[Haskell-cafe] Ticking time bomb

Bardur Arantsson spam at scientician.net
Thu Jan 31 18:40:10 CET 2013

On 01/30/2013 08:27 PM, Edward Z. Yang wrote:
> https://status.heroku.com/incidents/489
> Unsigned Hackage packages are a ticking time bomb.

Somewhere else that shall not be mentioned, someone posted this link
which points to an interesting solution to this problem:


It requies a little basic knowledge of the Node Package Manager to
understand. Here's a little summary that should it easier to understand
for people who are not familiar with NodeJS:

The Node Package Manager (npm) is the Node JS equivalent of

When you install a module (think Haskell package off Hackage) using
"npm", it installs into a directory called "node_modules" in the
project's directory instead of installing into a global name space.

When a NodeJS program imports a required module, it is first looked up
in the "node_modules" directory _before_ looking in the global package

Since modules *are* their source, you can check all of this into the
revision control system of your choice.

It seems to me that "cabal install" could do something very similar to
solve many of the "cabal hell" and potential security issues when users
blindly do "cabal install".

(*) Yeah, yeah, not a package manager. In practice it's being used as
one, so...

More information about the Haskell-Cafe mailing list