asdf-vm/asdf

Feature: Support asdf .plugin-versions

aabouzaid opened this issue · 4 comments

Is your feature request related to a problem? Please describe

Currently, asdf doesn't provide a method to pin its plugin's URL and version. This creates 2 main issues:

  1. Security-wise, the plugins are not secure unless manually added in 2 steps, first asdf plugin add <name> [<git-url>], and second asdf plugin update <name> [<git-ref>].
  2. Operational-wise, unlike .tool-versions, it's not possible to set up asdf plugins declaratively, and it's hard to use it as part of Git/GitOps.

The .plugin-versions will be more or less the same format as .tool-versions, where the name, version/hash/tag, and URL will be set.

Describe the proposed solution

There are many issues here in this repo as well as asdf-plugins about the first point (security) (starting from #166 and ending with #1564).

I believe introducing a new file called .plugin-versions should be the best solution for that without touching .tool-versions. That will reduce the complexity of the feature and avoid breaking changes in .tool-versions.

It can use what's in PR no. #1204 and build on top of it.

Describe similar asdf features and why they are not sufficient

asdf doesn't support the suggested feature.

Describe other workarounds you've considered

The current workaround is each user will create a make or bash script to manage asdf plugins in a secure way.
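The kind of wrapper script the workaround describes, as an added example that is not part of the original issue or of asdf: it reads a pin file, validates every entry before touching anything, then runs the two commands quoted in the issue. The file format (`<name> <git-url> <git-ref>`), the function names, the `REQUIRE_SHA` switch and the https-only rule are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not asdf code. Assumed (hypothetical) .plugin-versions format,
# one plugin per line: <name> <git-url> <git-ref>, e.g. this constructed entry:
#   nodejs https://example.com/asdf-nodejs.git 0123456789abcdef0123456789abcdef01234567

# Validate file $1 and print one "name url ref" line per plugin.
# Prints nothing on stdout and returns 1 if any entry is rejected.
# With REQUIRE_SHA=1 the ref must be a full 40-hex commit hash (tags can move).
validate_plugin_pins() {
    file=$1 lineno=0 pins=""
    while read -r name url ref extra || [ -n "$name" ]; do
        lineno=$((lineno + 1))
        case $name in ''|'#'*) continue ;; esac      # blank line or comment
        err=""
        case $name in *[!A-Za-z0-9_-]*|-*) err="bad plugin name" ;; esac
        case $url in https://*) ;; *) err="URL must start with https://" ;; esac
        case $ref in ''|-*) err="missing or option-like git ref" ;; esac
        [ -z "$extra" ] || err="unexpected extra field"
        if [ "${REQUIRE_SHA:-0}" = 1 ]; then
            case $ref in *[!0-9a-f]*) err="ref is not a commit hash" ;; esac
            [ "${#ref}" -eq 40 ] || err="ref is not a commit hash"
        fi
        if [ -n "$err" ]; then
            echo "$file:$lineno: $err" >&2
            return 1
        fi
        pins="$pins$name $url $ref
"
    done < "$file"
    printf '%s' "$pins"
}

# Pin every plugin in file $1 with the two commands quoted in the issue.
# Nothing is run unless the whole file validates; stops at the first failure.
apply_plugin_pins() {
    pins=$(validate_plugin_pins "$1") || return 1
    printf '%s\n' "$pins" | while read -r name url ref; do
        [ -n "$name" ] || continue
        asdf plugin add "$name" "$url" < /dev/null || exit 1
        asdf plugin update "$name" "$ref" < /dev/null || exit 1
    done
}

# Only acts when invoked as: script --apply [file]
if [ "${1:-}" = "--apply" ]; then apply_plugin_pins "${2:-.plugin-versions}"; fi
```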

This would depend on #166

Edit: Didn't see this was already mentioned

Looks related to #240 and #829

@hyperupcall Well, it looks like a popular request 😀

Thanks for mentioning those issues 🙇
I will read those issues and probably will close this one since it looks duplicated.

Closing as this is a duplicate of the aforementioned tickets.