dub bad, aur hack edition
Luna
luna at foxgirls.gay
Sun Jun 14 12:02:30 UTC 2026
On Sunday, 14 June 2026 at 11:36:38 UTC, Guillaume Piolat wrote:
> On Sunday, 14 June 2026 at 05:54:17 UTC, Kapendev wrote:
>>
>> But, but... I can see how this can be a problem for DUB too.
>> AUR and NPM are not special or anything.
>
> Before dub is hacked we should take a step towards signing
> packages somehow?

Overall, the dub server infrastructure should probably get an
overhaul; signing packages might be a good idea. Could be that
the dub server generates a signing certificate that you then can
use to sign git artifacts. But that would also add a bunch of
friction to the package manager.

I think a main point that needs to be addressed is separating dub
into 2 systems, one for package management, one for being a
robust build system.

That way the attack surface would be limited to just the package
management component instead of affecting the entire system.