From 5419b35c79d5e237169bb89c83b9d239b5aaed02 Mon Sep 17 00:00:00 2001 From: gueux Date: Thu, 10 Sep 2015 09:30:57 +0000 Subject: Added a comment --- .../comment_3_0b24a74ca08b24b6b6d14860b8ab903a._comment | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 doc/forum/Why_downloading_package_list_from_hackage.haskell.org__63__/comment_3_0b24a74ca08b24b6b6d14860b8ab903a._comment (limited to 'doc/forum/Why_downloading_package_list_from_hackage.haskell.org__63__/comment_3_0b24a74ca08b24b6b6d14860b8ab903a._comment') diff --git a/doc/forum/Why_downloading_package_list_from_hackage.haskell.org__63__/comment_3_0b24a74ca08b24b6b6d14860b8ab903a._comment b/doc/forum/Why_downloading_package_list_from_hackage.haskell.org__63__/comment_3_0b24a74ca08b24b6b6d14860b8ab903a._comment new file mode 100644 index 00000000..229ff1e0 --- /dev/null +++ b/doc/forum/Why_downloading_package_list_from_hackage.haskell.org__63__/comment_3_0b24a74ca08b24b6b6d14860b8ab903a._comment 
@@ -0,0 +1,11 @@ +[[!comment format=mdwn + username="gueux" + subject="comment 3" + date="2015-09-10T09:30:57Z" + content=""" +The host has 128Mo of RAM :-). All dependencies should be available to apt-get, though... as it runs debian jessie. I used propellor on several other hosts running jessie also, and (it seems that) they didn't download the package list. + +Downloading anything from hackage is problematic because cabal uses insecure http (potential MITM), and a new version of a dependency may introduce security holes. + +As side note, stack may be an alternative to cabal in the case where apt can't find all the dependencies: it downloads everything securely, and stackage allows to deal with dependencies issues: the build may probably fail if new incompatible versions of propellor dependencies are released to hackage. Or maybe using strict versioning would be a solution there. Or maybe building propellor (at least for host with the same architecture) before sending it to the host? +"""]] -- cgit v1.2.3
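Review bot: In the last paragraph of the added content block, the clause after the colon ("the build may probably fail if new incompatible versions of propellor dependencies are released to hackage") reads as if it described stackage, although it appears to state the cabal-side problem that stackage is offered to solve. Moving it into its own sentence ahead of the stack suggestion would fix that. The same paragraph also strings together three separate proposals (stack with stackage, strict versioning, building propellor before sending it to the host), which would be easier to answer individually as a short list. As a minor style point, "128Mo" in the first paragraph would be clearer as "128 MB".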