Hackage is flooded with old package versions reuploads

Vincent Hanquez tab at snarc.org
Mon Jan 19 05:31:16 UTC 2015


On 18/01/2015 20:23, Roman Cheplyaka wrote:
> On 19/01/15 01:05, Vincent Hanquez wrote:
>> This is not harmless. This is a security issue by itself, as now
>> packages get changed transparently given a url, you might have a
>> different package one day, which triggers hash check failure, or signed
>> tag verification failure.
> Correct me if I'm wrong, but editing version bounds on hackage doesn't
> actually affect the tarball (and its checksum). The modified cabal file
> is downloaded separately as part of the index.
yes, that's right. I meant to say that what you're downloading through cabal get is tweaked by cabal, but the end result is pretty much the same
> Not saying it doesn't introduce its own problems, but the hash check
> should continue to pass.
of the tarball yes, not of your compilation tree, and maybe not the 
resulting binary.

-- 
Vincent

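The situation the thread describes, as an added example that is not part of the original message: the tarball still matches its pinned hash, while the .cabal file the build actually consumes comes from the index revision and no longer matches the one shipped inside the tarball. The package name, both .cabal contents and the tarball are constructed samples (uncompressed tar, for determinism).

```python
import hashlib
import io
import tarfile

CABAL_MEMBER = "foo-1.0/foo.cabal"  # constructed package path inside the tarball

# Constructed sample: the .cabal file as shipped inside the uploaded tarball.
ORIGINAL_CABAL = b"name: foo\nversion: 1.0\nbuild-depends: base < 4.8\n"
# Constructed sample: the same .cabal file as served by the index after a
# metadata revision (bounds relaxed, tarball left untouched).
REVISED_CABAL = b"name: foo\nversion: 1.0\nbuild-depends: base < 4.9\nx-revision: 1\n"


def build_tarball(cabal_bytes: bytes) -> bytes:
    """Return an uncompressed tarball containing only CABAL_MEMBER."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(CABAL_MEMBER)
        info.size = len(cabal_bytes)
        info.mtime = 0  # fixed mtime so the tarball bytes are reproducible
        tar.addfile(info, io.BytesIO(cabal_bytes))
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def cabal_from_tarball(tarball: bytes) -> bytes:
    """Extract the .cabal file bytes that were actually uploaded."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r") as tar:
        return tar.extractfile(CABAL_MEMBER).read()


def audit(tarball: bytes, pinned_sha256: str, index_cabal: bytes) -> dict:
    """Check the tarball against its pinned hash and report whether the index
    copy of the .cabal file (what cabal builds with) diverges from the shipped one."""
    shipped = cabal_from_tarball(tarball)
    return {
        "tarball_hash_ok": sha256(tarball) == pinned_sha256,
        "cabal_revised": shipped != index_cabal,
        "shipped_cabal_sha256": sha256(shipped),
        "index_cabal_sha256": sha256(index_cabal),
    }


if __name__ == "__main__":
    tb = build_tarball(ORIGINAL_CABAL)
    print(audit(tb, sha256(tb), REVISED_CABAL))
```

With the revised index copy, `tarball_hash_ok` stays True while `cabal_revised` becomes True, which is exactly why a tarball checksum alone does not pin the build inputs.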
