To combat this scenario, we only had build servers populate the cache. Clients were read-only to the cache, so they would benefit from anything that build servers had already built, which covered 95%+ of what clients usually had to rebuild.
Also, release builds were excluded from caching, to prevent any form of poisoning there.
The threat is not that the cache contains builds of untrusted code but that it contains builds that do not match the code that they are associated with.
iveqy|3 years ago
account42|3 years ago
williamcotton|3 years ago
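The two controls discussed in this thread (build servers write, clients read; release builds never cached) and the integrity concern raised in the reply (a cached artifact must match the exact inputs it is associated with) can be combined in a small cache model. The following is an added illustration, not code from any commenter or project: a content-addressed cache keyed by a digest of the full build inputs, a write path gated on caller role, a release-profile exclusion, and a per-entry integrity tag that the cache service checks on read so that an artifact modified in the backing store is treated as a miss rather than served. The secret, roles, and profile names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed secret held by the cache service only; in a real deployment it
# lives in a secrets manager, never in source or on client machines.
CACHE_SERVICE_KEY = b"constructed-cache-service-key"


class BuildCache:
    """Content-addressed build cache with a write ACL and entry integrity tags.

    - Keys are a SHA-256 over (source, flags, profile), so an artifact can only
      ever be returned for the exact inputs it was built from.
    - Only callers with the "build-server" role may store entries; everyone
      else is read-only.
    - Profile "release" is never cached at all.
    - Each stored entry carries an HMAC over (key, artifact) computed by the
      cache service; get() re-checks it and reports a miss on mismatch.
    """

    def __init__(self):
        self._store = {}  # key -> (artifact, tag)

    @staticmethod
    def cache_key(source: bytes, flags, profile: str) -> str:
        # Bind the artifact to every input that influences the build output.
        h = hashlib.sha256()
        h.update(source)
        h.update(json.dumps({"flags": list(flags), "profile": profile},
                            sort_keys=True).encode())
        return h.hexdigest()

    @staticmethod
    def _tag(key: str, artifact: bytes) -> str:
        # Integrity tag over key and payload; detects out-of-band edits to the
        # backing store as well as an artifact moved under a different key.
        msg = key.encode() + b"\0" + artifact
        return hmac.new(CACHE_SERVICE_KEY, msg, hashlib.sha256).hexdigest()

    def put(self, role: str, source: bytes, flags, profile: str, artifact: bytes) -> str:
        if role != "build-server":
            raise PermissionError("only build servers may populate the cache")
        if profile == "release":
            raise ValueError("release builds are excluded from the cache")
        key = self.cache_key(source, flags, profile)
        self._store[key] = (artifact, self._tag(key, artifact))
        return key

    def get(self, source: bytes, flags, profile: str):
        """Return the cached artifact, or None on a miss or integrity failure."""
        key = self.cache_key(source, flags, profile)
        entry = self._store.get(key)
        if entry is None:
            return None
        artifact, tag = entry
        if not hmac.compare_digest(tag, self._tag(key, artifact)):
            return None  # tampered or corrupted entry: treat as a miss
        return artifact


def run_scenario() -> dict:
    """Exercise the controls on constructed inputs and report what happened."""
    cache = BuildCache()
    src = b"int main(void) { return 0; }"
    results = {}

    key = cache.put("build-server", src, ["-O2"], "debug", b"ELF:debug-O2")
    results["hit_same_inputs"] = cache.get(src, ["-O2"], "debug")
    results["miss_other_flags"] = cache.get(src, ["-O0"], "debug")
    results["miss_other_source"] = cache.get(src + b"\n", ["-O2"], "debug")

    try:
        cache.put("client", src, ["-O2"], "debug", b"ELF:poisoned")
        results["client_write"] = "allowed"
    except PermissionError:
        results["client_write"] = "denied"

    try:
        cache.put("build-server", src, ["-O2"], "release", b"ELF:release")
        results["release_write"] = "allowed"
    except ValueError:
        results["release_write"] = "denied"

    # Simulate someone editing the backing store directly, keeping the old tag.
    _, old_tag = cache._store[key]
    cache._store[key] = (b"ELF:tampered", old_tag)
    results["hit_after_tamper"] = cache.get(src, ["-O2"], "debug")
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value!r}")
```

The role check is what the first commenter describes; the input-digest key and the integrity tag address the reply's point that the danger is an artifact that does not correspond to its associated source, whether because inputs changed or because the stored object was altered after the build server wrote it.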