Dub is getting some flak here. This is unsurprising because it is
really hard to write a good package manager and build system. I
use a lot of languages and not one has a satisfactory package
manager. Mostly they try to do too much and get in the way or
they do too little and people complain (I prefer the second
option). And when there are 100+ dependencies, like with Go and
Node, it just becomes impossible to say anything about the state
of the system (security, anyone?).
Package management is mostly dependency management. This I handle
with GNU Guix (and Nix) package managers. They are great at that.
This also leaves people to choose any old build system. Inside
GNU Guix the build system is consistent, which is really nice.
I'll write a blog some time this year.
What you really want is to be able to discover packages (i.e., a
website such as Dub provides), pull them into your tree (which is
just a path and can be handled by git submodules, though I don't
like those much either), and when you distribute: add them to
Guix or Nix and provide those packages with build system and as
binary deployments to others. These package managers give control
over the full dependency graph, including shared libraries all
the way down to glibc.
I am not posting this to plug these systems per se. Just saying
that writing a generic package manager is hard and is better left
to systems that solve handling the full dependency graph
correctly. Personally, I am happy very happy with what Guix gives
me. Can't think of a better way. I have no reason to use dub.