Git, the D package manager

Sönke Ludwig via Digitalmars-d digitalmars-d at puremagic.com
Thu Feb 5 05:52:11 PST 2015


On 04.02.2015 at 23:00, Mike Parker wrote:
> On 2/5/2015 4:02 AM, Jacob Carlborg wrote:
>> On 2015-02-02 09:58, Joseph Rushton Wakeling via Digitalmars-d wrote:
>>
>>> Scenario: a dependency has a security hole that gets patched.  If the
>>> dub package is updated, all applications using that dub package will
>>> automatically have that update available next time they are built.
>>
>> That's the worst kind of behavior for security reasons. It's vital that
>> you can reproduce a build any point in time. For example, building an
>> application now and six months later should result in the exact same
>> binary if the code of the application has not changed.
>>
> Then you specify a specific version of the library as a dependency,
> rather than a version range.

Or you commit the dub.selections.json to the repository. The good thing 
will be that DUB will still issue a message when an upstream library has 
an update available and suggest running "dub upgrade".
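
The two options discussed in this thread (pinning an exact version in dub.json versus committing the resolved dub.selections.json) can be checked mechanically. The following is an added example, not code from DUB or from anyone in this thread: it reads a dub.json "dependencies" map and an optional dub.selections.json "versions" map, reports which dependencies would float between builds, and checks that each selected version actually satisfies its spec. The sample files are constructed; the `~>` and `==` semantics follow the DUB documentation (`~>1.2.3` means `>=1.2.3 <1.3.0`, `~>1.2` means `>=1.2.0 <2.0.0`), and pre-release and build-metadata suffixes are dropped for simplicity, which is an assumption of this example.

```python
"""Audit whether a DUB project's dependencies are reproducibly pinned.

Added example, not part of DUB. Assumes the dub.json "dependencies" and
dub.selections.json "versions" layouts as documented by DUB; the sample
files below are constructed for illustration.
"""
import json
import re

# Constructed dub.json: one ~> range (floats within the 0.7.x series),
# one exact pin, and one open range.
SAMPLE_DUB_JSON = """
{
    "name": "myapp",
    "dependencies": {
        "vibe-d": "~>0.7.22",
        "openssl": "==1.1.4",
        "libevent": ">=2.0.0 <3.0.0"
    }
}
"""

# Constructed dub.selections.json, in the shape DUB writes after resolution.
SAMPLE_SELECTIONS = """
{
    "fileVersion": 1,
    "versions": {
        "vibe-d": "0.7.23",
        "openssl": "1.1.4",
        "libevent": "2.0.2"
    }
}
"""


def parse_version(text):
    """'1.2.3-beta+build' -> (1, 2, 3). Suffixes are dropped (simplification)."""
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def satisfies(spec, version):
    """True if `version` matches the DUB dependency spec string `spec`."""
    v = parse_version(version)
    spec = spec.strip()
    if spec == "*":
        return True
    for clause in spec.split():
        if clause.startswith("~>"):
            base = clause[2:]
            lo = parse_version(base)
            # ~>X.Y.Z allows patch bumps only; ~>X.Y allows minor bumps.
            hi = (lo[0], lo[1] + 1, 0) if len(base.split(".")) >= 3 else (lo[0] + 1, 0, 0)
            if not (lo <= v < hi):
                return False
        elif clause.startswith("=="):
            if v != parse_version(clause[2:]):
                return False
        elif clause.startswith(">="):
            if not v >= parse_version(clause[2:]):
                return False
        elif clause.startswith("<="):
            if not v <= parse_version(clause[2:]):
                return False
        elif clause.startswith(">"):
            if not v > parse_version(clause[1:]):
                return False
        elif clause.startswith("<"):
            if not v < parse_version(clause[1:]):
                return False
        else:
            raise ValueError("unsupported version spec: " + clause)
    return True


def audit(dub_json_text, selections_text=None):
    """Classify each dependency as exact, locked, floating, mismatch or path.

    'floating' means nothing fixes the version: two builds on different days
    may compile different code. 'mismatch' means the committed selection no
    longer satisfies the spec in dub.json and must be re-resolved.
    """
    deps = json.loads(dub_json_text).get("dependencies", {})
    selected = json.loads(selections_text)["versions"] if selections_text else {}
    report = {}
    for name, dep in deps.items():
        spec = dep.get("version") if isinstance(dep, dict) else dep
        chosen = selected.get(name)
        if spec is None or (chosen is not None and not isinstance(chosen, str)):
            status = "path"          # path-based dependency; no version to pin
        elif chosen is None:
            status = "exact" if spec.startswith("==") else "floating"
        elif satisfies(spec, chosen):
            status = "locked"
        else:
            status = "mismatch"
        report[name] = {"spec": spec, "selected": chosen, "status": status}
    return report


if __name__ == "__main__":
    for title, sel in (("without selections", None), ("with selections", SAMPLE_SELECTIONS)):
        print(title)
        for name, r in audit(SAMPLE_DUB_JSON, sel).items():
            print(f"  {name:10} {r['spec']:18} -> {r['status']} {r['selected'] or ''}")
```

Run as a CI step against the committed dub.selections.json, a "floating" or "mismatch" result is a build that cannot be reproduced six months later; either pin the spec with `==` or commit the selections file, as the thread suggests.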

