
Re: Scripts that run insecurely-downloaded code



On 01/05/2020 20:31, Elmar Stellnberger wrote:
> https isn't any more secure than http as long as you do not have a verifiably trustworthy server certificate that you can check for. As we know the certification authority system is totally broken.

Imperfect yes, but still better than nothing.

> It is a bug if a build script tries to download something.

This is already policy (and enforced by blocking network access) for official Debian package builds: dependencies must be installed by the package manager, not the build script.
https://www.debian.org/doc/debian-policy/ch-source.html#main-building-script-debian-rules

However, not all of these scripts are build scripts, and not all builds are .deb builds.

> I do not see any other way than to rewrite these build scripts and pack all the necessary sources into the package for compiling it offline.

If you mean vendored dependencies (embedded code copies), that's specifically *not* recommended, partly because these dependencies might need a security update.
https://www.debian.org/doc/debian-policy/ch-source.html#embedded-code-copies
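As an added example (not from this thread and not a Debian tool), a small lint that flags build-time downloads in a debian/rules-style script, the kind of thing the policy above forbids; it separates plain-http fetches and pipe-to-shell from ordinary network installs. The sample script, the command list and the example.invalid host are constructed assumptions.

```python
import re

# Heuristic patterns for commands that fetch code from the network during a build.
# These are constructed for this example; a real lint would need a wider list.
FETCH_CMDS = re.compile(
    r'\b(curl|wget|git\s+clone|pip3?\s+install|npm\s+install|go\s+get|cargo\s+install)\b')
# Download piped straight into a shell: the fetched bytes run before anyone can inspect them.
PIPE_TO_SHELL = re.compile(r'\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b')
# Plain http gives no transport integrity at all, so a fetch over it ranks higher.
PLAIN_HTTP = re.compile(r'\bhttp://\S+')

# Constructed sample debian/rules: lines 7 to 9 download things at build time.
SAMPLE_RULES = """\
#!/usr/bin/make -f
# constructed sample for this example
%:
\tdh $@

override_dh_auto_configure:
\twget http://example.invalid/deps/libfoo-1.2.tar.gz
\tcurl -sSL https://example.invalid/install.sh | sh
\tpip3 install requests
\t./configure --prefix=/usr
"""


def scan_build_script(text):
    """Return (line_no, severity, reason) for every non-comment line that
    fetches code from the network; an empty list means nothing was found."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue  # blank lines and comments cannot run anything
        if PIPE_TO_SHELL.search(stripped):
            findings.append((no, 'critical', 'downloaded content piped directly into a shell'))
        elif FETCH_CMDS.search(stripped):
            if PLAIN_HTTP.search(stripped):
                findings.append((no, 'high', 'network fetch over plain http, no transport integrity'))
            else:
                findings.append((no, 'medium',
                                 'network fetch during build; install it via the package manager instead'))
    return findings


if __name__ == '__main__':
    for no, severity, reason in scan_build_script(SAMPLE_RULES):
        print(f'line {no}: [{severity}] {reason}')
```

On the constructed sample this reports the wget line as high, the curl-pipe-to-sh line as critical and the pip3 install as medium; the `./configure` line is not flagged.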

