I'd like to gauge community interest in adding an explicit permission for both Swift Package Manager command and build tool plugins to access the network outside their sandbox. I believe there are compelling reasons for both types of plugins to do so, and I'd like to collect those reasons to advance this to a pitch.
At a minimum, I believe that private plugins (ones that aren't published by the package) should be granted this permission.
If your plugins were granted network access, what kinds of plugins would you write? Alternatively, why should (or shouldn't) plugins be able to access the network?
My team distributes modular binary xcframeworks to clients. We keep their public interface clean and user-friendly, and for inter-module communication we use SPIs (System Programming Interfaces). The distributed xcframework only contains the regular swiftinterface files (without SPI declarations), while private swiftinterface files are stored separately, uploaded to an artifact storage.
In order to build modules which depend on other modules, we have to have access to the inter-module SPIs. So whenever we're building one of these, we need to download the .private.swiftinterface files of the dependent modules from a remote storage and put them next to the regular ones (inside the xcframework bundle) so these APIs become visible to the build system.
Without Swift Package Manager providing network access to the plugin sandbox, we can only fetch these artifacts outside of the realm of SPM.
This has come up in the SSWG and we obviously need network access to be able to deploy Swift apps to AWS/GCP/Heroku etc with a Swift plugin. I believe there is a flag to enable network access, similar to how the file access works but someone in the know can correct me
Is this about app sandbox keys on macOS or something else?
I disagree with this. Forking and editing downloaded packages is very common, so there should be a specific permission. Now, yes, most IDEs ask the user to trust a downloaded directory, but there’s still a huge risk from automatically granting this permission. I think the same is true for storage permissions.
This is an excellent example.
If so, it hasn't been advertised and isn't available in as a
Great points. I realize I made it sounds like my opinion was in favor of an implicit permission for private plugins — I should've specified an explicit permission.
This seems to be a common workaround — pre-fetch the network resources and make them available before building with SPM. I'll make sure to include this motivation.