You don't automatically download anything at build or install time, you just update your local source copies when you want to. Which to be clear I know means rarely.
Vendoring is nice, and I usually prefer it, but you don't always have the time or people for it.
Vendoring + custom build system (Bazel?) for everything is basically Google's approach, if what I have read is correct. Definitely better than everything we have, but the resources for it are not something most can afford.
P.S. Also what mrcus said, if we trust the upstream build process, we may as well trust their binaries.
You don't automatically download anything at build or install time, you just update your local source copies when you want to. Which to be clear I know means rarely.
It's 1970 all over again!