Closed pbrisbin closed 1 month ago
LTS 22.23 sets the development
flag to be true
. See lines 8 and 9 of: https://github.com/commercialhaskell/stackage-snapshots/blob/master/lts/22/23.yaml. Background to that choice appears to be at:
Whoa! So it seems that if a package needs flags set to pass its tests, those flags then implicitly become set for every user that installs the package? That seems Very Bad, don't you agree?
I mean, there's the innocuous build-tests
or build-examples
kind of flags that projects use to make components non-buildable for normal installs, that they might need built in testing only. Users of those packages are just having time stolen. But I'm now imagining some SSL library that uses a skip-verification
flag for its test suite, which seems totally reasonable in isolation, but now suddenly everyone installing it from Stackage is not verifying SSL... :scream:
Now that I think about it, our library is exactly that. If we deployed this this way, someone could submit a webhook payload with a self-signed cert on a localhost domain (like we use in tests) and we'd accept it incorrectly. We don't do any processing worth exploiting, thankfully, but this is a real vector.
@pbrisbin, the questions you raise are better asked at the Stackage project's GitHub repository: https://github.com/commercialhaskell/stackage/issues. The Stack project makes use of the curated package sets but does not influence their content.
Oh of course, sorry.
Hi there- I'm struggling with a very weird behavior in one of our projects around build flags and CPP, and I really would just like a second set of eyes because I'm going a bit crazy.
We have a package, aws-sns-verify for verifying SNS messages. Part of that is validating a domain name. We use CPP to switch which domain we validate against (AWS vs localhost):
This is enabled via a build flag:
I'm finding that if my project uses
lts-22.23
, which contains aws-sns-verify-0.0.0.3, I end up getting a package that appears to be compiled as if thedevelopment
flag wereTrue
. But if Istack unpack aws-sns-verify
and include the local sources as anextra-dep
, it works as intended.I'm a bit baffled at how this can be, so I've put together a reproduction that attempts to be as isolated as possible by building in a docker context instead of my local system (which could've perhaps had some pre-compiled thing stuck with the flag on)
In order to reproduce you'll need to create the following files:
An
example.hs
that shows how the thing's been built:A
package.yaml
for it:A
stack.yaml
that brings in the dependency normally:Then run
stack unpack aws-sns-verify
and make astack-works.yaml
that uses those instead:Then a
Dockerfile
that can build things either way:And, finally, a
docker-compose.yml
for building and running those images:Then you can run the broken build (Hackage dep):
Or the one that works (unpacked sources):