
19 Jan 2015, 4:23 a.m.
On 19/01/15 01:05, Vincent Hanquez wrote:
> This is not harmless. This is a security issue by itself, as now packages get changes transparently given a URL, you might have a different package one day, which triggers hash check failure, or signed tag verification failure.
Correct me if I'm wrong, but editing version bounds on Hackage doesn't actually affect the tarball (and its checksum). The modified cabal file is downloaded separately as part of the index.

Not saying it doesn't introduce its own problems, but the hash check should continue to pass.

Roman
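The distinction discussed in this exchange, as an added example that is not part of the original messages: a pinned tarball hash keeps passing after a metadata revision, so spotting the revision needs a separate comparison of the `.cabal` file shipped in the tarball against the one served by the index. The package name, file contents and the simplified uncompressed archives are constructed for illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample metadata (assumption: not taken from any real package).
ORIGINAL_CABAL = b"name: demo\nversion: 0.1\nbuild-depends: base >=4 && <5\n"
REVISED_CABAL = (b"name: demo\nversion: 0.1\nx-revision: 1\n"
                 b"build-depends: base >=4 && <4.8\n")


def make_tar(members):
    """Build a deterministic in-memory tar archive from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in members.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_member(archive, path):
    """Return the bytes of one file inside a tar archive."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        return tar.extractfile(path).read()


def check(sdist, index, pinned_sha256, pkg="demo", ver="0.1"):
    """Return (hash_ok, metadata_revised) for one package version.

    hash_ok: the source tarball still matches the pinned SHA-256.
    metadata_revised: the index serves a different .cabal file than the
    one inside the tarball, which the tarball hash does not cover.
    """
    hash_ok = hashlib.sha256(sdist).hexdigest() == pinned_sha256
    shipped = read_member(sdist, f"{pkg}-{ver}/{pkg}.cabal")
    indexed = read_member(index, f"{pkg}/{ver}/{pkg}.cabal")
    return hash_ok, shipped != indexed


def demo():
    """Run the check before and after a constructed metadata revision."""
    sdist = make_tar({"demo-0.1/demo.cabal": ORIGINAL_CABAL})
    pinned = hashlib.sha256(sdist).hexdigest()
    before = make_tar({"demo/0.1/demo.cabal": ORIGINAL_CABAL})
    after = make_tar({"demo/0.1/demo.cabal": REVISED_CABAL})
    return check(sdist, before, pinned), check(sdist, after, pinned)


if __name__ == "__main__":
    print(demo())
```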