dart-lang / pub

The pub command line tool
https://dart.dev/tools/pub/cmd
BSD 3-Clause "New" or "Revised" License
1.04k stars, 228 forks

Option to treat PUB_HOSTED_URL as a replacement of pub.dev #2993

Open kmod-midori opened 3 years ago

kmod-midori commented 3 years ago

The majority of our team works in China, so we need PUB_HOSTED_URL=https://pub.flutter-io.cn, otherwise pub get can take forever. Some even have different mirror configurations. However, some of our members and our CI service are not located in China, and they sometimes cannot even connect to the mirror.

The problem is, this URL ends up being written in pubspec.lock and is updated every time a different member works on the project, quickly becoming noisy. Currently we are ignoring pubspec.lock from our repository, but it is far from ideal. Is there any way around this?

yujiuqie commented 3 years ago

You can try this way

https://github.com/dart-lang/pub/issues/2226#issuecomment-945762896

jonasfj commented 2 years ago

Option to treat PUB_HOSTED_URL as a replacement of pub.dev

I think this is a bad idea from a security perspective.

Maybe one day, we'll have package signing and protection from replay attacks, etc... then we can contemplate implementing support for actual mirrors. But all of this is non-trivial, I've been looking at things like https://theupdateframework.io/

A workaround might be to do a pre-commit hook that rewrites pubspec.lock or something like that.

It's also possible we should consider dropping the URL in pubspec.lock for packages from the default repository. This might be reasonable if we have content-hashes in pubspec.lock.

kmod-midori commented 2 years ago

In addition to that, the CI pipeline might rewrite the URLs with sed -i.

Git hooks would be fragile since we cannot reject invalid commits on GitHub in the case the hooks fail to run or some new member/new machine forgets to set that up (why isn't there some way to automatically configure that in 2022?). We also need something that works reliably across Windows/macOS/Linux.

Currently we are ignoring pubspec.lock in our repositories and hope for the best. This is not optimal and sometimes slow, but better than getting hit by network errors every time.
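The two workarounds floated in this thread, a pre-commit hook that rewrites pubspec.lock and a CI step that rewrites or rejects it, can be the same small script. The following is an added example, not code from the pub project or from anyone in this thread. It assumes the lock file records hosted sources as `url: "https://..."` lines, takes the mirror URLs to normalize as arguments, and uses `https://example-mirror.invalid/pub` as a constructed placeholder for any second mirror. `normalize_lock` does the rewrite (the pre-commit use) and `check_lock` fails when any non-canonical URL remains (the CI gate that the hooks alone cannot enforce):

```shell
#!/bin/sh
# Added example, not code from the pub project or from anyone in this thread:
# rewrite the hosted-source url recorded in pubspec.lock from a regional mirror
# back to the canonical https://pub.dev, so the lock file stays stable no matter
# which PUB_HOSTED_URL a developer used. Usable as a pre-commit hook or as a CI
# check that refuses a lock file still pointing at a mirror.
# Assumes the lock file records hosted sources as lines of the form
#   url: "https://..."
set -eu

CANONICAL_URL="https://pub.dev"

# normalize_lock FILE MIRROR...
# Rewrites each `url: "<MIRROR>"` line to the canonical URL, in place, and
# prints the number of lines rewritten.
normalize_lock() {
  lock="$1"; shift
  tmp="${lock}.tmp.$$"
  changed=0
  : > "$tmp"
  # `|| [ -n "$line" ]` keeps a final line that lacks a trailing newline
  while IFS= read -r line || [ -n "$line" ]; do
    for mirror in "$@"; do
      case "$line" in
        *"url: \"$mirror\""*)
          # '#' is the sed delimiter because the URLs contain '/'
          line=$(printf '%s\n' "$line" | sed "s#$mirror#$CANONICAL_URL#")
          changed=$((changed + 1))
          ;;
      esac
    done
    printf '%s\n' "$line" >> "$tmp"
  done < "$lock"
  mv "$tmp" "$lock"
  echo "$changed"
}

# check_lock FILE
# Succeeds only when every url: line names the canonical URL; otherwise prints
# the offending lines (with line numbers) and fails, so CI can reject the commit.
check_lock() {
  if grep -n 'url: ' "$1" | grep -v "url: \"$CANONICAL_URL\""; then
    return 1
  fi
  return 0
}

# write_sample FILE
# Writes a constructed pubspec.lock fragment (not a real project's file) with one
# package resolved via a mirror and one via pub.dev.
write_sample() {
  cat > "$1" <<'EOF'
packages:
  args:
    dependency: transitive
    description:
      name: args
      url: "https://pub.flutter-io.cn"
    source: hosted
    version: "2.3.1"
  path:
    dependency: "direct main"
    description:
      name: path
      url: "https://pub.dev"
    source: hosted
    version: "1.8.2"
EOF
}

# Demo when run directly: normalize the sample and then verify it is clean.
# The second mirror URL is a constructed placeholder for any other mirror.
WORK=$(mktemp -d)
write_sample "$WORK/pubspec.lock"
echo "rewritten lines: $(normalize_lock "$WORK/pubspec.lock" \
  "https://pub.flutter-io.cn" "https://example-mirror.invalid/pub")"
check_lock "$WORK/pubspec.lock" && echo "pubspec.lock is clean"
rm -rf "$WORK"
```

As a pre-commit hook, run `normalize_lock pubspec.lock <mirror...>` and `git add pubspec.lock`; in CI, run only `check_lock pubspec.lock` so a lock file that still names a mirror fails the build regardless of whether the committer had the hook installed. Note that this only keeps the recorded URL stable; it does not verify that the mirror served the same package bytes as pub.dev, which is the gap the content-hash idea above would close.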

kmod-midori commented 2 years ago

Having to use a mirror without some signing/verification in place is already unsafe, but let's face the reality that pub.dev is not reliably accessible in China.