dub: should we make it the de jure package manager for D?

Dicebot public at dicebot.lv
Wed Sep 11 13:28:43 PDT 2013


On Wednesday, 11 September 2013 at 20:16:52 UTC, H. S. Teoh wrote:
> On Wed, Sep 11, 2013 at 10:07:02PM +0200, Jacob Carlborg wrote:
>> On 2013-09-11 17:09, Dicebot wrote:
>> 
>> >Those should be provided as sources and built by dub too.
>> >Distributing binary packages requires both package signing and
>> >reasonable web of trust - something that is not easy to "just
>> >implement" from scratch.  Otherwise any single malicious package may
>> >ruin reputation of the whole system.
>
> The same can be said of malicious source code. Just because it wasn't
> precompiled for you doesn't mean you're going to read through every line
> to ensure there are no malicious bits before compiling and using it.
> Using the package at all -- regardless of whether it's source or binary
> -- implies a certain level of trust already.

Source packages are never trusted by default. It is your (and the 
community's) responsibility to verify the source if it is 
important. Or just ignore the possible consequences if it is not 
worth it. Contrary to this, a binary package does not leave any 
verification options, and in the absence of any package signing / 
trust network one has no other choice but to always consider 
those harmful.

It is a subtle but important difference. As far as I am aware, all 
major Linux distributions have rather complex infrastructure that 
assures basic package safety. It is imperfect, of course, but any 
custom system will be far, far away even from that.
