Hackage is flooded with old package versions reuploads
Vincent Hanquez
tab at snarc.org
Mon Jan 19 00:57:29 UTC 2015
On 18/01/2015 15:51, David Feuer wrote:
>
> It would be best to be sure to make the maintainer (if there is one)
> aware of such changes. That said, not every package has a responsive
> maintainer, and *someone* has to do this work, and do it promptly. A
> signed hash failure does not introduce a security hole, unless you
> count a sort of semi-manual, avoidable denial of service.
>
Not sure how you got "security hole" from what I said, but a failing
hash or signature means that the build system breaks while cabal
installs stuff and that I have to manually inspect what the change is. If
you can't pin down a specific tarball when doing a download (i.e. it can
change under your feet from one day to the next), then it's an issue.
Lots of people would be *horrified* to download some
{c,c++,python,ruby,...} library-a.b.c.tar.gz and find anything changed
inside without the exact name having changed.
>
> If you don't trust Herbert and Austin, you probably shouldn't bother
> trying to use Haskell anyway.
>
lol? Do you mean that I should switch languages if security is remotely
important to me?
As much as Herbert and Austin are doing awesome work in general, I
certainly do not blindly trust them.
--
Vincent
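The pinning check this message argues for, written out as an added example (it is not code from this thread, nor from cabal or Hackage): the SHA-256 of a tarball is recorded the first time it is fetched, any later download under the same name whose bytes differ is rejected, and the extracted members of the rejected tarball are diffed against the pinned one so the manual inspection step can tell a .cabal-only edit from a source change. The package name, file contents and timestamps are constructed sample data, and SHA-256 is an assumption; the page does not say which hash or signature scheme the thread has in mind.

```python
"""Pinned-hash check for package tarballs, plus a member-level diff for triage.

Added example, not code from the mailing-list thread or from cabal/Hackage.
All tarballs are built in memory from hypothetical sample data.
"""
import gzip
import hashlib
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_tarball(files: dict, mtime: int = 0) -> bytes:
    """Build a deterministic .tar.gz from {path: bytes}. Sample data only:
    the gzip header mtime and every member mtime are fixed so the bytes
    depend only on (contents, mtime)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path, content in sorted(files.items()):
                info = tarfile.TarInfo(path)
                info.size = len(content)
                info.mtime = mtime
                tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def pin(lock: dict, name: str, data: bytes) -> str:
    """Record the hash of a tarball as first seen (trust on first fetch)."""
    lock[name] = sha256_hex(data)
    return lock[name]


def verify(lock: dict, name: str, data: bytes) -> tuple:
    """Return (ok, reason). A tarball whose bytes differ from the pin is
    rejected even though its name, and therefore its version, is unchanged."""
    expected = lock.get(name)
    if expected is None:
        return False, f"{name}: no pinned hash"
    actual = sha256_hex(data)
    if actual != expected:
        return False, f"{name}: expected {expected[:12]}..., got {actual[:12]}..."
    return True, f"{name}: ok"


def member_diff(old: bytes, new: bytes) -> dict:
    """Compare extracted file contents of two tarballs and report which
    members were added, removed or changed. This is the 'inspect what the
    change is' step after a pin failure."""
    def members(data):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            return {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    a, b = members(old), members(new)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def scenario() -> dict:
    """Three downloads of the same name: the pinned bytes, a re-upload that
    edits only the .cabal file, and a regenerated tarball with identical
    file contents but new timestamps. Hypothetical package and contents."""
    name = "example-pkg-1.0.0.tar.gz"
    cabal = "example-pkg-1.0.0/example-pkg.cabal"
    src = {
        cabal: b"name: example-pkg\nversion: 1.0.0\nbuild-depends: base < 4.8\n",
        "example-pkg-1.0.0/Lib.hs": b"module Lib where\nanswer = 42\n",
    }
    original = build_tarball(src, mtime=1_400_000_000)
    lock = {}
    pin(lock, name, original)

    same_ok, _ = verify(lock, name, original)          # same bytes: passes

    revised = dict(src)                                 # .cabal bound loosened
    revised[cabal] = src[cabal].replace(b"< 4.8", b"< 4.9")
    reupload = build_tarball(revised, mtime=1_400_000_000)
    reupload_ok, _ = verify(lock, name, reupload)       # fails: bytes differ

    regenerated = build_tarball(src, mtime=1_421_000_000)
    regen_ok, _ = verify(lock, name, regenerated)       # fails: only mtimes differ

    return {
        "same_ok": same_ok,
        "reupload_ok": reupload_ok,
        "reupload_diff": member_diff(original, reupload),
        "regen_ok": regen_ok,
        "regen_diff": member_diff(original, regenerated),
    }
```

The byte-level pin is deliberately strict: the regenerated tarball fails even though every extracted file is identical, and `member_diff` reporting no changed members is exactly the signal that lets a maintainer re-pin without a code review, while a changed `.cabal` or source member is what needs reading before the build is allowed to continue.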