You can actually mark specific package releases deprecated on hackage. Which prevents cabal from picking it as part of a build plan. This of course doesn't handle the dissemination issue of course. 

On Tuesday, July 8, 2014, Mark Wotton <mwotton@gmail.com> wrote:

Hi all,

there was a security update to the underlying library to one of my
bindings last night (lz4) and it got me thinking - how do we handle
security updates as a community? I typically find out from IRC or
twitter now, which isn't particularly reliable. Might it be possible
to mark an update on Hackage as a security update rather than feature
update?

cheers
Mark

--
A UNIX signature isn't a return address, it's the ASCII equivalent of a
black velvet clown painting. It's a rectangle of carets surrounding a
quote from a literary giant of weeniedom like Heinlein or Dr. Who.
        -- Chris Maeda
_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe

_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe