All package managers support lockfiles for reproducible builds and security with checksums. Is it possible for moon to support the same, such that it is guaranteed that a specific version mentioned in the lockfile is always installed for plugins? Since moon is promoting external unofficial plugins, I'm also worried about security, where someone can easily delete a GitHub release and add a malicious release.
TOML files support checksums, and only a few tools such as Zig support it currently. It also doesn't make sense for me to ask some of these tools to support minisign.
This would also solve the scenario where, randomly, if I clean the tools or use a different machine, my build would no longer compile since it most likely pulls in the latest version, as mentioned in moonrepo/proto#248.
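The check the issue asks for, as an added illustration that is not part of the issue or of moon/proto: a pinned lockfile entry (hypothetical `[plugins.<name>]` table with `version` and `sha256` keys, not moon's real format) is compared against the resolved version and the bytes actually downloaded, so a release that was deleted and re-uploaded with different contents is rejected instead of installed. The artifact bytes and lockfile below are constructed.

```python
import hashlib
import hmac
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample artifacts: the original release and a re-uploaded one.
GOOD_ARTIFACT = b"constructed plugin archive bytes, release 1.2.3"
TAMPERED_ARTIFACT = b"constructed plugin archive bytes, release 1.2.3, re-uploaded"

# Constructed lockfile in a hypothetical TOML-style layout (not moon's own).
LOCKFILE = f'''
[plugins.example]
version = "1.2.3"
sha256 = "{sha256_hex(GOOD_ARTIFACT)}"
'''


def parse_lockfile(text: str) -> dict:
    """Parse [plugins.<name>] tables with quoted string keys into a dict."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        table = re.fullmatch(r"\[plugins\.([A-Za-z0-9_-]+)\]", line)
        if table:
            current = table.group(1)
            entries[current] = {}
            continue
        kv = re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"', line)
        if kv and current is not None:
            entries[current][kv.group(1)] = kv.group(2)
            continue
        raise ValueError(f"unparseable lockfile line: {raw!r}")
    return entries


def verify_plugin(lock: dict, name: str, version: str, artifact: bytes) -> tuple:
    """Return (ok, reason). Refuse anything unpinned, drifted or tampered."""
    entry = lock.get(name)
    if entry is None:
        return False, f"{name}: not pinned in lockfile"
    if entry.get("version") != version:
        return False, f"{name}: lockfile pins {entry.get('version')}, resolved {version}"
    # Constant-time compare of the downloaded bytes' digest against the pin.
    if not hmac.compare_digest(sha256_hex(artifact), entry.get("sha256", "")):
        return False, f"{name}: checksum mismatch, release contents changed"
    return True, "ok"
```

A version pin alone would not catch the re-uploaded release above; only the checksum comparison does.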
@prabirshrestha Starting with moon v1.16, proto plugins are fixed to a specific version, so they will never change until I bump them in another release. This will fix the drift that has happened over the past few weeks.
As for someone replacing a GitHub release with something malicious, the probability of that happening is extremely unlikely, although not impossible. Not against a lockfile, but it will require a ton of upfront work for it to be viable.