Hi Johan, On Tue, Oct 8, 2013 at 9:54 AM, Johan Tibell wrote:

I would like for there to be a both a command line flag and a ~/.cabal/config setting (there isn't one already, is there?)

Please let me know if this is the case! I have combed through the docs and not found anything yet.

Some people have previously expressed a desire for it on security grounds.

That's our motivation as well.

P.S. We intend to have cabal build imply `cabal install --only-dependencies` when working in a sandbox in the future.

Would this cause `cabal build` to fetch dependencies if some are missing locally? We'd want to see a similar way to disable that behavior for security-sensitive environments as well. Reproducibility and isolation are our primary concerns for certain projects. Thanks! Adam

On Tue, Oct 8, 2013 at 9:46 AM, Adam Foltzer wrote:

...

Hello,

With the wonderful advent of sandboxes in mainline cabal, I'd like to see what folks think of a flag to disable remote fetching of dependencies. The idea is that one could `cabal sandbox add-source` a set of trusted dependencies, and then be assured that a subsequent `cabal install --no-remote-fetching` would *only* resolve dependencies in that trusted set.

I'd be willing to explore implementing this myself, if it would be appropriate for a first-time cabal hacker. I'm also quite interested to hear whether this would be a useful feature for others, or other ways you might propose to address the problem.

I also understand that I can get this behavior by modifying the ~/.cabal/config, but this is a kludgey approach that is not workable in all deployment environments.

Thanks! Adam

_______________________________________________ cabal-devel mailing list cabal-devel@haskell.org http://www.haskell.org/mailman/listinfo/cabal-devel

On Tue, Oct 8, 2013 at 10:40 AM, Adam Foltzer wrote:

Would this cause `cabal build` to fetch dependencies if some are missing locally? We'd want to see a similar way to disable that behavior for security-sensitive environments as well. Reproducibility and isolation are our primary concerns for certain projects.

Yes, without the flag enabled cabal build, when used in a sandbox, will install packages from remote-repo (e.g. Hackage).

...

On Tue, Oct 8, 2013 at 9:46 AM, Adam Foltzer wrote:

...

Hello,

With the wonderful advent of sandboxes in mainline cabal, I'd like to see what folks think of a flag to disable remote fetching of dependencies. The idea is that one could `cabal sandbox add-source` a set of trusted dependencies, and then be assured that a subsequent `cabal install --no-remote-fetching` would *only* resolve dependencies in that trusted set.

I'd be willing to explore implementing this myself, if it would be appropriate for a first-time cabal hacker. I'm also quite interested to hear whether this would be a useful feature for others, or other ways you might propose to address the problem.

I also understand that I can get this behavior by modifying the ~/.cabal/config, but this is a kludgey approach that is not workable in all deployment environments.

Thanks! Adam

_______________________________________________ cabal-devel mailing list cabal-devel@haskell.org http://www.haskell.org/mailman/listinfo/cabal-devel