dub: JSON, SDL, YAML, TOML, what color should we paint it ?
Steven Schveighoffer
schveiguy at gmail.com
Tue Feb 28 16:28:59 UTC 2023
On 2/28/23 11:18 AM, Commander Zot wrote:

> what's preventing some buildfile from including some malicious cmd line
> in dub?
> if you want to restrict buildfiles, they become pretty useless for a lot
> of cases

You need to at least restrict them to things they should be doing.
Opening up the entire world of compiled programs to building means you
can make extremely brittle build files.

Note also that with such a mechanism, we can have more control over
building than current dub has. For instance, you could configure a
global "security" import that validates the build file, so it can e.g.
only run approved external programs.

I would also like to draw attention to the dmd build.d setup:
https://github.com/dlang/dmd/blob/master/compiler/src/build.d

It's a complex mess that's nigh unreadable/unmaintainable.

Keeping build files *simple* should be a goal.

That being said, there are plenty of languages (I know swift is one of
them) that use the language to configure/direct builds and package
management. I think it's a reasonable and promising idea. We should also
be looking at the precedents and see how they tackled it.

-Steve
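
The "only run approved external programs" idea from the message above, sketched against today's dub.json command hooks as an added example (not part of the original post and not dub's own code). The allowlist, the sample recipe and the function names are constructed for illustration, and only hooks at the top level, in configurations and in inline subPackages are checked.

```python
import json
import re
import shlex

# dub recipe keys that hold command lists (optionally platform-suffixed, e.g. "-posix").
HOOK = re.compile(r"^(pre|post)(Generate|Build|Run)Commands(-.+)?$")
# Shell syntax that lets one entry chain or substitute further programs.
SHELL_META = re.compile(r"[;&|<>`\n]|\$\(")

def check_command(cmd, approved):
    """Return None if cmd is acceptable, otherwise the reason it is rejected."""
    if SHELL_META.search(cmd):
        return "shell metacharacters"
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return "unparseable quoting"
    if not argv or argv[0] not in approved:
        return "program not approved"
    return None

def audit_recipe(recipe, approved, where="root"):
    """Walk a parsed dub.json; return (location, command, reason) findings."""
    findings = []
    for key, value in recipe.items():
        if HOOK.match(key):
            for cmd in value:
                reason = check_command(cmd, approved)
                if reason:
                    findings.append((f"{where}.{key}", cmd, reason))
        elif key in ("configurations", "subPackages"):
            for i, sub in enumerate(value):
                if isinstance(sub, dict):  # subPackages may also be plain path strings
                    findings += audit_recipe(sub, approved, f"{where}.{key}[{i}]")
    return findings

# Constructed sample recipe and allowlist, for illustration only.
SAMPLE = json.loads("""{
  "name": "demo",
  "preBuildCommands": ["rdmd tools/gen.d --out source/gen.d"],
  "configurations": [
    {"name": "release", "postBuildCommands-posix": ["strip demo; ./upload.sh"]},
    {"name": "docs", "preGenerateCommands": ["fetchtool --quiet"]}
  ]
}""")
APPROVED = {"rdmd", "strip"}
FINDINGS = audit_recipe(SAMPLE, APPROVED)
```

Recipes pulled in as dependencies carry their own hooks, so a check like this has to run over every fetched package's recipe, not only the root one.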