SearchPath (was RE: hackage, cabal-get, and security)

[Simon Marlow]

On 18 May 2005 17:59, S. Alexander Jacobson wrote:

> On Wed, 18 May 2005, Simon Marlow wrote:
>> On 17 May 2005 17:14, S. Alexander Jacobson wrote:
>>> With SearchPath, you supply the URLs of the module maps you want to
>>> use.  SearchPath then uses these map to locate, download and
>>> "install" needed libraries without further user intervention.
>>> 
>>> A module map is just a file mapping module names to the base URLs of
>>> directories in which they reside.  If you want to supply the URL of
>>> a particular version of a module map rather than "latest" you are
>>> free to do that.
>> 
>> But how do you know what module maps were being used by the author of
>> the module you download?  Don't you have to download their module map
>> file too?
> 
> The reality is that, no matter what, you always have to assume that
> the user and author of a particular module/package need to live in
> basically the same universe of modules and packages.

So in fact I *cannot* locally modify my module map to use a different
version of an imported module.  The module map is fixed and global,
although I can extend it locally.

So basically, there's no versioning, because everyone has to use the
same version of everything.  Right?  Well, except that I can enter into
a pact with another module author to use a certain version of a third
party's module, and we both have to remember that we have the pact
because the information doesn't travel with the module sources (unlike
Cabal, where dependencies are explicit, I might add).

> With Cabal, if you download two packages, how do you know that they
> won't require conflicting versions of another module/package?

As discussed before, the fact that you can't use two versions of a
package simultaneously is a missing feature in the implementation,
nothing more.

Cheers,
	Simon