Insecure git:// downloads
For instance:
That's actual executable code downloaded over an insecure protocol, compiled, and then run on contributors' computers. The Get Involved/development page doesn't mention anywhere that kdesrc-build should only be used on hardened VMs (it probably should anyway, as there's no guarantee that some random CMake script won't download insecure code anyway, but at least that won't be kdesrc-build's fault)...
Edited by Someone Concerned
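
A check a contributor could run over a source directory to find checkouts whose remotes still use `git://`, added here as an example and not part of the original report or of kdesrc-build. The function names, directory layout and `example.org` hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag checkouts whose remotes use the plaintext git:// transport.
# Parses .git/config files directly, so git itself is not required.

# find_insecure_remotes ROOT
# Prints "<path to .git/config>: <url>" for each url/pushurl starting with git://.
find_insecure_remotes() {
    find "$1" -type f -path '*/.git/config' 2>/dev/null | sort |
    while IFS= read -r cfg; do
        # Key names are case-insensitive in git config, so match a lowercased copy.
        awk 'tolower($0) ~ /^[ \t]*(push)?url[ \t]*=[ \t]*git:\/\// {
                 sub(/^[^=]*=[ \t]*/, "")   # keep only the value
                 print FILENAME ": " $0
             }' "$cfg"
    done
}

# count_insecure_remotes ROOT: number of git:// remote URLs found under ROOT.
count_insecure_remotes() {
    find_insecure_remotes "$1" | wc -l | tr -d ' '
}

# make_sample_tree DIR: constructed sample data (hypothetical hosts and paths).
make_sample_tree() {
    mkdir -p "$1/alpha/.git" "$1/beta/.git" "$1/gamma/.git"
    cat > "$1/alpha/.git/config" <<'EOF'
[remote "origin"]
    url = git://git.example.org/alpha
EOF
    cat > "$1/beta/.git/config" <<'EOF'
[remote "origin"]
    url = https://git.example.org/beta.git
EOF
    cat > "$1/gamma/.git/config" <<'EOF'
[remote "origin"]
    URL = git://git.example.org/gamma
EOF
}

# Demo: run with --demo to build the sample tree in a temp dir and report.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_sample_tree "$tmp" && find_insecure_remotes "$tmp"
    rm -rf "$tmp"
fi
```

Git's `url.<base>.insteadOf` setting can rewrite any remotes this reports to an authenticated transport where the host offers one.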