Re: Abstract FilePath Proposal

5 Jul 2015

      On 07/05/2015 08:40 PM, Brandon Allbery wrote:
...
On Sun, Jul 5, 2015 at 2:25 PM, Bardur Arantsson 
wrote:
...
How often have security issues with GHC (or the base libraries) itself
been a problem? (In practice, I mean.)
Not that often, but consider one real example: aeson was found to have a
DDoS bug which was fixed by making it depend on a package which IIRC needed
a newer base, so the fix couldn't be backported to versions of aeson
compatible with older base. The necessary fix for those would have been
substantially more complicated.
(There are other examples, but the primary one that actually involves
something shipped with ghc is never going to be fixed until it destroys
someone's system, and I bet even then we'll get another load of HOMG MUST
NEVER CHANGE API ONLY DOCUMENT AS BAD from the maintainer. I'm still
waiting for one of the Linux distributions to notice and CVE it.)
Oh, yeah, that's a valid point... but is this something that should
drive design?

Further, I don't think the aeson DDoS problem was predicated on an
old/obsolete "base" library? Maybe I'm wrong about that, and I'm sure
y'all will be happy to point out where and why. :)

Regards,