How hard would it be to create a dub2deb tool?

Denis Feklushkin feklushkin.denis at gmail.com
Mon Feb 22 07:41:56 UTC 2021


On Thursday, 18 February 2021 at 19:56:51 UTC, H. S. Teoh wrote:

>> You simply can't download a bunch of crap from the internet 
>> and deploy it this way. First, this is very insecure (see 
>> https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 
>> for the latest iteration of the madness) but it is also a 
>> reproducibility problem (the source may change from under your 
>> feet) and availability (someone pulling leftpad can bring down 
>> your whole deployment capability).
>> 
>> This is why you want to be able to package things and deploy 
>> them as deb/rpm/dmg/whatever
>
> +1.  I have always been skeptical of having my ability to 
> build/deploy depend on some random 3rd party provider somewhere 
> out there in the wild internet whose availability/continued 
> existence is not under my control.

It seems the Meson build system solves this problem by referencing 
strictly defined commits.

If we have something like dub2meson, then we can use it to 
build Debian packages:

dub2meson && dh build --buildsystem=meson
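
Added example, not part of the original post and not code from Meson or dub: a Meson wrap file can pin a subproject to a commit, but a wrap-git `revision` may also name a branch, a tag or `head`, so a packaging job can check the pin before it builds. The wrap contents, file names and example.invalid URLs below are constructed, and `audit_wrap` is a hypothetical helper.

```python
import configparser
import re

# A git object id: 40 hex digits (SHA-1) or 64 (SHA-256 repositories).
COMMIT_ID = re.compile(r"^[0-9a-f]{40}([0-9a-f]{24})?$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")

def audit_wrap(text, name="<wrap>"):
    """Return findings for one Meson .wrap file passed in as text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if cp.has_section("wrap-git"):
        rev = cp.get("wrap-git", "revision", fallback="").strip()
        # Branch names, tags and 'head' can move; only a full id is fixed.
        if not COMMIT_ID.match(rev.lower()):
            findings.append(f"{name}: revision {rev!r} is not a full commit id")
    elif cp.has_section("wrap-file"):
        digest = cp.get("wrap-file", "source_hash", fallback="").strip()
        # source_hash is the SHA-256 of the downloaded archive.
        if not SHA256.match(digest.lower()):
            findings.append(f"{name}: source_hash missing or not a SHA-256")
    else:
        findings.append(f"{name}: no wrap-git or wrap-file section")
    return findings

# Constructed sample wraps (not real projects).
PINNED = """[wrap-git]
url = https://example.invalid/libfoo.git
revision = 0123456789abcdef0123456789abcdef01234567
"""
FLOATING = """[wrap-git]
url = https://example.invalid/libbar.git
revision = head
"""
NO_HASH = """[wrap-file]
source_url = https://example.invalid/libbaz-1.0.tar.gz
source_filename = libbaz-1.0.tar.gz
"""

def audit_all(wraps):
    """Audit a {file name: wrap text} mapping and collect every finding."""
    return [f for name, text in wraps.items() for f in audit_wrap(text, name)]

if __name__ == "__main__":
    samples = {"libfoo.wrap": PINNED, "libbar.wrap": FLOATING,
               "libbaz.wrap": NO_HASH}
    for finding in audit_all(samples):
        print(finding)
```
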

