Secure dependency management
evilrat
evilrat666 at gmail.com
Sun Jan 5 06:21:15 UTC 2025
On Saturday, 4 January 2025 at 20:33:55 UTC, Chris Piker wrote:
> Hi D
>
> So one of the projects I've been working on is moving closer to
> production. Currently, the pull/build/test/install cycle is
> handled by git, dub and GNU make.
>
> Currently I let dub fetch dependencies off the Internet, but
> for mission reliability I would like to be able to handle the
> process without Internet access. Dub looks like it supports
> local repositories, but before I just start "Doing something" are
> there any practices the community would recommend for D
> supply-chain management?
>
> Thanks for any links and tips,
I don't think there are D-specific rules on dependency management,
as most people use it for small-scale personal/hobby projects
only.
If your project can't take the risk of losing online dependencies,
you might just want to put and commit them under your project's
version control system. This is sometimes done in Go; people
there justify it by saying that, unlike JS and some other languages
with tons of generated stuff, Go packages are relatively small, so it
is just a natural choice to place them next to your code.
And in Git, for example, submodules (other git repos linked to your
repo) are also a thing; however, by default it won't clone them
without an explicit recursive flag, and even if you have git
experience it is somewhat confusing to upgrade them (at least for me).
As for dub itself, it has very scarce info on that; it has
local overrides and such, but I'd say this is mostly for quickly
fixing build issues, not a production solution.
So just having `dub.selections.json` in your repository pointing
to local packages (committed dependencies in that same repo) is a
viable option; even if something goes wrong you can always change
it in the dev environment to fix problems and commit back.
Unless you have license issues with dependencies, this is probably
the most secure one.
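As an added illustration of the approach described in the reply above (this is example configuration, not something the poster or the dub project shipped), here is what a `dub.selections.json` looks like when every dependency is resolved from a directory committed to the same repository instead of from the online registry. The package names `mylogger` and `myhttp` and the `vendor/` directory are assumptions; dub itself only requires that each entry under `versions` be either a version string or an object with a `path` key relative to the project root.

```json
{
    "fileVersion": 1,
    "versions": {
        "mylogger": {
            "path": "vendor/mylogger"
        },
        "myhttp": {
            "path": "vendor/myhttp"
        }
    }
}
```

With every entry resolved through `path`, a build never consults the registry, so it behaves the same on an air-gapped build host as on a developer workstation. The vendored trees should be committed alongside this file so that the checked-out revision is the complete, reviewable source of truth; an upgrade then becomes an ordinary commit replacing the directory, which is straightforward to diff and review before it reaches production. Running `dub build --skip-registry=all` is a useful check that nothing still depends on network access.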