Allow running Dart scripts upon package installation

[thosakwe]

Somewhat related to the long-closed #1674, but I believe this is a better solution.

What if, upon running pub get, a package could execute one or more scripts written in Dart? This would be useful for doing things like building native extensions, or other configuration necessary for the execution of a given package.

There could be a field called after_install with either a path to a single Dart script, or a list of paths. These paths would be resolved relative to the current working directory.

Example

name: foo
after_install:
  - tool/download_bar.dart
  - tool/do_something_else_.dart

The pub tool could spin up a new isolate instead of a new VM.

Nested usage (in dependencies)

pub should also be able to run after_install scripts from packages that are dependencies. For example, if you depend on package:foo that bundles a tool/bar.dart, you'll get the following:

$ pub get
Resolving dependencies...

Got dependencies!

package:foo is requesting to run the script `tool/bar.dart`.
Allow? (y/n/View contents)

Contents of `tool/bar.dart`:

import 'dart:io';

void main() {
  print(new File('foo.bar').readAsStringSync());
}

package:foo is requesting to run the script `tool/bar.dart`.
Allow? (y/N)

Caveats

• Executing arbitrary code is always something of a concern. To combat this, the "View contents" option would be the default, which would allow users to at least know what they're running before it runs.
• Each script would assume it were being run in the root directory of its corresponding package. For example, package:foo's scripts would run in ~/.pub-cache/hosted/pub.dartlang.org/foo/x.y.z.
• There would need to be some sort of of cache file (~/.pub-cache/after_install_cache.yaml) present containing timestamps of when each script was run, so that the user would not be repeatedly nagged to run scripts from every package they depend on. This would be in the pub cache, so that even if you use the same package in multiple projects, you'd only have to run things like native extension builders once globally.

Conclusion

Overall, I think that the ability to run a callback script can go a long way to improving the Dart ecosystem. Being able to build things like native extensions on-the-fly would be great for Dart IMO.

P.S. I'm wholly willing to send a PR, and would actually love to do so ASAP. Thanks in advance for consideration.

[zoechi]

Similar to what is mentioned in #39 (comment)

[thosakwe]

@zoechi after_install scripts definitely would facilitate adding something like building native extensions. However, unlike what's proposed in #39, I don't think native extension functionality needs to actually be built into pub, especially since pub is no longer a build tool.

The community could put together something like node-gyp that would do the trick. This morning I came up with a potential idea for such a system: https://gist.github.com/thosakwe/f8cc5f0fee0e8869350b01af8ef033d7

Anyways, that's beyond the scope of this discussion 😄

[thosakwe]

I forked Pub and got this working in an after_install_scripts branch:
https://github.com/thosakwe/pub-1/tree/after_install_scripts

I'm going to go ahead and send a PR, because I don't know how much time the maintainers will have to resolve individual issues in this repo.

[mit-mit]

This would change the security model for pub significantly, and I am not convinced the potential value justifies the potential risk.

[thosakwe]

I had an open PR for this, but closed it for this very reason. Going to close the issue, too.