We currently fudge a little with systemTool: we assume the tool is in PATH, but we don't check at all and also don't prevent it from running anything else by name in PATH.
Implementation idea: look up the binary in PATH, then symlink the binary location to some discrete bin directory that the job has access to. Takes a little more work but isolates more and lets us give better error messages for missing binaries.
We currently fudge a little with
systemTool
: we assume the tool is inPATH
, but we don't check at all and also don't prevent it from running anything else by name in PATH.Implementation idea: look up the binary in PATH, then symlink the binary location to some discrete bin directory that the job has access to. Takes a little more work but isolates more and lets us give better error messages for missing binaries.