
On 18/01/2015 20:23, Roman Cheplyaka wrote:
> On 19/01/15 01:05, Vincent Hanquez wrote:
>> This is not harmless. This is a security issue by itself, as now packages
>> get changed transparently given a URL: you might have a different package
>> one day, which triggers a hash check failure, or a signed tag verification
>> failure.
>
> Correct me if I'm wrong, but editing version bounds on Hackage doesn't
> actually affect the tarball (and its checksum). The modified cabal file is
> downloaded separately as part of the index.

Yes, that's right. I meant to say that what you're downloading through cabal
gets tweaked by cabal, but the end result is pretty much the same.

> Not saying it doesn't introduce its own problems, but the hash check should
> continue to pass.

Of the tarball, yes; not of your compilation tree, and maybe not the resulting
binary.

-- 
Vincent
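An added illustration of the point made in the exchange above (this is example code, not from the thread or from cabal): a pinned digest over the tarball alone still matches after a .cabal revision served through the index, while a digest over the inputs that actually feed the build does not. The tarball bytes and .cabal contents are constructed stand-ins, not real Hackage data.

```python
"""Tarball-only integrity check vs. a check over the effective build inputs.
Constructed example: shows why a Hackage .cabal revision passes the first
check but changes what gets compiled."""
import hashlib

# Constructed stand-ins for a package tarball and its .cabal file (not real Hackage data).
TARBALL = b"PK-constructed-tarball-bytes-for-foo-1.0"
CABAL_ORIGINAL = b"name: foo\nversion: 1.0\nbuild-depends: base >=4.7 && <4.8, text >=1.1\n"
# A revision edits only the version bounds; the tarball on the server is untouched.
CABAL_REVISED = b"name: foo\nversion: 1.0\nbuild-depends: base >=4.7 && <4.9, text >=1.1 && <1.3\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tarball_check_passes(tarball: bytes, pinned: str) -> bool:
    """The check discussed in the thread: tarball bytes against a pinned digest."""
    return sha256_hex(tarball) == pinned


def build_input_digest(tarball: bytes, cabal_file: bytes) -> str:
    """Digest over everything that feeds the build: the tarball plus the .cabal
    file the tool will actually use (the index copy, possibly a revision).
    Each part is length-prefixed so the two fields cannot be confused."""
    h = hashlib.sha256()
    for part in (tarball, cabal_file):
        h.update(len(part).to_bytes(8, "big"))
        h.update(part)
    return h.hexdigest()


def verify(pinned_tarball: str, pinned_inputs: str,
           tarball: bytes, cabal_file: bytes) -> dict:
    """Run both checks against what is about to be built."""
    return {
        "tarball_ok": tarball_check_passes(tarball, pinned_tarball),
        "inputs_ok": build_input_digest(tarball, cabal_file) == pinned_inputs,
    }


if __name__ == "__main__":
    pin_t = sha256_hex(TARBALL)
    pin_i = build_input_digest(TARBALL, CABAL_ORIGINAL)
    print(verify(pin_t, pin_i, TARBALL, CABAL_ORIGINAL))  # both True
    print(verify(pin_t, pin_i, TARBALL, CABAL_REVISED))   # tarball_ok True, inputs_ok False
```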