On Apr 2, 2021, at 6:59 PM, Alex Harsányi wrote:

> Hi James,
>
> If you are worried about dependency confusion attacks, you can set up your
> own package catalog on an internal server, delete the default catalogs from
> racket and add only a reference to your internal catalog. This way, "raco
> pkg install" will install all packages (and all their dependencies) only from
> a source which you have full control of.
>
> I use a similar technique when I build my application on the CI server, to
> ensure that all packages and their dependencies are under source control and
> no untracked dependency sneaks in via a new package dependency.
Thanks. I had not thought of that. My company will probably want to do something of the kind before we release anything to the public.
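The catalog pinning Alex describes, written out as an added POSIX shell example; it is not code from either poster. It assumes `raco` is on PATH and uses a placeholder URL (`https://pkgs.internal.example/catalog/`) for the internal catalog server, which you would replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread). Pins `raco pkg` to a single internal
# catalog so that installs and dependency resolution never reach the public
# catalogs. The URL below is a placeholder for your own catalog server.
set -eu

INTERNAL_CATALOG="${INTERNAL_CATALOG:-https://pkgs.internal.example/catalog/}"

# Replace the whole catalog list with the internal catalog only.
# `raco pkg config --set catalogs` overwrites the list rather than appending,
# which is what drops pkgs.racket-lang.org and the other defaults.
pin_to_internal_catalog() {
  raco pkg config --set catalogs "$INTERNAL_CATALOG"
}

# Read catalog entries from stdin (one per line, as `raco pkg config catalogs`
# prints them) and succeed only if every non-empty entry is the internal one.
only_internal_catalog() {
  while IFS= read -r entry; do
    [ -z "$entry" ] && continue
    [ "$entry" = "$INTERNAL_CATALOG" ] || return 1
  done
  return 0
}

# Check the live configuration; a nonzero exit means a public catalog is
# still configured and a dependency could be resolved from it.
verify_config() {
  if raco pkg config catalogs | only_internal_catalog; then
    echo "ok: only $INTERNAL_CATALOG is configured"
  else
    echo "error: catalogs other than $INTERNAL_CATALOG are configured:" >&2
    raco pkg config catalogs >&2
    return 1
  fi
}

case "${1:-}" in
  apply) pin_to_internal_catalog && verify_config ;;
  check) verify_config ;;
  *) echo "usage: $0 apply|check" ;;
esac
```

Run `sh pin-catalog.sh apply` once on a developer machine or CI image, and `sh pin-catalog.sh check` as a CI step so a build fails if anyone re-adds a public catalog. `raco pkg config` writes the user scope by default; add `--installation` to pin the whole Racket installation, which is the scope that matters on a shared CI image. The internal catalog itself can be populated from vetted sources with `raco pkg catalog-copy`, after which every package and dependency comes from a directory you control.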

