Description
Is your feature request related to a problem? Please describe
Currently, asdf doesn't provide a method to pin its plugin's URL and version. This creates 2 main issues:
- Security-wise, the plugins are not secure unless manually added in 2 steps, first `asdf plugin add <name> [<git-url>]`, and second `asdf plugin update <name> [<git-ref>]`.
- Operational-wise, unlike `.tool-versions`, it's not possible to set up asdf plugins declaratively, and it's hard to use it as part of Git/GitOps.
The .plugin-versions will be more or less the same format as .tool-versions, where the name, version/hash/tag, and URL will be set.
Describe the proposed solution
There are many issues here in this repo as well as asdf-plugins about the first point (security), starting from #166 and ending with #1564.
I believe introducing a new file called .plugin-versions should be the best solution for that without touching .tool-versions. That will reduce the complexity of the feature and avoid breaking changes in .tool-versions.
It can use what's in PR no. #1204 and build on top of it.
Describe similar asdf features and why they are not sufficient
asdf doesn't support the suggested feature.
Describe other workarounds you've considered
The current workaround is each user will create a make or bash script to manage asdf plugins in a secure way.
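
A sketch of the kind of wrapper script the workaround describes, added here as an example (it is not asdf's code and not from PR #1204): it validates a pin file, then runs the two commands from the issue for each entry. Assumptions: the line format `<name> <git-ref> <git-url>`, the rule that a ref must be a full commit hash (stricter than the version/hash/tag the proposal allows), and the `ASDF_BIN` override are all hypothetical.

```shell
#!/bin/sh
# Added example. Assumed line format (asdf defines none): <name> <git-ref> <git-url>
# Constructed sample line:
#   nodejs 0123456789abcdef0123456789abcdef01234567 https://example.invalid/asdf-nodejs.git

# True only for a full 40-character lowercase hex commit hash.
is_commit_hash() {
  case "$1" in ''|*[!0-9a-f]*) return 1 ;; esac
  [ "${#1}" -eq 40 ]
}

# Validate the whole file before anything runs. Prints "name ref url" per
# plugin only if every entry is well-formed, https, and pinned to a hash.
plan_plugins() {
  pv_plan='' pv_bad=0
  while read -r pv_name pv_ref pv_url pv_extra || [ -n "$pv_name" ]; do
    case "$pv_name" in ''|'#'*) continue ;; esac   # blank line or comment
    pv_err=''
    case "$pv_name" in *[!A-Za-z0-9._-]*) pv_err='unexpected character in name' ;; esac
    case "$pv_url" in https://*) ;; *) pv_err='URL missing or not https' ;; esac
    is_commit_hash "$pv_ref" || pv_err='ref is not a full commit hash'
    [ -z "$pv_extra" ] || pv_err='trailing fields'
    if [ -n "$pv_err" ]; then
      echo "$1: $pv_name: $pv_err" >&2; pv_bad=1
    else
      pv_plan="${pv_plan}${pv_name} ${pv_ref} ${pv_url}
"
    fi
  done < "$1"
  [ "$pv_bad" -eq 0 ] && printf '%s' "$pv_plan"
}

# Run the two steps from the issue for each validated entry; stop on the
# first failing command. ASDF_BIN is a hypothetical override for dry runs.
apply_plugins() {
  pv_out=$(plan_plugins "$1") || return 1
  printf '%s\n' "$pv_out" | while read -r pv_name pv_ref pv_url; do
    [ -n "$pv_name" ] || continue
    "${ASDF_BIN:-asdf}" plugin add "$pv_name" "$pv_url" </dev/null || exit 1
    "${ASDF_BIN:-asdf}" plugin update "$pv_name" "$pv_ref" </dev/null || exit 1
  done
}

# Usage: sh this-script path/to/pin-file
if [ -n "${1:-}" ]; then apply_plugins "$1"; fi
```

Because the file is validated in full before the first `asdf` call, a single unpinned or non-https entry leaves the installed plugins untouched.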