[Haskell-cafe] Improvements to package hosting and security
Michael Snoyman
michael at snoyman.com
Tue May 5 10:09:54 UTC 2015
We've implemented a fair amount of the Git-facing stuff here already (see
the stackage-update package). It just needs to clone from an https Git repo
on Github and fetch from the same repo. Signature verification is also
possible, but not necessary to get an improvement over the current state of
affairs. So I don't think interacting with user configs will be a blocker
here. That said, I agree with the main thrust of your email: seeing is
believing. Let's add Git and GPG to MinGHC and see where that puts us. As
usual, more hands help out with getting these things done quicker, so if
someone wants to get involved, let me know. But I expect this improvement
to happen some time this month.
On Tue, May 5, 2015 at 1:04 PM Tillmann Rendel <
rendel at informatik.uni-tuebingen.de> wrote:
> Hi,
>
> Michael Snoyman wrote:
> > That said, I think bundling the necessary Git tooling with MinGHC is an
> > easy win.
>
> Agreed. I mostly want to lobby for actually bundling it (properly, see
> below) instead of merely hand-waiving about how easy it is to install
> git on Windows.
>
> > here's actually a really easy solution to "have Git installed": bundle
> it with MinGHC
>
> This solution is certainly possible, but I'm not so sure whether it is
> *really easy*. From my perspective, MinGHC+git should be able to coexist
> on a system with some other system that bundles git, say, FOO+git,
> and/or just a copy of git that the user installed. (Otherwise,
> installing git after installing MinGHC+git would break MinGHC+git which
> would be unfortunate, wouldn't it?)
>
> Now how should the various copies of git interact?
>
> - should they share a configuration file?
> - should they use the same shell?
> - should they ever call each other?
>
> I'm imaging a search-path-tweaking nightmare to get this to work. For
> example, what if a user sets up `git bisect` to call `cabal update` (as
> part of some larger script) which in turns would call `git whatever` to
> update the index. Presumably, that should be different copies of git
> involved.
>
> But maybe cabal would need only some low-level git stuff which don't
> interact with user configuration or use the shell at all? That would
> make things easier.
>
> I'm not sure how valid my concerns here are, but I'm not convinced by
> "Git is fairly well supported on Windows these days and installs easily."
>
> Tillmann
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.haskell.org/pipermail/haskell-cafe/attachments/20150505/30f99700/attachment.html>
More information about the Haskell-Cafe
mailing list