Abstract FilePath Proposal

Bardur Arantsson spam at scientician.net
Sun Jul 5 19:27:37 UTC 2015

On 07/05/2015 08:40 PM, Brandon Allbery wrote:
> On Sun, Jul 5, 2015 at 2:25 PM, Bardur Arantsson <spam at scientician.net>
> wrote:
>> How often have security issues with GHC (or the base libraries) itself
>> been a problem? (In practice, I mean.)
> Not that often, but consider one real example: aeson was found to have a
> DDoS bug which was fixed by making it depend on a package which IIRC needed
> a newer base, so the fix couldn't be backported to versions of aeson
> compatible with older base. The necessary fix for those would have been
> substantially more complicated.
> (There are other examples, but the primary one that actually involves
> something shipped with ghc is never going to be fixed until it destroys
> someone's system, and I bet even then we'll get another load of HOMG MUST
> NEVER CHANGE API ONLY DOCUMENT AS BAD from the maintainer. I'm still
> waiting for one of the Linux distributions to notice and CVE it.)

Oh, yeah, that's a valid point... but is this something that should
drive design?

Further, I don't think the aeson DDoS problem was predicated on an
old/obsolete "base" library? Maybe I'm wrong about that, and I'm sure
y'all will be happy to point out where and why. :)


More information about the ghc-devs mailing list