Add dub.selections.json to .gitignore

[nordlow]

No description provided.

[ikod]

Thanks

[PetarKirov]

Lock files should always be committed, even for libraries. Check out e.g. https://classic.yarnpkg.com/blog/2016/11/24/lockfiles-for-all/ (this talks about yarn, but the same concepts apply to dub).

Traditionally, this is perhaps this was not the message that the D community has had on dub.selection.json files for libraries, but that really has to change.

[nordlow]

Ok, What is the meaning of a lock-file in this context?

[nordlow]

Can someone make a tag?

[ikod]

done, thanks

[PetarKirov]

@nordlow A lock file is a general concept implemented by most language package managers. In the case of Dub, that's dub.selections.json. It is supposed to contain the complete set of dependency package names, versions, cryptographic hashes of the archives containing them and from where to obtain download them. Unfortunately, Dub doesn't include the hash of package archives, which makes building with Dub not fully reproducible: if someone force pushes a git tag of a package and dub-registry happens to goes down, next time it starts it will fetch the new package tag, which can contain completely different contents (including malware).

[nordlow]

@nordlow A lock file is a general concept implement by most language package managers. In the case of Dub, that's dub.selections.json. It is supposed to contain the complete set of dependency package names, versions, cryptographic hashes of the archives containing them and from where to obtain download them. Unfortunately, Dub doesn't include the hash of package archives, which makes building not fully reproducible: if someone force pushes a git tag of a package and dub-registry happens to goes down next time it starts it will fetch the new package tag, which can contain completely different contents (including malware).

Thanks a lot for that explanation. Would it be possible to add support for that in dub, @s-ludwig?

FYI, @John-Colvin @skoppe.

[nordlow]

It is supposed to contain the complete set of dependency package names, versions, cryptographic hashes of the archives containing them and from where to obtain download them. Unfortunately, Dub doesn't include the hash of package archives.

What is meant by the word "archive" in this regard considering the code is transferred via Git?

[PetarKirov]

It is supposed to contain the complete set of dependency package names, versions, cryptographic hashes of the archives containing them and from where to obtain download them. Unfortunately, Dub doesn't include the hash of package archives.

What is meant by the word "archive" in this regard considering the code is transferred via Git?

There are several package suppliers. The default, which most people are familiar with, is dub-registry and it powers code.dlang.org. dub-registry stores archives of all packages as zip files on its server. So, in most cases, dub fetch is simply a zip file download: https://github.com/dlang/dub/blob/v1.27.0/source/dub/packagesuppliers/registry.d#L51-L86

Would it be possible to add support for that in dub?

Yes, but it would require changes to both dub-registry and dub.

[nordlow]

Yes, but it would require changes to both dub-registry and dub.

Seems to me like something worth investing in, @John-Colvin @skoppe.