How hard would it be to create a dub2deb tool?

Dukc ajieskola at gmail.com
Fri Feb 19 08:07:29 UTC 2021


On Thursday, 18 February 2021 at 19:31:10 UTC, deadalnix wrote:
> You simply can't download a bunch of crap from the internet and 
> deploy it this way. First, this is very insecure (see 
> https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 for the latest iteration of the madness) but it also has reproducibility problems (the source may change from under your feet) and availability problems (someone pulling leftpad can bring down your whole deployment capability).
>
> This is why you want to be able to package things and deploy 
> them as deb/rpm/dmg/whatever

Good news - none of these are problems for dub2nix. The final Nix 
derivation (Nix install script) won't use the dub2nix program 
directly; it uses the `dub.selections.nix` file the package 
maintainer has pregenerated with the tool. `dub.selections.nix` 
links directly to GitHub projects, and to specific versions of 
them - newer versions of the DUB package won't be used unless the 
maintainer regenerates `dub.selections.nix`. Nix forces this 
design - Internet downloads are verified with a sha256 provided 
in the dub derivation precisely because of the issues you 
mentioned.

As for the availability issue, Nix caches Internet downloads done 
by the derivations, and if you get a package published in the Nixpkgs 
repository, it'll be cached on their servers too.
