This criterion is not clear:

```yaml
- id: OSPS-05
  maturity_level: 1
  category: Build & Release
  criteria: |
    The project's build and release pipelines
    MUST NOT execute arbitrary code that is
    input from outside of the build script.
  objective: |
    Reduce the risk of code injection or other
    security vulnerabilities in the project's
    build and release processes by restricting
    the execution of external code.
  implementation: |
    Ensure that the project's build and release
    pipelines do not execute arbitrary code
    provided from external sources.
```
On first reading, it sounded like many common practices
are forbidden:

- pipe-to-shell like `curl https://STUFF | sh` appears forbidden.
  I'm no fan of pipe-to-shell, as it carries big risks if the
  server is compromised, but it's so widespread that it can't be
  a level 1 requirement. For example, the recommended way to
  install Rust is pipe-to-shell.
- Downloading components & dependencies to run the
  build script appears forbidden - they must all be downloaded
  before building. Again, not a bad idea, but way too many
  build systems figure out what's needed, then get it.

It appears what's really meant is countering some specific
workflow attacks like script injection, as detected by Scorecard.
That sounds far more tractable, but the current text doesn't say that.

I think this text needs to be redone to say what was actually intended.
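The workflow script-injection pattern the issue points to (an untrusted `${{ ... }}` context expanded directly into a `run:` step, the thing Scorecard flags), as an added example that is not code from the issue, from Scorecard or from the Baseline project: a simplified line-based scanner run over a constructed vulnerable workflow and its hardened form, where the same value is passed through `env:` and reaches the shell as a quoted variable instead of being spliced into the script. The untrusted-context list is an approximation I wrote for this example, not Scorecard's own.

```python
import re
# Added example, not code from the issue or the Baseline project: a simplified
# scan for the workflow "script injection" pattern the issue says OSPS-05 targets.
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")  # any ${{ ... }} expression
UNTRUSTED = re.compile(  # contexts an outside contributor controls (approximate list)
    r"github\.head_ref\b|github\.event\.[\w.]*\.(title|body|ref|message|login|email)\b")

def find_script_injection(workflow_text: str) -> list:
    """(line_no, expression) for each untrusted expression expanded into a run: script.
    Expressions under env: are not flagged: they reach the shell as data, not code."""
    findings = []
    run_indent = None  # indentation of the run: key whose block we are inside
    for n, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped:
            continue  # blank lines inside a block scalar do not end it
        indent = len(line) - len(stripped)
        if run_indent is not None and indent <= run_indent:
            run_indent = None  # dedented to the key's level: we left the run: block
        m = re.match(r"(-\s+)?run:", stripped)  # `run:` or `- run:` (key after the dash)
        text = stripped[m.end():] if m else stripped  # inline script, if any
        if m:
            run_indent = indent + len(m.group(1) or "")
        elif run_indent is None:
            continue  # not inside any run: block
        for e in EXPR.finditer(text):
            if UNTRUSTED.search(e.group(1)):
                findings.append((n, e.group(1)))
    return findings

# Constructed samples: the injectable workflow and its hardened equivalent.
VULNERABLE = """\
on: pull_request_target
jobs:
  triage:
    steps:
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
      - run: echo "${{ github.head_ref }}"
"""
HARDENED = """\
on: pull_request_target
jobs:
  triage:
    steps:
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $TITLE"
"""
```

Running `find_script_injection(VULNERABLE)` reports lines 6 and 7, while the hardened workflow produces no findings because the expression only appears under `env:`.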