Option to treat PUB_HOSTED_URL as a replacement of pub.dev #2993
Comments
|
You can try this way |
I think this a bad idea from a security perspective. Maybe one day, we'll have package signing and protection from replay attacks, etc... then we can contemplate implementing support for actual mirrors. But all of this is non-trivial, I've been looking at things like https://theupdateframework.io/ A workaround might be to do a pre-commit hook that rewrites It's also possible we should consider dropping the URL in |
|
In addition to that, the CI pileline might rewrite the URLs with Git hooks would be fragile since we can not reject invalid commits on GitHub in the case the hooks fail to run or some new member/new machine forget to set that up (why isn't there some way to automatically configure that in 2022?). We also need something that works reliably across Windows/macOS/Linux. Currently we are ignoring |
|
Having to use a mirror without some signing/verification in place is already unsafe, but let's face the reality that |
The majority of our team work in China, so we need
PUB_HOSTED_URL=https://pub.flutter-io.cnotherwisepub getcan take forever. Some even have different mirror configuration. However, some of our members and our CI service are not located in China, they sometimes can not even connect to the mirror.The problem is, this URL ends up being written in
pubspec.lockand is updated every time a different member works on the project, quickly becoming noisy. Currently we are ignoringpubspec.lockfrom our repository, but it is far from ideal. Is there any way around this?The text was updated successfully, but these errors were encountered: