On Apr 2, 2021, at 6:59 PM, Alex Harsányi wrote:
> Hi James,
>
> If you are worried about dependency confusion attacks, you can set up your
> own package catalog on an internal server, delete the default catalogs from
> racket and add only a reference to your internal catalog. This way, "raco
> pkg install" will install all packages (and all their dependencies) only from
> a source which you have full control of.
>
> I use a similar technique when I build my application on the CI server, to
> ensure that all packages and their dependencies are under source control and
> no untracked dependency sneaks in via a new package dependency.
Thanks. I had not thought of that. My company will probably want to do something of the kind before we release anything to the public.
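The catalog lock-down Alex describes, as an added example (not code from either poster): a small POSIX shell audit that lists every catalog `raco pkg` would consult and flags anything other than the approved internal one, plus the `raco pkg config --set catalogs` call that replaces the defaults. The internal catalog URL is a placeholder, and the sample catalog list is constructed to look like a stock Racket install; the assumption is that `raco pkg config catalogs` prints one catalog URL per line.

```shell
#!/bin/sh
# Added example, not from the thread. Guards a build or CI host against
# dependency confusion by making sure raco resolves packages (and their
# transitive dependencies) from one catalog you control.

# Placeholder: the URL of your own catalog server (e.g. one populated with
# `raco pkg catalog-copy` from a vetted package set).
INTERNAL_CATALOG="https://pkgs.internal.example/catalog/"

# Constructed sample of what `raco pkg config catalogs` prints on a stock
# install: the release catalog plus the public pkgs.racket-lang.org catalog.
SAMPLE_DEFAULT_CATALOGS="https://download.racket-lang.org/releases/8.0/catalog/
https://pkgs.racket-lang.org"

# On a real machine, read the live list from raco (one URL per line).
current_catalogs() {
  raco pkg config catalogs
}

# Read catalog URLs from stdin. Every URL that is not exactly the approved
# internal catalog is printed to stdout; returns 0 only if none were found.
# Comparison is exact, so a trailing-slash mismatch is reported too.
audit_catalogs() {
  rc=0
  while IFS= read -r url; do
    [ -z "$url" ] && continue
    if [ "$url" != "$INTERNAL_CATALOG" ]; then
      echo "$url"
      rc=1
    fi
  done
  return $rc
}

# Replace the whole catalog list with the internal catalog only. After this,
# `raco pkg install` cannot fall back to the public catalog for any name.
lock_catalogs() {
  raco pkg config --set catalogs "$INTERNAL_CATALOG"
}

# Typical CI usage: fail the pipeline if an unexpected catalog is configured.
#   current_catalogs | audit_catalogs || { echo "catalog drift"; exit 1; }
```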