
track build dependencies and versions

Open FedericoCeratto opened this issue 7 years ago • 2 comments

Nimble could keep track of which dependencies are used during a build and their versions. This is useful during the lifetime of statically linked binaries to track:

  • if any of the dependencies used at build time has (currently) known security issues
  • ...or bugs or copyright violations that justify rebuilding and deploying the binary
  • in order to debug issues that happen only with a specific combination of dependency versions

This information could be printed out at build time but embedded in the binary to be available where it's deployed.

If a dependency was tracking HEAD, the commitish should be tracked instead. The compiler/stdlib version should be tracked as well.

At build time, Nimble could also print out where the dependencies are coming from: globally, from ~/.nimble, from the local directory, from $NIM_LIB_PREFIX ... This allows debugging issues like #407 and checking that the compiler is using the right sources. (Paths should not be embedded in the binary)

FedericoCeratto • Nov 07 '17 23:11

Nimble already sort of does this if you pass --verbose; you will see each --path passed to the compiler.

dom96 • Feb 21 '18 19:02
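
One way to turn the `--path` flags mentioned above into the build manifest the issue asks for, as an added example that is not part of the thread or of Nimble itself. The sample command line is constructed, and the `pkgs/<name>-<version>` directory naming and the `manifest`/`classify` helpers are assumptions of this sketch.

```python
import re
import shlex
from pathlib import PurePosixPath

# Added example, not Nimble code. Constructed sample of a compiler invocation
# as it might appear with --verbose; the directory naming is an assumption.
SAMPLE_CMD = (
    'nim c -d:release '
    '--path:"/home/dev/.nimble/pkgs/jester-0.4.3" '
    '--path:"/home/dev/.nimble/pkgs/httpbeast-#head" '
    '--path:"/home/dev/proj/vendor/mylib" '
    '-o:/home/dev/proj/app /home/dev/proj/src/app.nim'
)

# <name>-<version>: version is dotted digits or a "#ref" such as "#head".
PKG_DIR = re.compile(r"^(?P<name>.+)-(?P<version>\d+(?:\.\d+)*|#.+)$")

def classify(path, home, project):
    """Say where a dependency came from without keeping the path itself."""
    if PurePosixPath(home) / ".nimble" in path.parents:
        return "~/.nimble"
    if PurePosixPath(project) in path.parents:
        return "local directory"
    return "other"

def manifest(cmd, home, project):
    """One entry per --path flag: name, version, origin. No paths are kept."""
    entries = []
    for arg in shlex.split(cmd):
        if not arg.startswith("--path:"):
            continue
        path = PurePosixPath(arg[len("--path:"):])
        m = PKG_DIR.match(path.name)
        entries.append({
            "name": m["name"] if m else path.name,
            "version": m["version"] if m else "unknown",
            # "#head" names a moving ref: the commit still has to be recorded.
            "pinned": bool(m) and not m["version"].startswith("#"),
            "origin": classify(path, home, project),
        })
    return entries

if __name__ == "__main__":
    for entry in manifest(SAMPLE_CMD, "/home/dev", "/home/dev/proj"):
        print(entry)
```

Entries with `pinned` set to false are the ones for which the issue asks that a commit be recorded instead of a version.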

Can we close this? Isn't this basically lock files?

genotrance • Sep 11 '20 17:09