
On 18/01/2015 15:51, David Feuer wrote:
It would be best to be sure to make the maintainer (if there is one) aware of such changes. That said, not every package has a responsive maintainer, and *someone* has to do this work, and do it promptly. A signed hash failure does not introduce a security hole, unless you count a sort of semi-manual, avoidable denial of service.
Not sure how you got "security hole" from what I said, but a failing hash or signature means that the build system breaks while cabal installs stuff and that I have to manually inspect what the change is. If you can't pin down a specific tarball when doing a download (i.e. it can change under your feet from one day to the next), then it's an issue. Lots of people would be *horrified* to download some {c,c++,python,ruby,...} library-a.b.c.tar.gz and find anything changed inside without the exact name changing for it.
If you don't trust Herbert and Austin, you probably shouldn't bother trying to use Haskell anyway.
lol? Do you mean that I should switch language if security is remotely important to me? As much as Herbert and Austin are doing awesome work in general, I certainly do not blindly trust them. -- Vincent