| ▲ | g-b-r 3 hours ago | |||||||
Hmm, potentially, the problem is that hardly anyone ever audits packages, while at least someone occasionally gives a look at a repository history Can't the things you list be part of the build scripts? | ||||||||
| ▲ | cygx 2 hours ago | parent [-] | |||||||
Sure - but running build scripts on an end-user's machine requires the user to have all relevant tools installed, and isn't exactly reducing the attack surface... I still like the idea of shipping tarballs that include generated files instead of pulling input files from source control. As mentioned, the first thing that came to mind to make things easier to audit is to stick their contents into a community-controlled VCS. | ||||||||
| ||||||||