On Monday, 27 October 2014 at 03:24:47 UTC, Ola Fosheim Grøstad
wrote:
That's ok for a personal user account, but not for a work
account IMO.
Then again, I prefer to fetch directly from repos manually and
only use dub-like features for languages that run in a VM.
What I am saying is that unless you read every line of all the
libraries that you want to use and de-compile every precompiled
library and read the asm, you are taking a risk; any of that code
could do malicious things. You draw a line.
Another point is that if you make fetching libraries too easy
it means bloat starts creeping in. OK for a scripting language,
but for a system level language…? You risk ending up with
Tango-bloat, where you cannot include anything without pulling
in all kinds of dependencies.
The whole point of the thing is to get the benefits of a large
library without having a bloated standard lib. Obviously none of
phobos would depend on anything in dub. But users need things
outside of phobos, why would we want to make getting that harder?