How hard would it be to create a dub2deb tool?
ajieskola at gmail.com
Fri Feb 19 08:07:29 UTC 2021
On Thursday, 18 February 2021 at 19:31:10 UTC, deadalnix wrote:
> You simply can't download a bunch of crap from the internet and
> deploy it this way. First, this is very insecure (see
> https://email@example.com/dependency-confusion-4a5d60fec610 for the latest iteration of the madness) but it also has reproducibility problems (the source may change from under your feet) and availability problems (someone pulling leftpad can bring down your whole deployment capability).
> This is why you want to be able to package things and deploy
> them as deb/rpm/dmg/whatever
Good news - none of these are problems for dub2nix. The final Nix
derivation (Nix install script) won't use dub2nix program
directly, it uses `dub.selections.nix` file the package
maintainer has pregenerated with the tool. `dub.selections.nix`
links directly to github projects, and to specific versions of
them - newer version of the DUB package won't be used unless the
maintainer regenerates `dub.selections.nix`. Nix forces this
design - Internet downloads are verified with a sha256 provided
in the dub derivation precisely because of the issues you
As for the availability issue, Nix caches Internet downloads done
by the derivations, and if you get a package published at Nixpkgs
repository, it'll be cached in their servers too.
More information about the Digitalmars-d
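As an added illustration (not part of the post above, and not dub2nix's real generated file, whose exact schema is not shown on this page): a hand-written Nix sketch of the pattern the post describes. A pregenerated selections file pins every dependency to an exact GitHub revision plus a sha256, and the package derivation consumes those pins at build time instead of letting dub resolve anything from the registry. The package name, owner, repository, revision, hash and the `dub add-local` / `--skip-registry=all` build steps are assumptions for the sketch, not something dub2nix is documented here as doing.

```nix
# Illustrative only: a hand-written stand-in for a pregenerated
# dub.selections.nix.  Each dependency is fixed to one revision AND one
# content hash.  If upstream re-tags, force-pushes, or the repository is
# replaced, the fetched tree no longer matches `sha256` and Nix aborts
# with a hash-mismatch error rather than building against changed code.
# The owner/repo/rev/sha256 values below are placeholders.
let
  selections = { fetchFromGitHub }: {
    # "vibe-d" here is a hypothetical pinned dependency.
    vibe-d = {
      version = "0.9.3";                     # version dub will see (placeholder)
      src = fetchFromGitHub {
        owner  = "vibe-d";                   # placeholder
        repo   = "vibe.d";                   # placeholder
        rev    = "v0.9.3";                   # exact tag or commit, never a branch
        # Nix's lib.fakeSha256; the first build fails and prints the real
        # hash, which the maintainer then commits.  Regenerating this file
        # is the only way a newer upstream revision ever enters the build.
        sha256 = "0000000000000000000000000000000000000000000000000000";
      };
    };
  };
in
{ pkgs ? import <nixpkgs> {} }:
let
  deps = selections { inherit (pkgs) fetchFromGitHub; };
in
pkgs.stdenv.mkDerivation {
  pname = "myapp";                           # hypothetical package
  version = "0.1.0";
  src = ./.;                                 # the project's own dub.json lives here
  nativeBuildInputs = [ pkgs.dmd pkgs.dub ];

  # The sandboxed build has no network.  Register each pinned source tree
  # as a local dub package (assumed `dub add-local <path> <version>`),
  # then forbid registry lookups entirely so an unpinned dependency
  # fails the build instead of being silently downloaded.
  buildPhase = ''
    export HOME=$TMPDIR
    ${pkgs.lib.concatStringsSep "\n" (pkgs.lib.mapAttrsToList
      (name: dep: "dub add-local ${dep.src} ${dep.version}") deps)}
    dub build --skip-registry=all --build=release
  '';

  installPhase = ''
    mkdir -p $out/bin
    cp myapp $out/bin/
  '';
}
```

The two properties the post relies on are visible here: the hash check makes the fetch reproducible and tamper-evident (a dependency-confusion style substitution of the upstream source produces a mismatch, not a build), and because `fetchFromGitHub` outputs are ordinary store paths, a binary cache such as the Nixpkgs one can serve them even if the GitHub repository later disappears.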