security update practice?


security update practice?

Mark Wotton
Hi all,

there was a security update to the underlying library to one of my
bindings last night (lz4) and it got me thinking - how do we handle
security updates as a community? I typically find out from IRC or
twitter now, which isn't particularly reliable. Might it be possible
to mark an update on Hackage as a security update rather than feature
update?

cheers
Mark

--
A UNIX signature isn't a return address, it's the ASCII equivalent of a
black velvet clown painting. It's a rectangle of carets surrounding a
quote from a literary giant of weeniedom like Heinlein or Dr. Who.
        -- Chris Maeda
_______________________________________________
Haskell-Cafe mailing list
[hidden email]
http://www.haskell.org/mailman/listinfo/haskell-cafe

Re: security update practice?

Carter Schonwald
You can actually mark specific package releases deprecated on Hackage, which prevents cabal from picking them as part of a build plan. This of course doesn't handle the dissemination issue.

On Tuesday, July 8, 2014, Mark Wotton <[hidden email]> wrote:

Re: security update practice?

Aloïs Cochard
In reply to this post by Mark Wotton

I think it's an issue since I learnt that the platform cannot be updated on its own (it needs a new GHC version)...

How can we integrate security fixes in the platform?... We can't...

On Jul 9, 2014 2:47 AM, "Mark Wotton" <[hidden email]> wrote:

Re: security update practice?

Bob Ippolito
Adding a security fix in general is going to be tough since you'd have to rebuild all of the packages that the user has that depend on that package or else it would be instant cabal hell (which is basically why platform releases work best with different compiler versions). One alternative would be for the platform to add some artificial stuff to the GHC version so that its package db doesn't clash with anything else…

On Wednesday, July 9, 2014, Alois Cochard <[hidden email]> wrote:

Re: security update practice?

Adam Bergmark-2
In reply to this post by Carter Schonwald
On Wed, Jul 9, 2014 at 5:23 AM, Carter Schonwald <[hidden email]> wrote:
You can actually mark specific package releases deprecated on Hackage, which prevents cabal from picking them as part of a build plan. This of course doesn't handle the dissemination issue.

A deprecated version is not a hard constraint. In particular Cabal seems to prefer installed versions over deprecations, so in a lot of cases the deprecated versions will still be picked.
