Git, the D package manager
Mike Parker via Digitalmars-d
digitalmars-d at puremagic.com
Wed Feb 4 14:00:48 PST 2015
On 2/5/2015 4:02 AM, Jacob Carlborg wrote:
> On 2015-02-02 09:58, Joseph Rushton Wakeling via Digitalmars-d wrote:
>
>> Scenario: a dependency has a security hole that gets patched. If the
>> dub package is updated, all applications using that dub package will
>> automatically have that update available next time they are built.
>
> That's the worst kind of behavior for security reasons. It's vital that
> you can reproduce a build at any point in time. For example, building an
> application now and six months later should result in the exact same
> binary if the code of the application has not changed.
>
Then you specify a specific version of the library as a dependency,
rather than a version range.
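
The difference between a pinned version and a version range, as an added example that is not part of the original post or of dub itself: a Python check that lists every dependency in a `dub.json` that is not an exact `==` pin. The manifest, package names and versions are constructed, and the helper names `classify` and `unpinned` are hypothetical; as a conservative policy, only the explicit `==` form is counted as pinned.

```python
import json

# Constructed sample dub.json; package names and versions are illustrative.
SAMPLE_DUB_JSON = """
{
  "name": "myapp",
  "dependencies": {
    "libfoo": "==1.4.2",
    "libbar": "~>0.7.3",
    "libbaz": ">=2.0.0 <3.0.0",
    "libqux": {"version": "~master", "optional": true},
    "liblocal": {"path": "../liblocal"},
    "libany": "*"
  }
}
"""

def classify(spec):
    """Return (pinned, reason) for one dub dependency value."""
    if isinstance(spec, dict):
        if "path" in spec:
            return False, "path dependency: contents not tied to a version"
        spec = spec.get("version", "")
    spec = str(spec).strip()
    if spec.startswith("==") and spec[2:].strip():
        return True, "exact version"
    if spec.startswith("~>"):
        return False, "range: accepts newer releases in the same series"
    if spec.startswith("~"):
        return False, "branch: moves with every commit"
    if spec == "*":
        return False, "matches any released version"
    if spec.startswith((">", "<")):
        return False, "explicit version range"
    return False, "not an explicit == pin"

def unpinned(dub_json_text):
    """Map each dependency that is not an exact == pin to the reason."""
    deps = json.loads(dub_json_text).get("dependencies", {})
    result = {}
    for name, spec in sorted(deps.items()):
        pinned, reason = classify(spec)
        if not pinned:
            result[name] = reason
    return result

if __name__ == "__main__":
    for name, reason in unpinned(SAMPLE_DUB_JSON).items():
        print(f"{name}: {reason}")
```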