security update practice?

Hi all,

there was a security update to the underlying library to one of my bindings last night (lz4) and it got me thinking - how do we handle security updates as a community? I typically find out from IRC or Twitter now, which isn't particularly reliable. Might it be possible to mark an update on Hackage as a security update rather than feature update?

cheers
Mark

--
A UNIX signature isn't a return address, it's the ASCII equivalent of a black velvet clown painting. It's a rectangle of carets surrounding a quote from a literary giant of weeniedom like Heinlein or Dr. Who.
-- Chris Maeda

You can actually mark specific package releases deprecated on Hackage, which prevents cabal from picking it as part of a build plan. This of course doesn't handle the dissemination issue.

On Tuesday, July 8, 2014, Mark Wotton wrote:
> Might it be possible to mark an update on Hackage as a security update rather than feature update?

On Wed, Jul 9, 2014 at 5:23 AM, Carter Schonwald wrote:
> You can actually mark specific package releases deprecated on Hackage, which prevents cabal from picking it as part of a build plan. This of course doesn't handle the dissemination issue.

A deprecated version is not a hard constraint. In particular Cabal seems to prefer installed versions over deprecations, so in a lot of cases the deprecated versions will still be picked.
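As an added illustration of the point Adam makes above (example code written for this page, not Cabal's solver, and the package versions below are invented rather than lz4's real release history): a Hackage deprecation acts as a soft preference, so a version that is already installed can still end up in the plan, whereas a hard lower bound removes the vulnerable versions from consideration entirely and fails the plan if nothing else satisfies it.

```python
"""
Toy model of "deprecated version" (soft preference) versus a hard version
constraint when a resolver picks a single package version.

Added example for this thread; it is NOT Cabal's solver. The candidate
versions, the deprecated set and the "installed" version are constructed
sample data with invented version numbers.
"""
from typing import Iterable, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample data: pretend the security fix shipped in 0.2.2 and the
# two older releases were then marked deprecated on Hackage.
CANDIDATES = ["0.2.0", "0.2.1", "0.2.2"]
DEPRECATED = ["0.2.0", "0.2.1"]
FIXED_IN = "0.2.2"


def parse_version(text: str) -> Version:
    """'0.2.10' -> (0, 2, 10); tuple comparison gives numeric ordering,
    so 0.2.10 sorts after 0.2.9 (a plain string compare would not)."""
    return tuple(int(part) for part in text.split("."))


def resolve_soft(candidates: Iterable[str],
                 deprecated: Iterable[str],
                 installed: Optional[str] = None) -> Optional[str]:
    """
    Deprecation as a soft preference, modelling the behaviour the thread
    describes: an already installed version wins outright (even if it is
    deprecated); otherwise the newest non-deprecated version is chosen,
    and a deprecated one is still accepted when nothing else is available.
    """
    cands = sorted(candidates, key=parse_version, reverse=True)
    dep = set(deprecated)
    if installed is not None and installed in cands:
        return installed  # installed beats the deprecation hint
    for v in cands:
        if v not in dep:
            return v
    return cands[0] if cands else None  # only deprecated left: still picked


def resolve_hard(candidates: Iterable[str],
                 minimum: str,
                 installed: Optional[str] = None) -> Optional[str]:
    """
    Hard lower bound (what a user-supplied constraint expresses): every
    version below `minimum` is excluded from the plan, installed or not.
    Returns None when no acceptable version exists, i.e. the plan fails
    instead of silently keeping the vulnerable release.
    """
    floor = parse_version(minimum)
    ok = [v for v in candidates if parse_version(v) >= floor]
    if installed is not None and installed in ok:
        return installed
    return max(ok, key=parse_version, default=None)


if __name__ == "__main__":
    # Vulnerable 0.2.1 already installed: soft marking keeps it, hard bound
    # replaces it with the fixed release.
    print("soft, 0.2.1 installed:", resolve_soft(CANDIDATES, DEPRECATED, "0.2.1"))
    print("hard, 0.2.1 installed:", resolve_hard(CANDIDATES, FIXED_IN, "0.2.1"))
    # Nothing installed: both pick the fixed release.
    print("soft, fresh:", resolve_soft(CANDIDATES, DEPRECATED))
    print("hard, fresh:", resolve_hard(CANDIDATES, FIXED_IN))
    # Index without the fixed release (e.g. stale cabal update): soft still
    # hands out a deprecated version, hard refuses.
    print("soft, stale index:", resolve_soft(["0.2.0", "0.2.1"], DEPRECATED))
    print("hard, stale index:", resolve_hard(["0.2.0", "0.2.1"], FIXED_IN))
```

The hard form is what cabal's `--constraint` flag expresses on the command line (the version number you put there being whichever release carries the fix); the deprecation flag on Hackage only nudges the solver and, as the stale-index case shows, does nothing for a user who has not refreshed their package index.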

I think it's an issue since I learnt that the platform cannot be updated on its own (it needs a new GHC version)...
How can we integrate a security fix in the platform?... We can't...

On Jul 9, 2014 2:47 AM, "Mark Wotton" wrote:
> Might it be possible to mark an update on Hackage as a security update rather than feature update?

Adding a security fix in general is going to be tough since you'd have to rebuild all of the packages that the user has that depend on that package, or else it would be instant cabal hell (which is basically why platform releases work best with different compiler versions). One alternative would be for the platform to add some artificial stuff to the GHC version so that its package db doesn't clash with anything else…

On Wednesday, July 9, 2014, Alois Cochard wrote:
> I think it's an issue since I learnt that the platform cannot be updated on its own (it needs a new GHC version)...
> How can we integrate a security fix in the platform?... We can't...
participants (5)
- Adam Bergmark
- Alois Cochard
- Bob Ippolito
- Carter Schonwald
- Mark Wotton