weberc2
commented
4 years ago Maybe every time we put something in the cache, we make it read-only except for the current human user account (do we need to recurse through directories) and we run subprocesses as a system user without write permissions.
Cache entries are meant to be immutable to ensure reproducibility, but depending on programmers to not mutate is subject to human error, especially when you consider that plugins often call into subcommands that we may not completely understand.