[Haskell-cafe] security update practice?

Bob Ippolito bob at redivi.com
Wed Jul 9 14:52:29 UTC 2014


Adding a security fix in general is going to be tough since you'd have to
rebuild all of the packages that the user has that depend on that package
or else it would be instant cabal hell (which is basically why platform
releases work best with different compiler versions). One alternative would
be for the platform to add some artificial stuff to the GHC version so that
its package db doesn't clash with anything else…

On Wednesday, July 9, 2014, Alois Cochard <alois.cochard at gmail.com> wrote:

> I think it's an issue since I learnt that the platform cannot be updated
> on its own (need a new GHC version)...
>
> How can we integrate a security fix in the platform?... We can't...
> On Jul 9, 2014 2:47 AM, "Mark Wotton" <mwotton at gmail.com> wrote:
>
>> Hi all,
>>
>> there was a security update to the underlying library to one of my
>> bindings last night (lz4) and it got me thinking - how do we handle
>> security updates as a community? I typically find out from IRC or
>> twitter now, which isn't particularly reliable. Might it be possible
>> to mark an update on Hackage as a security update rather than feature
>> update?
>>
>> cheers
>> Mark
>>
>> --
>> A UNIX signature isn't a return address, it's the ASCII equivalent of a
>> black velvet clown painting. It's a rectangle of carets surrounding a
>> quote from a literary giant of weeniedom like Heinlein or Dr. Who.
>>         -- Chris Maeda