DIP11: Automatic downloading of libraries

Daniel Gibson metalcaedes at gmail.com
Tue Jun 14 13:46:08 PDT 2011


On 14.06.2011 22:27, Andrei Alexandrescu wrote:
> On 6/14/11 2:41 PM, Daniel Gibson wrote:
>> On 14.06.2011 21:34, Robert Clipsham wrote:
>>> On 14/06/2011 20:07, Andrei Alexandrescu wrote:
>>>> On 6/14/11 1:22 PM, Robert Clipsham wrote:
>>>>> On 14/06/2011 14:53, Andrei Alexandrescu wrote:
>>>>>> http://www.wikiservice.at/d/wiki.cgi?LanguageDevel/DIPs/DIP11
>>>>>>
>>>>>> Destroy.
>>>>>>
>>>>>>
>>>>>> Andrei
>>>>>
>>>>> This doesn't seem like the right solution to the problem - the correct
>>>>> solution, in my opinion, is to have a build tool/package manager
>>>>> handle
>>>>> this, not the compiler.
>>>>>
>>>>> Problems I see:
>>>>> * Remote server gets hacked, everyone using the library now
>>>>> executes malicious code
>>>>
>>>> This liability is not different from a traditional setup.
>>>
>>> Perhaps, but with a proper package management tool this can be avoided
>>> with sha sums etc, this can't happen with a direct get. Admittedly this
>>> line of defense falls if the intermediate server is hacked.
>>>
>>
>> Signing the files/hashes with GPG helps (as long as the developers
>> private key isn't on the server).
> 
> Could you please add a subsection to the trust model discussing such a
> possibility?
> 
> Thanks,
> 
> Andrei

Done
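The trust model the thread converges on (a hash manifest signed offline by the developer, with the private key kept off the download server) can be shown end to end in a few dozen lines. The following is an added example, not code from DIP11, from the D toolchain, or from any poster in this thread. It uses Ed25519 from Go's standard library as a stand-in for the GPG signing Daniel describes; the module names, file contents and key are all constructed here, and `Publish`, `Verify` and `Demo` are hypothetical names. The point it demonstrates is the one made above: an attacker who controls the server can replace files and rewrite the manifest to match, but without the developer's private key the manifest signature no longer verifies, so the client refuses the release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Release is what the download server hands out: the library files, a manifest
// of their SHA-256 digests, and a signature over the manifest. Only the
// developer can produce Signature; the server merely stores it.
type Release struct {
	Files     map[string][]byte
	Manifest  string
	Signature []byte
}

// buildManifest writes a deterministic "sha256  path" listing, sorted by path,
// so the same file set always produces the same signed bytes.
func buildManifest(files map[string][]byte) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return b.String()
}

// Publish is the developer-side step: hash every file and sign the manifest
// with a private key that never leaves the developer's machine.
func Publish(priv ed25519.PrivateKey, files map[string][]byte) Release {
	m := buildManifest(files)
	return Release{Files: files, Manifest: m, Signature: ed25519.Sign(priv, []byte(m))}
}

// Verify is the client-side step: check the manifest signature against the
// pinned public key first, then check every file against the signed digests.
func Verify(pub ed25519.PublicKey, r Release) error {
	if !ed25519.Verify(pub, []byte(r.Manifest), r.Signature) {
		return errors.New("manifest signature invalid: refusing release")
	}
	expected := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(r.Manifest), "\n") {
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		expected[parts[1]] = parts[0]
	}
	if len(expected) != len(r.Files) {
		return errors.New("file set does not match signed manifest")
	}
	for p, data := range r.Files {
		want, ok := expected[p]
		if !ok {
			return fmt.Errorf("file %q is not in the signed manifest", p)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("digest mismatch for %q", p)
		}
	}
	return nil
}

// Demo runs a clean publish/verify round trip and two server-side tampering
// scenarios. It reports whether the clean release verified and whether each
// tampered release was rejected. All file contents are constructed.
func Demo() (cleanOK, fileTamperRejected, manifestTamperRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	files := map[string][]byte{
		"foo/bar.d": []byte("module foo.bar;\nint answer() { return 42; }\n"),
		"foo/baz.d": []byte("module foo.baz;\nimport foo.bar;\n"),
	}
	rel := Publish(priv, files)
	cleanOK = Verify(pub, rel) == nil

	// Scenario 1: the server swaps a file but leaves manifest and signature alone.
	swapped := map[string][]byte{"foo/bar.d": []byte("module foo.bar;\n// altered\n"), "foo/baz.d": files["foo/baz.d"]}
	fileTamperRejected = Verify(pub, Release{Files: swapped, Manifest: rel.Manifest, Signature: rel.Signature}) != nil

	// Scenario 2: the server also rewrites the manifest to match the swapped file.
	// Lacking the private key it can only reuse the old signature, which fails.
	manifestTamperRejected = Verify(pub, Release{Files: swapped, Manifest: buildManifest(swapped), Signature: rel.Signature}) != nil
	return
}

func main() {
	c, f, m, err := Demo()
	fmt.Println("clean verified:", c, "file tamper rejected:", f, "manifest tamper rejected:", m, "err:", err)
}
```

The client must obtain the public key from somewhere other than the download server it is checking (pinned in the project, shipped with the toolchain, or fetched over a separately trusted channel); if the key is served alongside the files, a compromised server can simply replace both and the check proves nothing.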


More information about the Digitalmars-d mailing list