Feature Idea: --no-remote-fetching flag

Adam Foltzer acfoltzer
Tue Oct 8 17:40:22 UTC 2013

Hi Johan,

On Tue, Oct 8, 2013 at 9:54 AM, Johan Tibell <johan.tibell at gmail.com> wrote:

> I would like for there to be a both a command line flag and a
> ~/.cabal/config setting (there isn't one already, is there?)

Please let me know if this is the case! I have combed through the docs and
not found anything yet.

> Some people have previously expressed a desire for it on security grounds.

That's our motivation as well.

> P.S. We intend to have cabal build imply `cabal install
> --only-dependencies` when working in a sandbox in the future.

Would this cause `cabal build` to fetch dependencies if some are missing
locally? We'd want to see a similar way to disable that behavior for
security-sensitive environments as well. Reproducibility and isolation are
our primary concerns for certain projects.


> On Tue, Oct 8, 2013 at 9:46 AM, Adam Foltzer <acfoltzer at gmail.com> wrote:
> > Hello,
> >
> > With the wonderful advent of sandboxes in mainline cabal, I'd like to see
> > what folks think of a flag to disable remote fetching of dependencies.
> The
> > idea is that one could `cabal sandbox add-source` a set of trusted
> > dependencies, and then be assured that a subsequent `cabal install
> > --no-remote-fetching` would *only* resolve dependencies in that trusted
> set.
> >
> > I'd be willing to explore implementing this myself, if it would be
> > appropriate for a first-time cabal hacker. I'm also quite interested to
> hear
> > whether this would be a useful feature for others, or other ways you
> might
> > propose to address the problem.
> >
> > I also understand that I can get this behavior by modifying the
> > ~/.cabal/config, but this is a kludgey approach that is not workable in
> all
> > deployment environments.
> >
> > Thanks!
> > Adam
> >
> > _______________________________________________
> > cabal-devel mailing list
> > cabal-devel at haskell.org
> > http://www.haskell.org/mailman/listinfo/cabal-devel
> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.haskell.org/pipermail/cabal-devel/attachments/20131008/28bc0a6a/attachment.html>

More information about the cabal-devel mailing list