
Separating fetching from building for better security

Rust Internals [Unofficial] June 11, 2026
grothesque:

> The security gain from the above is that if a compromised dependency tried to exfiltrate user data over the network (even if a sandbox is used, sensitive project data might be available), it would have a much harder time doing so.

Even without network during the build, compromise can be deferred to test time (which almost inevitably follows) where network is less likely to be completely disabled. I'm not saying this is nothing, but I think it needs to be part of a comprehensive design of how to allocate and enforce permissions to stages of the build pipeline.

For example, I know that some database proc macros reach out to connect to a database to divine the schema during the build; how does one indicate that this permission is necessary? Can that permission be limited to that component of the build somehow?

Also, this sounds like either a Linux-specific or CI-specific thing as I'm not sure how to "disable network" for a specific process on macOS (probably through the sandboxing framework?), Windows (???), FreeBSD (jails?). Even on Linux, you're at the mercy of user namespaces being available in order to create a network namespace you can manipulate.
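
The Linux case raised in the post above, as an added example that is not code from the thread or from Cargo: probe whether an unprivileged network namespace can be created, fetch with network access, then build inside the empty namespace, failing closed when the probe fails. It assumes util-linux `unshare` and a project with a `Cargo.lock`; `ALLOW_UNISOLATED_BUILD` and the function names are made up for this example, and only the build step is isolated, not the test step.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): fetch with network, build without it.
# Assumes Linux, util-linux `unshare`, and a Cargo project with a Cargo.lock.

# Probe: can this user create a user namespace plus an empty network namespace?
can_isolate_network() {
    command -v unshare >/dev/null 2>&1 || return 1
    unshare --user --map-root-user --net true >/dev/null 2>&1
}

# Print the build command for a mode ("isolated" or "plain").
# "plain" only stops Cargo itself from using the network, not build scripts.
build_command() {
    case "$1" in
        isolated) echo "unshare --user --map-root-user --net cargo build --offline --locked" ;;
        plain)    echo "cargo build --offline --locked" ;;
        *)        return 2 ;;
    esac
}

# Pick a mode. Fail closed: fall back to an un-isolated build only when the
# caller opts in via ALLOW_UNISOLATED_BUILD=1 (a variable made up for this example).
choose_mode() {
    if can_isolate_network; then
        echo isolated
    elif [ "${ALLOW_UNISOLATED_BUILD:-0}" = 1 ]; then
        echo plain
    else
        return 1
    fi
}

# Stage 1 needs the network; stage 2 runs build scripts and proc macros without it.
fetch_then_build() {
    local mode
    mode=$(choose_mode) || {
        echo "cannot create a network namespace; refusing to build" >&2
        return 1
    }
    cargo fetch --locked || return 1
    # shellcheck disable=SC2046  # word splitting of the command line is intended
    set -- $(build_command "$mode")
    "$@"
}
```

Call `fetch_then_build` from the project root; a proc macro that needs a database connection at build time will fail in the isolated mode, which is the permission question the post asks.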
