RejectedSoftware Forums

Security feature request: Specifying package registry in dub.json

Dub support for package registries other than code.dlang.org

Either by manipulating a DNS or by taking over code.dlang.org or a GitHub repository,
an attacker could insert malicious code into your application. To reduce the attack vector,
companies have their own package registries with proven packages. I would like to specify in
dub.json which package registries DUB will load the packages from.

For the context of this request please see:
http://forum.dlang.org/post/vbeywgqdsuczhrykmlax@forum.dlang.org

Re: Security feature request: Specifying package registry in dub.json

I'd suggest to support a general settings override feature. See my reply in the other thread.