[Haskell-cafe] Ticking time bomb
spam at scientician.net
Thu Jan 31 18:40:10 CET 2013
On 01/30/2013 08:27 PM, Edward Z. Yang wrote:
> Unsigned Hackage packages are a ticking time bomb.
Somewhere else that shall not be mentioned, someone posted this link
which points to an interesting solution to this problem:
It requires a little basic knowledge of the Node Package Manager to
understand. Here's a little summary that should make it easier to understand
for people who are not familiar with NodeJS:
The Node Package Manager (npm) is the Node JS equivalent of
When you install a module (think Haskell package off Hackage) using
"npm", it installs into a directory called "node_modules" in the
project's directory instead of installing into a global name space.
When a NodeJS program imports a required module, it is first looked up
in the "node_modules" directory _before_ looking in the global package
Since modules *are* their source, you can check all of this into the
revision control system of your choice.
It seems to me that "cabal install" could do something very similar to
solve many of the "cabal hell" and potential security issues when users
blindly do "cabal install".
(*) Yeah, yeah, not a package manager. In practice it's being used as