If we can get an upgraded swig on the bots then that is definitely the better solution. But it does seem a shame that we can’t implement useful features because we can’t update the bots.
Note, I don’t think that this needs to be a security concern, IRL. I think requiring any builder that is actually releasing lldb built products to keep their swig up to date, and build the swig products locally is a very reasonable policy. The static files would only be used on PR bots where the swig version is too old. I guess that could lead to exploits on the bots, but that seems a stretch.
Note, I’m not pushing this solution in particular, getting all the systems we need to build on to have a sufficiently up to date swig is an obviously better solution. I just don’t want us to have to not do reasonable things because one system somewhere has too old a version of swig installed locally.