name: hackage-security
version: 0.2.0.0
synopsis: Hackage security library
description: The hackage security library provides both server and
client utilities for securing the Hackage package server
(). It is based on The Update
Framework (), a set of
recommendations developed by security researchers at
various universities in the US as well as developers on the
Tor project ().
.
The current implementation supports only index signing,
thereby enabling untrusted mirrors. It does not yet provide
facilities for author package signing.
.
The library has two main entry points:
"Hackage.Security.Client" is the main entry point for
clients (the typical example being @cabal@), and
"Hackage.Security.Server" is the main entry point for
servers (the typical example being @hackage-server@).
.
This is a beta release.
license: BSD3
license-file: LICENSE
author: Edsko de Vries
maintainer: edsko@well-typed.com
copyright: Copyright 2015 Well-Typed LLP
category: Distribution
build-type: Simple
cabal-version: >=1.10
flag base48
description: Are we using base 4.8 or later?
manual: False
flag use-network-uri
description: Are we using network-uri?
manual: False
library
-- Most functionality is exported through the top-level entry points .Client
-- and .Server; the other exported modules are intended for qualified imports.
exposed-modules: Hackage.Security.Client
Hackage.Security.Client.Repository
Hackage.Security.Client.Repository.Cache
Hackage.Security.Client.Repository.Local
Hackage.Security.Client.Repository.Remote
Hackage.Security.Client.Repository.HttpLib
Hackage.Security.JSON
Hackage.Security.Key.Env
Hackage.Security.Server
Hackage.Security.TUF.FileMap
Hackage.Security.Util.Checked
Hackage.Security.Util.IO
Hackage.Security.Util.Lens
Hackage.Security.Util.Path
Hackage.Security.Util.Pretty
Hackage.Security.Util.Some
Text.JSON.Canonical
other-modules: Hackage.Security.Client.Formats
Hackage.Security.Key
Hackage.Security.Trusted
Hackage.Security.Trusted.TCB
Hackage.Security.TUF
Hackage.Security.TUF.Common
Hackage.Security.TUF.FileInfo
Hackage.Security.TUF.Header
Hackage.Security.TUF.Layout
Hackage.Security.TUF.Mirrors
Hackage.Security.TUF.Patterns
Hackage.Security.TUF.Root
Hackage.Security.TUF.Signed
Hackage.Security.TUF.Snapshot
Hackage.Security.TUF.Targets
Hackage.Security.TUF.Timestamp
Hackage.Security.Util.Base64
Hackage.Security.Util.JSON
Hackage.Security.Util.Stack
Hackage.Security.Util.TypedEmbedded
Prelude
-- We support ghc 7.2 (bundled with Cabal 1.12) and up
build-depends: base >= 4.4 && < 5,
base64-bytestring >= 1.0 && < 1.1,
-- we need Data.ByteString.Builder to build tar indices,
-- which is only available from bytestring-0.10.2 and up
-- TODO: We should probably fix that upstream (in tar)
-- so that we can compile with the version of bytestring
-- that comes with ghc for ghc < 7.8
bytestring >= 0.10.2 && < 0.11,
Cabal >= 1.12 && < 1.25,
containers >= 0.4 && < 0.6,
directory >= 1.1 && < 1.3,
ed25519 >= 0.0 && < 0.1,
filepath >= 1.2 && < 1.5,
mtl >= 2.2 && < 2.3,
parsec >= 3.1 && < 3.2,
cryptohash >= 0.11 && < 0.12,
-- version 0.4.2 of tar introduces TarIndex
tar >= 0.4.2 && < 0.5,
time >= 1.2 && < 1.6,
transformers >= 0.4 && < 0.5,
zlib >= 0.5 && < 0.7,
-- whatever versions are bundled with ghc:
template-haskell,
ghc-prim
hs-source-dirs: src
default-language: Haskell2010
default-extensions: DefaultSignatures
DeriveDataTypeable
DeriveFunctor
FlexibleContexts
FlexibleInstances
GADTs
GeneralizedNewtypeDeriving
KindSignatures
MultiParamTypeClasses
NamedFieldPuns
NoMonomorphismRestriction
RankNTypes
RecordWildCards
ScopedTypeVariables
StandaloneDeriving
TupleSections
TypeFamilies
TypeOperators
ViewPatterns
other-extensions: BangPatterns
CPP
OverlappingInstances
PackageImports
QuasiQuotes
TemplateHaskell
UndecidableInstances
ghc-options: -Wall
if flag(base48)
build-depends: base >= 4.8
else
build-depends: old-locale >= 1.0
-- The URI type got split out off the network package after version 2.5, and
-- moved to a separate network-uri package. Since we don't need the rest of
-- network here, it would suffice to rely only on network-uri:
--
-- > if flag(use-network-uri)
-- > build-depends: network-uri >= 2.6 && < 2.7
-- > else
-- > build-depends: network >= 2.5 && < 2.6
--
-- However, if we did the same in hackage-security-HTTP, Cabal would consider
-- those two flag choices (hackage-security:use-network-uri and
-- hackage-security-HTTP:use-network-uri) to be completely independent; but
-- they aren't: if it links hackage-security against network-uri and
-- hackage-security-HTTP against network, we will get type errors when
-- hackage-security-HTTP tries to pass a URI to hackage-security.
--
-- It might seem we can solve this problem by re-exporting the URI type in
-- hackage-security and avoid the dependency in hackage-security-HTTP
-- altogether. However, this merely shifts the problem: hackage-security-HTTP
-- relies on the HTTP library which--surprise!--makes the same choice between
-- depending on network or network-uri. Cabal will not notice that we cannot
-- build hackage-security and hackage-security-HTTP against network-uri but
-- HTTP against network.
--
-- We solve the problem by explicitly relying on network-2.6 when choosing
-- network-uri. This dependency is redundant, strictly speaking. However, it
-- serves as a proxy for forcing flag choices: since all packages in a
-- solution must be linked against the same version of network, having one
-- version of network in one branch of the conditional and another version of
-- network in the other branch forces the choice to be consistent throughout.
-- (Note that the HTTP library does the same thing, though in this case the
-- dependency in network is not redundant.)
if flag(use-network-uri)
build-depends: network-uri >= 2.6 && < 2.7,
network >= 2.6 && < 2.7
else
build-depends: network >= 2.5 && < 2.6
if impl(ghc >= 7.8)
other-extensions: RoleAnnotations
if impl(ghc >= 7.10)
other-extensions: AllowAmbiguousTypes
-- StaticPointers
-- ^^^ Temporarily disabled because Hackage doesn't know yet about this
-- extension and will therefore reject this package.