I'm happy to announce the first version of stackage-upload. Copied below is the content of the README file; if you see errors please send a pull request to update the content. This tool is pretty simple right now, but can be easily extended. If others are interested in collaborating on this project, please be in touch.
stackage-upload provides a more secure version of the cabal upload command by using HTTPS. When uploading a package to Hackage, cabal upload will perform the upload in plain-text via unencrypted HTTP, using basic authentication, which is vulnerable to both man in the middle (MITM) and eavesdropping attacks (anyone sniffing your packets can get your username and password). This package instead uses secure HTTPS to upload to avoid both of these attacks.
To install, simply run cabal update && cabal install stackage-upload. Usage is quite similar to cabal upload: just call stackage-upload and pass in a list of tarballs to upload. (If you have stackage-cli installed, you can call stk upload instead.) stackage-upload --help will provide full options.Why not fix cabal?
I'd be happy to add TLS support to cabal-install directly (using Vincent's tls package), but the two last times this topic came up, I have been unable to find a proposal that is acceptable to the Cabal project (mostly around Haskell Platform requirements). I made an open offer to send the pull request myself to move cabal-install over to http-client to get TLS support (either via http-client-tls or http-client-openssl).Why Stackage?
- Store passwords securely via GPG encryption
- Upload documentation to Hackage (work around the sometimes-broken doc builder)
- Perform pre-upload checks, such as running the test suite from the tarball to check for missing files
This tool was something that I (Michael Snoyman) wrote for myself a while back, and decided to rebrand as stackage-upload when the severity of the insecure upload situation became apparent to me, and it became obvious that there was no path forward for getting cabal-install fixed.
I actually consider this situation to be so dangerous that I would like to ask the Hackage Server team to consider turning off insecure uploads to Hackage. The current possibility for corrupted uploads to infect all users of a package is alarmingly high.
I can't write (a->) as a section, but I can write ((->) a) to refer to functions that take an a, with the return type unparametrised, e.g. for writing an instance Functor ((->) r). But how can I write the opposite - a function that returns an a with the domain unparametrised? e.g. a Contrafunctor instance: Contrafunctor (->a).submitted by peterjoel
[link] [5 comments]
Posit the backslash-key on my keyboard is broken, but I'd like to keep using haskell. I now would like to build a quasi-quoter that translates, say, [|quoter| LAMDA(x,y,z): x + y + z + c |] to \x y z -> x + y + z + c. The right-hand-side should be any valid haskell expression.
How would I build quoter? I don't want hygiene, e.g. I'd like to capture the variable c from an outer scope. I see two possible solutions to implementing quoter.
1) Doing a purely syntactic translation, basically search-and-replacing LAMBDA(...): to \... -> and splicing this back as text into my program, like a c-preprocessor would.
2) Using a quoter for haskell expressions. Basically if I had the functionality of [|...|], but as a unhygienic function quoteExp :: String -> ExpQ that was fine with free variables occurring in the expression. I could then generate something like [|\x y z -> $(quoteExp expAsString)|].
I've been unable to figure out how to implement either approach. I'd prefer something along the lines of 2) if possible, but I'd prefer not writing a String -> ExpQ parser myself. I assume there are also some problems involving e.g. fixity/precedence of custom operators.
Thanks!submitted by ueberbobo
[link] [2 comments]