[Haskell-cafe] Standard package file format

Joachim Durchholz jo at durchholz.org
Fri Sep 16 08:36:48 UTC 2016

Am 16.09.2016 um 09:22 schrieb Alan & Kim Zimmerman:
> The more power you put into the package file description, the harder it is
> for the surrounding ecosystem to reason about it.
> So if you can execute arbitrary code in a new-gen cabal file, apart from
> the security aspects, it becomes difficult to be sure what is actually
> being specified, if you do not reproduce the original environment when
> evaluating the file.

A little-hyped aspect of Gradle is that it has two strictly divided 
phases: Phase 1 builds the dependency model, phase 2 executes it.
Once phase 1 finishes, the dependency model becomes read-only, phase 2 
is not allowed to modify it.

On the plus side, this makes it easy for tools to reason about the 
model: it's static and easy to reproduce (just run phase 1 on the config 
file, or even better, ask the Gradle daemon that's caching the model).

On the minus side, it's hard to make out which code in the config is 
phase-1 and which is phase-2: Same syntax, no static types to guide the 
intuition; essentially, you have to know which parameters of what 
phase-1 library functions are closures to be executed in phase 2.
Haskell might be able to do better in this area, though I'm in no 
position to make any proposals for that.

More information about the Haskell-Cafe mailing list