GitLab

Issue #50 (closed) noted that there were still some insecure git repository links present and the reporter also made some recommendations for additional improvement in security.

While I don't think they can be all tackled (at least now), the recommendation to disable network access for the build process makes a lot of sense and seems like it should be doable nowadays, at least as an option.

I haven't figured out how to make things like ip netns, unshare or systemd-run Do the Right Thing quite yet but since we already stuff the build into its own process it seems like it should be doable somehow, and without requiring root or setuid scripting.