DIP11: Automatic downloading of libraries

Andrei Alexandrescu SeeWebsiteForEmail at erdani.org
Tue Jun 14 13:26:34 PDT 2011


On 6/14/11 2:34 PM, Robert Clipsham wrote:
> On 14/06/2011 20:07, Andrei Alexandrescu wrote:
>> On 6/14/11 1:22 PM, Robert Clipsham wrote:
>>> On 14/06/2011 14:53, Andrei Alexandrescu wrote:
>>>> http://www.wikiservice.at/d/wiki.cgi?LanguageDevel/DIPs/DIP11
>>>>
>>>> Destroy.
>>>>
>>>>
>>>> Andrei
>>>
>>> This doesn't seem like the right solution to the problem - the correct
>>> solution, in my opinion, is to have a build tool/package manager handle
>>> this, not the compiler.
>>>
>>> Problems I see:
>>> * Remote server gets hacked, everyone using the library now
>>> executes malicious code
>>
>> This liability is not different from a traditional setup.
>
> Perhaps, but with a proper package management tool this can be avoided
> with sha sums etc, this can't happen with a direct get. Admittedly this
> line of defense falls if the intermediate server is hacked.

You may want to update the proposal with the appropriate security artifacts.

[snip]
> I don't have a problem with automatically downloading source during a
> first build, I do see a problem with getting the compiler to do it
> though. I don't believe the compiler should have anything to do with
> getting source code, unless the compiler also becomes a package manager
> and build tool.

Would you agree with the setup in which the compiler interacts during 
compilation with an external executable, placed in the same dir as the 
compiler, and with this spec?

dget "url"

Gets "url" and prints the local dir to stdout, or fails and prints an 
error message to stderr.

Then the matter is to write dget - in D!

I feel this is going somewhere.


Andrei
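
Added example, not part of the original message and not code from the D project: a sketch in Python of the `dget "url"` contract described above (local dir on stdout, error on stderr), extended with the SHA-sum check raised earlier in the thread. The `PINS` lock data, the injected `fetch` callable, the cache layout and the sample URL and source are assumptions constructed for illustration; the pins are assumed to come from somewhere other than the download server.

```python
import hashlib
import sys
from pathlib import Path

class DgetError(Exception):
    """Fetch failed or content did not match its pinned digest."""

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample: one library source and its pinned digest (hypothetical lock data).
URL = "http://example.invalid/mylib.d"
GOOD = b"module mylib;\nint answer() { return 42; }\n"
PINS = {URL: sha256_hex(GOOD)}

def dget(url, pins, fetch, cache_root):
    """Return the local dir holding verified content for url, or raise DgetError.

    fetch is a callable url -> bytes, injected so the sketch runs offline.
    """
    expected = pins.get(url)
    if expected is None:
        raise DgetError(f"no pinned digest for {url}")
    target_dir = Path(cache_root) / expected  # content-addressed cache entry
    target = target_dir / "source"
    if target.is_file() and sha256_hex(target.read_bytes()) == expected:
        return target_dir  # cache hit, re-verified on every use
    data = fetch(url)
    actual = sha256_hex(data)
    if actual != expected:
        raise DgetError(f"digest mismatch for {url}: got {actual}")
    target_dir.mkdir(parents=True, exist_ok=True)
    tmp = target_dir / "source.tmp"
    tmp.write_bytes(data)
    tmp.replace(target)  # rename so a partial download never looks complete
    return target_dir

def main(argv, pins, fetch, cache_root):
    """CLI contract from the message: local dir on stdout, error on stderr."""
    try:
        print(dget(argv[1], pins, fetch, cache_root))
        return 0
    except (DgetError, OSError, IndexError) as exc:
        print(f"dget: {exc}", file=sys.stderr)
        return 1

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        main(["dget", URL], PINS, lambda u: GOOD, root)             # prints dir
        main(["dget", URL], {URL: "0" * 64}, lambda u: GOOD, root)  # mismatch
```

Because the cache directory is named after the pinned digest, a compiler calling this helper only ever receives a path whose contents matched the pin when checked.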


