Include patched hackage-security for #3073 #3865
Conversation
|
Looks like it got merged after all. Do we wait for a new release from upstream or use the patched version anyway? |
|
I've asked @hvr for clarification on the release timing of hackage-security in haskell/hackage-security#202 (comment). I'd say that, if the release isn't scheduled to happen this week, we move ahead with this PR, and then update to use the Hackage version when available. (Meanwhile, I'll update this PR to use the master branch of haskell/hackage-security instead.) |
snoyberg
force-pushed
the
3073-fix-hackage-security
branch
from
6fce83e to
37ca416
Compare
NOTE: This is included via an extra-dep, which would constitute the first time Stack would include a patched version of an upstream library. This is due to the fact that haskell/hackage-security#203 is likely not going to be merged, despite fixing issues affecting Stack. This leaves us with (AFAICT) 4 choices at the Stack level: 1. Continue using the officially released upstream version of hackage-security, bugs and all 2. Fork hackage-security on Hackage, and depend on the fork 3. Inline the code from hackage-security into Stack itself, and drop the explicit dependency on hackage-security 4. Include hackage-security via an `extra-dep` pointing at a Git commit. Our official builds will use the patched version of hackage-security, and anyone building from Hackage will end up with the unpatched version This PR represents approach (4). If and when the PR is merged and released to Hackage, this becomes a non-issue. But generally speaking, we should have a policy in Stack for handling these kinds of upstream issues cases.
snoyberg
force-pushed
the
3073-fix-hackage-security
branch
from
f1ab593 to
e961238
Compare
|
I've pushed a commit to rebase against the latest stable branch and include further upstream changes on hackage-security (for better or worse, we should match upstream as closely as possible). Since we're probably not getting an answer any time soon, let's merge this as soon as CI goes green. |
NOTE: This is included via an extra-dep, which would constitute the
first time Stack would include a patched version of an upstream library.
This is due to the fact that
haskell/hackage-security#203 is likely not going
to be merged, despite fixing issues affecting Stack. This leaves us with
(AFAICT) 4 choices at the Stack level:
hackage-security, bugs and all
explicit dependency on hackage-security
extra-deppointing at a Git commit.Our official builds will use the patched version of hackage-security,
and anyone building from Hackage will end up with the unpatched version
This PR represents approach (4). If and when the PR is merged and
released to Hackage, this becomes a non-issue. But generally speaking,
we should have a policy in Stack for handling these kinds of upstream
issues cases.
Note: Documentation fixes for https://docs.haskellstack.org/en/stable/ should target the "stable" branch, not master.
Please include the following checklist in your PR:
Please also shortly describe how you tested your change. Bonus points for added tests!