johan.tibell at gmail.com
Thu Sep 5 21:18:15 CEST 2013
On Thu, Sep 5, 2013 at 12:06 PM, Iustin Pop <iusty at k1024.org> wrote:
> On Wed, Sep 04, 2013 at 09:14:03PM -0700, Johan Tibell wrote:
>> ## Do the right thing automatically
>> The focus here should be on avoiding manual steps the cabal could do
>> for the user.
>> * Automatically install dependencies when needed. When `cabal build`
>> would fail due to a missing dependency, just install this dependency
>> instead of bugging the user to do it. This will probably have to be
>> limited to sandboxes where we can't break the user's system
> I'm not sure if here by sandbox and break you mean break the
> cabal/package installation, or protect against malicious code.
> If it's not the latter (and even if it is, how safe are the sandboxes?),
> I would argue that until cabal can verify authenticity of downloaded
> archives, it would be better to not do this automatically. Maybe add a
> new command, cabal fetch-deps or something like that, that can do it,
> but leave 'cabal build' as a "safe" command.
By break I mean break the package DB by forcefully re-installing a
package. In a sandbox this is safe, as we have a single install plan
for the whole sandbox and it's always safe to reinstall everything if
As for security I don't think this is much less secure than telling
the user to type 'cabal install' manually. We better focus our
security efforts on making sure we speak HTTPS to Hackage, validate
uploads there, etc. For the extra security conscious we can add a
`no-automatic-downloads` setting to ~/.cabal/config.
More information about the cabal-devel