Should we instead of these cooldowns just run builds in isolated contexts?

I’m running a maven proxy locally. All builds happen inside containers. I only use public repos for python, npm, and go, so those builds also happen in containers but don’t need a repository proxy.

reply
> Should we instead of these cooldowns just run builds in isolated contexts?

I'd suggest both. A cooldown of 1-2 days is very cheap and you likely won't even notice it, so it's quite harmless, and from what I've seen even just 24 hours is enough to let security companies pick up malware.

But yeah, isolation is a must-have.

reply
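A concrete version of the cooldown the two comments above describe, added here as an example rather than code from any commenter: given registry metadata, pick the newest stable version that has been public for at least the cooldown period and report the ones being held back. The payload shapes mirror the npm registry's `time` map and PyPI's `releases` / `upload_time_iso_8601` fields; the package names, versions and timestamps are constructed sample data, and the numeric-only version sort is an assumption that is fine for the samples but not a full semver comparator.

```python
"""Cooldown check for freshly published package versions.

Added example for this thread (not any commenter's code). The registry
payloads below are constructed samples shaped like the npm registry's
"time" map and PyPI's "releases" map.
"""
from datetime import datetime, timedelta, timezone

COOLDOWN_DAYS = 2  # the "1-2 days" from the thread


def parse_iso(ts):
    # Both registries emit ISO 8601; normalise a trailing Z for fromisoformat.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_stable(v):
    # Skip pre-releases such as 2.0.0-rc1 (assumption: dotted integers only).
    return all(p.isdigit() for p in v.split("."))


def version_key(v):
    # Numeric sort for x.y.z; adequate for the sample data, not full semver.
    return tuple(int(p) for p in v.split("."))


def publish_times_npm(meta):
    # npm's "time" map also carries "created" and "modified" bookkeeping keys.
    return {v: parse_iso(t) for v, t in meta["time"].items()
            if v not in ("created", "modified")}


def publish_times_pypi(meta):
    # PyPI lists files per release; the earliest upload is the publish time.
    # Releases with no files (e.g. fully yanked) are ignored.
    out = {}
    for v, files in meta["releases"].items():
        if files:
            out[v] = min(parse_iso(f["upload_time_iso_8601"]) for f in files)
    return out


def select_version(times, now, cooldown_days=COOLDOWN_DAYS):
    """Newest stable version that has been public for at least the cooldown."""
    cutoff = now - timedelta(days=cooldown_days)
    eligible = [v for v, t in times.items() if is_stable(v) and t <= cutoff]
    return max(eligible, key=version_key) if eligible else None


def too_fresh(times, now, cooldown_days=COOLDOWN_DAYS):
    """Stable versions younger than the cooldown, so the hold can be logged."""
    cutoff = now - timedelta(days=cooldown_days)
    return sorted((v for v, t in times.items() if is_stable(v) and t > cutoff),
                  key=version_key)


# Constructed "current time" so the example is deterministic and offline.
NOW = datetime(2025, 9, 10, 12, 0, tzinfo=timezone.utc)

# Constructed npm-style metadata.
NPM_SAMPLE = {
    "name": "example-lib",
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2025-09-10T09:30:00.000Z",
        "1.4.2": "2025-06-01T10:00:00.000Z",
        "1.5.0": "2025-09-07T08:00:00.000Z",   # 3 days old: allowed
        "1.5.1": "2025-09-10T09:30:00.000Z",   # a few hours old: held back
        "2.0.0-rc1": "2025-09-01T00:00:00.000Z",  # pre-release: skipped
    },
}

# Constructed PyPI-style metadata.
PYPI_SAMPLE = {
    "info": {"name": "example-pkg"},
    "releases": {
        "0.9.0": [{"upload_time_iso_8601": "2025-05-20T12:00:00.000000Z"}],
        "1.0.0": [{"upload_time_iso_8601": "2025-09-09T18:00:00.000000Z"}],
        "1.0.1": [],  # no files: ignored
    },
}

if __name__ == "__main__":
    for label, times in (("npm", publish_times_npm(NPM_SAMPLE)),
                         ("pypi", publish_times_pypi(PYPI_SAMPLE))):
        print(label, "pin:", select_version(times, NOW),
              "held back:", too_fresh(times, NOW))
```

Wiring this into a real pipeline means fetching the metadata from the registry (or from a local proxy like the one mentioned in the thread) instead of the constructed samples, and emitting the held-back list so that a build failing on a fresh pin is explainable rather than mysterious.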
At this point, is there an obligation of package managers, or at least npm to arrange the sandboxing themselves?

Or is it on us or companies to wrap the build tools to provide the wrapping for them?

reply
> install the latest version of zizmor.

What if it gets compromised?

More of a joke. But was funny after saying that new packages should be delayed.

reply
lol yeah I thought of that as typing but figured I'd avoid the complexity. "latest version" means, give or take, whichever the latest one was that contained a bunch of new rules around supply chain stuff.

reply
> anything where code executes

ALL the agentic orchestrators like codex, claude-code, etc. seem to do this by default.

reply