> The problem I see is that the normal approach of "update packages only
> if it's relevant for security" is really hard to pull off in practice,
> because Haskell package versions tend to be crazy interdependent, and
> no-one really knows the smallest possible set of updates that we should
> make. So it feels like an update-all-or-nothing situation here.

Hi Peter,

Thanks for keeping on top of this.

How often are we seeing security vulnerabilities in Haskell packages? If it's rare enough, and we have enough time and energy, it would be nice to resolve each case neatly (e.g. either extract just the necessary security patch, or fix the updated package so it's no longer incompatible with the versions we've frozen in 15.09).

But if it's not rare, or nobody has the time and energy, then I vote for merging your pull request and keeping the Haskell packages current.

James
_______________________________________________
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev
