Open kmod-midori opened 3 years ago
You can try this way
https://github.com/dart-lang/pub/issues/2226#issuecomment-945762896
Option to treat PUB_HOSTED_URL as a replacement of pub.dev
I think this is a bad idea from a security perspective.
Maybe one day, we'll have package signing and protection from replay attacks, etc... then we can contemplate implementing support for actual mirrors. But all of this is non-trivial, I've been looking at things like https://theupdateframework.io/
A workaround might be to do a pre-commit hook that rewrites pubspec.lock or something like that.
It's also possible we should consider dropping the URL in pubspec.lock for packages from the default repository. This might be reasonable if we have content-hashes in pubspec.lock.
In addition to that, the CI pipeline might rewrite the URLs with sed -i.
Git hooks would be fragile since we cannot reject invalid commits on GitHub in the case the hooks fail to run or some new member/new machine forgets to set that up (why isn't there some way to automatically configure that in 2022?). We also need something that works reliably across Windows/macOS/Linux.
Currently we are ignoring pubspec.lock in our repositories and hope for the best. This is not optimal and sometimes slow, but better than getting hit by network errors every time.
Having to use a mirror without some signing/verification in place is already unsafe, but let's face the reality that pub.dev is not reliably accessible in China.
The majority of our team work in China, so we need PUB_HOSTED_URL=https://pub.flutter-io.cn otherwise pub get can take forever. Some even have different mirror configuration. However, some of our members and our CI service are not located in China, they sometimes cannot even connect to the mirror.
The problem is, this URL ends up being written in pubspec.lock and is updated every time a different member works on the project, quickly becoming noisy. Currently we are ignoring pubspec.lock from our repository, but it is far from ideal. Is there any way around this?
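The CI-side rewrite suggested in the thread, as an added example that is not part of the original discussion or of the pub project: it normalizes hosted URLs in pubspec.lock and fails the build if a mirror URL was committed, while leaving git dependencies (which also carry a url: key) untouched, something a blanket sed would not do. The default CANONICAL_URL of https://pub.dev, the function names and the sample lockfile are assumptions constructed for illustration.

```shell
# Added example, not code from the thread. Assumptions: CANONICAL_URL is the
# URL the team agrees to commit; all function names here are hypothetical.
CANONICAL_URL="${CANONICAL_URL:-https://pub.dev}"

# lock_hosted list FILE : print hosted URLs that differ from CANONICAL_URL
# lock_hosted fix  FILE : print the lockfile with hosted URLs rewritten
# Entries are buffered per package because "source:" comes after "url:", and
# git dependencies carry their own url: that must stay untouched.
lock_hosted() {
  awk -v mode="$1" -v canon="$CANONICAL_URL" '
    function flush(   i, u) {
      for (i = 1; i <= n; i++) {
        if (hosted && buf[i] ~ /^ +url: /) {
          u = buf[i]; sub(/^ +url: *"?/, "", u); sub(/"? *$/, "", u)
          if (mode == "list" && u != canon) print u
          sub(/url: .*/, "url: \"" canon "\"", buf[i])
        }
        if (mode == "fix") print buf[i]
      }
      n = 0; hosted = 0
    }
    /^(  )?[^ ]/ { flush() }   # top-level key or start of a package entry
    { buf[++n] = $0 }
    /^    source: hosted/ { hosted = 1 }
    END { flush() }
  ' "$2"
}

# CI gate: fail if the committed lockfile points at anything but CANONICAL_URL.
check_lock() {
  bad=$(lock_hosted list "$1" | sort -u)
  [ -z "$bad" ] || { echo "non-canonical hosted URL: $bad" >&2; return 1; }
}

# In-place rewrite through a temp file (sed -i differs on GNU and BSD sed).
normalize_lock() {
  lock_hosted fix "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample: one hosted package from a mirror, one git dependency.
write_sample() {
  printf '%s\n' 'packages:' '  async:' '    dependency: transitive' \
    '    description:' '      name: async' \
    '      url: "https://pub.flutter-io.cn"' '    source: hosted' \
    '    version: "2.8.2"' '  mylib:' '    dependency: "direct main"' \
    '    description:' '      path: "."' '      ref: main' \
    '      url: "https://git.example.test/mylib.git"' '    source: git' \
    '    version: "0.1.0"' > "$1"
}
```

Rewriting the URL changes only what the lockfile records; it does not verify that a mirror served the same package content.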