
Option to treat PUB_HOSTED_URL as a replacement of pub.dev

Open kmod-midori opened this issue 4 years ago • 5 comments

The majority of our team works in China, so we need PUB_HOSTED_URL=https://pub.flutter-io.cn, otherwise pub get can take forever. Some even have different mirror configurations. However, some of our members and our CI service are not located in China, and they sometimes cannot even connect to the mirror.

The problem is, this URL ends up being written in pubspec.lock and is updated every time a different member works on the project, quickly becoming noisy. Currently we are ignoring pubspec.lock from our repository, but it is far from ideal. Is there any way around this?

kmod-midori avatar May 12 '21 12:05 kmod-midori

You can try this way

https://github.com/dart-lang/pub/issues/2226#issuecomment-945762896

yujiuqie avatar Oct 18 '21 13:10 yujiuqie

Option to treat PUB_HOSTED_URL as a replacement of pub.dev

I think this is a bad idea from a security perspective.

Maybe one day we'll have package signing and protection from replay attacks, etc.; then we can contemplate implementing support for actual mirrors. But all of this is non-trivial. I've been looking at things like https://theupdateframework.io/

A workaround might be to do a pre-commit hook that rewrites pubspec.lock or something like that.

It's also possible we should consider dropping the URL in pubspec.lock for packages from the default repository. This might be reasonable if we have content-hashes in pubspec.lock.

jonasfj avatar Jan 03 '22 14:01 jonasfj

In addition to that, the CI pipeline might rewrite the URLs with sed -i.

Git hooks would be fragile, since we cannot reject invalid commits on GitHub in case the hooks fail to run or some new member/new machine forgets to set them up (why isn't there some way to automatically configure that in 2022?). We also need something that works reliably across Windows/macOS/Linux.

Currently we are ignoring pubspec.lock in our repositories and hope for the best. This is not optimal and sometimes slow, but better than getting hit by network errors every time.

kmod-midori avatar Jan 03 '22 14:01 kmod-midori
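One way to do the CI-side rewrite mentioned above, as an added example that is not from the pub project or from anyone in this thread: a POSIX shell script that normalises mirror URLs in pubspec.lock back to pub.dev and a check that fails when any other host remains. The sample lockfile, its package names and its sha256 values are constructed for the example.

```shell
#!/bin/sh
# Constructed example: rewrite hosted-package URLs in a pubspec.lock to the
# canonical pub.dev URL and gate CI on the result. Uses GNU/BSD-portable sed -i.bak.

CANONICAL_URL="https://pub.dev"

# normalize_pub_lock <pubspec.lock> <mirror-url>...
# Rewrites every `url: "<mirror>"` entry (quotes and trailing slash optional)
# to the canonical URL in place; name, sha256 and version lines are untouched.
normalize_pub_lock() {
    lock="$1"; shift
    for mirror in "$@"; do
        # Escape '.' so the mirror host is matched literally by sed.
        pat=$(printf '%s' "$mirror" | sed 's/[.]/\\&/g')
        sed -i.bak "s#^\( *url: \)\"\{0,1\}$pat/\{0,1\}\"\{0,1\}\$#\1\"$CANONICAL_URL\"#" "$lock"
        rm -f "$lock.bak"
    done
}

# check_pub_lock <pubspec.lock>
# Succeeds only when every url line is the canonical one, so a CI job can refuse
# a lockfile that points at an unexpected host. Assumes all url lines belong to
# hosted packages; git dependencies also carry a url line and need filtering first.
check_pub_lock() {
    ! grep -E '^ *url:' "$1" | grep -v -F "\"$CANONICAL_URL\"" >/dev/null
}

# write_sample_lock <path>
# Constructed two-package lockfile as a mirror-using developer would commit it.
write_sample_lock() {
    cat > "$1" <<'EOF'
packages:
  async:
    description:
      name: async
      sha256: "0000000000000000000000000000000000000000000000000000000000000001"
      url: "https://pub.flutter-io.cn"
    source: hosted
    version: "1.0.0"
  path:
    description:
      name: path
      sha256: "0000000000000000000000000000000000000000000000000000000000000002"
      url: "https://pub.dev"
    source: hosted
    version: "1.0.0"
EOF
}
```

Run normalize_pub_lock on pubspec.lock as the first CI step (listing every mirror your team uses), then check_pub_lock as a gate; the content hashes are never touched, so a swapped package body would still fail pub's own hash verification.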

Having to use a mirror without some signing/verification in place is already unsafe, but let's face the reality that pub.dev is not reliably accessible in China.

kmod-midori avatar Jan 03 '22 14:01 kmod-midori

This is still relevant.

sigurdm avatar Sep 25 '25 08:09 sigurdm