[email protected] (Alfred M. Szmidt) wrote:

> I'm seeing an increasing number of programs, whose configure and/or
> makefile have been written, to open a connection to some remote url
> (usually controlled by the project) download file(s) from there and
> build them into the software.
>
> I think this is a bad idea, from many points of view: Scalability,
> Security and Reproducibility. I haven't found any such instances
> in GNU Software, but I think we should put a statement about it in
> the GCS.
>
> Seriously? Really curious what programs do this totally crazy
> behaviour.
Unfortunately this is becoming commonplace. The Python build system (setuptools), Ruby’s, and probably other language-specific tools do that by default (that is, they check for a local dependency and fall back to downloading it silently.) I’ve seen C++ projects do that as well. Note that there is no real security and reproducibility issue *if* the tools verify that the hash of the downloaded code is as expected.

Ludo’.
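The check Ludo’ describes, a build-time fetch that is only accepted when the artifact matches a digest pinned in the recipe, as an added example (not code from this thread or from any of the build tools named in it). The archive bytes, the `example.invalid` URL and the fetcher callbacks are constructed stand-ins so the script runs offline; a real build system would commit the expected SHA-256 next to the URL and pass its HTTP client as `fetcher`. The fallback from a local copy to a download is logged rather than silent, and the local copy is verified against the same pin:

```python
import hashlib
import hmac
from typing import Callable, List, Optional

# Constructed sample "upstream archive" and its pinned SHA-256.  In a real
# recipe the hex digest is a literal committed with the URL; it is computed
# here only so the example is self-contained.
SAMPLE_ARCHIVE = b"constructed-tarball-contents-v1\n"
PINNED_SHA256 = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()


class HashMismatch(Exception):
    """Raised when an artifact (local or fetched) does not match its pin."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def resolve_dependency(name: str,
                       local_copy: Optional[bytes],
                       url: str,
                       expected_sha256: str,
                       fetcher: Callable[[str], bytes],
                       log: List[str]) -> bytes:
    """Return the dependency bytes, preferring a local copy and falling back
    to `fetcher(url)`.  Either way the bytes are accepted only if their
    SHA-256 equals `expected_sha256`; the fallback is recorded in `log` so
    the build output shows that a network fetch happened."""
    if local_copy is not None:
        source = "local copy"
        data = local_copy
    else:
        log.append(f"{name}: no local copy, fetching {url}")
        source = url
        data = fetcher(url)

    actual = sha256_hex(data)
    # Constant-time comparison; the pin is normalised to lowercase hex.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise HashMismatch(
            f"{name} from {source}: expected sha256 {expected_sha256}, "
            f"got {actual}")
    return data


# Constructed fetchers standing in for an HTTP client.
def honest_fetcher(url: str) -> bytes:
    return SAMPLE_ARCHIVE


def tampered_fetcher(url: str) -> bytes:
    # Same URL, different bytes: what a swapped or corrupted download looks like.
    return SAMPLE_ARCHIVE + b"extra\n"


if __name__ == "__main__":
    url = "https://example.invalid/dep-1.0.tar.gz"  # constructed, not a real host
    events: List[str] = []
    resolve_dependency("dep", None, url, PINNED_SHA256, honest_fetcher, events)
    print("\n".join(events))
    try:
        resolve_dependency("dep", None, url, PINNED_SHA256, tampered_fetcher, events)
    except HashMismatch as exc:
        print("rejected:", exc)
```

Without the pin, the same `fetcher` call would hand whatever the server returned straight to the build, which is exactly the silent fallback the thread objects to; with it, the build either uses the bytes the recipe author saw or fails loudly.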
