qualified imports, PVP and so on (Was: add new Data.Bits.Bits(bitZero) method)

Vincent Hanquez tab at snarc.org
Tue Feb 25 21:37:29 UTC 2014

On 2014-02-25 20:38, Michael Snoyman wrote:
> On Tue, Feb 25, 2014 at 9:23 PM, Gregory Collins 
> <greg at gregorycollins.net> wrote:
> I really don't like this appeal to authority. I don't know who the 
> "royal we" is that you are referring to here, and I don't accept the 
> premise that the rest of us must simply adhere to a policy because "it 
> was decided." "My side" as you refer to it is giving concrete negative 
> consequences to the PVP. I'd expect "your side" to respond in kind, 
> not simply assert that we're "breaking Hackage" and other such hyperbole.
Strongly agreed.

>     Of course, people who want to follow PVP are also going to need
>     tooling to make sure their programs still build in the future
>     because so many people have broken the policy in the past --
>     that's where proposed kludges like "cabal freeze" are going to
>     come in.
> This is where we apparently fundamentally disagree. cabal freeze IMO 
> is not at all a kludge. It's the only sane approach to reliable 
> builds. If I ran my test suite against foo version 1.0.1, performed 
> manual testing on 1.0.1, did my load balancing against 1.0.1, I don't 
> want some hotfix build to automatically get upgraded to version 1.0.2, 
> based on the assumption that foo's author didn't break anything.

This is probably also the only sane approach at the moment for safe 
builds. Considering the whole hackage infrastructure is quite insecure 
at the moment (http download/upload, no package signing, etc), freezing 
your build packages after you have audited them is probably the only 
sensible way to ship secure products.

In a production environment (at 2 different work places), I've seen two 
approaches for proper builds:

* still using hackage directly, but pinning each package with a 
cryptographic hash on your build site.
* a private hackage instance where packages are manually imported; the 
build uses exclusively this.

Using hackage directly (+ depending on the PVP) is at the moment too much 
like playing Russian roulette.
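The first approach above (keep using hackage, but pin every package tarball to a cryptographic hash held on the build site) can be implemented with a small pre-build check. The script below is an added example for this thread, not code from the mail or from cabal; it assumes a pin file of the form "<pkg>-<version>.tar.gz <sha256hex>", one entry per line with "#" comments, and a directory of already-downloaded tarballs. The fixture it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): refuse to build unless every
# pinned Hackage tarball in a local directory matches its recorded SHA-256.
# Pin-file format is an assumption: "<pkg>-<version>.tar.gz <sha256hex>".

sha256_of() {
  # Portable SHA-256: prefer sha256sum (coreutils), fall back to shasum.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_pins <pin-file> <tarball-dir>
# Prints one line per pinned package; returns 1 if any package is
# missing or its hash differs from the pin, 0 only if all match.
verify_pins() {
  pins="$1"; dir="$2"; failed=0
  while read -r name expected; do
    [ -z "$name" ] && continue
    case "$name" in \#*) continue ;; esac   # skip comment lines
    file="$dir/$name"
    if [ ! -f "$file" ]; then
      echo "MISSING  $name" >&2; failed=1; continue
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
      echo "OK       $name"
    else
      echo "MISMATCH $name (expected $expected, got $actual)" >&2; failed=1
    fi
  done < "$pins"
  return $failed
}

# Constructed demo fixture: two fake tarballs and a pin file where the first
# entry matches, the second carries a wrong hash, the third names a package
# that was never downloaded. Prints the fixture directory.
make_fixture() {
  d=$(mktemp -d)
  printf 'constructed package contents\n' > "$d/foo-1.0.1.tar.gz"
  printf 'another constructed package\n' > "$d/bar-2.0.0.tar.gz"
  {
    echo "# name sha256"
    echo "foo-1.0.1.tar.gz $(sha256_of "$d/foo-1.0.1.tar.gz")"
    echo "bar-2.0.0.tar.gz 0000000000000000000000000000000000000000000000000000000000000000"
    echo "baz-0.1.0.tar.gz 1111111111111111111111111111111111111111111111111111111111111111"
  } > "$d/pins.txt"
  echo "$d"
}

# Usage in a build script (hypothetical paths):
#   verify_pins pins.txt ./vendor/tarballs || { echo "pin check failed"; exit 1; }
```

The pin file is the thing you actually audit and commit alongside the project; once a package has been reviewed, only a deliberate edit of that file can change what the build consumes, regardless of what hackage serves later.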
