tinkerbell / lint-install

Consistently install reasonable linter rules for open-source projects
Apache License 2.0

Downloaded binaries should be hashed/verified. #34

Open mmlb opened 2 years ago

mmlb commented 2 years ago

To help ensure software supply chain security, this file needs to be hashed (SHA-2 256 or better) and verified against a copy of the hash that we store in this repository. Another option is to have the Nix package manager install it, or have the user install it manually.

_Originally posted by @stephen-fox in https://github.com/tinkerbell/lint-install/pull/33#discussion_r749433136_
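One way to implement the pin-and-verify check quoted above, as an added example that is not lint-install's own code: the expected SHA-256 is committed to the repository and passed in by the caller, the download lands in a temporary file, and the file is only moved into place after its digest matches. The function names (`sha256_of`, `verify_sha256`, `fetch_verified`, `self_check`) and the `curl` flags are this example's choices, not anything the project uses; the self-check uses a constructed six-byte input rather than a real tool download so it runs offline.

```shell
#!/bin/sh
# Added example (not lint-install's code): verify a downloaded binary
# against a SHA-256 digest that is stored in the repository, never one
# fetched from the same place as the binary.
set -eu

# sha256_of FILE: print the hex SHA-256 digest. Portable across GNU
# coreutils (sha256sum), BSD/macOS (shasum) and a bare openssl.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_sha256 FILE EXPECTED: exit 0 if FILE's digest equals EXPECTED
# (hex, case-insensitive), 1 otherwise. EXPECTED is the value checked
# into the repo alongside the tool's pinned version.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# fetch_verified URL EXPECTED DEST: download to a temp file next to DEST,
# verify, and only then move into place, so a tampered or truncated
# download never becomes an executable at DEST.
fetch_verified() {
    url=$1; expected=$2; dest=$3
    tmp=$(mktemp "${dest}.XXXXXX")
    # --proto '=https' refuses plain-HTTP redirects; -f fails on HTTP errors.
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
        rm -f "$tmp"
        echo "download failed: $url" >&2
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "checksum mismatch for $url" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $(sha256_of "$tmp")" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 0755 "$tmp"
    mv "$tmp" "$dest"
}

# self_check: offline sanity test on a constructed input. The digest is
# the well-known SHA-256 of the six bytes "hello\n".
self_check() {
    f=$(mktemp)
    printf 'hello\n' > "$f"
    if verify_sha256 "$f" \
        5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
        rc=0
    else
        rc=1
    fi
    rm -f "$f"
    return $rc
}
```

With GNU coreutils the same check can be expressed as `sha256sum -c tool.sha256` against a checked-in digest file; the shape that matters for the issue is the same either way: the hash lives in the repository, the comparison happens before the file is executable, and a mismatch fails the install rather than warning.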

stephen-fox commented 2 years ago

One other comment on this topic... Do we have a policy for reviewing/auditing third-party tools and libraries? Obviously one of us can just grab hashes, but what about the next time when a new version of a tool releases?

Edit: I would extend this to verifying dependencies in general (binary or otherwise).

mmlb commented 2 years ago

We do not have a policy set up/in place.