[Nix-dev] Should we update Haskell packages in release-15.09?

James Cook james.cook at utoronto.ca
Tue Nov 10 20:00:11 CET 2015


> The problem I see is that the normal approach of "update packages only
> if it's relevant for security" is really hard to pull off in practice,
> because Haskell package versions tend to be crazy interdependent, and
> no-one really knows the smallest possible set of updates that we should
> make. So it feels like an update-all-or-nothing situation here.

Hi Peter,

Thanks for keeping on top of this.

How often are we seeing security vulnerabilities in Haskell packages?

If it's rare enough, and we have enough time and energy, it would be
nice to resolve each case neatly (e.g. either extract just the
necessary security patch, or fix the updated package so it's no longer
incompatible with the versions we've frozen in 15.09).

But if it's not rare, or nobody has the time and energy, then I vote
for merging your pull request and keeping the Haskell packages
current.

James

