
On Sun, Jul 5, 2015 at 2:25 PM, Bardur Arantsson
How often have security issues with GHC (or the base libraries) itself been a problem? (In practice, I mean.)
Not that often, but consider one real example: aeson was found to have a DDoS bug which was fixed by making it depend on a package which IIRC needed a newer base, so the fix couldn't be backported to versions of aeson compatible with older base. The necessary fix for those would have been substantially more complicated. (There are other examples, but the primary one that actually involves something shipped with ghc is never going to be fixed until it destroys someone's system, and I bet even then we'll get another load of HOMG MUST NEVER CHANGE API ONLY DOCUMENT AS BAD from the maintainer. I'm still waiting for one of the Linux distributions to notice and CVE it.)

-- 
brandon s allbery kf8nh
sine nomine associates
allbery.b@gmail.com ballbery@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad
http://sinenomine.net