Downloaded binaries should be hashed/verified.

[mmlb]

To help ensure software supply chain security, this file needs to be hashed (SHA-2 256 or better) and verified against a copy of the hash that we store in this repository. Another option is to have the nix package manager install it, or have the user install it manually.

Originally posted by @stephen-fox in #33 (comment)

[stephen-fox]

One other comment on this topic... Do we have a policy for reviewing / auditing third party tools and libraries? Obviously one of us can just grab hashes, but what about the next time when a new version of a tool releases?

Edit: I would extend this to verifying dependencies in general (binary or otherwise).

[mmlb]

We do not have a policy setup/in place.