Feature Idea: --no-remote-fetching flag
Johan Tibell
johan.tibell
Tue Oct 8 20:11:02 UTC 2013
On Tue, Oct 8, 2013 at 10:40 AM, Adam Foltzer <acfoltzer at gmail.com> wrote:
> Would this cause `cabal build` to fetch dependencies if some are missing
> locally? We'd want to see a similar way to disable that behavior for
> security-sensitive environments as well. Reproducibility and isolation are
> our primary concerns for certain projects.
Yes, without the flag enabled cabal build, when used in a sandbox,
will install packages from remote-repo (e.g. Hackage).
>> On Tue, Oct 8, 2013 at 9:46 AM, Adam Foltzer <acfoltzer at gmail.com> wrote:
>> > Hello,
>> >
>> > With the wonderful advent of sandboxes in mainline cabal, I'd like to
>> > see
>> > what folks think of a flag to disable remote fetching of dependencies.
>> > The
>> > idea is that one could `cabal sandbox add-source` a set of trusted
>> > dependencies, and then be assured that a subsequent `cabal install
>> > --no-remote-fetching` would *only* resolve dependencies in that trusted
>> > set.
>> >
>> > I'd be willing to explore implementing this myself, if it would be
>> > appropriate for a first-time cabal hacker. I'm also quite interested to
>> > hear
>> > whether this would be a useful feature for others, or other ways you
>> > might
>> > propose to address the problem.
>> >
>> > I also understand that I can get this behavior by modifying the
>> > ~/.cabal/config, but this is a kludgey approach that is not workable in
>> > all
>> > deployment environments.
>> >
>> > Thanks!
>> > Adam
>> >
>> > _______________________________________________
>> > cabal-devel mailing list
>> > cabal-devel at haskell.org
>> > http://www.haskell.org/mailman/listinfo/cabal-devel
>> >
>
>
More information about the cabal-devel
mailing list