DIP11: Automatic downloading of libraries

Andrei Alexandrescu SeeWebsiteForEmail at erdani.org
Tue Jun 14 13:27:15 PDT 2011


On 6/14/11 2:41 PM, Daniel Gibson wrote:
> Am 14.06.2011 21:34, schrieb Robert Clipsham:
>> On 14/06/2011 20:07, Andrei Alexandrescu wrote:
>>> On 6/14/11 1:22 PM, Robert Clipsham wrote:
>>>> On 14/06/2011 14:53, Andrei Alexandrescu wrote:
>>>>> http://www.wikiservice.at/d/wiki.cgi?LanguageDevel/DIPs/DIP11
>>>>>
>>>>> Destroy.
>>>>>
>>>>>
>>>>> Andrei
>>>>
>>>> This doesn't seem like the right solution to the problem - the correct
>>>> solution, in my opinion, is to have a build tool/package manager handle
>>>> this, not the compiler.
>>>>
>>>> Problems I see:
>>>> * Remote server gets hacked, everyone using the library now
>>>> executes malicious code
>>>
>>> This liability is not different from a traditional setup.
>>
>> Perhaps, but with a proper package management tool this can be avoided
>> with sha sums etc.; this can't happen with a direct get. Admittedly this
>> line of defense falls if the intermediate server is hacked.
>>
>
> Signing the files/hashes with GPG helps (as long as the developer's
> private key isn't on the server).

Could you please add a subsection to the trust model discussing such a 
possibility?

Thanks,

Andrei
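The trade-off argued in the quoted exchange (a hash published by the package index catches a hacked remote server but not a hacked intermediate, while a signature made with a key kept off both servers survives either) replayed as an added Go example; it is not part of the thread or of DIP11. Ed25519 stands in for GPG, and the two servers, the archive bytes and the key seed are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a client fetches: the archive from the remote library server, the
// SHA-256 the intermediate index server publishes for it, and the developer's signature
// over the archive. Ed25519 stands in for GPG here; every value in this file is constructed.
type Release struct {
	Archive  []byte
	IndexSum string
	Sig      []byte
}
type Outcome struct{ Hash, Sig bool } // which checks still pass in one scenario
func hexSum(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// publish is the developer's side; the signing key never leaves their machine.
func publish(priv ed25519.PrivateKey, archive []byte) Release {
	return Release{archive, hexSum(archive), ed25519.Sign(priv, archive)}
}

// hashOK is the "sha sums" check: it trusts whatever hash the index server states.
func hashOK(r Release) bool { return hexSum(r.Archive) == r.IndexSum }

// sigOK is the "sign with GPG" check: trust is anchored in a public key the client
// already holds, so neither server can produce a valid signature over new bytes.
func sigOK(pub ed25519.PublicKey, r Release) bool { return ed25519.Verify(pub, r.Archive, r.Sig) }

// Scenarios replays the thread's three cases against a fixed demo key.
func Scenarios() map[string]Outcome {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed demo seed
	pub := priv.Public().(ed25519.PublicKey)
	good := publish(priv, []byte("libfoo-1.0 (constructed archive)"))
	remoteHacked := good // remote server swaps the archive; the index is untouched
	remoteHacked.Archive = []byte("libfoo-1.0 with injected code")
	bothHacked := remoteHacked // the intermediate server is hacked too: hash rewritten
	bothHacked.IndexSum = hexSum(bothHacked.Archive)
	check := func(r Release) Outcome { return Outcome{hashOK(r), sigOK(pub, r)} }
	return map[string]Outcome{
		"honest":                  check(good),
		"remote server hacked":    check(remoteHacked),
		"remote and index hacked": check(bothHacked),
	}
}

func main() {
	for name, o := range Scenarios() {
		fmt.Printf("%-24s hash ok=%v signature ok=%v\n", name, o.Hash, o.Sig)
	}
}
```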


More information about the Digitalmars-d mailing list