DIP11: Automatic downloading of libraries
Andrei Alexandrescu
SeeWebsiteForEmail at erdani.org
Tue Jun 14 07:49:34 PDT 2011
On 6/14/11 9:35 AM, Daniel Gibson wrote:
> Am 14.06.2011 16:09, schrieb Vladimir Panteleev:
>> On Tue, 14 Jun 2011 16:53:16 +0300, Andrei Alexandrescu
>> <SeeWebsiteForEmail at erdani.org> wrote:
>>
>>> http://www.wikiservice.at/d/wiki.cgi?LanguageDevel/DIPs/DIP11
>>
>> Why this is a bad idea:
>> 1) It hard-codes URLs in source code. Projects often move to other
>> code-hosting services. PHP, Python, Perl, not sure about Ruby all have a
>> central website which stores package metadata.
>> 2) It requires that the raw source code be available via HTTP. Not all
>> code hosting services allow this. GitHub will redirect all HTTP requests
>> to HTTPS.
>
> It should support HTTPS anyway, to prevent DNS spoofing attacks and such
> (i.e. most attacks that don't need your own machine to be compromised).
> But maybe additional support for signing the code would be even better,
> to be able to detect compromised code on the server.
Yah, I thought of a SHA1 optional parameter:
pragma(liburl, mylib, "myurl", "mysha1");
>> 3) It only solves the problem for D modules, but not any other possible
>> dependencies.
>>
>> I understand that this is a very urgent problem, but my opinion is that
>> this half-arsed solution will only delay implementing and cause
>> migration problems to a real solution, which should be able to handle
>> svn/hg/git checkout, proper packages with custom build scripts,
>> versioning, miscellaneous dependencies, publishing, etc.
>>
>
> I personally think that a standard build tool that does this (and
> possibly also ships with DMD) would be better than support directly in
> the language.
> Especially the case that the projects website changes could be handled
> more easily by adjusting the URL in a config file instead of changing
> your code.
This is still possible with D config files that contain pragmas.
Andrei
More information about the Digitalmars-d
mailing list