If the package is built using the build service scallywag, then you could not hide this easily. Any such manipulation would have to be listed in the *.cygport file: a suspicious patch, downloading something from somewhere in the middle of the process, or using some mystery alternate source for the package.

On Mon, May 26, 2025 at 12:52 PM Michael Cook via Cygwin-apps <cygwin-apps@cygwin.com> wrote:
>
> What concerns do we have about the volunteers who adopt Cygwin packages?
> If a volunteer were to have bad intentions, do we think we would notice
> before any actual problems were introduced? Imagine malware from a North
> Korean team, for example.
>
> Michael
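
Added example, not part of the original message and not Cygwin's or scallywag's own tooling: a reviewer aid that lists the three things the reply says would have to show up in a *.cygport file (patches, mid-build downloads, alternate sources). The function name, the finding labels and the sample file are assumptions made for illustration; `SRC_URI`, `PATCH_URI` and `HOMEPAGE` are the cygport variables it reads.

```python
import re
from urllib.parse import urlparse

VAR_RE = re.compile(r'^[ \t]*(SRC_URI|PATCH_URI|HOMEPAGE)\+?=(?:"([^"]*)"|(\S*))', re.M)
FETCH_RE = re.compile(r"\b(curl|wget|git\s+clone)\b")  # heuristic, expect false positives

# Constructed sample, not a real package.
SAMPLE = """\
NAME="example"
VERSION=1.2.3
RELEASE=1
HOMEPAGE="https://example.org/"
SRC_URI="https://example.org/dist/example-${VERSION}.tar.gz
    https://files.example.net/example-extras.tar.gz"
PATCH_URI="1.2.3-fix-build.patch"

src_compile() {
    cd ${S}
    wget https://files.example.net/generated.tar.gz
    cygautoreconf
    cygconf
    cygmake
}
"""

def audit_cygport(text, trusted_hosts=()):
    """Return sorted (line, kind, detail) findings for a human reviewer."""
    assigns = []
    for m in VAR_RE.finditer(text):  # quoted values may span several lines
        value = m.group(2) if m.group(2) is not None else m.group(3)
        assigns.append((text.count("\n", 0, m.start()) + 1, m.group(1), value.split()))
    trusted = set(trusted_hosts)  # the HOMEPAGE host is treated as upstream
    trusted.update(urlparse(u).hostname for _, v, items in assigns if v == "HOMEPAGE" for u in items)
    findings = []
    for line, var, items in assigns:
        for item in items:
            host = urlparse(item).hostname
            if var == "SRC_URI" and host and host not in trusted:
                findings.append((line, "alternate-source", item))
            elif var == "PATCH_URI":
                findings.append((line, "patch-to-review", item))  # every patch gets read
    for no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if stripped.startswith("#") or VAR_RE.match(raw):
            continue
        if FETCH_RE.search(stripped):  # download in the middle of the build
            findings.append((no, "network-fetch", stripped))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_cygport(SAMPLE):
        print(*finding)
```

The output is a reading list for a human, not a verdict: a flagged patch or source still has to be opened and compared against upstream.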