Abstract FilePath Proposal

Brandon Allbery allbery.b at gmail.com
Sun Jul 5 18:40:56 UTC 2015


On Sun, Jul 5, 2015 at 2:25 PM, Bardur Arantsson <spam at scientician.net>
wrote:

> How often have security issues with GHC (or the base libraries) itself
> been a problem? (In practice, I mean.)
>

Not that often, but consider one real example: aeson was found to have a
DDoS bug which was fixed by making it depend on a package which IIRC needed
a newer base, so the fix couldn't be backported to versions of aeson
compatible with older base. The necessary fix for those would have been
substantially more complicated.

(There are other examples, but the primary one that actually involves
something shipped with ghc is never going to be fixed until it destroys
someone's system, and I bet even then we'll get another load of HOMG MUST
NEVER CHANGE API ONLY DOCUMENT AS BAD from the maintainer. I'm still
waiting for one of the Linux distributions to notice and CVE it.)

-- 
brandon s allbery kf8nh                               sine nomine associates
allbery.b at gmail.com                                  ballbery at sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net