DIP11: Automatic downloading of libraries

Daniel Gibson metalcaedes at gmail.com
Tue Jun 14 12:41:15 PDT 2011


On 14.06.2011 21:34, Robert Clipsham wrote:
> On 14/06/2011 20:07, Andrei Alexandrescu wrote:
>> On 6/14/11 1:22 PM, Robert Clipsham wrote:
>>> On 14/06/2011 14:53, Andrei Alexandrescu wrote:
>>>> http://www.wikiservice.at/d/wiki.cgi?LanguageDevel/DIPs/DIP11
>>>>
>>>> Destroy.
>>>>
>>>>
>>>> Andrei
>>>
>>> This doesn't seem like the right solution to the problem - the correct
>>> solution, in my opinion, is to have a build tool/package manager handle
>>> this, not the compiler.
>>>
>>> Problems I see:
>>> * Remote server gets hacked, everyone using the library now
>>> executes malicious code
>>
>> This liability is not different from a traditional setup.
> 
> Perhaps, but with a proper package management tool this can be avoided
> with SHA sums etc., this can't happen with a direct get. Admittedly this
> line of defense falls if the intermediate server is hacked.
> 

Signing the files/hashes with GPG helps (as long as the developer's
private key isn't on the server).
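
An added example, not part of the original message or of any D tooling: it contrasts a checksum served by the download server with a signature over that checksum made by a key that is not on the server. Ed25519 from Go's standard library stands in for GPG here, and the `Mirror` type, the function names and the sample sources are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Mirror is what the download server hands out for one library (hypothetical type).
type Mirror struct {
	Lib []byte   // library source
	Sum [32]byte // SHA-256 published next to it
	Sig []byte   // detached signature over Sum
}

// NewDeveloperKey creates the signing key pair; the private half stays off the server.
func NewDeveloperKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Publish is the release step, run on the developer's machine, not on the server.
func Publish(priv ed25519.PrivateKey, lib []byte) Mirror {
	sum := sha256.Sum256(lib)
	return Mirror{Lib: lib, Sum: sum, Sig: ed25519.Sign(priv, sum[:])}
}

// Tamper models a hacked server: file and checksum change, the old signature is all it has.
func Tamper(m Mirror, lib []byte) Mirror {
	return Mirror{Lib: lib, Sum: sha256.Sum256(lib), Sig: m.Sig}
}

// Verify reports whether the served checksum matches and whether the pinned key signed it.
func Verify(pinned ed25519.PublicKey, m Mirror) (sumOK, sigOK bool) {
	sumOK = sha256.Sum256(m.Lib) == m.Sum
	return sumOK, sumOK && ed25519.Verify(pinned, m.Sum[:], m.Sig)
}

func main() {
	pub, priv := NewDeveloperKey()
	good := Publish(priv, []byte("module lib; // constructed v1.0 source"))
	bad := Tamper(good, []byte("module lib; // constructed altered source"))
	fmt.Println(Verify(pub, good)) // true true
	fmt.Println(Verify(pub, bad))  // true false
}
```

The checksum alone still matches after the server-side change because both values come from the same place; only the signature check, against a public key the client obtained separately, fails.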

