I like dlang but I don't like dub

IGotD- nise at nise.com
Tue Mar 22 17:36:13 UTC 2022


On Friday, 18 March 2022 at 18:16:51 UTC, Ali Çehreli wrote:
>
> The first time I learned about pulling in dependencies 
> terrified me. (This is the part I realize I am very different 
> from most other programmers.) I am still terrified that my 
> dependency system will pull in a tree of code that I have no 
> idea what it is doing. Has it been modified to be malicious overnight? I 
> thought it was possible. The following story is an example of 
> what I was exactly terrified about:
>
>
> https://medium.com/hackernoon/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
>
> Despite such risks many projects just pull in code. (?) What am 
> I missing?
>

This is an interesting observation and something of an oddity in 
modern SW engineering. I have been on several projects where they 
just download versions of libraries from some random server. For 
personal projects I guess this would be ok, but for commercial 
software this would be a big no-no for me. Still, the trend goes 
towards this. Now, several build systems and package manager 
software have the possibility to change the server to a local 
one. Changing to a local one is unusual though, which is strange.

First, as you mentioned, you increase the vulnerability through 
the possibility of injecting a modified version of a library with 
back doors. Then you also become dependent on outside servers, 
which is bad if they are down.

In all, for commercial software just avoid dub. If you want to 
use a build system go for Meson as it has D support out of the 
box today. For commercial projects pull libraries manually as you 
want to have full control where you get it, the version and so on.
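One way to enforce the "pull libraries manually, keep full control of source and version" approach described above is to audit dub's lock file: an added example, not code from the thread or from dub itself. It assumes the `dub.selections.json` layout where registry dependencies appear as plain version strings and vendored ones as `{"path": ...}` entries, plus a hypothetical in-house manifest of reviewed archive hashes; all inputs are constructed.

```python
import hashlib
import json

# Constructed sample dub.selections.json (the lock file dub writes next to dub.json).
# Registry dependencies are plain version strings; vendored ones are {"path": ...}.
SELECTIONS_JSON = """{
  "fileVersion": 1,
  "versions": {
    "somelib": "0.9.5",
    "mylib": {"path": "vendor/mylib"},
    "otherlib": {"path": "vendor/otherlib"}
  }
}"""

# Constructed in-house manifest (hypothetical): for each vendored package, the
# reviewed version and the sha256 of the archive that was fetched by hand.
VENDOR_MANIFEST = {
    "mylib": {"version": "1.2.0",
              "sha256": hashlib.sha256(b"mylib-1.2.0 archive bytes").hexdigest()},
    "otherlib": {"version": "2.0.1",
                 "sha256": hashlib.sha256(b"otherlib-2.0.1 archive bytes").hexdigest()},
}

# Constructed stand-in for the vendored archives on disk; "otherlib" was altered.
VENDOR_ARCHIVES = {
    "mylib": b"mylib-1.2.0 archive bytes",
    "otherlib": b"otherlib-2.0.1 TAMPERED",
}

def audit_selections(selections_json, manifest, archives):
    """Return (package, finding) pairs for every dependency that is not a
    hash-verified, locally vendored package. An empty list means the build
    pulls nothing from a remote registry and every vendored archive matches."""
    findings = []
    versions = json.loads(selections_json)["versions"]
    for name, sel in sorted(versions.items()):
        if isinstance(sel, str):  # plain version string => resolved via a registry
            findings.append((name, f"registry dependency {sel}: fetched from a remote server, not vendored"))
        elif name not in manifest:
            findings.append((name, f"path dependency {sel['path']} has no manifest entry"))
        elif name not in archives:
            findings.append((name, "vendored archive missing"))
        else:
            digest = hashlib.sha256(archives[name]).hexdigest()
            if digest != manifest[name]["sha256"]:
                findings.append((name, f"sha256 mismatch: expected {manifest[name]['sha256'][:12]}, got {digest[:12]}"))
    return findings

if __name__ == "__main__":
    for pkg, finding in audit_selections(SELECTIONS_JSON, VENDOR_MANIFEST, VENDOR_ARCHIVES):
        print(f"{pkg}: {finding}")
```

Run it as a CI gate: any finding fails the build, so a dependency that silently switched from a vendored path back to a registry pull, or a vendored archive whose bytes changed, is caught before it is compiled in.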
