I think pinning a dependency against a version identifier and a digest of a tarball is a great way to ensure reproducibility.
You’re controlling which dependency you’re using very specifically.
Reproducibility like this protects against supply chain attacks.
This may be a bit contrived, but it could prevent a malicious package maintainer from releasing a modified version of OpenSSL that you depend on without you noticing that change in your dependencies.
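As an added example (not part of the comment above), a small Python check of the pinning the commenter describes: a dependency is accepted only when its name, version and the SHA-256 of the exact archive bytes all match the pin, so a re-released archive under the same version string is rejected. The archives, the package name and the version are constructed placeholders.

```python
"""Verify a dependency archive against a pin of (name, version, sha256).

Constructed example: archives are built in memory to stand in for tarballs
fetched from a package index; the name and version are placeholders.
"""
import hashlib
import hmac
import io
import tarfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    sha256: str  # hex digest of the exact archive bytes that were reviewed


def make_tarball(files: dict[str, bytes]) -> bytes:
    """Build a deterministic, uncompressed tar archive in memory (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = 0  # fixed timestamp keeps the bytes reproducible
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pin(pin: Pin, name: str, version: str, archive: bytes) -> tuple[bool, str]:
    """Accept the archive only if name, version and digest all match the pin."""
    if name != pin.name or version != pin.version:
        return False, f"identifier mismatch: got {name}=={version}, pinned {pin.name}=={pin.version}"
    actual = sha256_hex(archive)
    # The digest is what binds the content; the version string alone would not catch a re-release.
    if not hmac.compare_digest(actual, pin.sha256):
        return False, f"digest mismatch for {name}=={version}: {actual} != {pin.sha256}"
    return True, "ok"


# Placeholder dependency: the archive that was reviewed and pinned.
GOOD = make_tarball({"openssl-3.0.0/ssl.c": b"int ssl_init(void) { return 0; }\n"})
PIN = Pin(name="openssl", version="3.0.0", sha256=sha256_hex(GOOD))
# Same name and version string, but the contents were silently changed.
TAMPERED = make_tarball({"openssl-3.0.0/ssl.c": b"int ssl_init(void) { return 1; }\n"})

if __name__ == "__main__":
    print(verify_pin(PIN, "openssl", "3.0.0", GOOD))      # (True, 'ok')
    print(verify_pin(PIN, "openssl", "3.0.0", TAMPERED))  # digest mismatch
```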