How hard would it be to create a dub2deb tool?
Petar
Fri Feb 19 08:43:21 UTC 2021
On Friday, 19 February 2021 at 08:07:29 UTC, Dukc wrote:
> On Thursday, 18 February 2021 at 19:31:10 UTC, deadalnix wrote:
>> You simply can't download a bunch of crap from the internet
>> and deploy it this way. First, this is very insecure (see
>> https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 for the latest iteration of the madness) but it also has reproducibility problems (the source may change from under your feet) and availability problems (someone pulling leftpad can bring down your whole deployment capability).
>>
>> This is why you want to be able to package things and deploy
>> them as deb/rpm/dmg/whatever
>
> Good news - none of these are problems for dub2nix. The final
> Nix derivation (Nix install script) won't use dub2nix program
> directly, it uses `dub.selections.nix` file the package
> maintainer has pregenerated with the tool. `dub selections.nix`
> links directly to github projects, and to specific versions of
> them - newer version of the DUB package won't be used unless
> the maintainer regenerates `dub.selections.nix`. Nix forces
> this design - Internet downloads are verified with a sha256
> provided in the dub derivation precisely because of the issues
> you mentioned.
>
> As for the availability issue, Nix caches Internet downloads
> done by the derivations, and if you get a package published at
> Nixpkgs repository, it'll be cached in their servers too.
@deadalnix Required reading:
https://edolstra.github.io/pubs/phd-thesis.pdf
:P
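An added illustration of the pinning Dukc describes, written for this page and not taken from dub2nix (whose generated file format is not shown in the thread): a plain Nix derivation whose source is fixed to one commit and one content hash. The package name, owner, version and commit id are placeholders.

```nix
# Added example: a D package whose upstream source is pinned by commit and by
# sha256, so a tarball that changes under the maintainer fails the build
# instead of being silently picked up.
{ lib, stdenv, fetchFromGitHub, dmd, dub }:

stdenv.mkDerivation {
  pname = "example-d-app";   # hypothetical package name
  version = "1.2.3";         # hypothetical version

  src = fetchFromGitHub {
    owner = "example-owner"; # hypothetical
    repo = "example-d-app";  # hypothetical
    # Pin to a specific commit, not a branch or tag name that can be moved.
    rev = "0000000000000000000000000000000000000000"; # placeholder commit id
    # Nix refuses to build if the hash of the fetched tree differs from this.
    # lib.fakeSha256 is an all-zero placeholder: the first build stops with a
    # "hash mismatch" error that reports the real hash to paste here.
    sha256 = lib.fakeSha256;
  };

  nativeBuildInputs = [ dmd dub ];

  # The build runs in Nix's network-less sandbox, so dub cannot reach any
  # registry; every dependency must already be present, which is the role
  # the pregenerated selections file plays in Dukc's description.
  buildPhase = ''
    dub build --skip-registry=all
  '';

  installPhase = ''
    install -Dm755 example-d-app $out/bin/example-d-app
  '';
}
```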