[Nix-dev] Should we update Haskell packages in release-15.09?
Peter Simons
simons at cryp.to
Tue Nov 17 16:56:16 CET 2015
Hi James,
> How often are we seeing security vulnerabilities in Haskell packages?
it's hard to say. I am not aware of anyone tracking vulnerabilities
specifically for Haskell packages. I know that the 'tls' family of
packages has had security-relevant updates in the past, but I don't know
how often these things happen.
> If it's rare enough, and we have enough time and energy, it would be
> nice to resolve each case neatly (e.g. either extract just the
> necessary security patch, or fix the updated package so it's no longer
> incompatible with the versions we've frozen in 15.09).
I agree that this would be the best solution. Personally, however, I
cannot do this.
> But if it's not rare, or nobody has the time and energy, then I vote
> for merging your pull request and keeping the Haskell packages
> current.
OK, that is what I've done for the time being. :-) Thanks for the
feedback.
Best regards,
Peter