On 14.06.2011 21:34, Robert Clipsham wrote:
> On 14/06/2011 20:07, Andrei Alexandrescu wrote:
>> On 6/14/11 1:22 PM, Robert Clipsham wrote:
>>> On 14/06/2011 14:53, Andrei Alexandrescu wrote:
>>>> http://www.wikiservice.at/d/wiki.cgi?LanguageDevel/DIPs/DIP11
>>>>
>>>> Destroy.
>>>>
>>>>
>>>> Andrei
>>>
>>> This doesn't seem like the right solution to the problem - the correct
>>> solution, in my opinion, is to have a build tool/package manager handle
>>> this, not the compiler.
>>>
>>> Problems I see:
>>> * Remote server gets hacked, everyone using the library now
>>> executes malicious code
>>
>> This liability is not different from a traditional setup.
>
> Perhaps, but with a proper package management tool this can be avoided
> with sha sums etc, this can't happen with a direct get. Admittedly this
> line of defense falls if the intermediate server is hacked.
>
Signing the files/hashes with GPG helps (as long as the developer's private key isn't on the server).
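The checksum argument in this exchange, as an added example that is not part of the original thread: a checksum served from the same host as the file is replaced along with it in a compromise, while a digest pinned on the client still catches the change. `Mirror`, `fetch_trusting_server`, `fetch_pinned` and the lockfile dict are hypothetical names, the file contents are constructed, and GPG signature verification is not modelled; the pinned digest stands in for any trust anchor kept off the server.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Mirror:
    """Constructed stand-in for a server hosting files and their checksums."""

    def __init__(self):
        self.files, self.sums = {}, {}

    def publish(self, name: str, data: bytes) -> None:
        self.files[name] = data
        self.sums[name] = sha256_hex(data)  # checksum lives beside the file


def fetch_trusting_server(mirror: Mirror, name: str) -> bytes:
    """Verify against the checksum the same server hands out."""
    data = mirror.files[name]
    if not hmac.compare_digest(sha256_hex(data), mirror.sums[name]):
        raise ValueError(f"{name}: digest mismatch")
    return data


def fetch_pinned(mirror: Mirror, name: str, lockfile: dict) -> bytes:
    """Verify against a digest recorded client-side; unpinned names are refused."""
    data = mirror.files[name]
    expected = lockfile.get(name)
    if expected is None or not hmac.compare_digest(sha256_hex(data), expected):
        raise ValueError(f"{name}: missing or mismatched pinned digest")
    return data


def accepted(fetch, *args) -> bool:
    try:
        fetch(*args)
        return True
    except ValueError:
        return False


def demo():
    mirror = Mirror()
    mirror.publish("lib/foo.d", b"module foo; int answer() { return 42; }\n")
    lockfile = {"lib/foo.d": mirror.sums["lib/foo.d"]}  # pinned at review time
    # Constructed compromise: file and its published checksum change together.
    mirror.publish("lib/foo.d", b"module foo; int answer() { return 0; }\n")
    return (accepted(fetch_trusting_server, mirror, "lib/foo.d"),
            accepted(fetch_pinned, mirror, "lib/foo.d", lockfile))
```
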