[Haskell-cafe] Ticking time bomb

Bardur Arantsson spam at scientician.net
Thu Jan 31 18:40:10 CET 2013


On 01/30/2013 08:27 PM, Edward Z. Yang wrote:
> https://status.heroku.com/incidents/489
> 
> Unsigned Hackage packages are a ticking time bomb.
> 

Somewhere else that shall not be mentioned, someone posted this link
which points to an interesting solution to this problem:

   http://www.futurealoof.com/posts/nodemodules-in-git.html

It requires a little basic knowledge of the Node Package Manager to
understand. Here's a little summary that should make it easier to
understand for people who are not familiar with NodeJS:

The Node Package Manager (npm) is the Node JS equivalent of
cabal-install(*).

When you install a module (think Haskell package off Hackage) using
"npm", it installs into a directory called "node_modules" in the
project's directory instead of installing into a global name space.

When a NodeJS program imports a required module, it is first looked up
in the "node_modules" directory _before_ looking in the global package
database.

Since modules *are* their source, you can check all of this into the
revision control system of your choice.

It seems to me that "cabal install" could do something very similar to
solve many of the "cabal hell" and potential security issues when users
blindly do "cabal install".

(*) Yeah, yeah, not a package manager. In practice it's being used as
one, so...
