Hi James,

> How often are we seeing security vulnerabilities in Haskell packages?

it's hard to say. I am not aware of anyone tracking vulnerabilities specifically for Haskell packages. I know that the 'tls' family of packages has had security relevant updates in the past, but I don't know how often these things happen.

> If it's rare enough, and we have enough time and energy, it would be
> nice to resolve each case neatly (e.g. either extract just the
> necessary security patch, or fix the updated package so it's no longer
> incompatible with the versions we've frozen in 15.09).

I agree that this would be the best solution. Personally, however, I cannot do this.

> But if it's not rare, or nobody has the time and energy, then I vote
> for merging your pull request and keeping the Haskell packages
> current.

OK, that is what I've done for the time being. :-)

Thanks for the feedback.

Best regards,
Peter

_______________________________________________
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev
