Making cabal-install SSL capable

Herbert Valerio Riedel hvriedel at gmail.com
Tue Apr 28 13:22:13 UTC 2015


On 2015-04-28 at 10:21:04 +0200, Michael Snoyman wrote:

[...]

> I have no intention of playing the "minimal dependency" game (though I
> don't mind dropping data-default, which accounts for 6 of the dependencies
> listed there). I will point out- as Gershom already did- that in many cases
> it's likely easier to install a few extra Haskell packages than it is to
> pull in OpenSSL as a dependency, especially on Windows. (And that's
> ignoring the fact that http-client-openssl exists.)

While I do appreciate the technical issues resulting from HsOpenSSL on
Windows[1], I'll be frank and admit that there's a "political" aspect
that worries me with such a large number of added dependencies imported
into the cabal project in one go, as that would promote (or at the very
least bias) one specific family of multiple competing HTTP-client
abstractions into the Haskell Platform through the back-door (assuming
the idea of the HP hasn't been abandoned -- I may not be up to date
regarding that debate), and make it a fait accompli without having
actually had any agreement on it (which I admit may never be reached, as
the associated communities involved have grown quite large by now and
may disagree quite violently on basic design choices...).

That's why I suggested HTTP+HsOpenSSL (which tbh is not my favorite HTTP
library), as that would be the neutral choice regarding HTTP-libraries
at the foundational core library level. Alternatively, Gershom's
suggestion to shell out to curl(1)/wget(1)/etc would equally achieve
impartiality regarding HTTP-libraries (and probably work better on
Windows too)

PS: We shouldn't forget that there's also an existing deployed
    cabal-install user-base we can't get rid off so easily, which may
    still leak unencrypted basic-auth credentials for the years to
    come. Just saying...

 [1]: Are those issues documented somewhere btw? Could that it be
      addressed via minghc?

Cheers,
  hvr


More information about the cabal-devel mailing list