
fix: run post-link scripts #574

Merged
merged 13 commits into from
Apr 5, 2024

Conversation

wolfv
Copy link
Contributor

@wolfv wolfv commented Mar 20, 2024

@baszalmstra
Copy link
Collaborator

👍

One of the primary reasons that I am very much against executing scripts during installation is that it is a massive security risk. We are basically allowing arbitrary code execution at install time.

Bun recently introduced the concept that a user has to explicitly allow running installation scripts for certain packages. Would you be open to adding a similar approach here right off the bat? I know this complicates the integration into rattler-build and pixi but I think it's very important to protect users.

@wolfv
Copy link
Contributor Author

wolfv commented Mar 21, 2024

From our discussion:

  • I totally agree that post-link / pre-unlink scripts are ugly and should ideally not exist
  • On the same note, activation scripts are "just as bad" (unfortunately!)
  • Lastly we always have to trust packages

To make things more secure in the longer run I advocate for:

  • sandboxing using cgroups, and other means
  • removing activation or post-link scripts wherever possible and substituting for simpler "environment variable" setters (actually already possible but underused in conda-forge)

I will make it configurable whether to run the installation scripts, and we can also emit a warning or something like that.
