On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi wrote:

> Let me preface this by saying I love package managers and think
> dub is one of the best things with dlang. However they can also
> sometimes be dangerous, as this PyPI incident[1] shows: several
> Python packages were uploaded that contained names similar to
> the standard library, and had an extra semi-malicious payload.
> They are apparently now part of live software.
>
> You could of course expect developers to do due diligence with
> the things they download, but of course they don't. It's
> probably worth paying attention to what the PyPI devs do to
> help mitigate this, and perhaps repeat some of those things
> with dub.
>
> [1]
> https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
We have the strength of being a mostly unknown language, but it
still sounds scary.
I usually download all the stuff, and only use dub to compile the
libraries, then mostly rely on the IDE's build system, and wrote
a PowerShell script to recompile the libraries I use in case I
update the compiler.
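The incident quoted above works because a registry accepted upload names that collide with, or differ by one keystroke from, standard-library module names. Below is an added example of the kind of name-similarity check a registry (dub, PyPI or any other) could run at upload time; it is not code from this thread, from dub, or from PyPI, and does not claim to be what the PyPI maintainers actually deployed. The reference list, candidate names and thresholds are constructed for illustration.

```python
"""Flag package names that are confusable with standard-library names.

Added example, not code from the forum thread, dub or PyPI. It assumes a
registry would run check_names() before accepting a new package name; the
reference list and thresholds below are constructed, not real registry data.
"""
import re

# Constructed reference list. A real check would load the full set of
# top-level standard-library module names for the target language.
REFERENCE_NAMES = ["urllib", "bz2", "crypt", "setuptools", "tkinter"]


def normalize(name):
    """PEP 503 style normalization: case-fold and collapse runs of
    '-', '_' and '.' into a single '-', so Setup_Tools == setup-tools."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Edit distance with the classic two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def confusable_with(candidate, reference, max_distance=1, max_suffix=3):
    """Return [(reference_name, reason)] for every reference name the
    candidate could be mistaken for. An empty list means no concern."""
    cand = normalize(candidate)
    hits = []
    for ref in reference:
        r = normalize(ref)
        if cand == r:
            hits.append((ref, "exact-match"))
        elif levenshtein(cand, r) <= max_distance:
            hits.append((ref, "edit-distance"))
        elif cand.startswith(r) and len(cand) - len(r) <= max_suffix:
            # e.g. a stdlib name with a short tacked-on suffix
            hits.append((ref, "prefix"))
    return hits


def check_names(candidates, reference=REFERENCE_NAMES):
    """Map each flagged candidate to the reference names it shadows."""
    flagged = {}
    for name in candidates:
        hits = confusable_with(name, reference)
        if hits:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    # Constructed upload names: a typo, a separator variant, a case
    # variant, a legitimate unrelated name and a suffixed stdlib name.
    uploads = ["urlib", "setup-tools", "Crypt", "requests", "tkinter-py"]
    for name, hits in check_names(uploads).items():
        print(f"REJECT {name!r}: confusable with {hits}")
```

A registry would run `check_names()` on every new upload and route hits to manual review rather than auto-rejecting, since some genuine packages legitimately extend a standard-library name; the value is in making the collision visible before the package is live, not in the exact thresholds chosen here.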