Fellow kids: is it insane, permissible, or expected to use the same remote cache on developer machines and the build server? It makes me nervous that a dev machine might be able to poison cache or write maliciously, but that also seems improbable, and not a vector I need to worry about right now.

Our setup is RW from CI but read-only from dev-machines. However, we haven't found end-user gains that big as we use pyenv in cloud but host-python locally... Seems to cause a bunch of cache misses.

Stripe -- who as a large financial company may or may not have the same security posture as you -- has a long writeup on this topic: https://stripe.com/blog/fast-secure-builds-choose-two