A potential danger to dub

David Gileadi via Digitalmars-d digitalmars-d at puremagic.com
Sat Sep 16 17:09:34 UTC 2017

Let me preface this by saying I love package managers and think dub is 
one of the best things with dlang. However they can also sometimes be 
dangerous, as this PyPI incident[1] shows: several Python packages were 
uploaded that contained names similar to the standard library, and had 
an extra semi-malicious payload. They are apparently now part of live 

You could of course expect developers to do due diligence with the 
things they download, but of course they don't. It's probably worth 
paying attention to what the PyPI devs do to help mitigate this, and 
perhaps repeat some of those things with dub.


More information about the Digitalmars-d mailing list