A potential danger to dub
solidstate1991
laszloszeremi at outlook.com
Wed Sep 20 02:15:57 UTC 2017
On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi wrote:
> Let me preface this by saying I love package managers and think
> dub is one of the best things with dlang. However they can also
> sometimes be dangerous, as this PyPI incident[1] shows: several
> Python packages were uploaded that contained names similar to
> the standard library, and had an extra semi-malicious payload.
> They are apparently now part of live software.
>
> You could of course expect developers to do due diligence with
> the things they download, but of course they don't. It's
> probably worth paying attention to what the PyPI devs do to
> help mitigate this, and perhaps repeat some of those things
> with dub.
>
> [1]
> https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
We have the strength of being a mostly unknown language, but it
still sounds scary.
I usually download all the stuff, and only use dub to compile the
libraries, then mostly rely on the IDE's build system, and wrote
a PowerShell script to recompile the libraries I use in case I
update the compiler.
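The PyPI incident quoted above worked through package names that looked like well-known ones. One defensive check a project can run before trusting a dub manifest is to compare every dependency name against a vetted allow-list and flag names that are near-misses rather than exact matches. The script below is an added example written for this post, not code from the thread, from dub or from PyPI; the allow-list, the manifest and the distance threshold are constructed for illustration, and it assumes dub's `package:subpackage` naming convention for dependencies.

```python
import json

# Constructed allow-list: package names this project has already reviewed.
# In practice this would be a vetted list kept under version control.
TRUSTED = {"vibe-d", "mir-algorithm", "unit-threaded", "dxml"}

# Constructed sample dub.json; "mir-algorithn" is a deliberate near-miss.
SAMPLE_MANIFEST = json.dumps({
    "name": "myapp",
    "dependencies": {
        "vibe-d": "~>0.8.4",
        "vibe-d:http": "~>0.8.4",
        "unit_threaded": "*",
        "mir-algorithn": "*",
        "my-internal-lib": {"path": "../lib"},
    },
})


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute,
    and swap of two adjacent characters each cost 1. Swaps matter here
    because transposed letters are a common typosquat pattern."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalize(name: str) -> str:
    """Compare on the base package only (dub writes subpackages as
    'pkg:sub'), case-insensitively, treating '_' and '-' alike so that
    a harmless spelling variant of a trusted name is not reported."""
    base = name.split(":", 1)[0]
    return base.lower().replace("_", "-")


def check_dependencies(manifest_json: str, trusted=TRUSTED, max_distance: int = 2):
    """Return (dependency, nearest trusted name, distance) for every
    dependency that is close to, but not exactly, a trusted name.
    Exact matches and names unlike anything trusted are not reported;
    the latter still need ordinary review, this check is only a
    look-alike heuristic."""
    deps = json.loads(manifest_json).get("dependencies", {})
    findings = []
    for dep in deps:
        base = normalize(dep)
        if base in trusted:
            continue
        nearest = min(trusted, key=lambda t: edit_distance(base, t))
        dist = edit_distance(base, nearest)
        if dist <= max_distance:
            findings.append((dep, nearest, dist))
    return findings


if __name__ == "__main__":
    for dep, nearest, dist in check_dependencies(SAMPLE_MANIFEST):
        print(f"suspicious dependency {dep!r}: {dist} edit(s) from trusted {nearest!r}")
```

Running it against the constructed manifest reports only `mir-algorithn`; `unit_threaded` and `vibe-d:http` resolve to trusted names and `my-internal-lib` is nothing like any of them. The threshold of two edits is a starting point, not a rule: a larger allow-list raises the chance of benign near-misses, so findings should be reviewed rather than blocked automatically.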
More information about the Digitalmars-d mailing list