Hackage is flooded with old package versions reuploads

Edward Kmett ekmett at gmail.com
Sun Jan 18 23:49:50 UTC 2015


The alternative is just that cabal will continue indefinitely to try to
install completely broken combinations, and more people will be driven to a
fixed package set like stackage LTS.

Most of these problems are caused by people being too optimistic about
upper bounds and when they realize their mistake and upload a new version,
they'll often leave the old versions with the lying bounds intact, which
causes cabal to pick old versions without bug fixes, and then give strange
build errors.

To my knowledge, the few cases where Herbert has actively done a patch to
the .cabal file like this without author communication is because the
package is in very very widespread use and the author has been
incommunicado for many months. As I recall, Max Bolingbroke has some
packages that fit this bill.

At least in my case, and in the case of the Haskell core libraries, Herbert
has been very conscientious about talking to me, finding problems, auditing
what builds across all versions of GHC in recent and not-so-recent memory,
and working with me to find the best fix on a case-by-case basis. He has my
explicit consent for any tweaks he has had to make to the build
dependencies of my packages and has worked with the core libraries
committee very closely for patches to the core libraries.

If you have an example of a package you've written that he's patched that
you'd rather he left alone, I'm sure he'd be happy to oblige. I am,
however, as of yet unaware of any such overreach and I'm rather disinclined
to view the enormous amount of effort Herbert has poured into keeping the
ecosystem working smoothly as anything but a good thing. The price of doing
nothing here is quite high.

-Edward


On Sun, Jan 18, 2015 at 6:05 PM, Vincent Hanquez <tab at snarc.org> wrote:

>
> On 18/01/2015 09:56, kyra wrote:
>
>> Hi, guys,
>>
>> It looks like old (and even ancient) versions of many packages get uploaded
>> to hackage over and over again in ever-increasing amounts. The username of
>> the uploader for the vast majority of these uploads is HerbertValerioRiedel.
>>
>> While this is harmless I wonder what idea stands behind this?
>>
> This is not harmless. This is a security issue by itself, as now packages
> get changed transparently given a URL; you might have a different package
> one day, which triggers a hash check failure or a signed tag verification
> failure.
>
> This also has the effect of not changing the bounds in the repository, so,
> for example, the next time you upload a tweaked package, you effectively
> revert the change done on hackage only.
>
> This is also done without the consent of the maintainer of a given
> package, nor is the maintainer actually notified when that happens, or
> allowed to prevent it from happening. This is a pretty big start from the
> other similar policy for taking over packages, which insists on a very long
> period of repeated communication with the author and then the community.
>
> The whole thing is at best ill-advised,
> --
> Vincent
>
> _______________________________________________
> Libraries mailing list
> Libraries at haskell.org
> http://www.haskell.org/mailman/listinfo/libraries
>