All,
This is Visual Studio Code and plug-in specific.
I’m using the Verdin full-sized carrier and an iMX8M Plus, but that doesn’t matter for this question.
I worked my way through the Python example.
https://developer.toradex.com/getting-started/module-2-first-steps-with-torizon/build-and-run-your-first-application-visual-studio-code
I was somewhat shocked when I saw this happening:
[09-21 07:11:35.347] Step 5/16 : RUN apt-get update && apt-get install -y --no-install-recommends dos2unix python3-minimal python3-pip python3-setuptools && rm -rf /var/lib/apt/lists/*
[09-21 07:11:35.556] ---> [Warning] The requested image's platform (linux/arm64/v8) does not match the detected host platform (linux/amd64) and no specific platform was requested
[09-21 07:11:35.557] ---> Running in ed678ba7df4c
[09-21 07:11:37.575] Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
[09-21 07:11:37.771] Get:2 http://deb.debian.org/debian bullseye-updates InRelease [39.4 kB]
[09-21 07:11:37.797] Get:3 http://security.debian.org/debian-security bullseye-security InRelease [44.1 kB]
[09-21 07:11:37.974] Get:4 https://feeds.toradex.com/debian/snapshots/20210909T072507Z testing InRelease [13.0 kB]
[09-21 07:11:41.440] Get:5 http://deb.debian.org/debian bullseye/main arm64 Packages [8068 kB]
[09-21 07:11:47.043] Get:6 http://deb.debian.org/debian bullseye-updates/main arm64 Packages [2304 B]
[09-21 07:11:49.576] Get:7 http://security.debian.org/debian-security bullseye-security/main arm64 Packages [71.6 kB]
[09-21 07:11:54.403] Get:8 https://feeds.toradex.com/debian/snapshots/20210909T072507Z testing/main arm64 Packages [133 kB]
[09-21 07:11:55.004] Get:9 https://feeds.toradex.com/debian/snapshots/20210909T072507Z testing/non-free arm64
Later on it pulled down and installed a bunch of other stuff from deb.debian.org.
At some point, when I was sitting there idle, VSCode decided to magically install stuff as well.
I know kids today think reaching out across the Web to get the latest build of everything is super cool, but in a regulated environment this cannot happen. You have to vet every tool. If one needs to make a minor change, like some text on the screen, you don’t want to go through a full new product verification process with clinical trials because new libraries were introduced; you want to go through the minor change approval path.
How can we lock down your plug-in so it only looks either locally in the VM or a secured and privately hosted repo?
We cannot have the build just finding things on the Web and adding them to the container. Every version of everything must remain locked down.
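
An added example, not part of the original post and not Toradex tooling: a small Python audit that reads apt `Get:` lines like those in the build log above and reports which package sources are outside an approved host list or are not pinned to a timestamped snapshot. The function name, the allowlist, and the rule that a `YYYYMMDDTHHMMSSZ` path segment means a pinned snapshot are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: apt "Get:" lines in the same format as the build log above.
SAMPLE_LOG = """\
[09-21 07:11:37.575] Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
[09-21 07:11:37.797] Get:3 http://security.debian.org/debian-security bullseye-security InRelease [44.1 kB]
[09-21 07:11:37.974] Get:4 https://feeds.toradex.com/debian/snapshots/20210909T072507Z testing InRelease [13.0 kB]
[09-21 07:11:54.403] Get:8 https://feeds.toradex.com/debian/snapshots/20210909T072507Z testing/main arm64 Packages [133 kB]
"""

# "Get:<n> <repo-url> <suite>[/component] ..." as printed by apt-get update.
GET_LINE = re.compile(r"Get:\d+\s+(?P<url>https?://\S+)\s+(?P<suite>\S+)")
# Assumption: a timestamped path segment marks an immutable snapshot feed.
SNAPSHOT = re.compile(r"(^|/)\d{8}T\d{6}Z(/|$)")


def audit_apt_sources(log_text, allowed_hosts=frozenset()):
    """Map each distinct (repo URL, suite) in the log to a list of issues."""
    findings = {}
    for m in GET_LINE.finditer(log_text):
        url = m.group("url")
        suite = m.group("suite").split("/")[0]  # "testing/main" -> "testing"
        parts = urlsplit(url)
        issues = []
        if parts.hostname not in allowed_hosts:
            issues.append("host-not-allowlisted")
        if not SNAPSHOT.search(parts.path):
            issues.append("not-snapshot-pinned")
        findings[(url, suite)] = issues
    return findings


if __name__ == "__main__":
    # Hypothetical allowlist; replace with the hosts your process has vetted.
    report = audit_apt_sources(SAMPLE_LOG, allowed_hosts={"feeds.toradex.com"})
    for (url, suite), issues in report.items():
        status = ", ".join(issues) if issues else "ok"
        print(f"{url} [{suite}]: {status}")
```

Run against a saved build log, a non-empty issue list for any source can be used to fail the build before the image is accepted.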