-
-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature request: Pinning TOML plugins #431
Comments
The primary reason I haven't added git support, is that cloning the repo to extract the file adds considerable overhead. At the top of your post, you're talking about how |
Yeah that makes sense. Perhaps doing some trickery similar to https://www.npmjs.com/package/hosted-git-info might get you most of the way.
Unless some knowledge about e.g. the githubusercontent.com domain is built into the Even if it did, then it would lose the context of where it should look for plugin updates (if that became a thing later), plus needing special github logic for how to check for updates. The part that actually solves my main issues with using |
Maybe we just expand |
Yeah I think you're right, that would get us far in a short time. Support for other git hosts could come later. Also no need for relying on "proto plugin add" to automatically add the commit shas I mentioned, as that could go in the lockfile we spoke about. |
Currently it's possible to achieve this, if it's hosted on a forge like GitHub which you trust, then you can create a permalink to the current version of the plugin e.g:
However this is tedious, not obvious, and difficult to document in your plugin's README, as it changes on each commit. So right now the common method is just to point it to the latest version which is a glaring security hole, as at any point the plugin author can make the tool's download-url point to a malicious payload.
I don't see a general way to solve this for the
source
locator, so I think discouraging its use and implementing a native git locator would be better.Ideas
1)
github
locator should support non-releases and TOML pluginsCurrently it assumes you're interested in releases and only looks for archives or wasm assets in that release. Not sure if the archive can contain a TOML plugin, but using releases for TOML plugins seems a bit overkill in any case.
I don't think this one makes sense, so quickly jumping further to...
2) Implement a
git
locatorI'm thinking the syntax could be:
Whether it should start with
git:example.com
orgit://example.com
I'm not sure about, the latter does however read clearer if you use basic auth. It's inspired by how npm handles it.git+ssl://[email protected]
should probably also be possible.Examples:
This in itself wouldn't solve the issue, but it could if the
proto plugin add
was made the preferred way to add plugins, and it additionally used the locator to transform into an explicit URI similar toproto pin
's--resolve
option like so:Resulting in the
.prototools
entry:The text was updated successfully, but these errors were encountered: