On Friday, 18 March 2022 at 18:16:51 UTC, Ali Çehreli wrote:
The first time I learned about pulling in dependencies
terrified me. (This is the part where I realize I am very different
from most other programmers.) I am still terrified that my
dependency system will pull in a tree of code that I have no
idea what it is doing. Has it been modified to be malicious overnight? I
thought it was possible. The following story is an example of
exactly what I was terrified about:
https://medium.com/hackernoon/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
Despite such risks, many projects just pull in code. (?) What am
I missing?
This is an interesting observation and something of an oddity in
modern SW engineering. I have been on several projects where they
just download versions of libraries from some random server. For
personal projects I guess this would be ok but for commercial
software this would be a big no-no for me. Still the trend goes
towards this. Now, several build systems and package manager
software have the possibility to change the server to a local
one. Changing to a local one is unusual though, which is strange.
First, as you mentioned, you increase the vulnerability through
the possibility of injecting a modified version of a library with
back doors. Then you also become dependent on outside servers,
which is bad if they are down.
In all, for commercial software just avoid dub. If you want to
use a build system go for Meson as it has D support out of the
box today. For commercial projects pull libraries manually, as you
want to have full control over where you get it, the version and so on.
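The manual, pinned approach the reply recommends can be made mechanical so that a library archive is only accepted when it matches a checksum you recorded yourself. The following script is an added illustration, not code from either poster, from dub or from Meson; the lockfile layout, the local mirror directory structure, the package name `example-lib` and the version `1.2.3` are all constructed assumptions. It reads a pinned entry (version, filename, SHA-256), loads the archive from a mirror you control, refuses anything unpinned or with a mismatching hash, and only then copies it into a vendor directory.

```python
"""Hash-pinned dependency vendoring (added example, not from the thread).

Lockfile format is an assumption for illustration:
    {"<name>": {"version": "...", "filename": "...", "sha256": "<hex>"}}
Mirror layout is also assumed: <mirror>/<name>/<version>/<filename>
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict


class DependencyError(Exception):
    """Raised when a dependency is unpinned, missing, or fails verification."""


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an archive as lowercase hex, the value stored in the lockfile."""
    return hashlib.sha256(data).hexdigest()


def load_lockfile(path: Path) -> Dict[str, dict]:
    """Read the JSON lockfile described in the module docstring."""
    return json.loads(path.read_text(encoding="utf-8"))


def fetch_pinned(name: str, lock: Dict[str, dict], mirror: Path, vendor_dir: Path) -> Path:
    """Copy one library from the local mirror into vendor_dir, but only if it is
    pinned in the lockfile and its SHA-256 matches the recorded checksum."""
    entry = lock.get(name)
    if entry is None:
        raise DependencyError(f"{name}: not in lockfile, refusing to fetch an unpinned dependency")
    src = mirror / name / entry["version"] / entry["filename"]
    if not src.is_file():
        raise DependencyError(f"{name} {entry['version']}: not present on mirror at {src}")
    data = src.read_bytes()
    actual = sha256_hex(data)
    # Constant-time comparison; a mismatch means the archive differs from what was reviewed.
    if not hmac.compare_digest(actual, entry["sha256"].lower()):
        raise DependencyError(
            f"{name} {entry['version']}: checksum mismatch "
            f"(expected {entry['sha256']}, got {actual})"
        )
    vendor_dir.mkdir(parents=True, exist_ok=True)
    dest = vendor_dir / entry["filename"]
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Build a constructed mirror in a temp dir and exercise the three outcomes:
    a good archive is vendored, a tampered one is rejected, an unpinned name is rejected."""
    archive = b"PK\x03\x04 constructed placeholder archive bytes for the demo\n"
    with tempfile.TemporaryDirectory() as tmp_dir:
        root = Path(tmp_dir)
        mirror = root / "mirror"
        pkg_dir = mirror / "example-lib" / "1.2.3"
        pkg_dir.mkdir(parents=True)
        archive_path = pkg_dir / "example-lib-1.2.3.zip"
        archive_path.write_bytes(archive)

        # The lockfile is written once, after the archive has been reviewed.
        lock_path = root / "deps.lock.json"
        lock_path.write_text(json.dumps({
            "example-lib": {
                "version": "1.2.3",
                "filename": "example-lib-1.2.3.zip",
                "sha256": sha256_hex(archive),
            }
        }), encoding="utf-8")
        lock = load_lockfile(lock_path)

        vendored = fetch_pinned("example-lib", lock, mirror, root / "vendor")
        good = vendored.read_bytes() == archive

        # Simulate the archive on the mirror changing underneath the pin.
        archive_path.write_bytes(archive + b"// injected overnight\n")
        try:
            fetch_pinned("example-lib", lock, mirror, root / "vendor")
            tampered_rejected = False
        except DependencyError:
            tampered_rejected = True

        try:
            fetch_pinned("not-pinned", lock, mirror, root / "vendor")
            unpinned_rejected = False
        except DependencyError:
            unpinned_rejected = True

    return {"good": good, "tampered_rejected": tampered_rejected,
            "unpinned_rejected": unpinned_rejected}


if __name__ == "__main__":
    print(demo())
```

The point of the lockfile being a file you write, rather than metadata served by the same host as the archive, is that a swapped archive on the mirror (or on an upstream server) fails the check instead of silently entering the build; the same check works unchanged whether the mirror is a local directory, as in the reply, or a download you have already made.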