On 2020/03/04 07:54:46, hanwenn wrote:
> LGTM

Can you update the commit message though? I don't think there is a security problem here.

Adding . in $PATH is a security problem on multi-user systems. In the context of the build, you can regard this from two angles:

- you're executing in a known environment (i.e. the build or src dir), so the multi-user concern doesn't hold
- you're executing build commands that were probably downloaded from a potentially untrusted source, so you're SOL anyway.

https://codereview.appspot.com/563650043/
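
Added example, not part of the review thread or the project's code: a POSIX sh function that lists the entries of a PATH string that make the shell search the current directory, which is the condition the comment above describes as a problem on multi-user systems. It goes beyond the literal "." case by also reporting empty entries (which POSIX treats as the current directory) and other relative entries; the function name and output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a PATH string for entries resolved against the
# current working directory. Name and output format are hypothetical.
#
# Usage:  path_cwd_entries "$PATH"
# Output: one line per risky entry, "<position>:<kind>:<entry>"
#   empty    - zero-length entry (leading/trailing ':' or '::'), means cwd
#   dot      - literal '.' or './'
#   relative - any other entry not starting with '/'
path_cwd_entries() {
    # A trailing ':' sentinel keeps a final empty entry from being lost.
    rest="$1:"
    i=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text before the first ':'
        rest=${rest#*:}        # text after the first ':'
        i=$((i + 1))
        case $entry in
            '')     echo "$i:empty:" ;;
            .|./)   echo "$i:dot:$entry" ;;
            /*)     ;;         # absolute path: not cwd-dependent
            *)      echo "$i:relative:$entry" ;;
        esac
    done
}

# Succeeds (exit status 0) only when no entry depends on the cwd.
path_is_cwd_free() {
    [ -z "$(path_cwd_entries "$1")" ]
}
```

Running `path_cwd_entries "$PATH"` at the start of a build script shows whether the environment already searches the current directory before any build step changes it.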