Summary
Pin or verify executable build inputs used by non-Nix build paths.
Source
Migrated from docs/maintainers/security-backlog.md.
Maintained Docs
- Security backlog index and review workflow:
docs/maintainers/security-backlog.md
- Threat model:
docs/maintainers/threat-model.md
- Package and runtime maintenance:
docs/maintainers/package-runtime-maintenance.md
- Build and Run Guide:
docs/usage/build-and-run.md
Context
Non-Nix builds fetch npm packages, Electron archives, 7zz archives, and the Rust bootstrap through live endpoints. Some helper fallbacks now carry checked digests, but the broader non-Nix path still relies heavily on TLS, registry behavior, and operator review.
Review Gate
Run the @codex-security workflow before treating implementation as review-ready.
Desired State
- Electron archives and helper downloads have checked integrity metadata.
- npm-based build helpers are pinned through checked-in manifests or an equivalent reproducible tool path.
- Remote shell bootstraps are avoided when a distro package or verified installer is viable.
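The following is an added example of the fail-closed download check the desired state describes; it is not the project's own build helper. The helper names (`verify_pinned`, `fetch_pinned`, `install_pinned_npm`) and the archive contents used in the demo are constructed for illustration. The point it shows is that TLS only authenticates the endpoint, so the digest comparison, not the transport, is the trust boundary, and a mismatch must remove the artifact rather than leave it for a later step to pick up.

```shell
#!/bin/sh
# Added example (not project code): verify non-Nix build inputs against pinned SHA-256 digests.
set -eu

# sha256_of FILE -> lowercase hex digest; portable across coreutils sha256sum and BSD shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_pinned FILE EXPECTED_DIGEST -> 0 on match, 1 otherwise.
# Fails closed: a mismatching artifact is deleted so nothing downstream can use it.
verify_pinned() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  printf 'digest mismatch for %s\n  expected %s\n  actual   %s\n' "$file" "$expected" "$actual" >&2
  rm -f "$file"
  return 1
}

# fetch_pinned URL DEST EXPECTED_DIGEST: download, then verify.
# --proto '=https' refuses a redirect to plain HTTP; --fail refuses to save an error page as the artifact.
fetch_pinned() {
  url=$1; dest=$2; expected=$3
  curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 -o "$dest" "$url"
  verify_pinned "$dest" "$expected"
}

# install_pinned_npm DIR: install build helpers only from a checked-in lockfile.
# `npm ci` refuses to drift from package-lock.json; --ignore-scripts keeps postinstall hooks
# from running code on the build host.
install_pinned_npm() {
  dir=$1
  if [ ! -f "$dir/package-lock.json" ]; then
    echo "refusing to install without a checked-in package-lock.json in $dir" >&2
    return 1
  fi
  (cd "$dir" && npm ci --ignore-scripts)
}

# Offline demo on a constructed artifact: a good check passes, a tampered file is rejected and removed.
demo() {
  tmp=$(mktemp -d)
  printf 'constructed electron archive bytes\n' > "$tmp/electron.zip"
  pinned=$(sha256_of "$tmp/electron.zip")
  verify_pinned "$tmp/electron.zip" "$pinned" && echo "ok: digest matches pin"
  printf 'tampered\n' >> "$tmp/electron.zip"
  if verify_pinned "$tmp/electron.zip" "$pinned"; then
    echo "BUG: tampered archive accepted"; return 1
  fi
  [ ! -f "$tmp/electron.zip" ] && echo "ok: tampered archive rejected and removed"
  rm -rf "$tmp"
}

# Run the demo only when executed directly (not when sourced).
case "${0##*/}" in
  sh|bash|dash) ;;
  *) demo ;;
esac
```

In a real helper the pinned digest would come from a checked-in manifest keyed by version and platform, updated in the same commit that bumps the version, so a review of that commit is a review of the new digest.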