot]]

This issue was marked as stale due to lack of activity.