dub: should we make it the de jure package manager for D?

H. S. Teoh hsteoh at quickfur.ath.cx
Wed Sep 11 13:15:26 PDT 2013


On Wed, Sep 11, 2013 at 10:07:02PM +0200, Jacob Carlborg wrote:
> On 2013-09-11 17:09, Dicebot wrote:
> 
> >Those should be provided as sources and built by dub too.
> >Distributing binary packages requires both package signing and a
> >reasonable web of trust - something that is not easy to "just
> >implement" from scratch.  Otherwise any single malicious package may
> >ruin the reputation of the whole system.

The same can be said of malicious source code. Just because it wasn't
precompiled for you doesn't mean you're going to read through every line
to ensure there are no malicious bits before compiling and using it.
Using the package at all -- regardless of whether it's source or binary
-- implies a certain level of trust already.


> I have no problems with the packages being distributed as source.
> That makes a lot of things easier. But it should compile and install
> it when it's downloaded. Currently it only clones the repository.
> Not giving much more than a plain "git clone".
[...]

How would it know which compiler(s) to use to compile the packages? What
if you have multiple compilers / development environments with
incompatible ABIs?


T

-- 
I don't trust computers, I've spent too long programming to think that
they can get anything right. -- James Miller
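The thread above separates two things: trust in a package's author, which no tooling can manufacture, and assurance that the bytes you build are the bytes that were reviewed. The snippet below is an added illustration of the second part, not code from dub or from anyone in this thread. It pins the SHA-256 of a reviewed source archive in a lockfile and refuses to build anything whose digest differs; the package name, version and archive bytes are constructed sample data.

```python
"""Pinned-hash verification for downloaded source packages (added example)."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex-encoded SHA-256 of an archive's raw bytes."""
    return hashlib.sha256(data).hexdigest()


def record_lock(lockfile: dict, name: str, version: str, archive: bytes) -> dict:
    """Pin the archive that was actually reviewed.

    Run once, after a human has looked at the source; the lockfile is then
    committed alongside the project so every later build checks against it.
    """
    lockfile[name] = {"version": version, "sha256": sha256_hex(archive)}
    return lockfile


def verify_package(lockfile: dict, name: str, version: str, archive: bytes) -> bool:
    """Return True only if this exact archive was pinned under this name/version.

    A missing entry or a version mismatch is a failure, not a pass: an
    unpinned package has not been reviewed, so it must not be built silently.
    """
    entry = lockfile.get(name)
    if entry is None or entry["version"] != version:
        return False
    # Constant-time comparison: the digest is public, but comparing this way
    # is the habit that keeps secret comparisons elsewhere from leaking timing.
    return hmac.compare_digest(entry["sha256"], sha256_hex(archive))


# Constructed sample data (hypothetical package, not a real dub package).
REVIEWED_ARCHIVE = b"module example; void hello() {}\n"
TAMPERED_ARCHIVE = b"module example; void hello() { /* injected */ }\n"
LOCK = record_lock({}, "example-lib", "1.2.0", REVIEWED_ARCHIVE)


if __name__ == "__main__":
    print(verify_package(LOCK, "example-lib", "1.2.0", REVIEWED_ARCHIVE))  # True
    print(verify_package(LOCK, "example-lib", "1.2.0", TAMPERED_ARCHIVE))  # False
    print(verify_package(LOCK, "example-lib", "1.3.0", REVIEWED_ARCHIVE))  # False
```

Note what this does and does not buy: a pinned digest makes a source package no more trustworthy than the person who reviewed it, but it does make "the code I reviewed" and "the code I compiled" the same thing, which is the property a plain `git clone` of a moving branch cannot give you. Signing the lockfile itself is the separate, harder problem the thread alludes to.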

