On 6/28/22 12:52, Maxime Devos wrote:
> Jean Abou Samra wrote on Tue 28-06-2022 at 10:38 [+0200]:
>> We had exactly the same problem at LilyPond, and this was the fix:
>> https://gitlab.com/lilypond/lilypond/-/blob/master/release/binaries/lib/dependencies.py#L721
>
> For security, shouldn't this check the hash of the downloaded tarballs and patches?
Sorry, I forgot to reply to this. Yes, it likely should. On the other hand, LilyPond has a lot of much more pressing security issues to care about…
Jean
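As an added example (not part of this thread, and not LilyPond's dependencies.py), here is the shape of the check the question asks for: a fetch routine that hashes the raw downloaded bytes, compares them against a SHA-256 pin kept with the build script, and only then hands the archive to tarfile. A missing or malformed pin fails closed rather than skipping the check. The URL, the fetch callbacks and the sample tarball are constructed for the example so it runs offline.

```python
"""Added example, not code from LilyPond's dependencies.py: download a
tarball or patch and verify a pinned SHA-256 digest before anything is
extracted or applied.  The URL, the fetchers and the sample tarball are
constructed for the example."""
import hashlib
import hmac
import io
import tarfile
from typing import Callable


class ChecksumMismatch(Exception):
    """A downloaded artifact does not match its pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_verified(url: str, expected_hex: str,
                   fetch: Callable[[str], bytes]) -> bytes:
    """Fetch `url` and return its bytes only if they hash to `expected_hex`.

    `fetch` is injected so the example runs offline; a real script would pass
    a urllib/requests wrapper.  The check runs on the raw bytes, before the
    file is written to a cache directory or handed to tar or patch.  The pin
    itself must live in version control next to the URL, not be fetched from
    the same server that serves the tarball, or a compromised mirror can
    rewrite both."""
    expected_hex = expected_hex.strip().lower()
    if len(expected_hex) != 64 or any(c not in "0123456789abcdef" for c in expected_hex):
        # A missing or malformed pin fails closed instead of skipping the check.
        raise ValueError(f"{url}: pin is not a SHA-256 hex digest")
    data = fetch(url)
    actual = sha256_hex(data)
    # Constant-time comparison, so a mismatch does not leak how many leading
    # characters of the digest matched.
    if not hmac.compare_digest(actual, expected_hex):
        raise ChecksumMismatch(f"{url}: expected {expected_hex}, got {actual}")
    return data


def make_sample_tarball() -> bytes:
    """Constructed stand-in for a dependency tarball (one small C file)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b"int main(void) { return 0; }\n"
        info = tarfile.TarInfo("dep-1.0/main.c")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def list_members_verified(url: str, expected_hex: str,
                          fetch: Callable[[str], bytes]) -> list[str]:
    """Verify first, then open the archive; tarfile never sees unverified bytes."""
    data = fetch_verified(url, expected_hex, fetch)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return tar.getnames()


def demo() -> dict[str, str]:
    """Run the check against a genuine download, a tampered one, and a missing pin."""
    good = make_sample_tarball()
    pin = sha256_hex(good)                           # what the manifest would record
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])  # one flipped byte
    url = "https://example.invalid/dep-1.0.tar.gz"   # constructed URL
    results: dict[str, str] = {}
    results["genuine"] = ",".join(list_members_verified(url, pin, lambda u: good))
    try:
        list_members_verified(url, pin, lambda u: tampered)
        results["tampered"] = "accepted"
    except ChecksumMismatch:
        results["tampered"] = "rejected"
    try:
        fetch_verified(url, "", lambda u: good)
        results["no_pin"] = "accepted"
    except ValueError:
        results["no_pin"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The same routine covers patch files: verify the bytes, then write them out for `patch` to read. Hashing the archive rather than its extracted contents also means a tarball with a path-traversal member is rejected before tarfile ever parses it, provided the pin was taken from a clean copy.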