For some time I've experimented with and looked for a good solution for building (reproducible) development boxes. These will be virtual machines intended for development. In the beginning they will be local virtual machines, but in the future they could also be remote machines. The main reason for using development boxes is the added security of separating and isolating projects/customer work from each other. Each VM would hold the projects for one customer and only the required SSH/access keys. The actual builds are also run in isolated containers and have even more restricted access to resources. This will protect against supply-chain malware, as it significantly reduces the resources the malware can read, such as SSH keys and access tokens. Here are the requirements for my setup: