haskell / hackage-security

Hackage security framework based on TUF (The Update Framework)
http://hackage.haskell.org/package/hackage-security

Is `hackage-security-0.6.2` a PVP violation? #285

Closed andreasabel closed 2 years ago

andreasabel commented 2 years ago

I got a build error in hackage-server which had no explicit dep on Cabal-syntax, but had Cabal ^>= 3.6.3.0 and hackage-security ^>= 0.6:

```
Couldn't match type ‘PackageIdentifier’
                     with ‘Cabal-syntax-3.8.1.0:Distribution.Types.PackageId.PackageIdentifier’
      Expected: Cabal-syntax-3.8.1.0:Distribution.Types.PackageId.PackageIdentifier
        Actual: PackageId
      NB: ‘Cabal-syntax-3.8.1.0:Distribution.Types.PackageId.PackageIdentifier’
            is defined in ‘Distribution.Types.PackageId’
                in package ‘Cabal-syntax-3.8.1.0’
          ‘PackageIdentifier’
            is defined in ‘Distribution.Types.PackageId’
                in package ‘Cabal-3.6.3.0’
```

This shouldn't happen, I suppose? So, is hackage-security-0.6.2 a PVP violation, and should it be released as 0.7 instead?

See:

Mikolaj commented 2 years ago

I think this is just https://github.com/haskell/cabal/issues/8370, which is potentially the biggest regression in cabal 3.8.1.0; a ticking bomb. Relaxing bounds in 0.6.2 just made cabal 3.8.1.0 available, which exposed this cabal 3.8.1.0 bug.

andreasabel commented 2 years ago

Bumping hackage-security to 0.7 wouldn't fix the problem, I suppose.