| author | Wolfgang Walther <walther@technowledgy.de> | 2025-05-24 14:05:26 +0200 |
|---|---|---|
| committer | Wolfgang Walther <walther@technowledgy.de> | 2025-05-25 14:33:06 +0200 |
| commit | 6720d254294220cdfce18c3f981a8aabffb3de94 (patch) | |
| tree | 55e21e4a3a67c31f396743a7cc1a93413ee705dd /pkgs/development/python-modules/python-mapnik/python-mapnik_std_optional.patch | |
| parent | 539e8d4f66323b87aa1b8e715ec01b9f5199ca82 (diff) | |
workflows: checkout nixpkgs into trusted/untrusted directories

By consistently checking out nixpkgs into the same location in every
workflow, it's easier to reason about the different workflows at once.
We also use crystal-clear names to make clear which checkouts are
considered trusted, because they only contain target-branch-code, and
which checkouts are untrusted, because they contain code from the head
branch. By naming the checkout directories trusted/untrusted, it's
obvious at the call-site.

One example of where we likely did the wrong thing is the nixpkgs-vet
workflow: Fetching the toolVersion from the untrusted checkout opens the
door for an injection into the download URL, thus code could be
downloaded from anywhere. This is not a problem, because this workflow
does not run with elevated privileges, but it's a scary oversight
nonetheless.

Diffstat (limited to 'pkgs/development/python-modules/python-mapnik/python-mapnik_std_optional.patch')
0 files changed, 0 insertions, 0 deletions
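
The rule from the commit message, as an added sketch that is not code from nixpkgs or from this commit: a workflow step that builds a download URL takes the tool version only from the `trusted` checkout. The file name `tool-version.txt`, the `example.invalid` URL, and the extra format check are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example. tool-version.txt and the example.invalid URL are hypothetical.

# Accept only a plain dotted release number such as 0.1.4. Anything that could
# change the URL's path or host (slashes, "..", "@", "?", whitespace) is rejected.
validate_version() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# Read the first line of the pinned-version file from a checkout directory.
read_pinned_version() {
    v=
    IFS= read -r v < "$1/tool-version.txt" || [ -n "$v" ] || return 1
    printf '%s' "$v"
}

# Build the download URL. Only a directory named "trusted" is accepted as the
# source, so a wrong call-site fails loudly instead of using head-branch data.
build_download_url() {
    checkout=$1
    case "$checkout" in
        trusted|*/trusted) ;;
        *) echo "refusing to read tool version from '$checkout'" >&2; return 2 ;;
    esac
    version=$(read_pinned_version "$checkout") || return 1
    validate_version "$version" || { echo "invalid version: $version" >&2; return 1; }
    printf 'https://example.invalid/tool/releases/download/%s/tool.tar.gz\n' "$version"
}

# Constructed demo: one checkout of each kind in a temporary directory.
demo=$(mktemp -d)
mkdir "$demo/trusted" "$demo/untrusted"
echo '0.1.4' > "$demo/trusted/tool-version.txt"
echo '0.1.4/../../elsewhere' > "$demo/untrusted/tool-version.txt"
build_download_url "$demo/trusted"
build_download_url "$demo/untrusted" || echo "untrusted checkout rejected"
rm -rf "$demo"
```

The format check is defense in depth on top of the trusted/untrusted split; the split itself is what keeps head-branch content out of the URL.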
