On Monday, 27 October 2014 at 03:15:45 UTC, Tofu Ninja wrote:
On Monday, 27 October 2014 at 03:00:50 UTC, Ola Fosheim Grøstad
Bad for security.
My response to that is that any library you ever download is
bad for security (including dmd and phobos).
I currently run dmd on a separate user account…
We need to draw the line somewhere for things we trust and
things we don't trust, personally I draw the line where it best
suits me to get things done. If giving up some small amount of
security allowed me to automatically integrate dub packages
into my projects, I would happily give it up. :)
That's ok for a personal user account, but not for a work account
IMO.
Then again, I prefer to fetch directly from repos manually and
only use dub-like features for languages that run in a VM.
Another point is that if you make fetching libraries too easy it
means bloat starts creeping in. OK for a scripting language, but
for a system level language…? You risk ending up with
Tango-bloat, where you cannot include anything without pulling
in all kinds of dependencies.
Also it is why I suggested that it could be policed.
But the D community is too small for that atm.