
Mirror source tarballs for contributing setup - oilshell.org and/or git scalar #1925

Open
andychu opened this issue Apr 8, 2024 · 4 comments

Comments

@andychu
Contributor

andychu commented Apr 8, 2024

Also python 2 package retrieving from python's official source is apparently extremely slow in China, about 5KB/s. I modified it to some mirror site in China and managed to run this script and get errors. I'll try to see if waiting for 30min from python's official source will actually solve the issue.


eta 28min, crazy.

Originally posted by @glyh in #1923 (comment)

@andychu
Contributor Author

andychu commented Apr 8, 2024

This will reduce any flakiness due to all the hosts we use

There are probably 5 different hosts -- it should be one

@andychu
Contributor Author

andychu commented Apr 8, 2024

This also relates to xz backdoor fallout -- we want to build tarballs on 2 completely separate systems, and then compare them

Also do something about the intermediate docker containers ...

we don't have a 1 step build -- we have "caching" in Docker, which is not ideal

@glyh
Collaborator

glyh commented Apr 8, 2024

I think caching is fine?

@andychu
Contributor Author

andychu commented Apr 8, 2024

Using Docker is necessary to make our CI fast, and for it to run on both sourcehut and GitHub Actions

However it's a dependency from a security perspective -- if someone hacks Docker, then they can backdoor BOTH the sourcehut AND the GitHub Actions tarballs

That's bad

So I would like to get rid of it in the future. Probably won't happen for a while though


i.e. Docker is a single point of failure. I would like to have 2 completely separate cloud builds, all running from the same git source repos, that produce the same exact release tarball

So that if one provider is hacked, we will know. They would have to hack multiple clouds at the same time to trick us
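The "build on two clouds, then compare" check described above, as an added example that is not part of the issue thread or the Oils project's own tooling. It compares two tarballs member by member on file content only, because a whole-file checksum of a `.tar.gz` also picks up the gzip header timestamp and other metadata; the tarballs and file names below are constructed for the example.

```python
import hashlib
import io
import tarfile


def member_digests(tar_bytes):
    """Map each regular-file member path to the SHA-256 of its content.

    mtime, uid/gid and mode are deliberately ignored so that two builds that
    differ only in timestamps still agree; any content change does not.
    """
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_tarballs(tar_a, tar_b):
    """Return sorted (path, reason) pairs for every member that differs.

    reason is 'only-in-a', 'only-in-b' or 'content'; an empty list means the two
    independently built tarballs agree file for file.
    """
    a, b = member_digests(tar_a), member_digests(tar_b)
    findings = []
    for path in sorted(set(a) | set(b)):
        if path not in b:
            findings.append((path, "only-in-a"))
        elif path not in a:
            findings.append((path, "only-in-b"))
        elif a[path] != b[path]:
            findings.append((path, "content"))
    return findings


def make_tarball(files, mtime):
    """Build a gzip tarball in memory from {path: bytes} (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: the same sources built at two different times, and a
# third build in which one file was modified on the build host.
SOURCES = {"oils/configure": b"#!/bin/sh\n", "oils/README": b"hi\n"}
BUILD_A = make_tarball(SOURCES, mtime=1)
BUILD_B = make_tarball(SOURCES, mtime=2)
BUILD_TAMPERED = make_tarball(dict(SOURCES, **{"oils/configure": b"#!/bin/sh\n# injected\n"}), mtime=2)
```

Run `compare_tarballs` on the two real release tarballs; any non-empty result is the signal that one build host diverged and needs investigating.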
