Closed roop closed 2 years ago
@jeroenleenarts:
Good point. This PR currently pins dependencies to exact versions, but if the dependency repository is compromised (as in, it changes what is tagged as a particular version), and if we build against that, our product will be affected.
One way to address this could be to pin to exact commit hashes instead of version numbers. What do you think?
Pinning on a commit would be a clearer selection.
@jeroenleenarts: Do you think pinning against commit hashes would sufficiently address your concerns? If yes, I'll modify this PR to do that.
Yes, pinning on a commit hash is a cryptographically verifiable value.
This PR now pins direct dependencies to commit hashes instead of version numbers. Moreover, commit hashes of all dependencies (including sub-dependencies) are tracked in Package.resolved (which is populated by Xcode).
Removes use of CocoaPods from the project and moves to Swift packages.
With this PR, all dependencies are managed as Swift packages in Xcode. Instead of libsodium, we now use swift-sodium from the same author.
Resolves #95.
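As an added example (not code from this PR or the project), a small Python check a CI job could run over Package.swift and Package.resolved to enforce the pinning policy agreed above: every direct dependency declared with `revision:` rather than a version requirement, and every resolved pin (including sub-dependencies) locked to a full commit hash rather than a branch. The manifest snippet, JSON and commit hashes are constructed, and `example/other` is a hypothetical repository.

```python
import json
import re

# Constructed sample inputs (not the project's real files); the commit
# hashes are placeholders rather than real commits of the named repositories.
SAMPLE_MANIFEST = '''
dependencies: [
    .package(url: "https://github.com/jedisct1/swift-sodium.git",
             revision: "0123456789abcdef0123456789abcdef01234567"),
    .package(url: "https://github.com/example/other.git", from: "1.2.0"),
]
'''

SAMPLE_RESOLVED = json.dumps({"version": 2, "pins": [
    {"identity": "swift-sodium", "kind": "remoteSourceControl",
     "location": "https://github.com/jedisct1/swift-sodium.git",
     "state": {"revision": "0123456789abcdef0123456789abcdef01234567",
               "version": "0.9.1"}},
    {"identity": "other", "kind": "remoteSourceControl",
     "location": "https://github.com/example/other.git",
     "state": {"branch": "main",
               "revision": "89abcdef0123456789abcdef0123456789abcdef"}},
]})

FULL_SHA1 = re.compile(r"^[0-9a-f]{40}$")
# Matches `.package(url: "...", <label>:` and captures the url plus the label
# of the requirement argument (revision, from, exact, branch, ...).
PACKAGE_DECL = re.compile(r'\.package\(\s*url:\s*"([^"]+)"\s*,\s*(\w+)\s*:')


def find_unpinned_declarations(manifest_text):
    """Direct dependencies in Package.swift not declared with `revision:`."""
    return [(url, label) for url, label in PACKAGE_DECL.findall(manifest_text)
            if label != "revision"]


def audit_resolved(resolved_text):
    """Pins in Package.resolved (v1 or v2 layout) not locked to one commit."""
    doc = json.loads(resolved_text)
    if doc.get("version") == 1:  # older layout nests pins under "object"
        pins = [(p["package"], p["state"]) for p in doc["object"]["pins"]]
    else:
        pins = [(p["identity"], p["state"]) for p in doc["pins"]]
    problems = []
    for name, state in pins:
        if state.get("branch"):
            problems.append((name, f"floating on branch {state['branch']}"))
        elif not FULL_SHA1.match(state.get("revision") or ""):
            problems.append((name, "missing full commit hash"))
    return problems


if __name__ == "__main__":
    print(find_unpinned_declarations(SAMPLE_MANIFEST))
    print(audit_resolved(SAMPLE_RESOLVED))
```

A non-empty result from either function is what a CI job would fail on; a moved tag cannot change what the pinned hash resolves to, but a branch pin or a `from:` range still can.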