How hard would it be to create a dub2deb tool?

Petar Petar
Fri Feb 19 08:43:21 UTC 2021

On Friday, 19 February 2021 at 08:07:29 UTC, Dukc wrote:
> On Thursday, 18 February 2021 at 19:31:10 UTC, deadalnix wrote:
>> You simply can't download a bunch of crap from the internet 
>> and deploy it this way. First, this is very insecure (see 
>> for the latest iteration of the madness) but it also a reproducibility problems (the source may change from under your feets) and availability (someone pulling leftpad can bring down your whole deployment capability).
>> This is why you want to be able to package things and deploy 
>> them as deb/rpm/dmg/whatever
> Good news - none of these are problems for dub2nix. The final 
> Nix derivation (Nix install script) won't use dub2nix program 
> directly, it uses `dub.selections.nix` file the package 
> maintainer has pregenerated with the tool. `dub selections.nix` 
> links directly to github projects, and to specific versions of 
> them - newer version of the DUB package won't be used unless 
> the maintainer regenerates `dub.selections.nix`. Nix forces 
> this design - Internet downloads are verified with a sha256 
> provided in the dub derivation precisely because of the issues 
> you mentioned.
> As for the availibility issue, Nix caches Internet downloads 
> done by the derivations, and if you get a package published at 
> Nixpkgs repository, it'll be cached in their servers too.

@deadalnix Required reading:

More information about the Digitalmars-d mailing list