I just created a dub package. Frankly, the whole thing is backward.

Ola Fosheim Grøstad ola.fosheim.grostad at gmail.com
Wed Apr 27 06:48:48 UTC 2022


On Tuesday, 26 April 2022 at 23:48:03 UTC, norm wrote:
> No more than anything else like maven, Linux package managers, 
> chocolatey on windows. I hear vcpkg also supports prebuilt 
> binaries now but I think it is only for private registries, 
> they're not hosting them.

I think it comes down to credible management and vetting 
strategies. My impression from Debian stable (when I used it 
regularly) was that they took security very seriously and made it 
hard for rogue binaries to make it into the repo. It also helps 
to have a million critical and skilled users that are eagerly 
looking for flaws!

In contrast, I am much more critical of pip/Python and either 
avoid less known packages from pip or vet the code before 
executing it.

> When you invoke conan, or in your config file, you can tell it 
> to only build from source so it will not download the binary 
> package even if available.

Thanks, I might have a look at Conan then… :)

(I guess it is ok if the binaries are reproducible and built on a 
secure cloud solution and not by individual contributors, but it 
still sounds like a risk to my ears.)
