On Thu, Sep 05, 2013 at 12:18:15PM -0700, Johan Tibell wrote:
> On Thu, Sep 5, 2013 at 12:06 PM, Iustin Pop <iu...@k1024.org> wrote:
> > On Wed, Sep 04, 2013 at 09:14:03PM -0700, Johan Tibell wrote:
> >> ## Do the right thing automatically
> >>
> >> The focus here should be on avoiding manual steps the cabal could do
> >> for the user.
> >>
> >> * Automatically install dependencies when needed. When `cabal build`
> >> would fail due to a missing dependency, just install this dependency
> >> instead of bugging the user to do it. This will probably have to be
> >> limited to sandboxes where we can't break the user's system
> >
> > I'm not sure if here by sandbox and break you mean break the
> > cabal/package installation, or protect against malicious code.
> >
> > If it's not the latter (and even if it is, how safe are the sandboxes?),
> > I would argue that until cabal can verify authenticity of downloaded
> > archives, it would be better to not do this automatically. Maybe add a
> > new command, cabal fetch-deps or something like that, that can do it,
> > but leave 'cabal build' as a "safe" command.
>
> By break I mean break the package DB by forcefully re-installing a
> package. In a sandbox this is safe, as we have a single install plan
> for the whole sandbox and it's always safe to reinstall everything if
> need be.

Ack.

> As for security I don't think this is much less secure than telling
> the user to type 'cabal install' manually. We better focus our
> security efforts on making sure we speak HTTPS to Hackage, validate
> uploads there, etc. For the extra security conscious we can add a
> `no-automatic-downloads` setting to ~/.cabal/config.

I (personally) would still think no-automatic-downloads should be the
default, but if it's properly announced in the release notes and if it
can be disabled, then sounds good.

thanks,
iustin