Ferret7446 3 days ago

I'd suggest you submodule in dependencies rather than curl. Supply chain attacks and version incompatibilities both happen and suck

susam 3 days ago | parent [-]

> I'd suggest you submodule in dependencies rather than curl. Supply chain attacks and version incompatibilities both happen and suck

What kind of supply chain attack or version incompatibility would affect

  curl -sSL https://github.com/edicl/hunchentoot/archive/v1.3.1.tar.gz | tar -xz

but not

  git submodule add https://github.com/edicl/hunchentoot.git && cd hunchentoot/ && git checkout v1.3.1

?
Ferret7446 2 days ago | parent [-]

Submodules are pinned by commit hash. It prevents an attacker from replacing a release.

parlortricks 2 days ago | parent [-]

That is very handy to know.

cdegroot 2 days ago | parent [-]

You can achieve roughly the same by writing down the SHA256 hash the first time you download and then comparing when you download the next time.

But, yeah, while I do not like submodules, for vendoring stuff it seems a reasonable approach. There's also https://github.com/fosskers/vend if you lean that way.
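The "write down the SHA256 the first time, compare on the next download" approach from the comment above, and the reason the thread's `curl | tar` pipeline is weaker than a commit-pinned submodule, as an added example that is not code from the thread or from any of the projects mentioned. It is POSIX sh; the function names and the `deps.lock` idea are illustrative assumptions, and the self-check builds its own small archive so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread: pin a downloaded release archive by
# its SHA256 and refuse to extract it when the digest no longer matches.
# Function and file names are illustrative assumptions, not from any project.

# Print the hex SHA256 of a file; sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE EXPECTED_HEX
# Returns 0 if FILE hashes to EXPECTED_HEX, 1 otherwise (both digests to stderr).
verify_pinned() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'digest mismatch for %s\n  expected %s\n  actual   %s\n' "$1" "$2" "$actual" >&2
    return 1
}

# extract_verified ARCHIVE EXPECTED_HEX DEST_DIR
# Unpacks the .tar.gz only after the pin check passes; a re-uploaded or
# tampered archive is left on disk unextracted and DEST_DIR is never created.
extract_verified() {
    verify_pinned "$1" "$2" || return 1
    mkdir -p "$3"
    tar -xzf "$1" -C "$3"
}

# fetch_pinned URL EXPECTED_HEX DEST_DIR
# The thread's curl | tar pipeline restructured so the bytes land in a temp
# file and are verified before tar ever sees them.
fetch_pinned() {
    tmp=$(mktemp) || return 1
    if curl -sSL --fail -o "$tmp" "$1" && extract_verified "$tmp" "$2" "$3"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Recording the pin the first time (store the digest next to the URL, for
# example in a hypothetical deps.lock), then reusing it on every later fetch:
#   sha256_of hunchentoot-v1.3.1.tar.gz          # copy this value into deps.lock
#   fetch_pinned "$URL" "$PINNED_SHA256" vendor/hunchentoot

# Offline self-check with a constructed archive (no network needed): the
# right pin extracts, a wrong pin refuses and leaves the destination absent.
demo_roundtrip() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src"
    printf 'hello\n' > "$work/src/README"          # constructed sample content
    tar -czf "$work/release.tar.gz" -C "$work" src
    pin=$(sha256_of "$work/release.tar.gz")
    extract_verified "$work/release.tar.gz" "$pin" "$work/good" || return 1
    [ -f "$work/good/src/README" ] || return 1
    if extract_verified "$work/release.tar.gz" "deadbeef" "$work/bad" 2>/dev/null; then
        return 1   # a mismatching pin must not extract
    fi
    [ ! -e "$work/bad" ] || return 1
    rm -rf "$work"
    return 0
}
```

Run `demo_roundtrip && echo ok` after sourcing the file. The point of splitting download and extraction is that `curl ... | tar -xz` hands every byte to `tar` before anything can be checked; with the digest recorded on first download, a later release that was replaced in place (same URL, same tag name, different bytes) fails the comparison instead of being unpacked, which is the same property a submodule gets from its commit hash.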