haskell / ghcup-hs

https://www.haskell.org/ghcup/
GNU Lesser General Public License v3.0

Audit dependencies #1092

Open hasufell opened 4 months ago

hasufell commented 4 months ago

https://github.com/haskell-CI/haskell-ci/issues/655 has sparked my motivation to remove all packages from the respective maintainer from the GHCup deptree.

So let's analyze first and get an overview.

Related: https://github.com/haskell/ghcup-hs/issues/1089

@jasagredo

hasufell commented 3 months ago

Affected dependencies (and their maintainers):


I think the following dependencies could be swapped out:

The following dependencies will have to be forked or inlined:

Unsure about the following dependencies:

Kleidukos commented 3 months ago

I wouldn't fret too much about optics, its maintenance is quite trustworthy.

cryptohash-sha256 is not easily replaceable because it's a pure Haskell implementation. If you need trustworthy maintenance, sel is guaranteed to have responsible and responsive maintainers.

hasufell commented 3 months ago

> cryptohash-sha256 is not easily replaceable because it's a pure Haskell implementation

I found two:

They both seem to be Haskell.

Kleidukos commented 3 months ago

SHA's last commit was 6 years ago, hashing's last commit was from 2 years ago. None of them have CI.

hasufell commented 3 months ago

> SHA's last commit was 6 years ago, hashing's last commit was from 2 years ago. None of them have CI.

SHA was developed by Galois. I don't know how much maintenance a SHA256 algorithm really needs.