Stack includes support for getting package indices (the collection of packages and their cabal files) from both an HTTP-downloaded tarball and a Git repository. Up until the most recent release of Stack, the default package index used the all-cabal-hashes repo[1]. As I detailed in a recent blog post[2], the default package index has just switched to the Hackage Security-based tarball provided over HTTP.
My question—which I hinted at in the blog post—is whether we should continue supporting Git-based indices. Upside: cool feature. Downside: extra code that needs to be maintained. Given that this is security-sensitive code, the downside is heavier than usual. I've opened up a PR[3] to remove the support. If you have thoughts on whether it should go through or not, please click the thumbs up or thumbs down buttons on the issue.

[1] https://github.com/commercialhaskell/all-cabal-hashes
[2] http://www.snoyman.com/blog/2017/02/hackage-security-stack
[3] https://github.com/commercialhaskell/stack/pull/3077