Hi James,
> How often are we seeing security vulnerabilities in Haskell packages?
It's hard to say. I am not aware of anyone tracking vulnerabilities
specifically for Haskell packages. I know that the 'tls' family of
packages has had security-relevant updates in the past, but I don't know
how
On 11/10/2015 04:41 PM, Peter Simons wrote:
> The problem I see is that the normal approach of "update packages only
> if it's relevant for security" is really hard to pull off in practice,
I believe it's announced somewhere that it's fine to (optionally) push
bugfix/maintenance-only updates as
Hi folks,
I've prepared an update of the Haskell package set for the release-15.09
branch [1], but I'm unsure whether to merge it or not. What is our
policy with regard to this matter? Do we update Haskell packages in
release branches or don't we?
The problem I see is that the normal approach of
> The problem I see is that the normal approach of "update packages only
> if it's relevant for security" is really hard to pull off in practice,
> because Haskell package versions tend to be crazy interdependent, and
> no-one really knows the smallest possible set of updates that we should
>