On Saturday, 4 January 2025 at 20:33:55 UTC, Chris Piker wrote:
Hi D

So one of the projects I've been working on is moving closer to production. Currently, the pull/build/test/install cycle is handled by git, dub and GNU make.

Currently I let dub fetch dependencies off the Internet, but for mission reliability I would like to be able to handle the process without Internet access. Dub looks like it supports local repositories, but before I just start "Doing something", are there any practices the community would recommend for D supply-chain management?

Thanks for any links and tips,

I don't think there are D-specific rules on dependency management, as most people use it for small-scale personal/hobby projects only.

If your project can't take the risk of losing online dependencies, you might just want to put them under your project's version control system and commit them. This is sometimes done in Go; people there justify it by saying that, unlike JS and some other languages with tons of generated stuff, Go packages are relatively small, so it is just a natural choice to place them next to your code.

And in Git, for example, submodules (other git repos linked to your repo) are also a thing; however, by default it won't clone them without an explicit recursive flag, and even if you have git experience it is somewhat confusing to upgrade them (at least for me).

As for dub itself, it has very scarce info on that. It has local overrides and stuff, but I'd say this is mostly for quickly fixing build issues, not a production solution. So just having `dub.selections.json` in your repository pointing to local packages (dependencies committed in that same repo) is a viable option; even if something goes wrong, you can always change it in the dev environment to fix problems and commit back. Unless you have license issues with dependencies, this is probably the most secure one.

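An added example, not part of the original posts and not dub's own tooling: a pre-build check that fails when any entry in `dub.selections.json` would be resolved from outside the repository. It assumes the selections file keeps its entries under `"versions"`, with vendored packages written as `{"path": ...}`; the package names and the `deps/` layout are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

RECIPES = ("dub.json", "dub.sdl")  # recipe files that mark a dub package root

def audit_selections(repo_root: Path) -> list[str]:
    """Return one finding per dependency that is not vendored inside repo_root."""
    root = repo_root.resolve()
    data = json.loads((root / "dub.selections.json").read_text())
    findings = []
    for name, sel in sorted(data.get("versions", {}).items()):
        if isinstance(sel, str):
            # A bare version string is looked up in the registry or the user cache.
            findings.append(f"{name}: version {sel} resolves via the registry")
        elif "path" not in sel:
            findings.append(f"{name}: not a path selection ({', '.join(sorted(sel))})")
        else:
            target = (root / sel["path"]).resolve()
            if not target.is_relative_to(root):
                # Absolute paths and ../ escapes are not covered by the commit.
                findings.append(f"{name}: path {sel['path']} leaves the repository")
            elif not any((target / r).is_file() for r in RECIPES):
                findings.append(f"{name}: no dub recipe under {sel['path']}")
    return findings

def demo() -> list[str]:
    """Build a constructed repository layout and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "deps" / "vendored").mkdir(parents=True)
        (repo / "deps" / "vendored" / "dub.json").write_text('{"name": "vendored"}')
        (repo / "deps" / "empty").mkdir()
        selections = {"fileVersion": 1, "versions": {
            "vendored": {"path": "deps/vendored"},   # committed next to the code
            "empty": {"path": "deps/empty"},         # directory without a recipe
            "outside": {"path": "../outside"},       # escapes the repository
            "fetched": "1.2.3",                      # plain registry version
            "gitdep": {"repository": "git+https://example.invalid/x.git",
                       "version": "0000000"},        # placeholder commit id
        }}
        (repo / "dub.selections.json").write_text(json.dumps(selections))
        return audit_selections(repo)

if __name__ == "__main__":
    print("\n".join(demo()) or "all dependencies are vendored")
```

Run as a step before the build in the Makefile or CI job, treating a non-empty result as a failure.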