Git-based package index support

[Michael Snoyman]

Stack includes support for getting package indices (the collection of packages and their cabal files) from both an HTTP-downloaded tarball and a Git repository. Up until the most recent release of Stack, the default package index used the all-cabal-hashes repo[1]. As I detailed in a recent blog post[2], the default package index has just switched to the Hackage Security-based tarball provided over HTTP.

My question—which I hinted at in the blog post—is whether we should continue supporting Git-based indices. Upside: cool feature. Downside: extra code that needs to be maintained. Given that this is security-sensitive code, the downside is heavier than usual.

I've opened up a PR[3] to remove the support, if you have thoughts on whether it should go through or not, please click the thumbs up or thumbs down buttons on the issue.

[1] https://github.com/commercialhaskell/all-cabal-hashes

[2] http://www.snoyman.com/blog/2017/02/hackage-security-stack

[3] https://github.com/commercialhaskell/stack/pull/3077

[Adam Bergmark]

Kill it, you have more worthwhile things to do!

/Adam

--
You received this message because you are subscribed to the Google Groups "haskell-stack" group.
To unsubscribe from this group and stop receiving emails from it, send an email to haskell-stac...@googlegroups.com.
To post to this group, send email to haskel...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/haskell-stack/CAKA2Jg%2BptF9nB7D0LaUitxtJRmxTSe1frRmcz%3D_yrS_-fAS-fg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.