I like dlang but i don't like dub
nise at nise.com
Tue Mar 22 17:36:13 UTC 2022
On Friday, 18 March 2022 at 18:16:51 UTC, Ali Çehreli wrote:
> The first time I learned about pulling in dependencies
> terrified me. (This is the part I realize I am very different
> from most other programmers.) I am still terrified that my
> dependency system will pull in a tree of code that I have no
> idea doing. Has it been modified to be malicious overnight? I
> thought it was possible. The following story is an example of
> what I was exactly terrified about:
> Despite such risks many projects just pull in code. (?) What am
> I missing?
This is an interesting observation and something of an oddity in
modern SW engineering. I have been on several projects where they
just download versions of libraries from some random server. For
personal projects I guess this would be ok but for commercial
software this would be a big no-no for me. Still the trend goes
towards this. Now, several build systems and packet manager
software have the possibility to change the server to a local
one. Changing to local one is unusual though which is strange.
First as you mentioned is that you increase the vulnerability by
the possibility injecting a modified version of a library with
back doors. Then you also become dependent on outside servers
which is bad if they are down.
In all, for commercial software just avoid dub. If you want to
use a build system go for Meson as it has D support out of the
box today. For commercial projects pull libraries manually as you
want to have full control where you get it, the version and so on.
More information about the Digitalmars-d-learn