Claus Reinke wrote:
The basic problem here is that the version number of the network package has not been bumped. .. .. Of course that's not true here because the package has changed without the version being bumped. .. Indeed the only reason it's trying to rebuild it at all is because the installed version has different deps from the available version, again due to the fact that it changed without changing version number.
So the solution is for the updated network package to have its version bumped and for it to be released.
For ghc at least, couldn't cabal grep the hashes from the output of
find dist/ -name '*.hi' | xargs ghc --show-iface
and associate the collection of hashes for the exposed-modules and cross-package imports with the version number, keeping a history of these associations?
cabal tag-current would try to add the current version number with the current hashes, complaining if the number already exists with different hashes
cabal sdist (and other distribution channels) would check that the current version number is in the history with the current hashes, and complain otherwise
Distributing packages without version number checks could result in in "unverified" packages, so users would know that the dependencies and version number haven't been checked (successful checks could create a package signature based on .cabal+.history, or on the whole package contents). Or are Ghc's new hashes non-portable/too specific?
GHC's hashes aren't suitable for this (yet). We do not hash the API, but rather the ABI, and the ABI is often not stable - re-compiling can give you a different ABI, as internal names change and things move around in unpredictable ways. However I do think we should have a way to get a dump of the API. We've talked in the past about having some kind of API tool that would compare APIs and show you the differences (built on the GHC API of course). This would make a nice little project for someone... Cheers, Simon