Hackage is flooded with old package versions reuploads
Roman Cheplyaka
roma at ro-che.info
Mon Jan 19 04:23:59 UTC 2015

On 19/01/15 01:05, Vincent Hanquez wrote:
> This is not harmless. This is a security issue by itself, as now
> packages get changes transparently given a url, you might have a
> different package one day, which triggers hash check failure, or signed
> tag verification failure.

Correct me if I'm wrong, but editing version bounds on Hackage doesn't
actually affect the tarball (and its checksum). The modified cabal file
is downloaded separately as part of the index.

Not saying it doesn't introduce its own problems, but the hash check
should continue to pass.

Roman
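
The distinction discussed in this message, as an added example that is not part of the original thread: a Python check that pins the sdist tarball by SHA-256 and separately compares the `.cabal` file shipped inside the tarball with the copy served in the package index. The package name `foo`, its version, and all file contents are constructed sample data; the index path layout `name/version/name.cabal` and the `x-revision` field are assumed to match what Hackage serves.

```python
import hashlib
import io
import tarfile

def make_tar(files, gz=False):
    """Build an in-memory tar archive from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz" if gz else "w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def read_member(archive, path):
    """Return the bytes of one file inside a (possibly gzipped) tar archive."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        return tar.extractfile(path).read()

def check_package(sdist, index, name, version, pinned_sha256):
    """Return (tarball_hash_ok, metadata_revised) for one package version.

    tarball_hash_ok: the downloaded sdist still matches the pinned digest.
    metadata_revised: the index serves a .cabal that differs from the one
    inside the tarball, i.e. the build plan can change although the hash passes.
    """
    hash_ok = hashlib.sha256(sdist).hexdigest() == pinned_sha256
    shipped = read_member(sdist, f"{name}-{version}/{name}.cabal")
    indexed = read_member(index, f"{name}/{version}/{name}.cabal")
    return hash_ok, shipped != indexed

# Constructed sample: package "foo" 1.0 before and after a metadata revision.
ORIGINAL = b"name: foo\nversion: 1.0\nbuild-depends: base\n"
REVISED = b"name: foo\nversion: 1.0\nx-revision: 1\nbuild-depends: base <4.8\n"

SDIST = make_tar({"foo-1.0/foo.cabal": ORIGINAL,
                  "foo-1.0/Foo.hs": b"module Foo where\n"}, gz=True)
PINNED = hashlib.sha256(SDIST).hexdigest()   # digest recorded at first download
INDEX_BEFORE = make_tar({"foo/1.0/foo.cabal": ORIGINAL})
INDEX_AFTER = make_tar({"foo/1.0/foo.cabal": REVISED})

if __name__ == "__main__":
    for label, index in (("before revision", INDEX_BEFORE),
                         ("after revision", INDEX_AFTER)):
        ok, revised = check_package(SDIST, index, "foo", "1.0", PINNED)
        print(f"{label}: tarball hash ok={ok}, metadata revised={revised}")
```

A pin on the tarball alone does not notice the revision; pinning the index `.cabal` (or its revision number) as well is what makes the change visible.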